Avoiding Common Deficiencies in Yellow Book and Single Audits

Avoiding Common Deficiencies in Yellow Book and Single Audits A Governmental Audit Quality Center Web Event March 22, 2016

Administrative Notes Please ensure your pop-up blocker is disabled. Note the interactive toolbar at the bottom of your screen. Download slides and materials by clicking this icon. Ask questions by entering your question in the “Q&A” box. Please click the “Help” your screen. and/or “Contact Us” at the bottom of Call AICPA Member Service at 888.777.7077. Governmental Audit Quality Center 2

Trouble Shooting Troubleshooting Tips No Audio? Ensure that your computer speakers are turned on that the volume is appropriately set Check to ensure that audio streaming is enabled on your computer If the presentation slides stop advancing during the presentation Close out of the presentation and re-launch the webcast If you are still having audio or other technical difficulty Check with your IT personnel at your firm or state audit organization (SAO) to ensure that this event is not being blocked by a firewall Call the AICPA Service Center at 888.777.7077 Governmental Audit Quality Center 3

Continuing Professional Education You must answer at least 75% of the random, attendance checks to earn CPE credit. Please respond to the attendance checks during the live presentation. You are not eligible to earn CPE by watching the archive of this event. At the end of today’s presentation we will provide steps for obtaining your CPE certificate Governmental Audit Quality Center 4

Presenters Rick Reeder, CPA Reeder & Associates Brian Schebler, CPA RSM US LLP Governmental Audit Quality Center 5

What We Will Cover Common Deficiencies in Single Audits and Audits Performed under Government Auditing Standards (Yellow Book) Top Areas that Auditors Need to Get Right to Avoid Quality Issues Preparing for the Next Single Audit Quality Study AICPA Enhancing Audit Quality Initiatives Resources Governmental Audit Quality Center 6

But First .Why Should These Audits be a Focus Area for Auditors? Single audits are a “risky” business Regulator and other scrutiny Quality Control Reviews (QCRs) and Desk Reviews of auditors Single audits are a “must select” area in peer review Ongoing federal oversight of non-federal auditees Implementation of the Uniform Administrative Requirements, Cost Principl es, and Audit Requirements for Federal Awards at 2 CFR 200 (UG or Uniform Guidance) Historical evidence shows audit quality issues Future periodic study of audit quality required by UG Governmental Audit Quality Center 7

Common Single Audit and Yellow Book Deficiencies Governmental Audit Quality Center 8

Peer Review Ethics Enhanced Violations Oversight AICPA Professional Ethics, Most Frequent Violations of Professional Standards: Governme nt and Not-for-Profit Investigations AICPA Peer Review Program, Annual Report on Oversight (see page 52 of report) Governmental Audit Quality Center 9

Failed to Accurately Identify and/or Test all Major Programs Failure to combine same CFDA#s as one program for major program determination and testing Clusters not treated as one program for major program determination and testing Type A threshold incorrect Failure to consider effect of large loans on Type A Threshold Governmental Audit Quality Center 10

Incorrectly Identified Auditee as a Low-Risk Auditee When One of More of Following Occurred Data Collected Form (DCF) not filed or filed late Opinion on financial statements or Schedule of Expenditures of Federal Awards (SEFA) was modified Material weaknesses in internal control (IC) over financial reporting or compliance were noted Material noncompliance on major federal program(s) was reported Governmental Audit Quality Center 11

Internal Control over Compliance and Compliance Testing Problematic Compliance requirements documented as applicable, but no testing performed Use of out-ofdate work programs Improper application of dual purpose testing Governmental Audit Quality Center Lack of understanding of difference between IC and compliance testing 12

Documentation Issues Type A or B risk assessment documentation missing or inadequate No documentation of fraud risk regarding noncompliance for major programs Failure to perform or document analytical procedures in the planning and/or final stages of audit Failure to utilize or customize an audit program Governmental Audit Quality Center 13

Reporting Issues Auditor’s reports did not include all required elements Auditor did not properly date the report(s) Inconsistency in reporting of findings between the Schedule of Findings and Questioned Costs (SFQC) and the reports Other reporting issues such as outdated wording and failure to correctly opine on prior year information Governmental Audit Quality Center 14

Yellow Book Issues Engagement team did not meet CPE requirements Independence documentation issues Failed to meet YB peer review requirements Governmental Audit Quality Center 15

Top Areas that Auditors Need to Get Right to Avoid Audit Quality Issues Governmental Audit Quality Center 16

What Auditors Must Get Right Yellow Book Independence Evaluation and Documentation Engagement Team Selection Acceptance and Continuance of Single Audit Engagements Major Program Determination, Percentage of Coverage, SEFA IC Over Compliance and Compliance Testing (Including Sampling) Documentation, Documentation, Documentation Correct Reporting Correct Reporting of Audit Findings in Both Single Audit Reporting and the DCF Governmental Audit Quality Center 17

Planning - Yellow Book Independence Evaluation and Documentation Identify nonaudit services Meet preconditions Evaluate and document Skills Knowledge and Experience (SKE) of management Assess threats Consider individually and in the aggregate Document consideration of significant threats Document your understanding of non-audit services with the auditee Apply safeguards when significant threats exist Governmental Audit Quality Center 18

No SKE No Independence You can’t safeguard your way out of no SKE Governmental Audit Quality Center 19

Planning – Engagement Team Selection Ensure all members of the team meet YB CPE requirements Governmental Audit Quality Center Experience and competency of engagement team members 20

Planning – Acceptance and Continuance Firm’s quality control (QC) policies and procedures should provide reasonable assurance that it will undertake or continue relationships and engagements only where it is competent to perform the engagement and has the capabilities, including the time and resources, to do so Key policies include: Evaluating whether the engagement can be completed with professional competence; Undertaking only those engagements for which the firm has the capabilities, resources, and professional competence to complete; and Evaluating, at the end of specific periods or upon occurrence of certain events, whether the relationship should be continued. Governmental Audit Quality Center 21

Planning - Acceptance and Continuance Objective: Only undertake engagements when appropriate QC Procedures Document communications with prior auditors Document relevant information before accepting or continuing client relationship Document services to be performed Procedures for withdrawal from an engagement Document the fact that the firm possesses the expertise and knowledge to perform the engagement Governmental Audit Quality Center 22

Performing - SEFA Requirements Remember .first and foremost the SEFA is a client responsibility! From auditor perspective: Ensure familiar with changes to the SEFA as a result of the Uniform Guidance Are clusters and programs identified correctly? This is key! Determine whether information required on the face of SEFA is there and that all required disclosures included Reconciliation of SEFA amounts to financial records Governmental Audit Quality Center 23

Performing – Major Program Determination Ensure appropriate program and cluster determinatio n Perform the 2-year look back correctly Use the correct threshold for Type A/Type B determinatio n Governmental Audit Quality Center Use the lowrisk auditee criteria provided in the regulation Make sure you have adequate coverage (at the end of process!) Use all 4 steps in the process. Use judgment only where appropriate 24

Performing - Understanding and Testing Internal Control Use COSO/GAO’s Green Book Test of design and implementation AND test of effectiveness Need evidence of who, when, what Evaluate results of test of controls on tests of compliance Control must be effective or you should have a finding! Governmental Audit Quality Center 25

Performing - Compliance Testing Use all parts of Compliance Supplement for a correct Single Audit 2: Matrix of Compliance Requirements 3.1 and 3.2: Compliance Requirements for audits performed under A-133 and under Uniform Guidance – USE CORRECT PART 3 4: Agency Program Requirements 5: Clusters of Programs 6: Internal Control – NOT INCLUDED IN 2015 SUPPLEMENT AND UNSURE WHETHER WILL APPEAR IN 2016 7: Guidance for Auditing Programs not Included in the Supplement Don’t forget Appendices Use the correct year’s Supplement Governmental Audit Quality Center 26

Performing – I/C and Compliance Complete full circle on risk of material noncompliance Identify, Assess, Respond, Evaluate The risk assessment process is not complete until the audit report is issued! Internal controls should be continually reevaluated throughout the audit process Understand the difference between control vs. compliance Controls: What did entity do to ensure compliance? Compliance: Did entity comply? Testing compliance gives indirect evidence on controls, but cannot serve as the basis for assessing controls as operating effectively Governmental Audit Quality Center 27

Performing - Ensure Understanding of Sampling Access more detailed GAQC Sampling Web event Ensure sample sizes appropriate Appropriate documentation Watch out for dual purpose sampling Tests of Controls Provide evidence about the effectiveness of the design, implementation, or operation of controls and policies in preventing or detecting material noncompliance. Concern: Rates of deviations from a prescribed control. Governmental Audit Quality Center Tests of Compliance Provide evidence about an auditee’s ability to adhere to the direct and material compliance requirements of its major programs. Concern: Rates and potential magnitude of noncompliance. 28

Performing - Documentation If it was not documented it was not done! Key areas of documentation include: Materiality levels and basis for how determined Major program determination – including individual program risk assessments Governmental Audit Quality Center Understanding and testing of I/C over compliance Compliance testing and support for sampling used Overall Conclusions 29

Performing – Documentation I/C and Compliance Documentation Best Practices Documenting an understanding of I/C over compliance that addresses the five elements of COSO Documentation supporting the operating effectiveness of controls and that controls have been implemented Documenting evidence of who, when, what Documentation that indicates the use of a combination of procedures (versus inquiry alone) When using dual-purpose sampling, a clear distinction between the compliance test versus the controls test Documentation of the evidence that supports results of test of controls including: - Understanding of deviation and consequences - Assessment of the deviation and proper reporting - Assessment of the impact on tests of compliance Governmental Audit Quality Center 30

Reporting – Audit Reports Reports must use up-to-date language and include all appropriate references to Government Auditing Standards, Uniform Guidance, Compliance Supplement, etc. Use illustrative audit reports provided in the AICPA Audit Guide, Government Auditing Standards and Single Audits Report on compliance and I/C over compliance refers to major programs in the Summary of Auditor Results in SFQC Ensure major programs in Summary of Auditor Results correct and matches what is in audit documentation! Ensure DCF identifies same major programs! Governmental Audit Quality Center 31

Reporting – Correctly Reporting Findings Key Point Audit reports SFQC DCF Documentation Ensure single audit report on compliance and I/C over compliance appropriately identifies I/C findings Do not report significant deficiencies or material weaknesses in the management letter in lieu of putting them in your audit report Include all required finding elements in your findings write-ups (see next slide) Do not ignore reporting findings that were “corrected” later in the year of audit Governmental Audit Quality Center 32

Reporting - Uniform Guidance Finding Elements Views of Responsible Officials Program information Recommendatio n Cause & Effect Criteria Finding Elements Repeat Finding From Prior Year Whether Condition Found Context Sampling was Questioned Statistically Costs Valid Governmental Audit Quality Center 33

Reporting - Tips to Avoid DCF Errors Errors in the DCF can lead to federal quality reviews Review DCF thoroughly before it is submitted Avoid these common specific issues (some broadly discussed previously) DCF doesn’t indicate some or all of the programs in a cluster were audited as major All lines on DCF with same CFDA # not marked as audited as major Type A/B threshold on DCF doesn’t match threshold in SFQC Amounts on DCF do not agree with SEFA Inconsistency between federal awards and audit findings tabs Identifies that a program-specific audit was performed when a single audit was performed Governmental Audit Quality Center 34

Preparing for the Upcoming Single Audit Quality Study Governmental Audit Quality Center 35

Single Audit Quality Study UG requirement for a federal study of quality once every 6 years beginning in 2018 Statistically reliable estimate of the extent that single audits conform to applicable requirements, standards, and procedures Results of reviews must be made public Start out on the right foot with UG and all of its requirements Governmental Audit Quality Center UG §200.513(a)(3)(ii) 36

Governmental Audit Quality Center 37

Why Hone in on the UG Quality Study Requirement? – Think Back to the Prior Federal Single Audit Quality Study Results Previous federal study of single audits issued in 2007 resulted in more than 50% of audits being either unacceptable or limited reliability Governmental Audit Quality Center 38

What Should Auditors be Doing? Ensure understanding of UG effective dates and requirements Focus QC systems on areas that the prior quality study showed to be problematic (see last section of this presentation): Major program determination Understanding and testing internal control Use of Compliance Supplement and compliance testing SEFA requirements Ensuring adequate audit documentation Single audit reporting Writing findings DCF requirements Pay attention to deficiency listings from AICPA Peer Review and Ethics teams (see earlier slide) Use your GAQC membership and refer to its resources! Governmental Audit Quality Center 39

What Should Auditors be Doing? Obtain appropriate CPE each year and ensure competency New competency framework and assessment tool relevant to single audits offered at AICPA Competency and Learning Web site Exam-based single audit certificate program coming soon! Learn more! Utilize various checklists to assist in reviewing single audit engagements (e.g., peer review checklists or federal quality checklists) Proactively review your firm’s DCF submissions in the FAC Governmental Audit Quality Center 40

What Should Auditors be Doing? Select an adequate cross-section of governmental audits for Engagement Quality Control Review Select a peer reviewer that has adequate experience and knowledge in the type of governmental engagements your firm performs Governmental Audit Quality Center 41

Enhancing Audit Quality Initiatives at AICPA Governmental Audit Quality Center 42

“Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution .” William Foster, Business Executive 43

Overall AICPA 6-Point Plan to Improve Quality Governmental Audit Quality Center 44

Enhancing Peer Reviewer Quality Expand oversights with experts to review engagements and firms Review audit engagements and firms prior to report acceptance Better measure how system is working Facilitate prevention of undetected deficiencies Increase initial and ongoing training Team captains Reviewers of high-risk and regulated industries Includes competency assessment Streamline removal of ineffective reviewers Governmental Audit Quality Center 45

Enhanced Oversight Process Governmental Audit Quality Center 46

Breakdown of Engagements Selected 1 9 48 32 EBP Single Audit Governmental Audit Quality Center Government Auditing Standards SOC 1 47

Oversight Results by Type Total Engagements Reviewed EBP GAS/Single Audit Governmental Audit Quality Center 1 1 17 22 41 48 Non-Conforming Engagements SOC 1 48

Oversight Results by Type EBP GAS/Single Audit Governmental Audit Quality Center 1 1 77 17 22 41 48 Only 7 non-conforming engagements were identified by Non-Conforming Engagements Total Engagements Reviewed the peer reviewer. SOC 1 49

Strengthening Firm Quality – Areas of Focus Current peer review areas of focus include: Independence (non-attest services and appropriate evaluation of client SKE) Single audits Audits of governmental entities that issue municipal securities Sufficiency of audit evidence - sampling, risk assessment, and internal controls Employee Benefit Plans, including Employee Stock Ownership Plans and government plans Crowdfunding Governmental Audit Quality Center 50

Strengthening Firm Quality Evaluate “new” engagements promptly Audits in high-risk industries Performed outside of peer review year Require pre-issuance or post-issuance review in instances of non-conformity Identify deficient audits through the FAC Governmental Audit Quality Center 51

Population Completeness Updated peer review scheduling and enrollment forms Continue to explore publicly available databases Confirmed ability to obtain Employee Identification Numbers (EINs) for: Single audits Employee benefit plan audits U.S. Department of Housing and Urban Development (HUD) engagements Governmental Audit Quality Center 52

Complete Engagement Listing Enhanced warning to firms Revised representation letter Material misrepresentation consequences Report recalled (with state board notification) Hearing panels determine outcome Re-enrollment subject to second hearing panel Individual referral to Ethics Use publicly available databases Governmental Audit Quality Center 53

Accelerated Remediation Process Effective January 1, 2015 Mandatory assessment to hearing panel for two consecutive non-pass reports Presumptively mandatory referral for two consecutive fail reports OR pass with deficiency to fail reports Mandatory referral to hearing panel for three consecutive non-pass reports Governmental Audit Quality Center 54

Why Should We Care About Quality Control? AICPA is seeing significant quality issues The effectiveness of the quality control system directly impacts the quality of the work product Similar to internal controls over financial reporting Better quality controls help mitigate risks It’s required! Statements on Quality Control Standards (SQCS) No. 8—The firm must establish a system of quality control Applies to accounting and auditing practices of all CPA firms Starting in 2016—enhanced Quality Control focus in peer review Governmental Audit Quality Center 55

Establishing and Maintaining a System of Quality Control for a CPA Firm’s Accounting and Auditing Practice Two versions of practice aid prepared by the Quality Control Standards Task Force Small and Medium-Sized Firms Sole Practitioner Practice aids have been revised to : make the illustrative policies and procedures more applicable to a wider range of firms make the illustrative policies and procedures more easily customizable for practitioners include tips, warnings and notes to help practitioners better implement the policies and procedures Governmental Audit Quality Center 56

Establishing and Maintaining a System of Quality Control for a CPA Firm’s Accounting and Auditing Practice Tips, warnings and reminders Developed by the task force based on years of experience as peer reviewers and partners responsible for their firms’ system of quality control. Take the time to read them – they provide insightful and practical advice. Practice aids include references to resources offered by the AICPA at no charge to assist practitioners in enhancing engagement quality and improving efficiency. Expected to be available July 2016 Governmental Audit Quality Center 57

Questions/Discussion Governmental Audit Quality Center 58

Resources Governmental Audit Quality Center 59

Access Auditing Standards of AICPA and GAO AICPA Auditing Standards A&A hotline - http://apps.aicpa.org/technicalhotline/form.asp or 877.242.7212 Government Auditing Standards Governmental Audit Quality Center 60

AICPA Audit Guide: Government Auditing Standards and Single Audits Updated for Uniform Guidance Covers internal control over financial reporting in Government Auditing Standards section Includes chapters on internal control over compliance and sampling Purchase from www.cpa2biz.com 2016 Update expected this summer Governmental Audit Quality Center 61

Other Relevant AICPA Guides for Financial Statement Audits AICPA Audit and Accounting Guide, State and Local Governments AICPA Audit and Accounting Guide, Not-forProfit Entities AICPA Audit and Accounting Guide, Health Care Entities All three of above Guides can be ordered at www.cpa2biz.com Governmental Audit Quality Center 62

AICPA 2011 Yellow Book Independence - Nonaudit Services Documentation Practice Aid Flat PDF Version. Free to AICPA members, including GAQC members; For Sale Version. Designed for Auditor Documentation Input and available for a small fee. Can be saved and included as part of auditor’s documentation Governmental Audit Quality Center 63

AICPA - Ethics Updated AICPA — Yellow Book (GAGAS) Independence Rules Comparison AICPA Professional Ethics, Most Frequent Violations of Professional Standards: Government and Not-forProfit Investigations (Issued April 2015) Ethics - [email protected] 888.777.7077 Governmental Audit Quality Center 64

AICPA – Peer Review and QC Peer Review - [email protected] or 919-402-4500 AICPA Peer Review Program, Annual Report on Oversight Archived Peer Review Update Webinar Archived Sufficiency of Audit Evidence Webinar Quality Control Workshops Toolkit New virtual group study course Governmental Audit Quality Center 65

Key Single Audit-Related Information Uniform Guidance codified in Title 2 of CFR, Subtitle A, Chapter II, Part 200 How to Access the Uniform Guidance Electronic Code of Federal Regulations (e-CFR) version OMB Federal Financial Management Web site OMB Compliance Supplement Other Uniform Guidance related documents at: http:// www.whitehouse.gov/omb/grants docs Office of Federal Financial Management Web page COFAR guidance including FAQs, archived webcasts, and other information Visit https://cfo.gov/COFAR/ for all resources The DCF and related instructions can be accessed from the Federal Audit Clearinghouse Governmental Audit Quality Center 66

GAQC Archived Uniform Guidance Events GAQC archived Web events that may help with the Uniform Guidance Single Audit Fundamentals Series Preparing for a Single Audit: An Auditee Perspective Now is the Time for Auditors to Get Ready for the Uniform Guidance Audit Requirements Internal Control: COSO, the Green Book, and More Sampling in a Single Audit Environment Governmental Audit Quality Center 67

GAQC Archived Uniform Guidance Events GAQC archived Web events that may help with the Uniform Guidance Uniform Guidance for Federal Awards: The New Cos t Principles, Time and Effort Reporting, Procurement and Other Administrative Requirements Uniform Guidance for Federal Awards: How Clients will Need to Monitor Subrecipients Going Forward Uniform Guidance for Federal Awards: Auditor Planni ng Considerations for the New Single Audit Rules 2015 OMB Compliance Supplement and Single Audit Update Governmental Audit Quality Center 68

How do I get my CPE certificate? Access your CPE certificate by clicking this orange icon. If at the end of this presentation you are eligible for but unable to print your CPE certificate, please log back in to this webcast in 24 hours and click the orange “Get CPE” button. Your certificate will still be available. If you need assistance with locating your certificate, please contact the AICPA Service Center at 888.777.7077 or [email protected]. Governmental Audit Quality Center 69

Thank You for Attending! Governmental Audit Quality Center 70