In Brief
Under its Single Audit Quality Study, the Office of Management and Budget will soon be reviewing single audit engagements. To help auditors enhance the quality of the single audits they perform, this article analyzes the results of a Peer Review Program study of such audits and identifies common problems—specifically issues related to compliance with governmental auditing standards, the determination of major programs, low-risk auditee status, internal controls, and reporting. Auditors who wish to practice successfully in this complex area must keep on top of current issues and enroll in the proper education courses.
* * *
Most auditors who perform single audits under the Uniform Guidance (UG), formerly known as Office of Management and Budget (OMB) Circular A-133, are aware that a study of audit quality is required every six years. What they might not realize is that this Single Audit Quality Study will examine single audit engagements performed under the UG and submitted no earlier than 2018. The examination is likely to occur in 2019 for single audits being worked on at the time of this article’s publication, and it is hoped that this discussion can identify common failures in nonconforming audits.
A Study of Single Audits
In 2014, the AICPA published Enhancing Audit Quality: A 6-Point Plan to Improve Audits. Single audits were identified as a high-risk area, and were designated as a peer-review area of focus. The AICPA has increased scrutiny on peer reviewers, requiring greater reviewer qualifications and enhanced education on governmental auditing topics like single audits. In 2015, an AICPA Peer Review Program study of single audit engagements, which included a sample of 87 single audits reviewed by enhanced-oversight experts, was completed. The results indicated that almost half (48%) of the single audits reviewed were considered nonconforming.
The study attempted to isolate specific environmental factors that led to common audit deficiencies. Interestingly, the study found that the size of the firm was less important than the number of single audits that it performed. Firms that only performed one single audit had a 62% chance of a nonconforming audit, whereas those that performed two to ten single audits still had a 49% chance. It wasn’t until a firm performed more than ten single audits that the nonconformity rate decreased to a more respectable 15%.
The results were similar when examining the number of single audits that a specific partner performed. For example, the nonconformity rate for a partner performing just one single audit was 68%, and 44% for a partner who handled between two and ten audits; however, for a partner performing more than ten audits, it fell to 25%. Other factors reviewed indicated that nonconformity spiked when a partner had less than six years of experience performing single audits and took less than nine hours of continuing professional education (CPE) specifically on single audits. Consequently, partners who perform single audits should make sure they are taking appropriate CPE, and firms that have more experienced partners should provide oversight to less experienced ones.
Recently, noncompliance with Generally Accepted Government Auditing Standards has surfaced as a significant problem.
When a CPA firm has a nonconforming audit during its peer review, it will not receive a passing score. If a peer reviewer concludes that the reviewed firm has submitted for review an engagement that was not performed or reported on in conformity with applicable professional standards, the reviewer will issue a report with a failure rating. A noncon-forming audit seems likely to trigger such a conclusion. This could affect the reputation of the reviewed firm and could be detrimental when it comes to attracting new clients or retaining existing ones.
Does this mean that a firm that only performs one or very few single audits needs to discontinue that practice? Not necessarily. Each firm must look at its own new client-acceptance and existing client retention policies, then decide whether its staff has the time and resources necessary to become proficient in this highly technical area.
Noncompliance with Government Auditing Standards
What were the common problem areas noted in the 2015 study and in recent peer reviews? The long list includes major program determination, low-risk auditee status, testing on internal controls over compliance, reporting, and overall documentation matters. Recently, noncompliance with Generally Accepted Government Auditing Standards (GAGAS), often referred to as the Yellow Book, has surfaced as a significant problem—and has taken on increased importance in the peer-review process.
To that end, one of the areas that peer reviewers are increasingly focusing on is the Yellow Book’s independence framework and the related proper documentation. Most CPAs are aware that if they perform nonaudit services for attest clients under U.S. Generally Accepted Auditing Standards (GAAS), they must evaluate the skills, knowledge, and expertise (SKE) of the entity. A client must take responsibility for the nonaudit service, which must be overseen by a person possessing adequate SKE. GAAS does not require that the designated person be able to reperform the nonaudit service themselves, and independence would not be impaired when that designated person has the SKE to accept responsibility for the auditor performing that service.
Many CPAs, however, are not aware that the criteria for being independent are enhanced when the audit is performed under the Yellow Book, and that all single audits must meet Yellow Book standards. Under the Yellow Book, if the SKE assessment of the entity’s personnel indicates that the entity does not have the ability to reperform the service, it creates a threat that can only be alleviated if the firm implements a safeguard.
Many CPAs are also unaware that some of the routine services and tasks they perform during an audit are considered nonaudit services. For example, many CPAs know that financial statement and tax return preparations are nonaudit services that need to be evaluated—but so is preparation of the schedule of expenditures of federal awards (SEFA), cash-to-accrual conversions, maintaining fixed asset schedules, and performing reconciliations.
Therefore, to conform to Yellow Book standards, auditors must document how they evaluated all the nonaudit services they performed for a client in a single audit. And when the SKE evaluation indicates that the client cannot reperform the service, specific safeguards must be applied. Those safeguards can consist of an engagement quality review by a partner within the firm who has no other planning or reporting responsibilities or by an outside independent organization that can perform a secondary review. Other approaches include educating the client and providing tools to help the client succeed, such as a financial disclosure checklist and other practice aides. Auditors can use their judgment about which safeguard to apply, depending upon the extent of the nonaudit service and the impact it has on the auditors’ attest work.
It should be noted that the draft of the revised Yellow Book has expanded the independence requirements to state that anyservices performed by auditors related to preparing accounting records and financial statements (other than those already defined as impairments to independence) create significant threats to independence. Auditors should document the threats, as well as the safeguards applied to eliminate and reduce those threats to an acceptable level; otherwise, they should decline to perform the service. This author recommends that firms include a secondary partner review or other safeguard for all single audits.
Another area that is highly scrutinized in the peer review process is the requirement of those performing single audits to have the proper CPE credits, as previously mentioned. Each auditor performing work in accordance with Yellow Book should complete, every two years, at least 24 hours of CPE directly related to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. Auditors involved in any amount of planning, directing, or reporting on Yellow Book audits (and auditors who are not involved in those activities but charge 20% or more of their time annually to Yellow Book audits) should also obtain at least an additional 56 hours of CPE, for a total of 80 hours of CPE in every two-year period. Those required to take the 80 hours of CPE should complete at least 20 hours in each year of the two-year period. It should be noted that the draft of the revised Yellow Book does a better job of outlining which courses meet the specific government rule. The draft also proposes an additional four-hour requirement on specific GAGAS topics each time a new version of the Yellow Book is issued. Firms should track partner and staff CPE progress to ensure that the CPE rules are met.
When the federal government issued the UG, it superseded OMB Circular A-133 in outlining the requirements that auditors need to follow when performing single audits. It is critical that auditors undergo adequate training on changes brought forth by the UG and maintain updated practice aids to act as a guide through this transition.
It is critical that a review of the major-program calculation be performed after the completion of fieldwork, but before sending out the report as a draft to a client.
Other Common Problems
The determination of major programs.
As referred to above, one of the more common errors that led to non-conforming audits in recent peer reviews was the determination of major programs. To properly calculate major programs, it is critical to have an accurate SEFA. Often, in the planning stages of an audit, the SEFA used is based on preliminary information that can differ from the final audit. Changes resulting from audit adjustments, discovery of awards during the confirmation process that turn out to have federal pass-through funds, and other factors can alter whether a program is considered a “type A” program. This can affect the risk evaluation that needs to be performed and, ultimately, the determination of whether the program is high risk and should be tested as a major program; it can also affect whether the total programs tested met the minimum percentage of coverage (see below for other pitfalls when meeting the minimum percentage of coverage). Not combining as one program any federal awards that have the same catalog of federal domestic assistance (CFDA) number and not identifying all the programs that make up a cluster (which requires testing as one program) are two other common mistakes in calculating major programs. Thus, it is critical that a review of the major-program calculation be performed after the completion of fieldwork, but before sending out the report as a draft to a client.
Low-risk auditee status.
Another tricky area for auditors is the low-risk auditee status. If the data collection form was filed late or not filed at all in either of the previous two years, an auditee cannot be considered low-risk. The same is true if there was a material weakness in internal control reported within the last two years or if the opinion on the SEFA was modified. The impact of making a mistake on the determination of low-risk auditee status is that the auditor might not meet the correct minimum percentage of coverage when selecting major programs. Because the UG made several changes to the criteria for determining a low-risk auditee, auditors need to educate themselves on the changes and maintain up-to-date practice aids.
Internal controls.
Peer reviewers have also identified instances where the auditor did not perform testing on internal control over compliance or did not properly perform or document those tests. Unless the auditee does not have controls (in which case the auditor is required to report a material weakness), the auditor must test internal controls of all compliance requirements that are direct and material to a major program, to the extent that if the test turns out as planned, a low control risk is achieved. The AICPA has issued guidance in the Government Auditing Standards and Single Audits: Audit Guide that summarizes minimum sample sizes that must be tested in order for an auditor to reach the conclusion that control risk is low. Testing five or ten items, or doing a walkthrough, is not sufficient.
Often there is an explanation or a compensating control that provides a valid reason why the problem is not required to be reported.
In addition, many auditors do not understand the difference between testing a control and testing whether a term of an award has been complied with. Before auditors can determine an appropriate sample size to test compliance with an award, they need to make a proper determination of risk by testing internal controls. While dual-purpose tests are not prohibited, auditors must clearly document 1) which attributes tested relate to testing of controls to draw a proper conclusion about control risk, and 2) which relate to compliance with the award. For this reason, it is often recommended that auditors do not perform dual-purpose tests, so that documentation clearly exists to separately indicate the objective and results of each test. Lastly, if the auditor is using the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework for documenting internal controls, it is important that testing of internal controls include at least one control for each internal control component.
Reporting.
The last area this article will discuss that is often identified by peer reviewers as a common problem is reporting. While there is little excuse for an auditor to use outdated wording, not include all the required elements in a report, or use the wrong date, it still happens frequently. Using the report illustrations in the aforementioned AICPA audit guide should eliminate these problems. A more challenging issue arises when members of the audit team find potential errors, but the workpapers do not document their resolution and why they might not be included in the audit report. Because single audits typically include detailed testing in several areas, it is not uncommon for potential problems of noncompliance to be noted. Often there is an explanation or a compensating control that provides a valid reason why the problem is not required to be reported. The potential for auditors to not properly evaluate whether a problem noted during testing needs to be included in the audit report can be rectified by having a separate workpaper for each engagement, summarizing potential issues and including a column for how the issue was resolved. This will clearly document why a potential problem was not included, plus highlight for a manager or partner the issues that need to be included as a finding in the final report.
Next Steps
With increased scrutiny being placed on auditors who perform single audits in accordance with the UG and the high rate of nonconformity for these types of audits, CPAs need to evaluate whether they have the dedication to invest in the CPE required to properly perform these highly regulated audits. Auditors should accept only engagements that they have the expertise to perform or the time and resources to gain the necessary proficiency for. Learning the nuances of government auditing and staying abreast of current developments is a commitment that a firm and its partners and staff must undertake if they want to be sucessful. Those who accept this challenge must establish an effective quality-control system; provide adequate training for partners, managers, and staff; and subscribe to professional publications to stay aware of new regulations and related interpretations.
