Since the beginning of the pandemic, CPAs have expected the single audit season to be tougher than usual. With so many uncertainties and final guidance not available in a timely manner, it created significant challenges for the planning and performance of 2020 single audits; many audits were put on hold.
As expected, when the Office of Management and Budget’s (OMB) Compliance Supplement addendum was released in December 2020, it provided a three-month audit submission extension to allow sufficient time for the recipients of COVID-19 funding and their auditors to go through the audit process. In addition, on March 19, 2021, OMB issued M-21-20, which further extended the audit submission deadline and expanded the scope of recipients. The extension provides for additional six months beyond the normal due date and applies to all recipients and subrecipients that have fiscal year-ends through June 30, 2021. It is an automatic extension, and the only requirement is for recipients and subrecipients of federal funding to maintain documentation of the reason for the delayed filling. If an NFP organization decides to take advantage of this extension, it should document the reason in a memo.
With COVID-19 related complexities, it is critical for auditors who perform single audits to stay current to have an efficient and quality audit done this season. Because the changes impact every step in the single audit process, auditors should review the latest available guidance and carefully go through the planning process to avoid testing requirements that are not applicable or writing up a finding for something that is not noncompliant.
The audit process should start with discussing relief funding.
With the significant infusion of relief money, chances are that many NFPs received some sort of relief funding, whether a Paycheck Protection Loan (PPP), Provider Relief, Coronavirus Relief, or Education Stabilization funding. Much of the new relief funding is subject to the single audit requirements.
Funds that are not subject to the single audit requirements are still important to the single audit risk assessment process when assessing the risk of material noncompliance due to fraud. Assessing the risk of material noncompliance due to fraud is an important part of the single audit—one that is often overlooked. One of those risks is that a recipient of federal awards has charged the same expense to multiple federal awards. Auditors should consider whether an NFP has identified each individual federal award separately within its general ledger system using cost centers. During COVID-19, this presents a higher risk, one that auditors should pay close attention to. As an example, although PPP awards are not subject to the single audit, consideration needs to be made to ensure that an entity has an adequate expense tracking system in place to reduce the risk of double dipping. Auditors should develop procedures to address this fraud risk.
Focus on SEFA Accuracy
To start out the planning of a single audit, it is very important to have a complete and accurate Schedule of Expenditures of Federal Awards (SEFA). Because SEFA is the basis for the major program determination, auditors should pay special attention to the testing of SEFA completeness due to COVID-19–related funding challenges.
Many NFPs, recipients of COVID-19 funding, are struggling to prepare their 2020 SEFA. Because the awarding of relief funds did not follow the normal process, it might be unclear when those federal funds were awarded, and whether the cost should be included on the 2020 SEFA or on a future year. Expenditures are generally reported on SEFA when there is an award in place and underlying activities have occurred.
In many cases during the COVID-19 pandemic, NFPs received federal cash payments first and the awarding process occurred later. Further complicating matters is that there might not be a traditional signed award agreement available to determine an award date.
In addition, costs should typically be reported on SEFA in the year the costs were incurred and applied to an award. Auditors should know that some of the new programs allow for the application of costs incurred before or after the award existed.
Auditors should consider all facts and circumstances with respect to the new funding; discuss with management to get an understanding of client’s position on the “award date” and activities covered under the award; review board minutes and any available correspondence with the funding agency; and review funding agency website for the award description and frequently asked questions.
For example, recipients of Provider Relief Funding (PRF) are required to report expenditures (or lost revenue) on SEFA, starting with December 31, 2020, year-end. PRF provides funding to hospitals and other healthcare organization to cover healthcare expenses or lost revenue attributable to COVID-19. The funds are distributed by the Department of Health and Human Services (HHS). This approach to reporting expenses at a later period is intended to link SEFA reporting for PRF to the amounts to be reported directly to HHS by funding recipients at calendar year-end. Consequently, even if the expenses were incurred and revenue was recognized for GAAP purposes, the NFP should not report PRF expenses on their SEFA in a fiscal year ending before December 31, 2020. This changes the auditor’s mindset of what they know and are comfortable with on SEFA.
Once auditors determine which expenses should be included on the SEFA, it is important to document the basis for the conclusion reached. Auditors should not have a problem defending their conclusion if it is documented to be based on the best available information at the time.
There are a few other considerations that auditors should keep in mind when reviewing the SEFA:
- COVID-19 funding is required to be presented separately on the SEFA and the data collection form for both new programs and existing programs. There might be some challenges in identifying COVID-19 funding, especially where additional funding is added to existing programs. Auditors should start communicating with clients early in the process and consider confirming funding with the awarding agencies.
- Organizations that received donated personal protective equipment (PPE) should include the fair market value of the PPE at the time of receipt in a stand-alone footnote to the SEFA. The donated PPE should not be counted by an auditor for purposes of determining the threshold for a single audit, nor for determining the type A/B program threshold for being audited as a major program.
Low Risk Auditee
Once auditors are comfortable with the SEFA, the next step in the single audit planning process is to determine whether an auditee meets the low risk criteria. For an auditee to be considered a low risk in the current year, the two prior years’ audits must have met the specified criteria, including report submission to the Federal Audit Clearinghouse (FAC) by the due date (see 2 CFR section 200.520).
When auditors review the report submission dates for their clients, they should consider that OMB automatically extended the submission dates by initially issuing Memo M-20-17 and then again by issuing M-20-26. M-20-17 (issued on March 19, 2020), allowed recipients and subrecipients with fiscal year-ends through June 30, 2020, which had not filed their single audits with the Federal Audit Clearinghouse as of the date of issuance, to delay the completion and submission of the single audit reporting package for six months beyond the normal due date. On June 18, 2020, this memo was rescinded by OMB Memo M-20-26, changing some of the extension dates. As a result of those two memoranda, many entities with year-ends from June 30, 2019, through December 31, 2019 were granted between three and six months of additional time to submit their single audit packages.
Auditees that timely filed their 2018 single audit packages and took advantage of extensions for their 2019 audit submissions and filed within the period of allowed extension will qualify as “low-risk auditees” if they met all other criteria.
COVID-19 Funding Impact on Major Program Determination
The presence of new COVID-19 funding is critical to the major program determination process. With significant amounts distributed to government agencies and NFPs, auditors should pay attention to type A/B program thresholds, as these potentially may increase compared to prior years. When working with recurring clients, it might have been easy for auditors to identify major programs that required to be audited, as the awards may have been the same for many years; this might be different this season.
If an NFP received funding from a new COVID-19 program that equals or exceeds the Type A program threshold (typically, $750,000 or more), this program will be considered high risk as it hasn’t been audited before—thus, the auditor is required to treat it as a major program. If the additional funding is allocated to the existing Type A program, an auditor should remember that inherent risk is not a criteria for identifying a Type A program high risk; therefore, the size of the program will not have an impact on the risk level. If there are significant changes in personnel and systems, however, these could potentially increase the status to high risk. Auditors should review the changes with their clients to understand the extent, as there could be fundamental changes in the way they operate programs; these will result in the increase in risk level, or just a few processes changed that might not be significant.
When considering the internal controls over federal awards, auditors should remember that the internal control procedures could have changed during the year due to the pandemic.
For Type B programs (typically under $750,000), it is important for the auditors to carefully examine the risk assessment process by reviewing each risk factor. COVID-19 funding may trigger new risk factors that could impact the risk level. There might be changes in the operation of the programs, and the use of subrecipients, size, or program maturity that might increase risk. For example, if additional COVID-19 funding is added to an existing type B program and this incremental funding has additional requirements to use subrecipients, and if the entity never passed funds to subrecipients before, the inherent risk for this program would be higher. In this case, if there are other changes in the operation of the program in moving to a remote environment, overall inherent risk might be high.
Auditors should consider if the changes in systems and personnel and other risk factors are significant enough to increase the status to high risk. Documenting the thought process and conclusion will be very important to support a determination of low risk.
Testing Internal Controls
When considering the internal controls over federal awards, auditors should remember that the internal control procedures could have changed during the year due to the pandemic. COVID-19 has had a significant effect on just about every aspect of an NFP’s operations, causing dramatic changes in the way the services are provided and how people work for NFPs. Many organizations furloughed or laid off employees, which may have impacted internal control practices as the responsibilities of remaining employees shifted. Moving to a remote environment and restructuring existing programs have potentially impacted the control environment and procedures. Auditors should acquire an understanding of the changes in design and implementation of the internal controls over federal awards as part of their internal control risk assessment process. If NFPs had two different sets of controls before the pandemic started and during COVID-19, auditors would have to test both sets if both are determined to be properly designed and implemented.
In general, operating remotely may create additional challenges, especially for small not-for-profits. Some organizations might not be sophisticated enough with the use of technology and were not prepared to move to remote operations. In this case, we might see that internal control procedures set perfectly before the pandemic are not being followed. This may result in internal control findings and will increase a sample size for the compliance testing.
Generally, auditors should expect that internal control risk assessment areas will require more time and attention in order to gain an understanding of the changes due to COVID-19 and related new requirements, as well as to perform additional testing where necessary and report the findings.
Many COVID-19 related programs were included in the OMB Compliance Supplement Addendum, providing details on what needs to be tested. There are programs that were not included, however. For new COVID-19 programs that were not included in the addendum, auditors should use the framework provided in Part 7 of the Compliance Supplement to determine which of the compliance requirements to test.
When auditing an existing program with incremental COVID-19 funding, auditors should keep in mind that the original terms and conditions may have been modified to include additional compliance requirements that may not be marked “Yes” in Part 2 of the Matrix of Compliance Requirements (Matrix) in the Compliance Supplement or Addendum. The new funding could be uniquely different, potentially triggering other types of requirements that would have been marked “Yes” on the Matrix if it had been updated. Appendix VII of the Compliance Supplement Addendum requires auditors to use Part 1 of the Compliance Supplement outlined framework and perform reasonable procedures to ensure compliance requirements identified as subject to audit on the Matrix are current. The reasonable procedures would include an inquiry of client’s management about communications from federal agencies modifying requirements, a review of any updated terms and conditions on federal agencies’ websites, and the latest frequently asked questions. If during their reasonable effort procedures, auditors were to identify additional direct and material requirements that are not on the Matrix, the requirements would need to be added to the six already identified on the Matrix. It is important to document the procedures performed to identify the compliance requirements.
Some existing programs that didn’t receive additional COVID-19 funding were granted significant flexibility by federal agencies in order for the programs to run uninterrupted.
Some existing programs that didn’t receive additional COVID-19 funding were granted significant flexibility by federal agencies in order for the programs to run uninterrupted; for example, some received waivers of compliance by federal agencies. It is important to review the guidance for those programs, as it will impact compliance testing if the program is selected as a major program.
In an effort to provide short-term administrative, financial management, and audit requirement relief, OMB issued four memoranda during 2020 (M-20-11, M-20-17, M-20-20, and M-20-26) and one memoranda in 2021 (M-20-21), which allow federal agencies to provide certain flexibility to the recipients of federal funds. Among other provisions, federal agencies were given the authority to grant case-by-case exceptions for individual federal awards, to allow recipients to delay the submission of financial and performance reporting, and to provide exemptions of certain procurement requirements. More importantly, federal agencies could allow recipients to continue to charge salaries and benefits to the federal awards, even if the programs could not continue providing services due to government-mandated shutdowns. In addition, certain costs related to the cancellation of events, travel, and other activities that are not normally chargeable to federal awards were allowed if they were necessary and reasonable for the performance of grant-funded activities. Although it is important to become familiar with these OMB memoranda, auditors should remember that each federal agency should have adopted the provisions before they become effective. Therefore, auditors should refer to specific federal agency’s guidance to ascertain the applicable flexibility.
With the significant impact the COVID-19 pandemic has had on the not-for-profit sector, auditors should stay abreast of current developments as the federal government continues to release new federal funding and change and update related regulations. The pandemic is not over yet. The single audit environment remains challenging and constantly changing. Audit firms should commit to training their teams and educating their clients. Working collaboratively will minimize surprises and will contribute to a smooth and successful audit.