Governor’s Grants Office

Governor’s Grants Office

OMB Circular A-133Rules To The Game

Audits of States, Local Governments and Universities

Presented by Alicia Foster, Graylin Smith and Donna Dancy for Governor’s Grants Office

Presenters

Alicia Foster, Audit Director Abrams, Foster, Noles & Williams, PA 410-433-6830 Graylin Smith, Managing Partner

SB & Company410-584-1401

Presenters

• Donna Dancy

• Director, Internal Audit Services

• Maryland Department of the Environment

• 410-537-3429

Presentation Objectives

• Recap OMB A-133 Circular Overview - Donna Dancy

• Clarify why we care about OMB A-133 compliance – Donna Dancy

• Define key terms and roles & responsibilities – Donna Dancy

Presentation Objectives

• Explain internal controls reviewed during the A-133 audit and the internal control questionnaire - Graylin Smith

• Purpose, Process, Outcomes : An Auditor’s Prospective - Alicia Foster

LET’S RECAP

Recap A-133 Overview

• Single Audit Act was enacted in 1984

• Annual audit required for Non-Federal Entities that receive Federal funds

• Shows the “whole picture”


• Single Audit is two-fold - Financial and Compliance

• Uses a risk-based audit approach

• Cost effective way to obtain audits

because one audit is conducted instead

of multiple audits of individual programs


• OMB Circular A-133 was issued in 1990

• Extended Single Audit process to universities and non-profits

• Set standards for consistency and uniformity for audits. Provided specific policy, procedures and criteria

Federal Circulars

Grantee

Type

Administrative

Requirements

Cost

Principles

Audit

Requirements

State & Local

Governments A-102 A-87 A-133

Educational

Institutions A-110 A-21 A-133

Non-Profit

Organizations A-110 A-122 A-133

Where to Find the Rules• OMB Circular A-133 - http://www.whitehouse.gov/omb/circulars/

a133/a133.html

• Single Audit Act - http://thomas.loc.gov/cgi-bin/query/ z?c104:S.1579.ENR:

• CFR - http://gpoaccess.gov/cfr/index.html

A-133 COMPLIANCEWHY…DO WE CARE?

A-133 Compliance WHY . . . Do We Care?

• Findings are reported to Federal government and become public

record, distributed to all Federal

Agencies through a clearing house.

• Federal and Non-Federal sponsors look at

A-133 as a ‘report card’ of how we spend their money.


• It strengthens the relationship of trust

that exists between the sponsor and recipient

• It suggests a presence of the stewardship necessary to properly safeguard the Federal Government’s investment in programs


• Negative publicity, may cause harm to reputation and prestige

• May cost $ millions in payback

• Loss of Federal expanded authorities, additional oversight burden

What Does Compliance Mean?

• Effective management of public funds to maximize outcomes

• The avoidance of fraud, mismanagement, and poor management of Federal funds

• Adherence to laws, rules and regulations

• Check and balances - internal controls

• Stewardship of Federal funds

Compliance Pitfalls

• Misuse of funds

• Unallowable costs

• Misallocation of costs

• Excessive cost transfers

• Delinquent financial reporting

• Inaccurate effort reporting/improper allocation of staff time

• Inadequate subrecepient monitoring

Why We Have Problems With Compliance

• Lack of understanding by staff of

roles and responsibilities

• Inadequate resources

• Incomplete, outdated or nonexistent

policies and procedures

• Inadequate staff training and education

Why We Have Problems With Compliance

• Inadequate systems

• Lack of documentation and audit trail to support claimed expenses

• Perception that internal control systems are not necessary

Compliance - Back to the Basics

• Do the right thing…from the start!!!

• Keep policies current with Federal requirements

• Perform risk assessments and implement

adequate internal controls

Compliance - Back to the Basics

• Develop a continuing training program

• Monitor first, audit second

COMMUNICATE, COMMUNICATE, COMMUNICATE!!!

with employees and Federal agency.

DOCUMENT, DOCUMENT, DOCUMENT!!!

Always remember, if you didn’t write it down, it didn’t happen.

KEY DEFINITIONS

Terms You Should Know

• Assistance• Procurement• Award• Sub-Award• Grant• Cooperative Agreement• Contract

• Pass-Through Entity• Recipient• Sub-recipient• Vendor• Direct Costs• Indirect Costs• Internal Control

Assistance vs. Procurement

• Financial Assistance– Provides support or stimulation to accomplish a public purpose. Award can be a grant or cooperative agreement.

• Procurement – Purchase of goods and services to accomplish a government purpose; services can include research. Award is a contract.

Definition of Award

• Financial assistance that provides support to accomplish a public purpose.

• Includes grants and other agreements

in the form of money or property in

lieu of money by the Federal

Government

Awards Do Not Include:

• Technical assistance

• Loans, loan guarantees, interest subsidies, insurance

• Direct payments of any kind to individuals

• Contracts, which are required to be entered into and administered under procurement laws and regulations

Definition of Subaward

• Financial assistance made by a

recipient to an eligible subrecipient

• Includes any financial assistance when provided by legal agreement, even if the agreement is called a contract

• Does not include the purchase of goods and services

Definition of Grant

• Purpose is to transfer money, property,

services or anything of value to recipient in

order to accomplish a public purpose.

• No substantial involvement is

anticipated between government

and recipient during performance

of activity.

Definition of Cooperative Agreement

• Purpose is to transfer money, property, services or anything of value to recipient in order to accomplish a public purpose.

• Substantial involvement is anticipated

between government and recipient

during performance of activity.

Definition of Contract• Primary purpose is to acquire property or

services for direct benefit or use of the

Federal Government.

• Government determines whether

procurement contract is appropriate.

• Allowable activities based on terms and conditions of contract

• Governed by terms of the contract and State law

Definition of Pass-Through Entity

• A Non-Federal Entity that provides a Federal award to a subrecipient to carry out a Federal program

Definition of Recipient

• Organization receiving financial assistance from a Federal Agency to carry out a project or program

• Term may include commercial, foreign or international organizations which are recipients and subrecipients

Subrecipient Versus Vendor

Subrecipent:

• A Non-Federal Entity that expends Federal awards received from a pass-through entity to carry out a Federal program

• Has performance measured against whether the objectives of a Federal program are met


Subrecipient:

• Has responsibilities for programmatic decisions

• Is responsible for complying with Federal program requirements

• Uses Federal funds to carry out a program as compared to providing goods or services for a program


Vendor:

• Provides goods and services within normal business operations

• Operates in a competitive environment

• Provides similar goods or services to

many different purchasers

Subrecipient Versus VendorVendor:

• Retains no rights to intellectual property

• Provides the goods or services that are required for the conduct of a Federal program but are ancillary to the operation of the Federal program

• Is not subject to compliance requirements of the Federal program

Direct Versus Indirect CostsDirect Costs:

• Can be identified with a specific project or activity relatively easily with a high degree of accuracy

Direct Salaries & WagesMaterials & SuppliesConsultants & Subcontractors

Direct Versus Indirect CostIndirect Costs:

• Referred to as Facilities & Administrative costs

• Indirect costs are those that are incurred for common or joint objectives and therefore cannot be identified readily and specifically with a particular project or activity

Fringe Benefits Overhead G & A

Internal Control

A process designed to provide reasonable

assurance of achieving the following:

• Effective and efficient operations

• Reliable financial reporting

• Compliance with laws, rules, regulations and guidelines

Roles and Responsibilities

The Players:

• Principal Investigator (PI)/Project Manager

• Department/Unit Administrator

• Department Chair/Program Manager

• Dean/Division Director

• Central/Grant Administration


PI/Project Manager:

• Awareness of requirements

• Monitor and oversight of day-to-day

aspects of the project

• Prepare required progress reports


PI/Project Manager:

• Authorize all project expenditures and payments to consultants and subcontractors

• Adhere to terms and conditions of award

• Retain project data and materials as required

Roles and ResponsibilitiesDepartment/Unit Administrator:

• Provide administrative support to the

project

• Assist in complying with award terms

and conditions, regulations and policies

• Monitor expenditures of award funds, obtain necessary authorized signatures


Department/Unit Administrator:

• Coordinate with Central/Grant Administration on reporting

• Assist Central/Grant Administration

with closeout and audit activities


Department Head/Program Manager:

• Overall administrative and financial operation of the department/program

• Oversight of all project activity and

staff & other resources

Roles and ResponsibilitiesDean/Division Director:

• Management support, sets tone at top,

broad oversight of projects/programs

• Provide divisional/unit concurrence in negotiation and acceptance of awards

• Provide divisional/unit oversight for compliance with regulatory requirements

Roles and ResponsibilitiesCentral/Grant Administration:

• Management of all aspects of an award throughout its life cycle frompre-award through closeout activities.

• Liaison with Federal Agencies

• Assistance in locating funding opportunities

• Negotiation and acceptance of awards


Central/Grant Administration:• Prepare billings, financial reports

and other electronic submittals

• Maintain time reporting and grant accounting system

• Provide advise on financial matters

• Coordinate A-133 and other audits

INTERNAL CONTROLS REVIEWED/INTERNAL

CONTROL QUESTIONNAIRE

Single Audit Test of Controls is Built On Foundation of Government Audit

GAAS- Obtain understanding of internal controls over financial reporting sufficient

to plan audit-Understand controls; whether in place; whether operating

- Report oral or written significant deficiencies and material weaknesses

GAS- Added requirement on safeguarding controls and controls over

compliance with laws and regulations

- Require report and written significant deficiencies and material weaknesses

Single Audit-Understanding controls over Federal compliance

requirements to support a low assessed level of control risk over major programs

- Required report and schedule of findings

OMB Compliance Supplement (Part 6) Follows the COSO Model of Internal

Controls

• Control Environment

• Risk Assessment• Control Activities• Information and communications• Monitoring

COSO = Committee of Sponsoring Organizations of the Treadway Commission

• Report on how to look at controls, assess risk and the limitations of controls

• Widely used as a framework to understand controls but is not the only one

• Framework:

- Definitions - Monitoring- Control environment - Limitation of internal controls- Risk assessment - Information and communications

- Roles and responsibilities

Following COSO Model, OMB Selected Control Activities for Each of the Compliance RequirementsA. Activites allowed or unallowed

B. Allowable costs/cost principles

C. Cash management

D. Davis-Bacon Act

E. Eligibility

F. Equipment & real property mgmt

G. Matching level of effort,

earmarking

H. Period of availability of Federal

Funds

Note: Does not have to use those in the

compliance supplement or

I. Procurement and suspension

and debarment

J. Program Income

K. Real property acquisition/

relocation assistance

L. Reporting

M. Subrecipient monitoring

N. Special test and provisions

(control procedures not listed)

all of them and should use

others if more are appropriate.

Assessment of Risk

• General Risk Consideration

- Experience

- Length of time

- Effect of non compliance

- Routine/non-routine transaction

- Estimate or judgment

Assessment of Risk• Inherent Risk - risk that material noncompliance with

a major program’s compliance requirements could occur, assuming there are no related controls.

- Factors to consider:

- Size of the program - Subrecipients - Program maturity - Level of oversight - Complexity - Prior audit findings - Extent of contracting - Identified as high risk - Other factors

Assessment of Risk• Control Risk - risk that material noncompliance that

could occur in a major program will not be prevented or detected on a timely basis by the program’s internal control.

- Preliminary control risk

- Final control risk

• Fraud Risk - risk that intentional material noncompliance with a major program’s compliance requirements could occur.

Assessment of Risk

• Detection Risk - risk that the audit procedures will lead to the conclusions that noncompliance that could be material to a program doesn’t exist when in fact it does exist.

- Factors to consider:

- Inherent risk

- Control risk

- Fraud risk

Assessment of Risk

• Risk of Material Misstatement - combination of inherent risk and control risk. Based on professional judgments.

• Audit Risk - risk that the auditor may unknowingly fail to appropriately modify his or her opinion on compliance. It is comprised of inherent risk, control risk, fraud risk and detection risk.

What Are We Looking for Controls to Do?

• Prevent or detect material noncompliance

• Initial assessment to be at low controlled risk

• Final analysis does not need to be at a low level of controlled risk

Types of ControlsPervasive Controls - Controls around the process, i.e.,

separation of duties, supervision,

hiring, training, skills

Specific Controls -

Preventative -

Detective -

Stop error from occurring

Identify and notify that an error has occurred

Monitoring Control - Identify when a preventative or detecting control is not working

Process to Test Single Audit Controls

A. Identify the Control Objectives or “What Can Go Wrong”

B. Understand the Mitigating Controls

C. Walk Through of the Control Process

D. Assess the Design Effectiveness

E. Test Controls

F. Assess Operating Effectiveness

G. Report Findings


A. Identify the Control Objectives or “What Can Go Wrong” -

• Can use the compliance supplement

• Only need to access those requirements that are direct and material

• Can develop on your own control procedures


B. Understand the Risk Prevention Process

Using the COSO Model -

• Control Environment - sets the tone of an organization influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.



Using the COSO Model (cont’d) -

• Risk Assessment - is the entity’s identification and analysis of risks relevant to achievement of its objectives, forming a basis for determining how the risks should be managed.



Using the COSO Model -

• Control Activities - are the policies and procedures that help ensure that management’s directives are carried out.

• Information and Communication - are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.



Using the COSO Model (cont’d) -

• Monitoring - is a process that assesses the quality of internal control performance over time.

Process to Test Single Audit ControlsControl Environment

• Sense of conducting operations ethically, as evidenced by a code of conduct or other verbal or written directive.

• If there is a governing Board, the Board has established an Audit Committee or equivalent that is responsible for engaging the auditor, receiving all reports and communications from the auditor, and ensuring that audit findings and recommendations are adequately addressed.

Process to Test Single Audit ControlsControl Environment (cont’d)

• Management’s positive responsiveness to prior questioned costs and control recommendation.

• Management’s respect for and adherence to program compliance requirements.

• Key managers’ responsibilities clearly defined.

• Key managers have adequate knowledge and experience to discharge their responsibilities.

Process to Test Single Audit ControlsControl Environment (cont’d)

• Staff knowledgeable about compliance requirements and being given responsibility to communicate all instances of noncompliance to management.

• Management’s commitment to competence ensures that staff receive adequate training to perform their duties.

• Management’s support of adequate information and reporting system.

Process to Test Single Audit ControlsRisk Assessment

• Program managers and staff understand and have identified key compliance objectives.

• Organizational structure provides identification of risks of noncompliance:

- Key managers given responsibility to identify and communicate changes.

- Employees who require close supervision (e.g. inexperienced) are identified.

Process to Test Single Audit ControlsRisk Assessment (cont’d)

• Organizational structure provides identification of risks of noncompliance: (cont’d)

- Management has identified and assessed

complex operations, programs, or projects.

- Management is aware of results of monitoring, audits, and reviews and considers related risk of noncompliance.

- Process established to implement changes in program objectives and procedures.


Control Activities• Procedures in place to implement changes in laws,

regulations, guidance, and funding agreements affecting Federal awards.

• Management prohibition against intervention or overriding established controls.

• Adequate segregation of duties provided between performance, review, and recordkeeping of a task.


Control Activities (cont’d)

• Computer and program controls should include:

- Data entry controls, e.g., edit checks. - Exception reporting.

- Computer general controls and security controls.

- Reviews of input and output data.

- Access controls.


Control Activities (cont’d)

• Operating policies and procedures clearly written and communicated.

• Supervision of employees commensurate with their level of competence.

• Personnel with adequate knowledge and experience to discharge responsibilities.

Process to Test Single Audit ControlsControl Activities (cont’d)

• Equipment, inventories, cash, and other assets secured physically and periodically counted and compared to recorded amounts.

• If there is a governing Board, the Board conducts regular meetings where financial information is reviewed and the results of program activities and accomplishments are discussed. Written documentation is maintained of the matters addressed at such meetings.


Information and Communication

• Accounting system provides for separate identification of Federal and non-Federal transactions and allocation of transactions applicable to both.

• Adequate source documentation exists to support amounts and items reported.


Information and Communication (cont’d)

• Recordkeeping system is established to ensure that accounting records and documentation retained for the time period required by applicable requirements; such as the A-102 Common Rule, 0MB Circular A-133, and the provisions of laws, regulations, contracts or grant agreements applicable to the program.



• Reports provided timely to managers for review and appropriate action.

• Accurate information is accessible to those who need it.

• Reconciliations and reviews ensure accuracy of reports.



• Established internal and external communication channels.

- Staff meetings. - Bulletin boards. - Memos, circulation files, e-mail. - Surveys, suggestion box.

• Employees’ duties and control responsibilities effectively communicated.



• Channels of communication for people to report suspected improprieties established.

• Actions taken as a result of communications received.

• Established channels of communication between the pass-through entity and subrecipients.


Monitoring

• Ongoing monitoring built-in through independent reconciliations, staff meeting feedback, rotating staff, supervisory review, and management review of reports.

• Periodic site visits performed at decentralized locations (including subrecipients) and checks performed to determine whether procedures are being followed as intended.


Monitoring (cont’d)

• Follow up on irregularities and deficiencies to determine the cause.

• Internal quality control reviews performed.

• Management meets with program monitors, auditors, and reviewers to evaluate the condition of the program and controls.


Monitoring (cont’d)

• Internal audit routinely tests for compliance with Federal requirements.

• If there is a governing Board, the Board reviews the results of all monitoring or audit reports and periodically assesses the adequacy of corrective action.

C. Walk Through the Control Process to Understand What It is and Whether It is Operational

• One transaction from start to finish

• Have the processors show what they do, what they review, exceptions uncovered and how exceptions are handled

• Observe and review documentation


D. Assess if the Procedures in Place As Designed Are Effective at Reducing the Risk on Non Compliance to A Low Level

• Requires judgment• Believe no material errors would occur undetected• If the procedures are designed effectively, must test

to ensure operating throughout the period• If not designed effectively, no need to test as you

can write your finding


E. Test the Controls Throughout the Period to Determine if They Were Operating As Desired

• Perform test in compliance supplement or design a test to ensure controls were working throughout the period

• Sample size is a matter of judgment

• Suggested sample size of 40 or 60 because of low level of assessed risk while some firms use 25 for moderate level risk


Types of Control Tests

• Observation

• Inspection

• Knowledge assessment

• System query

• Reconciliation

• Physical examination

• Review

• Inquiry

• Re-performance

• Corroborative inquiry

• Confirmation

• Computation

• Operating test


F. Assess the Operating Effectiveness

Number of Expected or Actual Deviations

Planned Assessed Level of Control Risk 0 1 2 3

Low 60 * * *

Moderate 25 40 60 60

Slightly Below Maximum * 25 25 40

Maximum * * * *

* Omit test because tests of controls would most likely be inefficient or ineffective


G. Reporting Findings

Identify the following:

• Finding or non compliance

• Compliance requirement

• Known dollars of non compliance

• Likely dollars of non compliance

• Cause

• Effect


G. Reporting Findings

Type of Finding:

-Control-• Deficiency• Significant deficiency• Material weakness

-Specific Test-• Material non compliance• Non compliance

Type of Report:

• Unqualified• Qualified• Adverse• Disclaimer

Type of Control WeaknessesSignificant Deficiency Quantitative Deficiencies - Any internal control related findings

quantitatively less than the Program Tolerable Noncompliance should be classified as a Significant Deficiency to the program.

Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.

Material Weakness Quantitative Considerations - Any internal control related findings quantitatively equal to or greater than the Program Tolerable Noncompliance should be classified as a Material Weakness in the program.

Qualitative Considerations - There may be instances, based on auditor judgment, where internal control related findings that quantitatively would not be considered material, may be deemed material weaknesses by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.

Type of Compliance FindingMaterial Noncompliance Quantitative Considerations - Any noncompliance quantitatively equal

to or greater than the Program Tolerable Noncompliance should be classified as Material Noncompliance to the program.

Qualitative Considerations - There may be instances, based on auditor judgment, where noncompliance that quantitatively would not be considered material, may be deemed material noncompliance by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.

Noncompliance Quantitative Considerations - Any internal control related findings quantitatively less than the Program Tolerable Noncompliance should be classified as Noncompliance to the program.

Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.

Examples of Strong Internal Controls

A. Activities Allowed or Unallowed and

B. Allowable Costs/Cost Principles

Control Environment

• Management sets reasonable budgets for Federal and non-Federal programs so that no incentive exists to miscode expenditures.




Risk Assessment

• Key manager has a sufficient understanding of staff, processes, and controls to identify where unallowable activities or costs could be charged to a Federal program and not be detected.




Control Activities

• Supporting documentation compared to list of allowable and unallowable expenditures.

• Adequate segregation of duties in review and authorization of costs.





• Reports, such as a comparison of budget to actual

provided to appropriate management for review on

a timely basis.


C. Cash Management

Control Environment

• Budgets for drawdowns are consistent with realistic cash needs.


C. Cash Management (cont’d)

Control Activities

• Appropriate level of supervisory review of

cash management activities.

• Written policy that provides:

- Procedures for requesting cash advances as

close as is administratively possible to actual

cash outlays


C. Cash Management (cont’d)


• Variance reporting of expected versus actual cash disbursements of Federal awards and drawdowns of Federal funds.


D. Davis-Bacon Act

Control Activities

Contractors informed in the procurement documents of

the requirements for prevailing wage rates.

Monitoring

Management reviews to ensure that certified payrolls

are properly received.


E. Eligibility

Control Environment

• Staff size and competence provides for proper making

of eligibility determinations.

Risk Assessment

• Conflict-of-interest statements are maintained for

individuals who determine eligibility.

Examples of Strong Internal ControlsE. Eligibility (cont’d)

Control Activities

• Eligibility objectives and procedures clearly

communicated to employees.• Authorized signatures (manual or electronic)

on eligibility documents periodically reviewed.• Manual criteria checklists or automated process

used in making eligibility determinations.


E. Eligibility (cont’d)

Monitoring

• Program quality control procedures performed


F. Equipment and Real Property Management

Control Activities

• Accurate records maintained on all acquisitions and dispositions of property acquired with Federal awards.

• A physical inventory of equipment is periodically taken and compared to property records.


F. Equipment and Real Property Management (cont’d)

Monitoring

• Management reviews the results of periodic inventories and follows up on inventory discrepancies.

Examples of Strong Internal ControlsG. Matching, Level of Effort, Earmarking

Control Environment• Budgeting process addresses/provides adequate

resources to meet matching, level of effort, or

earmarking goals.

Risk Assessment• Identification of areas where estimated values will be

used for matching, level of effort or earmarking.


H. Period of Availability of Federal Funds

Control Activities

• Accounting system prevents obligation or expenditure

of Federal funds outside of the period of availability.

• Cancellation of unliquidated commitments at the end of

the period of availability.


H. Period of Availability of Federal Funds (Cont’d)

Monitoring

• Periodic review of expenditures before and after cut-off date to ensure compliance with period of availability requirements.


I. Procurement and Suspension and Debarment

Risk Assessment• Procedures to identify risks arising from vendor inadequacy, e.g., quality of goods and services, delivery schedules, warranty assurances, user support.

Control Activities• Contractor’s performance with the terms, conditions and specifications of the contract is monitored and documented.


I. Procurement and Suspension and Debarment (cont’d)

Monitoring

• Management periodically conducts independent reviews of procurements and contracting activities to determine whether policies and procedures are being followed as intended.


J. Program Income

Control Environment

• Realistic performance targets for the generation of program income.

Risk Assessment

• Mechanisms in place to identify the risk of unrecorded or miscoded program income.


J. Program Income (cont’d)

Monitoring

• Internal audit of program income.


L. Reporting

Control Environment• Management’s attitude toward reporting promotes

accurate and fair presentation.

Control Activities• Tracking system which reminds staff when reports

are due.


M. Subrecipient Monitoring

Control Environment

• Sufficient resources dedicated to subrecipient monitoring.

• Appropriate sanctions taken for subrecipient noncompliance.


M. Subrecipient Monitoring (cont’d)

Risk Assessment

• Key managers understand the subrecipient’s environment, systems, and controls

sufficient to identify the level and methods of monitoring required.


M. Subrecipient Monitoring (cont’d)

Monitoring

• Supervisory reviews performed to determine the adequacy of subrecipient monitoring.

Walk Through the Internal Controls Questionnaire of Part 6 of the

Compliance Supplement

PURPOSE, PROCESS, OUTCOMES: AN AUDITOR’S

PROSPECTIVE

Purpose - As Described By Donna’s

Presentation• Single Audit enacted 1984 – Circular A-133 1990

• Non-Federal Entities receiving Federal Funds

• Set standards for consistency and uniformity

• Provided specific policy, procedures and criteria

Process - An Auditor’s Prospective

• Understanding the entity and their internal controls over financial reporting and compliance by discussions, observations, and testing and assessing risk for audit planning

• Following GAAS, GAS, And OMB A-133 Standards

Process - An Auditor’s Prospective

• Providing clear guidance to auditees about audit requirements, testing criteria & needs and documenting results of audit procedures

• Concluding and reporting results

Outcomes – Auditor’s Findings & Reports

Controls in place, documented, and good audit trails exist

• Controls effective?

• Are you prepared?


GAS – Report on internal controls over financial

reporting and on compliance & other matters

Control Objectives – Environment, risk assessment, and control activities (attributes an auditee strives to achieve)

Control Component – Information, communication & monitoring (attributes needed to achieve the objectives)

• Finding? Significant deficiency or material weakness


Compliance and Other Matters – GAS

• FINANCIAL STATEMENTS – Reasonable assurance is obtained - they are free of material misstatement due to compliance with certain provisions of laws, regulations, contracts, and grant agreements – AND free of fraud and abuse concerns?

• FINDINGS? Compliant or Non-compliant?


OMB Circular A-133 – Report on compliance with requirements applicable to major programs and on internal control over compliance in accordance with Circular A-133 COMPLIANT with the 14 types of compliance requirements

in the compliance supplement?

INTERNAL CONTROL over compliance effective?

• FINDINGS? Significant Deficiency or Material Weakness?

Universities – How to Manage Single Audit From A Practical Viewpoint –

Your Internal Controls

I. Understanding Applicable State and Local Compliance and Reporting Requirements – Steps to be Considered for audit preparation:

• Each Department Head should complete the internal control questionnaire for the CFDA’s under their responsibility and fully understand control objectives as they relate to each specific grant. Review prior year submitted information and update the questionnaire. Conduct meetings with auditors for clarification.


Your Internal Controls• Have annual, or more frequent, meetings with all

individuals who have a part in grant disbursements, reporting and other compliance requirements to discuss the relevant controls for better understanding of all parties. Monitor compliance by timely review of all relevant procedures and reports prior to audit.

• Read and understand the Compliance Supplement for the CFDA for advance awareness of what will be tested. Typically, this does not change annually, so being prepared is essential to the audit.



• Communicate with grantor agencies for better understanding of what is significant about the grant and determine if they are aware of any overall control deficiencies experienced with grant funds. This may assist in avoiding such experiences.



• Subscribe to Federal single audit references and circulate relevant information to the department – this could have a significant impact on the identification of controls that are missing from your process. Meet and discuss how to address the requirements specified in the relevant literature.



• Monitor your compliance

• Supervision, reviews and approvals are essential to your success.



Be aware of the applicable federal law and requirements using the Compliance Supplement and applicable references.

• Part 2 – Matrix of Compliance Requirements (14 types identified)

• Part 3 – Compliance Requirements Applicable to the CFDA



Compliance Supplement and applicable

references (Cont’d)

• Part 4 – Specific additional requirements of the federal program pertaining to provisions of contracts or grant agreements that are unique to a particular CFDA



Compliance Supplement and applicable

references (Cont’d)• Part 5 – Specific to Clusters of Programs (closely related

programs with similar compliance requirements) - ( i.e) SFA

• Part 6 – Internal control requirements and guide

• Part 7 – Use of other specific industry or federal department guides to identify program objectives, procedures and compliance requirements



• Universities have significant references to Title IV Programs for SFA, and as such follow the guidance of 34 CFR section 691….



• While Department of Education’s (DOE) Audit Guide is not a requirement for the Single Audit, program objectives, procedures and compliance requirements provide additional understanding to the auditor for single audit compliance procedures

• R&D Program requirements are very specific and monitoring is essential for success



• The Federal Register (November 1, 2006) provided guidance in 34 CFR Parts 668, 682, and 685 regarding SFA, Final Rule. This literature provides guidance to auditors as well as the auditee.

• Familiarity with such federal department literature is also noteworthy for SFA audits.



• These items are just reminders of the need for timely meetings and communications to those individuals working with SFA to keep abreast of updates and to be prepared for the audit process.



II. Materiality Considerations – Compliance Testing

Auditors may use judgment in materiality considerations resulting from findings (or exceptions) noted during the audit. (Case-by-Case basis and is usually dependent on the impact on grant objectives).



Materiality is Affected By:

• The nature of the compliance requirements, which may or may not be quantifiable in monetary terms

• The nature and frequency of non-compliance identified with an appropriate consideration of sampling risk; and



Materiality is Affected By: (Cont’d)

• Qualitative considerations, such as the needs and expectations of federal agencies and pass-through entities



Qualitative Factors Include:

• Low risk of public or political sensitivity

• A single exception that has a low risk of being pervasive



Qualitative Factors (Cont’d)

• An indication, based on auditor’s judgment an experience, that the affected federal agency or pass-through entity normally would not need to resolve the finding or take follow-up action




• The single audit process is lengthy.

• The compliance requirements are to be tested as provided for in the Compliance Supplement.



Recap A-133 Overview (Cont’d)

• The auditee’s familiarity and understanding of Grants, is essentially the most important facet in achieving a smooth audit.

• The preparations undertaken to achieve your internal control objectives are important, and to a great extent, the means to reducing compliance findings.

Questions???

Documents

Governor’s Grants Office