Audit / Yellow Book / Single Audit Update

May 11, 2017

Presented by Eric Berman – Eide Bailly

Hosted by State of Maine Department of Administrative and Financial Services Office of the State Controller

Day 2 of 2



www.eidebailly.com

As a Reminder…

This presentation is presented with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns, as the contents of this presentation are intended for general informational purposes only. Viewers are urged not to act upon the information contained in this presentation without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and additional information can be submitted to your Eide Bailly representative, or to the presenter of this session.


Agenda

• New Auditing Standard - SAS 132 The Auditor’s Consideration of An Entity’s Ability to Continue as a Going Concern (AU-C Section 570)

• What the OPEB Audit May Look like…

• Blockchain – The Game Changer for Auditing, Financial Reporting and Compliance?

• Cyber Security – A Focus Area this Year

• Do We Have a New Yellow Book Coming?

• Single Audit Update

  • What We Know About the 2017 Compliance Supplement

  • Revisiting Subrecipient Monitoring – Do We Get it Yet?

  • COSO and Internal Controls

  • Contractor Integrity – How Far Do We Go in Procurement?

  • To Document or Not To Document – That is the Question…

  • Developing and Reporting Audit Findings


Going Concern – new SAS-132 (AU-C Section 570)

• Effective for periods ending on or after 12/15/17

• Clarifies Auditor’s objectives / conclusions

  • Appropriateness of using going concern basis

  • Whether substantial doubt exists for a reasonable period of time based on evidence

• New requirements on third party support (e.g. State support of local government)

• Emphasis paragraph in auditor’s report if substantial doubt is alleviated (close-call) situations

• SAS applies whether general purpose financial statements or special purpose framework (SPF) (e.g. Statutory Basis)


Going Concern – new SAS-132 (AU-C Section 570)

• Going concern assumes the entity will continue operations for a reasonable period of time

• Standard applies even if SPF does not require assessment

• For now, auditors of governments and management use GASB-56, par. 16 as a basis

• Limit is 12 months and consideration of period ‘shortly thereafter’

• Most preparers use 3 months as that’s in GASB’s example

• Management judgment will vary based on:

  • GASB provisions

  • Size and complexity of government

  • Nature of operations

  • Degree it is affected by external factors that may affect outcome (what are some?)

• Judgment based on conditions / events known and reasonably knowable at the date of financial statement issuance

• Watch for subsequent events!


Going Concern – new SAS-132 (AU-C Section 570)

• What is a reasonable period of time?

• For non-GASB entities (due to GASB-56) – within one year after the date the financial statements are issued or available to be issued

• GASB entities – 12+3 months (could change in the future)

• Auditors will consider this as part of risk assessment and be alert for going concern issues throughout the audit

• Auditors will inquire beyond management’s evaluation


Going Concern – new SAS-132 (AU-C Section 570)

• If a going concern issue exists – auditors should

• Request management to make an evaluation when management has not performed one

• Evaluate management’s plan if it is probable to succeed

• If a cash flow forecast has been prepared, evaluate the reliability / support of the forecast

• Consider additional facts / information that has come to light since the evaluation

• Obtain written representation on the going concern

• Modify the auditor’s report as necessary


Going Concern – new SAS-132 (AU-C Section 570)

• If there is a significant delay in issuing financial statements, the auditors will ask why

• If delay related to management’s evaluation of going concern, additional procedures may be necessary

• Documentation includes

  • Conditions that led to going concern

  • Elements of management’s plans that are significant to overcome the going concern

  • Audit procedures performed to evaluate the going concern

  • Conclusion regarding the substantial doubt (and if alleviated)

  • Conclusions / effects on the auditor’s report


What the OPEB Audit May Look Like

Until the AICPA Issues the Audit and Accounting Guide for State and Local Governments for 2017 – this is speculative…


Understanding the Differences Between Pensions and OPEB – Key Differences

| Pensions | OPEB |
| --- | --- |
| Salary and time are vital in projection of benefits (longer you work, the more your salary, the more benefit) | Based on healthcare claims – years of service do not impact in many cases |
| Pension actuaries are common | OPEB actuaries must have experience in both pensions and healthcare claims development or have 2 certifications |
| Actuarial assumptions are relatively stable | Actuarial assumptions include pension assumptions, plus healthcare cost trend rate, effects of taxation, insurance and Medicare (as well as law) – pension assumptions may not be that significant in OPEB |
| Benefits are well documented and change infrequently | Much more informal – may change annually based on budget / healthcare trends / laws / bargaining |


Understanding the Differences Between Pensions and OPEB – Key Differences

| Pensions | OPEB |
| --- | --- |
| Base benefit is defined in advance with potential COLAs (if allowed) | Benefit may be adjusted by administrative policy, collective bargaining, etc. |
| Usually a separate plan, usually an irrevocable trust | Most often part of the employer, potentially part of HR – irrevocable trust is not common |
| Annual valuations most often done | Biennial (or triennial) valuations performed |
| Data sources / internal controls are usually well documented, even if some is at the employer(s) and some at the plan | Data sources / internal controls less documented, especially if a third-party administrator / insurer is involved |
| Actuarial valuations use entry-age normal method – focusing on projecting the future benefits, discounting payments to present value and attribute amounts to future periods | Same method as pensions, but adds healthcare claims development and effect of laws, insurance etc. |


Understanding the Differences Between Pensions and OPEB – Key Differences in Assumptions

| Pensions | OPEB |
| --- | --- |
| Long-term investment rate of return is usually key driver in discount rate | Investment rate of return is usually immaterial due to lack of funding and no trust available |
| Mortality rate is critical in projection of liability | Mortality rate is less critical as plan is usually pay as you go (PAYGO) meaning much of the liability is pre-age 65 / 67 (after that age – Medicare or other insurance?) |
| Retirement age is where liability is to be ready to be paid | Retirement age is crucial to determine cash flows, but years of service harder to determine |
| Inflation and COLAs may be present | Healthcare cost trend rate may be a larger driver than investment return |
| Multiple retirement benefit options may exist for survivors | Plan choice, number of dependents / beneficiaries may significantly change liabilities |


Understanding the Differences Between Pensions and OPEB – Key Differences in Assumptions

| Pensions | OPEB |
| --- | --- |
| Not a factor | Utilization by Age is key – the older you get, the more healthcare costs |
| Not a factor | Retirees may have to pay for / share in costs of healthcare (premiums). Higher premiums = lower participation rates. May convert to Medicare or other insurance after age 65 / 67 |
| Not a factor unless GASB in the future revisits decision not to include social security as a liability | Excise tax exists (ACA “Cadillac Tax”) |


As a Result…

• Detailed Plan documentation and ensuring that the plan as documented is the plan as administered is critical

• HR and Finance (and others) must talk to each other!

• Interfacing the OPEB valuation with the pension valuation is important

• Certain assumptions should be the same such as mortality, retirement rates, etc.

• The plan may be the only source of key information such as total years of service


As a Result…

• Audit procedures that worked well for pensions may be totally ineffective for OPEB

• Truly understanding the benefits, key assumption drivers, sources of data, and key census data will be critical to designing procedures and gathering audit evidence.

• What do you think is the key reason why the model for allocating pension costs from cost-sharing multiple-employer plans to employers may not work for OPEB multiple-employer plans?


Audit Procedures Focus on What Could Go Wrong… (Risks)

• Actuaries may not have proper qualifications / experience

• Current health plan document or administrative policy not given to actuary for valuation

• HR may administer the policy differently than what is understood in budgetary documents

• Many plans are self-insured with little or no segregation of records for premiums or claims for retirees or active members

• Difference between where ‘the plan’ ends and ‘the employer’ begins not well defined in book of record

• Assumptions may be inconsistent from valuation to valuation

• Census data is not well defined

• TPA used in claims processing and recordkeeping


Potential Scenario from AICPA

• Audit will likely parallel pensions as much as possible

• New chapter in the Audit and Accounting Guide State and Local Governments for 2017

• Will include different procedures to focus on risks than pensions

• AU-C 500 Audit Evidence section on using the work of a management’s specialist will be key for auditors

• AU-C 620 Using the Work of an Auditor’s Specialist will likely also be used as many auditors do not understand OPEB


Potential Scenario from AICPA

• Determine whether the auditor will rely solely on management’s specialist or also utilize their own auditor specialist

• Obtain the plan documents used by the actuary for the valuation and perform tests and interviews to ensure that the plan as documented is the plan as administered

• Obtain census data that was provided to actuary and perform appropriate tests based on internal control assessment and determination of which data is most significant

• Review/discuss actuarial assumptions and methodology for reasonableness


Potential Scenario from AICPA

• Review employer’s processes and internal controls regarding tracking of retiree healthcare expenses separately from active healthcare expenses, including the allocation to specific months, test as appropriate

• Review GAAP conversion (GASB-45 to 75 / 85) journal entries to ensure that:

• Prior period adjustment to reverse off any GASB 45 net OPEB obligation and to record initial beginning net or total OPEB liability are correct

• OPEB related expenditures/expenses as tested above are properly identified and included

• OPEB related expenditures/expenses occurring after the measurement date have been recorded as a deferred outflow

• The change in the net or total OPEB liability is properly reflected

• Current period deferred inflows or outflows are properly recorded

• Amortization of prior year deferred inflows and outflows are correct and tie to previous year’s schedules


Reminder about Management’s Specialists

• To use the work of Management’s Actuary as audit evidence, the auditor must:

• Evaluate the competence, capabilities and objectivity of the specialist

• Obtain an understanding of the work of that specialist

• Evaluate the appropriateness of the work of that specialist for audit evidence for the relevant assertions

• Additional considerations not in the standard:

  • Actuaries are not independent – but are they objective?

  • Is there compliance with GASB-74 / 75 or are there actuarial deviations?


Reminder about Auditors’ Specialists

• Auditors may need a specialist if

• The engagement team does not possess the skills, knowledge and experience.

• Team may gain the experience / understanding through CPE and other engagements

• The evaluation of the management specialist created concerns regarding:

• Nature and scope of the management specialist’s work

• The extent to which management (plan or employer) can exercise control or influence

• The competence and capabilities of the management specialist

• The auditor’s ability to evaluate the work and findings without assistance from the auditor specialist


Questions Auditors May Ask an OPEB Actuary

• If the actuarial communication is not addressed to the government

• Is the government the intended user? (If not, additional procedures needed to place reliance)

• If qualifications not affirmed in report – does the actuary have the qualifications?

• If the responsible actuary did not sign the valuation, do they have the knowledge and access to the data to respond or are they authorized?


Questions Auditors May Ask an OPEB Actuary

• What internal review or other quality control processes exist within the actuary firm to ensure a complete and properly performed valuation?

• When was the last experience study performed for this valuation?*

• Does the principal actuary have a policy regarding study frequency?

• Does the principal actuary have a policy on prescribed assumptions or the valuation itself that affect how you perform the valuation?

• Has an actuarial audit (particularly a full replication audit) been performed on this engagement?*

  • If yes, is it available for inspection?

• Does the principal actuary have a policy on the frequency of actuarial audits?

* Both experience studies and actuarial audits will be far more common for pensions vs. OPEB


Questions Auditors May Ask an OPEB Actuary

• If the employer changed their health plan offerings:

  • Did the actuary reflect the plan changes in their valuation?

  • If updating, why do the changes not warrant a new valuation?

• Will the actuary confirm or supply the plan documentation that was used for the valuation?

  • Confirmed documentation should be tested to determine if actuary had complete, updated and accurate description of the plan.

• Assumption questions:

  • If not discussed in an actuarial communication - What was the rationale for the participation rate, utilization rate, and health care trend rate assumptions?

  • If the employer forces 65 year olds off the plan, what allowance was made for spouses and dependents who are under 65?


Questions Auditors May Ask an OPEB Actuary

• Who performed the age adjusted claims development and do they meet the qualification standards for claims development?

• If the responsible actuary is not qualified, they could have the claims development portion of the valuation performed and certified by a qualified health care actuary.

• If future cash flow projections are disclosed, how do they compare to actual experience?

• GASB does not require cash flow projections to be disclosed in the financials so they will often not be included in the valuation report either. However, if they are, this can be one of the best ways to assess the reasonableness of the valuation.

• For implicit rate subsidy plans that are not self-insured, what methodology was used to determine the subsidy?


Questions Which May Come from the Auditors to Management

• If plan changes occurred, what was the rationale for not conducting a new valuation?

• If assumption changes occurred, what was the rationale for not conducting a new valuation?

• If significant investment losses or a contribution holiday occurred, (trusted plans) has the actuary considered a new valuation or at least performed a new cash flow projection to update the discount rate?

• Have changes in the AA municipal bond index since the valuation date significantly impacted the present value calculation?

• Is the actuary aware of any significant actuarial losses or gains on the liability side that could warrant a new valuation?

• PLUS MANY OTHERS…


As a Result…

• Few, if any, governments and OPEB plans may implement GASB-75, 85 and 74, early

• Conversion from GASB-43 to 74 and 45 to 75 and 85 may be more difficult than implementing GASB-68

• Liabilities, plan provisions, trends may be more volatile than pensions

• If OPEB is material, for those under long-term contract with external auditors, OPEB represents a major change


Blockchain – The Game Changer for Auditing, Financial Reporting and Compliance?


What is a Blockchain?

• Underlying code for Bitcoin

• Simply defined – a Blockchain is a distributed, secured, logfile

• Bitcoin was the first widespread use

• Protocol for decentralized, pseudo-anonymous, peer-to-peer digital currency contained in a digital wallet

• Key is a publicly disclosed linked ledger of transactions stored in a blockchain

• Developed in the last decade (2008 was first technical whitepaper on it and patent)

• Transactions are heavily encrypted


Every Viable Transaction is Stored in a Public Ledger in Blocks, Linked by Hashes

Scale is Trillions of Hashes per Second on the Network


Why Does this Matter for Accountants and Auditors?

• As each “hash” is a list of compliance items with the longest path being an accepted chain by consensus of the users

• All transactions can be coded with all

  • Accounting

  • Financial Reporting and

  • Compliance elements

• Since all transactions can be pre-coded

• Records verification can be performed without any trusted central authority using blocks and ‘fingerprints’ to the previous block in the chain

• Cannot be modified / altered retroactively
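
An added illustration, not part of the original presentation: a minimal hash-linked ledger in Python showing how the ‘fingerprint’ of the previous block exposes a retroactive edit, and why a verifier also needs an independently held copy of the latest hash (the role that consensus among many holders plays). The journal entries, field names and function names are constructed for this example, and it leaves out signatures, consensus and proof-of-work.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first block

# Constructed sample data: three batches of journal entries (amounts in cents).
SAMPLE_BATCHES = [
    [{"account": "1000-Cash", "debit": 250000, "credit": 0, "memo": "grant drawdown"}],
    [{"account": "5100-Supplies", "debit": 95000, "credit": 0, "memo": "invoice 0042"}],
    [{"account": "2000-Payables", "debit": 0, "credit": 95000, "memo": "invoice 0042"}],
]


def block_hash(index, prev_hash, entries):
    """SHA-256 over the block's position, its link to the previous block and its entries."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "entries": entries},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def build_chain(batches):
    """Append each batch as a block that stores the previous block's hash."""
    chain, prev = [], GENESIS
    for index, entries in enumerate(batches):
        digest = block_hash(index, prev, entries)
        chain.append({"index": index, "prev_hash": prev, "entries": entries, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, trusted_head=None):
    """Recompute every fingerprint; return (ok, reason) naming the first failure.

    trusted_head is the latest hash as held by someone other than the party
    presenting the chain. Without it, only internal consistency is checked.
    """
    prev = GENESIS
    for pos, block in enumerate(chain):
        if block["index"] != pos:
            return False, f"block {pos}: index mismatch"
        if block["prev_hash"] != prev:
            return False, f"block {pos}: broken link to previous block"
        if block_hash(block["index"], block["prev_hash"], block["entries"]) != block["hash"]:
            return False, f"block {pos}: contents do not match stored hash"
        prev = block["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, "head hash differs from independently held copy"
    return True, "ok"


def run_scenarios():
    """Verify an untouched ledger and three altered copies; return each verdict."""
    original = build_chain(copy.deepcopy(SAMPLE_BATCHES))
    head = original[-1]["hash"]  # the copy other holders of the ledger would keep

    # 1. An entry in block 1 is changed after the fact; nothing else is touched.
    edited = copy.deepcopy(original)
    edited[1]["entries"][0]["debit"] = 9500

    # 2. Same change, and block 1's own hash is recomputed to match it.
    rehashed = copy.deepcopy(edited)
    rehashed[1]["hash"] = block_hash(1, rehashed[1]["prev_hash"], rehashed[1]["entries"])

    # 3. Every block from the change onward is rebuilt, so the copy is self-consistent.
    altered_batches = copy.deepcopy(SAMPLE_BATCHES)
    altered_batches[1][0]["debit"] = 9500
    rebuilt = build_chain(altered_batches)

    return {
        "original": verify_chain(original, head),
        "edited": verify_chain(edited, head),
        "rehashed": verify_chain(rehashed, head),
        "rebuilt_no_reference": verify_chain(rebuilt),
        "rebuilt_with_reference": verify_chain(rebuilt, head),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24} {verdict}")
```

The third scenario is the one an auditor testing such a system would care about: a fully rebuilt copy passes its own internal checks, so the guarantee rests on the latest hash being held by parties the record owner does not control.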


Saying this in English – (well… almost)

• Blockchain could be as disruptive as UBER / LYFT was to Taxis

• Accountants and auditors should not overlook it

  • Has traceable audit trail

  • It’s automated

  • It authenticates instantaneously

  • It tracks ownership of assets

  • It allows ‘smart contracting’ through the use of trusted parties to the contract

  • Can be used for any asset registry / inventory

  • It is real time

• Can be used as a central ledger – both sides of a transaction are in a shared ledger


Saying this in English – (well… almost)

• During an AICPA meeting in February 2017:

“In the future, virtually every function in the world of financial services will be displaced, disintermediated and decentralized. The Internet gave us a powerful way to share and access information. Blockchain now gives us a powerful way to share and access value” - Chairman of the Wall Street Blockchain Alliance

• This means

  • Greatly reduced errors when reconciling complex and disparate information from multiple sources

  • Records are not alterable once committed in the Blockchain – even by the owners of the accounting system

  • Every transaction is recorded and verified – integrity of records is guaranteed

  • May reduce or eliminate the need for auditing resources – potentially disrupting the profession as a whole?


The Disruption Vision…

• Financial reporting may largely be the result of pre-coded transactions with GASB provisions embedded in the blocks

• Reporting personnel may become consultative, interpreting the data and the results to decision-makers

• Reporting personnel will focus on managing the code

• For grants (if any…) eligibility would be predetermined

• Auditors may focus on

  • Testing the code to see if it complies

• How far off?

  • Some say in 5 years, you’ll start to see it

  • CNBC poll in March showed 4 in 10 workers may be replaced by robotic transactions by 2030


Cybersecurity – A Key Focus Area


Top Risks for the United States per Department of Defense

1. Let’s not go down the Politics Rat-hole!

2. Cyber threats

March 25, 2016 Headline – 7 Iranians charged with hacking attacks on US Banks and a dam in Westchester County NY

2. Terrorism

3. Transnational Organized Crime

“The severity and impact of cyberthreats have changed the landscape in which governments, corporations, individuals and, specifically, financial institutions of all sizes and complexities operate”.

http://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy


This is a bit scary…


How to Hack a Dam per the Wall Street Journal

• Hamid Firoozi used a readily available Google search process known as Google Dorking

• Identifies unprotected computers – found one that controlled sluice gates and operations

• Technique has been around for 10 years and is neither illegal nor always malicious

• Often used by certified ethical hackers

• Computers that control industrial / infrastructure systems often predate the internet and are not protected


Why is it Important?

DATA has VALUE

• Many organizations feel they have nothing worth stealing or they are too small and invisible.

• Data has value to an attacker

  • 40M records X $2/record = $80M attacker profit

• Exponential Rise in Ransomware

Think of the data you possess on your person, in your home, your job…


All Data Has Value – What’s Your Data Worth?


All Data Has Value – What’s Your Data Worth?

• Recent breaches

  • Anthem (97,000,000 impacted)

  • Staples (theft of 1,100,000 debit/credit cards)

  • JP Morgan Chase (76,000,000 households impacted)

  • Home Depot (56,000,000 cards)

  • Goodwill (868,000 cards; 330 stores in 20 states)

  • Dairy Queen (600,000+ cards; 395 locations)

  • Community Health Systems (4,500,000 patients’ data)

  • State of New York (22,800,000 private citizen records)

  • Michaels (3,000,000 cards)

  • Target (70,000,000 customers’ data)

  • Sony (2011 – 100,000,000 customers’ data)

  • US Office of Personnel Management – (Top secret clearances, aliases, informants, SSN’s, full PII, - 3,700,000 initial victims, 21,500,000 when fully disclosed)


All Data Has Value – What’s Your Data Worth?

• Is OPM Data Breach the “new normal?”

• Per Identity Theft Resource Center – 2005-2016 Data

  • Total of 6,903 reported data breaches (cumulative)

  • Estimated loss of 884,409,769 known compromised records

• 99.9% of breaches – MOST could be prevented

• 1,600 security sensors – 96% detected breach traffic

• Per Boston Fed (3/24/16) – even though financial services hacks declining – more devastating – banks are all connected to the Fed


All Data Has Value – What’s Your Data Worth?

[Chart: 10 Years of Hacks; x-axis 2007–2016, y-axis 0%–100%; series: Business, Education, Government, Health, Financial]


Types of Cyber Threats

Most common cyber-threats or cyber-related risks to most organizations:
• Malicious software or "malware"
• Distributed denial of service attacks
• Data leakage
• Third-party/cloud vendor risks
• Mobile/web application vulnerabilities
• Weaknesses in project management or change management
• Ransomware


Types of Hacks and What Was Stolen in 2016

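[Pie chart, types of hacks – categories: Insider Theft; Hacking / Skimming / Phishing; Hack during movement of data; Accidental Email / Internet Link; Subcontractor / 3rd Party; Employee Error / Negligence; Physical Theft. Slice values as extracted, not matched to categories: 7%, 57%, 5%, 9%, 7%, 9%, 6%]

[Pie chart, what was stolen – categories: Paper; Known / Unknown Records; SSNs; Exposed Credit / Debit Cards; Combinations. Slice values as extracted, not matched to categories: 6%, 38%, 39%, 10%, 8%]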


Who is Behind These Cyberthreats?

• Cyber-threats come from numerous sources per CIA / NSA / Interpol:
  • Organized crime groups
    • Drug Gangs, La Cosa Nostra, Shadow operations
  • Foreign intelligence services
    • Iran, North Korea, China, Russia are all known
  • Hackers
    • Anonymous, those who want to prove it can be done
  • Terrorists
    • ISIS and similar groups
  • Insiders
    • Employees who are disgruntled


Then there’s the time involved to find the source and remediate…

• According to a 2015 SANS Institute (Escal Institute of Advanced Technologies) Survey:
  • 36% spend an average of 24 hours or less to remediate an incident
  • 28% remediate in two to seven days
  • 66% cited a skills shortage as an impediment to effective Incident Response
• According to a 2014 M-Trends Survey (Mandiant / FireEye, Inc.):
  • In 2012 it took an average of 243 days to discover a breach
  • In 2013 it took an average of 229 days to discover a breach
  • 33% found the intrusion themselves
  • 37% had help finding the intrusion


External Threats

• Who should you be worried about?
  • Everyone including YOU!
  • Internet is global
  • Information access is handheld / mobile
  • Information has value
  • The last time you changed your password is?
    • And I bet I know where you wrote it down…
  • Google your name or go onto http://www.familytreenow.com to see how exposed you are


Phishing, Skimming and Spam

• An average of 904 new and unique phishing attempts are developed EVERY day globally per NSA / CIA.

• Phishers send out most mail on Mondays.

• Spam makes up 59% of monitored e-mail traffic.

• Spam typically accounts for 1.2 billion messages a week.

• Spam associated with financial goods and services was the most common type of spam.

• Typical Skimmer found at ATMs

• Duplicate card readers common at gas stations, retail and other points of transfers


The Cost of the Target Breach

• Costs to Target Include:
  • $148 million for the breach
  • $100 million for better security
  • $86 million to settle with VISA & MasterCard
• Total Cost $500+ million
• PLUS Lost their CEO
• PLUS Class-Action Litigation against the Board of Directors for negligence
• PLUS lost unknown number of customers
• PLUS made themselves a prime target for hackers to claim the new trophy
• http://www.latimes.com/business/la-fi-target-breach-settlement-20150818-story.html


Federal Cybersecurity Act of 2015

• Step toward helping health care sector defend against breaches
• As government is a recipient of HHS grants, could be applicable
• Sets “rules of the road” for how cyber-threat information should be shared – Threat Intelligence.
• 3 main provisions relative to health care sector:
  • Provides for development of:
    • Plan within each division of HHS defining responsibilities for addressing cyber-threats.
    • HHS task force to examine cyber challenges facing sector.
    • Common set of guidelines, best practices and methodologies to help sector address cyber-threats (NIST Cybersecurity Framework).


NIST Cybersecurity Framework – HOW TO PROTECT YOUR ORGANIZATION

• Common processes to manage cyber-risk - 5 Functions to develop / implement agency-wide:
  • Identify – understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect – safeguards to ensure delivery of critical infrastructure and services.
  • Detect – activities to identify occurrence of cybersecurity event.
  • Respond – activities to take action regarding detected cybersecurity event.
  • Recover – activities to maintain plans for resilience and to restore capabilities or services impaired due to cybersecurity event.


NIST Cybersecurity Framework


NIST Cybersecurity Framework Categories and Subcategories

• Protect
  • Access Control
    • Physical / logical – concentric rings of security
  • Awareness and Training
    • Should be ongoing – risks change daily
  • Data Security
    • Must be updated daily (or continuously)
  • Information Protection Processes and Procedures
    • Redundant systems for continuity of operations
    • Systems must be tested from cold boots regularly
  • Maintenance
    • Beware of system upgrades / repairs
  • Protective Technology
    • Firewalls and redundancies are a must


NIST Cybersecurity Framework Categories and Subcategories

• Detect
  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes
• Respond
  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements
• Recover
  • Recovery Planning
  • Improvements
  • Communications


Cyber Risk Management

Key Takeaways
• Set the tone from the top and build a security culture.
• Identify, measure, mitigate and monitor risks.
• Develop risk management processes commensurate with your institution's level of risk and complexity.
• Align IT strategy with business strategy and account for how risks will be managed both now and in the future.
• Create a governance process to ensure ongoing awareness and accountability.
• Ensure reports to you and those charged with governance are meaningful and timely with metrics on vulnerability to cyber risks and potential governance / operational impacts.


Basic Security Concept

Cyber Security Operations
• Prevention
• Detection
• Response

[Diagram labels: Culture; Governance; Evaluation; Infrastructure; Intelligence; Forensic Response; Continuity of Operations]


Prevent

• Establish budgets
  • Include Insurance and Deferment costs
• Follow best practices
  • National Institute of Standards and Technology (NIST)
• Obtain advance training
• Employ appropriate expertise
• Operationalize security into everyday duties of everyone
• Strategize to prevent every ATTEMPT


Monitor & Detect

• Establish centralized logging / reporting
• Be prepared to prove the loss for insurance claims (if cyber insurance purchased) or deferment
• Collect logs from all systems, networks, applications and all reported issues
• Correlate and aggregate all logs
• Set up rules and signature databases for alarms and alerts
• Collection should have no filters – no hack is too small
• Establish robust search, filtering and reporting capability
• Strategize to detect every ATTEMPT


Respond

• Establish a response capability / team
  • Include members from agency / multi-agency executive, IT, HR, security, legal
  • Don’t forget about public relations especially with Citizen’s PII
• Review reports from monitoring activities
• Meet regularly to make informed decisions / updates / budgets
• Strategize to respond to EVERY ISSUE
• Making an informed decision to do nothing is acceptable but beware of the consequences… (don’t be immune)


Key Takeaways – Why It Matters to the Audit

• Each of you can have a significant impact on security culture within your organization.
• Security is NOT a one-size-fits-all proposition.
• Build a security strategy into your controls framework
• Build a monitoring plan into your ongoing process.
• This process never sleeps!
• If the underlying data is not secure, lower reliance, higher risk of noncompliance


What the Yellow Book Exposure Draft Looks Like


OVERALL CAUTION

The Next 2 Sections (GAGAS) and the Single Audit Update Assume No Changes in the Current Single Audit Act Coming from Congress and Enacted by the President


Just In Case…

• The “Yellow Book” = GAGAS
• GAGAS = Generally Accepted Government Auditing Standards
• Overlay of Generally Accepted Auditing Standards (GAAS) issued by the Auditing Standards Board
• GAGAS contains the framework for ensuring that auditors possess competence, integrity, objectivity, and independence in planning, conducting, and reporting on their work
• GAGAS is required for audits of states, local governments, tribal nations and not-for-profits meeting certain criteria in the Uniform Guidance (Title 2, Code of Federal Regulations, Part 200) (Uniform Guidance or UG)
• Applying for federal grants may require GAGAS


Proposed Revisions

• Format and organization of GAGAS
• Auditor preparation of financials is a significant threat to independence
• 3 party arrangements in government
  • State auditor engages independent auditor for separate auditee
• Specialists
• CPE
  • 4 Hours Required CPE each time new version of GAGAS released
• Quality control and peer review
• Clarified definition of waste
• SSAE 18 and SSARS 21 (Reviews) incorporated into GAGAS
• Application of COSO to GAGAS


Chapters in the Proposed GAGAS

• Chapter 1 – Government Auditing: Foundation and Principles for the Use and Application of Generally Accepted Government Auditing Standards

• Chapter 2 – General Requirements for Complying with Government Auditing Standards

• Chapter 3 – Ethics, Independence and Professional Judgment

• Chapter 4 – Competence and Continuing Professional Education

• Chapter 5 – Quality Control and Peer Review

• Chapter 6 – Standards for Financial Audits

• Chapter 7 – Standards for Attestation Engagements and Reviews of Financial Statements

• Chapter 8 – Fieldwork Standards for Performance Audits

• Chapter 9 – Reporting Standards for Performance Audits


What is Going on in the Proposed GAGAS

• Chapter 1
  • The types of GAGAS users are addressed
  • Alignment to Integrated Audits (if necessary) due to SAS-130
  • Expanded Descriptions of Attestation Engagements, Reviews of Financial Statements and Performance Audits
  • Definitions of common terms used in GAGAS
    • Engaging Party
    • Audited Entity
    • Responsible Party
    • Specialist


Types of GAGAS Users

• GAGAS includes standards that are used by
  • Auditors
  • Audit organizations that audit government entities (example - state auditors / inspectors general)
  • Entities that receive government awards and other entities
• Types of users that may be required or may elect to use GAGAS include
  • Contract auditors – focus on government acquisitions and contracts
  • CPA firms
  • Federal Inspectors General
  • Federal Agency Internal Auditors
  • Municipal Auditors – (elected or appointed at cities, county other)
  • State Auditors (includes DC and territories)
  • “Supreme Audit Institutions” – In the US and elsewhere – includes GAO and similar internationally


Financial Audits that May be Required or May Elect to use GAGAS

• Most common is financial statement audit
• Other financial audits with various scopes including:
  • Obtaining sufficient, appropriate evidence to form an opinion on a single financial statement or specified elements, accounts, or line items of a financial statement (AU-C 805)
  • Issuing Letters for underwriters and other parties (Comfort letters – AU-C 920)
  • Auditing applicable compliance and internal control requirements relating to one or more government programs (AU-C 935 – aka the Single Audit)
  • Conducting an audit of internal control over financial reporting integrated with an audit of financial statements (integrated audit) (SAS-130 – not really applicable for government but is for not-for-profits)


Attestations, Performance Reviews and Performance Audits

• Attestations can be financial or nonfinancial – includes
  • Examinations
  • Reviews
  • Agreed-upon Procedures (AUP)
    • Uniform Guidance allows AUPs to be billed if performed under GAGAS
• Reviews may be a strong alternative when an audit is not required
  • But - no internal control testing, fraud risk or similar
• Performance Audits used to provide analysis on how to improve operations, reduce costs etc.
  • Important tool for Social Impact Bonds (Pay for Performance)
  • Objectives will be specified in the engagement but are typically program effectiveness, program internal controls or compliance


Common Definitions – Use for Your Reference

• Attestation Engagement – Examination, review, AUP conducted under GAGAS attestation standards related to subject matter or an assertion that is the responsibility of the other party

• Audit – Financial or performance audit in accordance with GAGAS

• Audit Organization – Government audit entity or Public Accounting or Other Audit Entity that performs GAGAS engagements

• Audit Entity – The entity subject to a GAGAS engagement, no matter what type of engagement

• Auditor – An individual performing work in a GAGAS engagement regardless of job title. May include auditor, IT auditor, analyst, practitioner, evaluator, inspector or similar

• Control objective – The aim of specific controls addressing risks related to objectives

• Engagement – Financial audit, attestation, review, performance audit in accordance with GAGAS


Common Definitions – Use for Your Reference

• Engagement Team (or Audit Team) – Professional staff members that plan, direct, perform fieldwork or report under GAGAS

• Engaging Party – Party requesting or requiring a GAGAS audit

• Entity Objective – The audit entity’s goals, mission, strategic plan, compliance with laws and regulations

• External Audit Organization – Audit organization that issues reports to 3rd parties external to the Audited Entity

• Internal Audit Organization – Entity that is accountable to senior management & those charged with governance – does not issue reports to external parties

• Responsible Party – Party in a GAGAS engagement responsible for subject matter

• Review of Financial Statements – Engagement under GAGAS for a Review (SSARS-21 Section 90)

• Specialist – Individual / Organization with expertise other than in auditing but assisting in the engagement


What is Going on in the Proposed GAGAS

• Chapter 2
  • Expanded guidance on how GAGAS does not incorporate the AICPA’s Code of Conduct for audits and attestations
  • Recognizes that CPAs may use or may be required to use the Code
• Chapter 3
  • Independence requirements of the auditor are explained when the engaging party differs from the responsible party
    • Example – State Auditor engages Independent Auditor to audit a State Agency
  • Additional guidance addressing situations in which government auditors work in conditions that do not permit independence
  • Expanded guidance on reevaluating threats to independence as a result of applying framework
  • Expanded guidance on professional services in government
  • The big deal – expanded standard on preparation of financial statements by auditors – it’s a significant threat and needs to be documented how it is remediated


What Happens When an Engaging Party is Different From Audited Party?

• Common occurrence
• Independence requirements of GAGAS will apply to the relationship between the auditors and the responsible party
  • Not the auditors and the engaging party
• Examples:

Engaging Party: Legislative Body
Responsible Party: Executive Agency required to have a performance audit of program operations. Auditors must be independent of the executive agency.

Engaging Party: State Agency
Responsible Party: Local government required to have an examination level attestation by a CPA firm to gauge the validity of information provided to the state agency. CPA firm must be independent of the local government.

Engaging Party: Government Department
Responsible Party: Government agency (state auditor) conducts examination level attestation of contractor compliance with the terms and conditions of agreements between the department and the contractor. Auditor must be independent of the contractor.


What About Auditors in Government (State Auditors etc.)?

• May work under conditions that do not permit independence in accordance with GAGAS

• Could have statutory requirements to serve in official roles that have a conflict with independence

• Civil service statutes permit staff members to seek employment with audited entities (e.g. teach at colleges)

• If exists – may have to modify GAGAS compliance in reporting – modify either:

• Auditors conducted engagement in accordance with GAGAS except for specific applicable requirements that were not followed or

• Because of the significance of the departures from the requirements – the audit was not conducted in accordance with GAGAS.

• When used – should disclose reasons why and how not following the requirement(s) affected or could have affected the engagement and the assurance provided


Other Stuff in Chapter 3

• If there is new information, changes in facts and circumstances in the engagement that could affect whether a threat has been eliminated or reduced to an acceptable level

• Reevaluate and document
  • Threats to independence
  • Safeguards applied


Other Stuff in Chapter 3

• If State Auditor (or similar) provides professional services
  • Auditors act on behalf of a governing body (legislature)
  • State auditor evaluates actions of a responsible party (management of a state agency)
• Professional services may include (but not limited to)
  • Fraud investigation
  • Reducing risk of management override of controls
  • Improving governance
• Auditors cannot set direction or accept responsibility for key processes or controls
  • If yes – no management participation threat
• No threat to 2 party arrangement (auditors to public or auditors to governing body) such as estimating the fiscal impact of legislation at a hearing – no threat to independence in that case


The Biggest Deal In Chapter 3 – 3.88-3.90

• Auditors should conclude the following services involving preparation of accounting records impair independence
  • Determining or changing journal entries, account codes, classifications etc., without obtaining management’s approval
  • Authorizing or approving entity’s transactions
  • Preparing or making changes to source documents without management’s approval
• In preparing financial statements based on information in the trial balance
  • Document threats and safeguards applied to eliminate and reduce threats to an acceptable level or
  • If cannot reduce - decline to perform the services
• Management is ultimately responsible for the preparation and fair presentation of the financial statements even if auditor drafts


Updated GAGAS Conceptual Framework for Independence

[Flowchart. Start: Assess condition or activity for threats to independence. Decision boxes, each with Yes / No branches: Threat Identified?; Threat Related to Non-audit Service?; Specifically Prohibited in GAGAS?; Threat Significant?; Threat Eliminated or Reduced to Acceptable Level? Action boxes: Apply Safeguard(s); Document Threat, Safeguards. Outcomes: PROCEED!; INDEPENDENCE IMPAIRED – DO NOT PROCEED!]


What is Going on in the Proposed GAGAS

• Chapter 4
  • Auditors that conduct the engagement must possess the competence needed for their assigned roles at the time of assignment (no more attaining it during the engagement)
  • Clarifications on levels of GAGAS proficiency expected for different levels of auditors
  • Competence of specialists clarified
  • Requirements for CPE revised
    • 4 hour requirement each time a new GAGAS is issued
    • Clarification of topics that are required for 80 hours of CPE
    • Exemptions detailed for auditors in certain circumstances
    • Common questions on CPE answered


Competency

• Management must assign auditors to conduct the engagement who

• At the time of the assignment collectively possess the competence needed to address the audit objectives and to perform work in accordance with GAGAS

• Management must assign auditors who at the time of the assignment possess the competence needed for their assigned roles

• Recruitment, hiring, CPE, Assignment, Evaluation focused on the essential knowledge, skills and abilities necessary for the engagement

• Specialists must be qualified and competent in their areas of specialization


Competency

• Addressed by role in the engagement

Role: Entry Level
Definition of Duties: Plan or perform engagement procedures on engagement
Level of Ambiguity, Complexity & Uncertainty: Low
Required Level of Proficiency: Basic level

Role: Supervisory
Definition of Duties: Plan engagements, perform engagement procedures, or direct engagements
Level of Ambiguity, Complexity & Uncertainty: Moderate
Required Level of Proficiency: At least an intermediate

Role: Partners and Directors
Definition of Duties: Plan engagements, perform engagement procedures, or direct or report on engagements also responsible for reviewing engagement quality prior to issuing the report, for signing the report, or both
Level of Ambiguity, Complexity & Uncertainty: High
Required Level of Proficiency: At least an advanced


Competency of Specialists

• Includes guidance for actuaries, appraisers, attorneys, engineers, environmental consultants, medical professionals, statisticians, geologists, IT experts (among others)

• Qualifications relate to their professional certifications, reputation, previous work in subject matter

• Relevant factors still include bias, conflict of interest, management influence

• Sources of competence include, but not limited to
  • Professional certification(s) / license(s)
  • Reputation / standing among peers
  • Experience
  • Auditor’s prior experience using their work
  • Knowledge of industry requirements
  • Competence of specialist with respect to GAGAS
  • Assessment of unexpected events that would cause reconsideration of the specialist – (example – change in certifications / licenses)


CPE and GAGAS Qualification

• Auditors who plan, direct, perform, report GAGAS engagements
  • At least 4 hours of CPE in GAGAS topics prior to first GAGAS engagement for supervisory, partners, directors
  • Entry level staff should attain qualification by the end of their first two year period
• CPE should align to relevant GAGAS topics (see following)
• 4 Hours required with each revision of GAGAS
  • Should be completed by end of next 2 year CPE period
  • Documentation must be maintained by audit organization
• 80 Hours of CPE every 2 years – required as follows (minimum 20 hours per year):

Hours: 24 Hours
Subject Matter: Standards, statutes, regulations, criteria, guidance applicable to GAGAS

Hours: 56 Hours
Subject Matter: Subject matter or topics that directly enhance professional expertise to conduct GAGAS engagements


GAGAS Topics that Qualify For CPE

• Initial GAGAS Topics for 4 hour Qualification to do GAGAS engagements
• Follow Up GAGAS Topics
  • Standards for ethics, independence, professional judgment, CPE, quality control, peer review as established in GAGAS
  • Types of GAGAS engagements
  • Relationship between GAGAS and other standards
  • Stating compliance with GAGAS in the auditors’ report
  • Additive GAGAS requirements for
    • Financial audits / examinations
    • Reviews and agreed-upon procedures
  • GAGAS fieldwork standards for performance audits
  • GAGAS reporting standards for performance audits
  • Internal control as addressed in GAGAS


GAGAS Topics that Qualify For CPE

• US GAAP or the applicable financial reporting framework, AICPA Statements on Auditing Standards
• AICPA Attestation Criteria, SSAEs, SSARs
• GAO Green Book
• COSO
• Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards
• Programmatic Audit Requirements (ex: HUD)
• Relevant Audit Standards / Guides
• Regulations etc. specific to the industry / environment / subject matter
• Audit methodologies, surveys, actuarial, statistics
• Performance auditing topics, evidence, skepticism
• Ethics and independence

GAGAS Topics that Qualify For CPE

• If conducting engagements
  • All previous 2 slides
  • CPE in communicating clearly and effectively oral and written
  • Managing time and resources
  • IT
  • Economics, human capital management, social and political sciences and academic disciplines
• Exceptions from 56 hour requirement but not 24 if
  • Charge less than 20% of time to GAGAS engagements
  • Are only in performing but not planning, directing or reporting

Exceptions to CPE Provisions

• Exceptions from 56 hour requirement but not 24 if
  • Charge less than 20% of time to GAGAS engagements
  • Are only in performing but not planning, directing or reporting
• Entry level auditors who charge less than 40 hours of time to GAGAS exempted from all GAGAS CPE provisions
• Auditors hired or initially assigned in 2 year period can prorate
• Interns may be exempted
• Over 20 paragraphs of clarifications and application guidance

What is Going on in the Proposed GAGAS

• Chapter 5
  • Requires audit organizations at least annually obtain written affirmation of compliance with policies and procedures on independence from all audit personnel required to be independent
  • Requires policies and procedures on engagement acceptance only if it has the capability to succeed
  • New guidance provided for engagement performance, documentation, reporting
  • Audit organizations affiliated with a “recognized organization” comply with that organization’s peer review requirements
  • Additional peer review guidance
  • 37 paragraphs of application guidance and details

What is Going on in the Proposed GAGAS

• Chapter 6
  • First time – discusses qualification requirements for auditors conducting financial audits of entities outside the US
  • Discussion of auditor procedures on waste
  • Expanded consideration of internal control deficiencies
  • Expanded findings on waste
  • Modification of requirements when reporting separately from a financial audit to make available to all users on internal control over financial reporting
  • Includes compliance with laws, regulations, contracts, grants in the same manner as financial audit reports
  • Findings related to waste must be in writing
  • Further explanation about comparative financial statements when findings apply to one period but not the other

Focus on Waste and Abuse

• In GAGAS audit, auditors may become aware of waste or abuse that could be quantitatively or qualitatively material to the financial statements or data significant to audit objectives
  • Perform procedures to ascertain potential effect
  • Consider potential effect on operations
• Waste - act of using or expending resources carelessly, extravagantly, or to no purpose
  • Taxpayers not receiving reasonable value for money in connection with any government-funded activities
  • Involves inappropriate act or omission by parties with control over or access to government resources
  • May not involve violation of law
  • Relates primarily to mismanagement, inappropriate actions or oversight

Focus on Waste and Abuse

• In GAGAS audit, auditors may become aware of waste or abuse that could be quantitatively or qualitatively material to the financial statements or data significant to audit objectives
  • Perform procedures to ascertain potential effect
  • Consider potential effect on operations
• Abuse – behavior deficient or improper in comparison to a prudent person considering reasonable necessary business practices given facts and circumstances
  • Excludes fraud and noncompliance with laws etc.
  • Includes misuse of authority for personal interest
  • Subjective – auditors not required to perform procedures to detect abuse, but may be discovered

Findings and Reports

• Expanded requirement to consider potential internal control deficiencies when significant to audit objectives
• GAGAS finding structure is mostly unchanged
• Reporting on Internal Controls, Compliance Provisions of Laws, Regulations, Contracts, Grant Agreements and Instances of Fraud, Waste or Abuse – include
  • Findings on instances of above
  • Fraud that is material quantitatively or qualitatively
  • Waste or abuse that is material quantitatively or qualitatively, to the financial statements or to other financial data that are significant

Findings and Reports

• If integrated audit (including separate reports in the same document) (SAS-130)

• Include a reference in the audit report on the financial statements to those additional reports

• State in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity’s internal control over financial reporting and compliance

• If separate reports used, should make the report available in the same manner as the financial report (website etc.)

Findings and Reports

• Findings are in writing to audited entity officials when detection of potential instances of

• Noncompliance with provisions of laws, regulations, contracts, or grant agreements or

• Fraud, waste, or abuse that have an effect on the financial statements or other financial data significant to the audit objectives that are less than material but warrant the attention of those charged with governance

• For comparative statements, the audit report on internal control and compliance with provisions of laws, regulations, contracts, and grant agreements relates only to the most recent reporting period included

What is Going on in the Proposed GAGAS

• Chapter 7

• SSAE 18 (Attestation Standards: Clarification and Recodification) incorporated by reference

• SSARS 21 (Section 90) on reviews of financial statements in accordance with GAGAS

• SSAE 18 and SSARS 21 are beyond the scope of today!

• Qualification requirements for auditors engaged for SSAE 18 engagements outside the US

• Waste and internal control provisions similar to Chapter 6

Waste or Abuse Found in an Examination

• Similar to Chapter 6 provisions but now would be required in an examination
• Examination report will include information about
  • Noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the subject matter or an assertion about the subject matter
  • Fraud that is material, either quantitatively or qualitatively, to the subject matter or an assertion about the subject matter that is significant to the engagement objectives; or
  • Waste or abuse that is material, either quantitatively or qualitatively, to the subject matter or an assertion about the subject matter that is significant to the engagement objectives or the entity’s operations.
• If less than material – communication to those charged with governance in writing

What is Going on in the Proposed GAGAS

• Chapter 8
  • Revised requirement – management assertions not required when conducting a performance audit under GAGAS
  • Updated suitable criteria (attributes and examples)
  • Internal control alignment to COSO and the Green Book
  • Waste and internal control deficiencies elements similar to Chapter 6
• Chapter 9
  • Revised reporting for audit organizations that are independent under IIA standards
  • Report discussion on when internal control is significant
  • New report element when all internal control elements not considered
  • Findings of waste reporting similar to Chapter 6

Performance Audits and GAGAS

• Includes measurement or evaluation of the subject matter of the engagement and presenting the resulting information as part of, or accompanying, the audit report

• In a performance audit, assertions by audited entity management with respect to the subject matter of the engagement do not affect the auditors’ conclusions on that subject matter

• Auditors are responsible for measuring or evaluating the subject matter

• GAGAS does not require auditors to obtain management assertions with respect to the subject matter when conducting a performance audit

Suitable Criteria In a Performance Audit

• Identifies required / desired state / expectation for the program or operation
• Provide context for evaluating findings / conclusions
• Must be relevant, reliable, objective and understandable within the context of the audit objectives
• Examples
  • Applicable laws and regulations
  • Goals, policies, and procedures
  • Technically developed standards or norms
  • Expert opinions
  • Prior period performance
  • Defined business practices
  • Contracts / grant agreements
  • Benchmarks for performance based on other entities / sectors

Performance Audit Reporting in the GAGAS ED

• If reporting on internal controls – performance audit focuses on
  • Scope of work on internal control, including
    • Consideration of the concept of accountability for use of public resources and
    • Government authority while assessing audit risk associated with internal control, and
  • Any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed
  • Insignificant deficiencies include in a written report to those charged with governance
• If not reporting on internal controls – must state it in the report
• Fraud, waste, abuse reporting similar to other chapters

What is Going on in the Proposed GAGAS

• Other Stuff
  • 9 Questions to be Answered
  • Responses due by July 6, 2017 by email to GAO
    • No provisions for public hearings
  • No Effective Date in Exposure Draft – could be for audit periods beginning after December 15, 2017?
    • Hopefully not ending after December 15, 2017!

Single Audit Update

What We Know About the 2017 Compliance Supplement

• 10 New Programs in the Draft
  • 5 at Interior – all focused on Tribal Nations
  • 1 at Transportation (20.224 – Federal Lands Access Program)
  • 2 at Gulf Coast Ecosystem Restoration Council
  • 2 at HHS (93.594 – Tribal Work Grants and 93.870 – Maternal, Infant, and Early Childhood Home Visiting Grant Program)
• 7 programs with name changes (5 at Interior, 2 at HHS)
  • Remember – names must match in audit reports and data collection form
• 3 deleted programs (agriculture, commerce and HHS)
• Dozens of other programmatic changes

What We Know About the 2017 Compliance Supplement

• The usual cluster suspects proposed to change in the Draft
  • Student Financial Assistance – likely following the annual audit requirement sent from US-ED (along with other Title IV funds)
    • Waivers allowed but must go through US-ED
  • R&D
  • 7 Tribal Nation – focused clusters at Interior
  • TANF
  • CSBG
  • CCDBG
• Compliance Matrix (Part 2) will have changes
• Compliance Requirements (Part 3) – the removal of 3.1 (old OMB A-133 tests?)

New AICPA Practice Aids for the Schedule of Expenditures of Federal Awards

• Auditors practice aid includes
  • Audit plan supplement documenting the procedures performed on the SEFA
    • Imperative to follow by Auditors
  • Disclosure Checklist for the SEFA to assure including all elements required by the Uniform Guidance
  • Auditor’s Report Checklist for the In-Relation-To Opinion on the SEFA
• Auditees also have a practice aid in preparing the SEFA in GAQC Alert 327
  • Includes how to accumulate the information for the SEFA
  • Disclosure Checklist for the SEFA
• See http://www.aicpa.org/gaqc

Focus Area Continues to be Audit Quality in Advance of 2018 Study Required by Uniform Guidance

• Key Areas Identified by AICPA for Auditors (and Auditees)
  • Auditors may not be able to perform single audits if they have never performed one
  • Planning must include
    • Risk assessment of the auditee
    • Understanding of compliance requirements of federal award programs
    • How federal awards are being used
  • Independence cannot be compromised (see Ethics section)
  • Management’s skills, knowledge and experience will be reviewed and documented
  • Major programs must be chosen properly

Focus Area Continues to be Audit Quality in Advance of 2018 Study Required by Uniform Guidance

• Key Areas Identified by AICPA for Auditors (and Auditees)
  • Design of Internal Controls Over Compliance is Key – common questions for auditees:
    • How do you make sure costs are allocated to the right federal program?
    • How do you know you have complied with eligibility?
    • What do you do when you find an error?
  • Dual-purpose testing may be adjusted to focus on the controls, not the process
  • All relevant aspects of the OMB Compliance Supplement need to be tested – no more ‘same as last year’
  • Sample items may be different than in prior years
  • Audit finding process will be different (see later today)
  • Audits may require an independent quality review prior to issuance

Revisiting Sub-recipient Monitoring – Do We Get it Yet?

Who is a Sub-Recipient vs. Contractor (200.330)

• A nonfederal entity may concurrently receive federal awards as a:
  • Recipient
  • Subrecipient
  • Contractor
• Pass-Through Entity (PTE) must make case-by-case determination whether each agreement it makes for disbursement of federal program funds casts the party receiving the funds in the role of a:
  • Subrecipient, or
  • Contractor
• All characteristics need not be present
• Judgment should be used in the determination process
• Substance of the agreement is more important than the form

Just in case you were wondering…

Sub-recipient

• Creates a federal assistance relationship
• Determines who is eligible to receive what federal financial assistance
• Has its performance measured in relation to whether objectives of a federal program were met
• Has responsibility for programmatic decision making
• Is responsible for adherence to applicable federal program requirements specified in the federal award; and
• In accordance with its agreement, uses the federal funds to carry out a program for a public purpose specified in authorizing statutes, as opposed to providing goods or services for the benefit of the PTE

Contractor

• Purpose is to obtain goods and services for the nonfederal entity's own use and creates a procurement relationship
• Provides the goods and services within normal business operations
• Provides similar goods or services to many different purchasers
• Normally operates in a competitive environment
• Provides goods or services that are ancillary to the operation of the federal program
• Is not subject to compliance requirements of the federal program as a result of the agreement, though similar requirements may apply for other reasons

In Summary

• Governments can be Prime Recipients or Sub-Recipients or Contractors
• Primes are responsible for sub-recipients as
  • Prime recipients determine who is eligible to receive federal grant
  • Primes have performance measured by the federal agency – therefore the sub also will have performance measures
  • Primes have responsibility for program decision-making
  • Primes have to adhere to federal grant conditions
  • Primes have to carry out purpose of grants

In Summary

• Contractors
  • Provides goods and services as part of normal business operations
  • Similar goods and services provided to many purchasers
  • Normally operates in competition with others
  • Provides goods / services ancillary to federal operations
  • Not subject to compliance requirements as a result of the agreement, but may have other requirements
• Judgment is needed on sub-recipient vs. contractor
• Pass-throughs to sub-recipients may be in fixed amount awards

It is Up to the Pass Through Entity to Evaluate the Risk of Sub-Recipients and DOCUMENT IT! (200.331(b))

• How to evaluate Sub-recipient risk to determine nature, timing and extent of monitoring – consider the following:

1. Sub-recipient experience with the same or similar sub-awards;

2. Results of previous audits, including whether the sub-recipient receives a single audit and the extent to which the sub-award has been audited as major;

3. Whether sub-recipient has new personnel or substantially changed systems; and

4. Extent and results of federal awarding agency monitoring.

Once You’ve Done the Risk Assessment – What are the Required Monitoring Activities? (200.331(d))

• Review financial and programmatic reports

• Follow-up and ensure that the sub-recipient takes timely and appropriate action on all deficiencies pertaining to the federal award through audits, on-site reviews, and other means

• Issue management decisions for audit findings pertaining to the federal award provided to the sub-recipient

• These are baseline – the more risk, the more required

What are the Additional Tools You Have? (200.331(e))

• Providing training and technical assistance
• Performing on-site reviews of program operations
• Arranging for agreed-upon procedures (AUP) engagements that meet certain requirements
  • Must be performed under GAGAS to be federally eligible costs
• Verifying that every Sub-recipient is audited as required by the Uniform Guidance

Common Issues Found In Sub-Recipient Monitoring by PTE

• Lack of existing, written policies and documentation standards
• Sub-award agreement missing key terms
• Lack of documented sub-recipient risk assessment
• Sub-recipient monitoring plans not “linked” to related sub-recipient risk assessment
• Sub-recipient single audit reviews
  • Annual review of sub-recipient single audits not performed or documented
  • Lack of revised process to obtain single audit reports directly from the Federal Audit Clearinghouse

Required Elements to Pass Through to Subs (200.331)

• Sub-award ‘package’ must have:
  • Federal award identification (Federal agency, CFDA No, etc.) (aka the “FAIN”)
  • Sub-recipient information (name, DUNS, etc.)
  • Total Amount of award
  • Identification of whether the award is for Research and Development
  • Requirements imposed by pass-through entity
    • Based on prior audits and state / local laws
  • Provision for indirect costs – either negotiated or a de minimis rate of 10%
  • Access to records as required in the grant / state / local laws
  • Closeout terms contained in the grant
• Best practice – have a checklist and signoff pages from PTE and Sub-recipient

What Happens if Your Sub Goes Rogue..

• Pass-Through Entities can and should…

• Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the awarding agency or pass-through entity.

• Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance.

• Wholly or partly suspend (suspension of award activities) or terminate the Federal award.

• Initiate suspension or debarment proceedings as authorized under awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by an awarding agency).

• Withhold further Federal awards for the project or program.

• Take other remedies that may be legally available.

If All Else Fails…

• Federal award can be terminated to Sub-recipient in whole or in part if:
  • Fail to comply with terms and conditions
  • For cause
  • By consent if both agree to terms / conditions / dates
  • Material failure to perform
• Reporting is through SAM / FAPIIS when challenges / appeals exhausted (usually within 30 days)
  • PTE must notify recipient
  • Public notification lasts for 5 years on system, but comments can be made by recipient to explain issue
  • Opportunities for appeals / hearings
  • Once terminated / suspended – additional costs not allowed unless incurred prior to suspension / termination and would have been allowable costs

Can You Collect Amounts Due from Subs? - YES

• If Sub-recipient is overpaid
  • Overpayment is a debt to the federal government
  • Must be paid within 90 days
  • You can use intercept process (many states already do) or
  • Withhold payment or any other action
• Interest may be charged on overdue debt
• Collection agency costs are allowable if recovering federal funds / improper payments – encouraged in fact

COSO and Internal Controls

Why Are Internal Controls Important? (200.303)

• The non-federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.

  • Also take prompt action to remediate noncompliance
  • Take reasonable measures to protect PII / other sensitive data
• These internal controls should be in compliance with
  • Guidance in “Standards for Internal Control in the Federal Government” [Green Book] issued by the Comptroller General of the United States and
  • “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
  • Detailed in Part 6 of Compliance Supplement
• COFAR FAQ 303-1, 2, and 3 clarifies that “should” indicates a “best practice” and is not a presumptively mandatory requirement.

What is in Part 6 of the OMB Compliance Supplement? – Key Definition -

• Internal control is generally defined as a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved

• Objectives of internal control
  • Transactions are properly recorded and accounted for to permit reliable reporting, maintain accountability and demonstrate compliance
  • Transactions are executed in compliance with laws, regulations, terms and conditions of award and any other applicable statutes and regulations
  • Funds, property and other assets are safeguarded against loss from unauthorized use or disposition

What is in Part 6 of the OMB Compliance Supplement?

• Internal controls are at ALL levels in ALL operations (planning, budgeting, management, accounting, monitoring, reporting…)

• Continuous, never-ending process of improvement

• Consider balance between controls and risk in programs and operations, cost vs. benefit

• Pages 6-3 to 6-7 of Compliance Supplement detail individual controls that may / should be present

Best Practices To Test Internal Controls

• Audit Standards (and likely new Yellow Book) IC testing based on COSO
• Testing compliance gives indirect evidence on controls, but cannot serve as the basis for assessing controls as operating effectively
• 2-step testing process
  1. Controls are designed effectively and placed into operation
  2. Key controls are operating effectively (low control risk)
• Key controls to test for operating effectiveness are often found in the Control Activities COSO bucket
• Remember to include Information Technology
• Remember to document your assessment / testing (see later)

An Emerging Issue Related to Internal Controls - Contractor Integrity


Why It is Necessary

• COSO Principle #1 –
  • The Organization Demonstrates a Commitment to Integrity and Ethical Values
• Strong push from federal agencies to ensure that PTEs are only doing business with contractors that meet COSO
• Pre-screening minimizes fraud
• Reduces improper payments


Important Elements

• Scan for / Inquire / Document
  • Criminal indictments
  • Judgments and convictions
  • Previous suspensions from any jurisdiction
  • Debarments
  • Penalties / sanctions
  • Health, safety, labor, environmental, ethical violations
  • Tax delinquencies
  • Prior findings of non-responsibility related to integrity
• Best practice – background questionnaire
• Submitted information needs to be validated from third party sources (use a checklist)


Important Elements

• Perform a media search but be careful of the source –
  • Public filings are the best source as they usually have a penalty of perjury
  • Criminal history check (also look at Federal Bureau of Prisons website) (https://www.bop.gov/inmateloc/)
  • Prosecutor’s offices
  • Sex offender registry (also look at federal site – http://www.nsopw.gov)
  • Federal excluded parties list (SAM) (https://www.sam.gov/portal/SAM/#1)
  • OSHA databases (http://www.osha.gov/pls/imis/establishment.html)
  • US Treasury Sanctioned entities – Specially Designated Nationals List
    • Terrorism, narcotics, trafficking etc.


Important Elements

• Perform a media search but be careful of the source –

• PACER Program – public access to court electronic records

• Case and docket information from federal courts (including bankruptcy) – https://pacer.psc.uscourts.gov/pscof/registration.jsf

• Beware –
  • Files before 1999 are only in paper
  • Fees charged


How Does it Tie to the UG?

• Procurement policies in the UG, even if using the 1-year delay, kick in for the year ending June 30, 2017

• Procurement policies / procedures / law for Recipients must be the same for federal and non-federal activities

• If procurement policy / procedure / law has lower thresholds, more scrutiny than federal provisions, policy / procedure / law continues as it exceeds federal policy

• If it doesn’t – policy / procedure / law may need to be changed

• Good idea to review as soon as possible as State Law may be more stringent than federal – if yes – use State law


Remember the Methods of procurement in the UG

• A prescriptive list of 5 procurement methods is provided

• Micro-purchases, small purchase procedures, sealed bids, competitive, sole source

• “Micro-purchase” category up to $3,000 ($2,000 for Wage Rate Determination [Old Davis Bacon]) for which competition not required

• By default, purchases > $3K would require competition

• Sole source justification definition is updated

• Likely Scenario – Follow State Law / Regulation First as it is likely more stringent


To Document or Not to Document… That is the Question


UG has Multiple Sections on Documentation

• Common theme in Documentation:
  • Document compliance with all federal terms, conditions etc., to prepare required reports, including:
    • Records retention
    • Records transfer
    • Storage
    • Access
    • Restriction of public access to records
  • Identify federal awards, including required information (CFDA number, name of agency etc.)
  • Have accurate, current and complete disclosure of financial results
  • Identify the source and application of federally funded activities
  • Effectively control assets / funds etc.
  • Allow comparison of expenditures with budget amounts
  • Have written procedures for payments and allowable costs
• ALL = INTERNAL CONTROLS
• If it isn’t documented… it doesn’t exist

These are not just financial by the way…


Other Areas of Documentation in the UG

• Section 302 elements:
  • Records that identify the source and application of funds for federally funded activities
  • Effective control over and accountability for all funds, property, and other assets
  • Written procedures to implement the cash management requirements
  • Written procedures for determining the allowability of costs in accordance with cost principles and terms and conditions of the federal awards.
• Procurement (Sections 317-321)
• Conflict of interest policy – Section 318
• Written documentation of monitoring and risk assessment on subrecipients – Section 331
• Compensation – Section 430


COSO Documentation Requirements

• Chapter 4 of the COSO requires documentation
  • To provide clarity around roles and responsibility, promoting consistency in adhering to practices, policies and procedures
  • To capture the design of internal control and communicating the who, what, where, when, why and how of expectations of performance and conduct
  • To assist in training
  • To provide evidence of internal control and proper monitoring when evaluated by regulators, auditors or customers
  • To retain organizational knowledge if needed for continuity of operations or disaster recovery
• Checklist included in your handouts of mandatory vs. best practice documentation referenced to UG and COSO


Developing and Reporting Audit Findings


Where do Audit Findings Go?

• Contents of the Single Audit Submission
  • Auditor’s report on the financial statements of the entity
  • Auditor’s in-relation-to reporting on the Schedule of Expenditures of Federal Awards (SEFA)
  • Auditee’s financial statements
  • Auditee’s SEFA
  • Auditor’s report(s) on internal control over financial reporting and on compliance and other matters to meet Government Auditing Standards requirements
    • Relates to audit of financial statements


Where Do Audit Findings Go?

• Contents of Single Audit Submission
  • Auditor’s report on compliance and internal control over compliance – major programs
  • Auditor’s schedule of findings and questioned costs (SFQC)
    • Includes summary of auditor results and findings
  • Auditee’s summary schedule of prior audit findings (SSPAF)
  • Auditee’s corrective action plan (CAP)
• All items above and on previous slide are referred to as “reporting package”
• Reporting package and the Data Collection Form (DCF) are submitted electronically to the Federal Audit Clearinghouse (FAC) by the auditee


Keep in Mind the Life Cycle of a Finding

1. Finding Occurs (June 30, 2017 year-end)
2. Audit report with finding issued (March 31, 2018)
3. Management decision issued by federal agency (September 30, 2018)
4. Auditor reviews status of prior finding as part of next single audit (March 31, 2019)

If finding corrected, cycle ends. If not, it repeats.


Current Yellow Book Findings Require:

• Yellow Book incorporates Generally Accepted Auditing Standards (GAAS) requirements

• Yellow Book requirements:
  • Significant deficiencies and material weaknesses in internal control over financial reporting
  • Instances of fraud and noncompliance with provisions of laws or regulations that have a material effect on the financial statements
  • Any other instances that warrant the attention of those charged with governance
  • Abuse that has a material effect, either qualitatively or quantitatively


What about the UG? (200.516)

• Significant deficiencies and material weaknesses over a type of compliance requirement for a major program.
• Significant instances of abuse relating to a major program.
• Material noncompliance in relation to a type of compliance requirement for a major program.
• Likely or known questioned costs are greater than $25k for a major program.
• Known questioned costs are greater than $25k for any federal program.
• BE CAREFUL – Some states have lower thresholds
• Unless addressed in another finding, a finding explaining why a major program did not obtain an unmodified opinion.
• Unless addressed in another finding and not prohibited by GAGAS, a finding for known or likely fraud affecting a federal award.
• Summary Schedule of Prior Audit Finding materially misrepresents the status of any prior audit finding.


What Details Should be Included and How Clear Should they Be?

• Current Yellow Book
  • Auditors should develop the elements of the findings to the extent necessary.
  • Clearly developed findings assist management or oversight officials of the audited entity in understanding the need for taking corrective action, and assist auditors in making recommendations for corrective action
• Uniform Guidance
  • Audit findings must be presented in sufficient detail and clarity for the auditee to prepare a corrective action plan and take corrective action, and for Federal agencies and pass-through entities to arrive at a management decision.


Uniform Guidance Finding Elements (200.516)

Finding Elements

• Program information
• Criteria
• Condition Found
• Context
• Questioned Costs
• Whether Sampling was Statistically Valid
• Repeat Finding From Prior Year
• Cause and Effect
• Recommendation
• Views of Responsible Officials


Yellow Book Versus UG

| Finding element | GAGAS | UG |
|---|---|---|
| Federal program information | | X |
| CFDA title | | X |
| CFDA number | | X |
| Federal award identification and year | | X |
| Name of federal agency | | X |
| If applicable, name of pass-through entity | | X |
| Criteria | X | X |
| Condition | X | X |
| Cause | X | X |
| Effect or potential effect | X | X |
| Known questioned costs by CFDA number or federal identification number | | X |
| Provide proper perspective | | X |
| Finding a repeat of PY finding? (Y/N); If yes, provide prior year finding reference number | | X |
| Recommendation | | X |
| Views of responsible officials* | X | X |
| Finding reference number | | X |

*Requirement between Yellow Book and UG slightly different


More Detail on UG Finding Elements

• Federal program and specific federal award identification
  • the CFDA title and number
  • federal award identification number and year, name of federal agency, and name of the applicable pass-through entity
  • When above is not available, the auditor must provide the best information available to describe the federal award
• The criteria or specific requirement upon which the audit finding is based, including the Federal statutes, regulations, or the terms and conditions of the Federal awards.
  • Criteria generally identify the required or desired state or expectation with respect to the program or operation.
  • Criteria provide a context for evaluating evidence and understanding findings.


More Detail on UG Finding Elements

• The condition found
  • Including facts that support the deficiency identified in the audit finding.
• Statement of cause
  • The reason or explanation for the condition or the factors responsible for the difference between condition and criteria
• The possible asserted effect
  • To provide sufficient information to the auditee and federal agency, or pass-through entity to determine the cause and effect to facilitate prompt and proper corrective action.
  • Should provide a clear, logical link to establish the impact or potential impact of the difference between the condition and the criteria.


More Detail on UG Finding Elements

• Questioned costs and how they were computed
  • Known questioned costs must be identified by applicable CFDA number and applicable federal award identification number
• Information to provide proper perspective for judging the prevalence and consequences of the audit findings, such as whether the audit findings represent an isolated instance or a systemic problem
  • Where appropriate, instances identified must be related to the universe and the number of cases examined and be quantified in terms of dollar value.
  • The auditor should report whether the sampling was a statistically valid sample.
• Whether the audit finding was a repeat of a finding in the immediately prior audit and if so any applicable prior year audit finding numbers


More Detail on UG Finding Elements

• Recommendations to prevent future occurrences of the deficiency identified in the audit finding

• Views of responsible officials of the auditee (see later slide)

• Finding reference numbers are required to be in the format meeting the requirements of the data collection form to allow for easy referencing of the audit findings during follow-up

• Finding reference number format is the fiscal year being audited, a hyphen, and a three digit sequence number

• For example, findings reported in the audit of fiscal year 20X1 would be assigned reference numbers 20X1-001, 20X1-002…20X1-999


How to Write a Good Finding

• Write findings from the perspective of the federal agency and what they need to know

• Too much is better than too little

• Make sure findings do not include protected personally identifiable information (PPII)

• Consider using a template outlining each of the required criteria to ensure all required elements are included

• Be specific, particularly in criteria and condition

• Do not include too much duplication in the descriptions of the condition, effect, and cause

• Be practical with recommendations


[Figure: Findings Flowchart Used by Virginia State Auditor (Non-authoritative). Decision nodes: Finding*; Financial Statement (CAFR)*; Both?*; Federal/Major Program or Questioned Costs §200.516(a)(1)-(7)*; Compliance or Other Matters*; Internal Control*; Noncompliance*; Material Weakness*; Significant Deficiency*; Other Matters*; Modify Opinion*; Major Program Next Year.]

* Auditor to apply their judgment and the applicable standards in making their evaluation to determine if reporting a finding is warranted.

Compliance or Other Matters (AAG-GAS Table 4-1):*
• Fraud and noncompliance with provisions of laws or regulations: Has a material effect on the financial statements and any other instances that warrant the attention of those charged with governance
• Noncompliance with provisions of contracts and grant agreements: Has a material effect on the determination of financial statement amounts
• Abuse: That is material, either quantitatively or qualitatively


Schedule of Findings and Questioned Costs – 200.515

• Auditor reporting must include a SFQC that includes the following:

  • Summary of Auditor Results
  • Findings relating to the financial statements which are required to be reported in accordance with GAGAS.
  • Findings and questioned costs for federal awards which must include audit findings as defined in §200.516 Audit findings, paragraph (a).


SFQC – Part 1, Summary of Auditor’s Results

• Financial Statement Opinion Information

• GAGAS Reporting
  • Internal Control over Financial Reporting
    • Material weaknesses identified?
    • Significant deficiencies identified?
  • Noncompliance material to financial statements noted?


SFQC – Part 1, Summary of Auditor’s Results

• Federal Awards
  • Internal Control over Major Programs
    • Material weaknesses identified?
    • Significant deficiencies identified?
  • Type of auditor’s report issued on compliance for major programs [unmodified, qualified, adverse, or disclaimer]
  • Any audit findings disclosed that are required to be reported (see earlier slides)
  • Identification of major programs including CFDA number and name of federal program or cluster
  • Dollar threshold used to distinguish between type A and type B programs
  • Auditee qualified as low-risk auditee?


SFQC – Part 2 (Financial Statements) and Part 3 (Federal Awards)

• Part 2
  • This section includes all findings related to the audit of the financial statements that are required to be reported by GAAS and GAGAS (see prior slides)
  • Include required GAGAS finding elements
• Part 3
  • This section includes all findings required to be reported by 200.516
  • Include required Uniform Guidance audit finding elements


Best Practices - SFQC

• Educate staff and partners about the importance of the SFQC

• Start with a blank “pro forma” of the SFQC

• Include a “cold” review as part of the reporting procedures to review the SFQC and major program documentation

• For efficiency, ensure staff in the field use a findings template to capture all required elements

• Use illustrative SFQC in Chapter 13 of GAS-SA Guide as an example


Best Practices – SFQC

• Summary of Auditor’s Results Section
  • Identification of major programs – Ensure identification matches workpapers and DCF
  • Type A/B dollar threshold
    • Cross-check to major program workpapers
  • Low risk auditee status
    • Based on prior years’ analysis
    • Nothing to do with current year findings


Auditor Has Some Responsibility for the Summary Schedule of Prior Audit Findings

• Important issue as Federal agencies have flagged audit reports
  • Auditees not preparing separate corrective action plan
  • Summary schedule of prior audit findings not prepared
  • Both required by 200.511 of the Uniform Guidance
• Auditor must follow up on prior audit findings, perform procedures to assess the reasonableness of the summary schedule of prior audit findings
• Auditor must report as a current-year finding when the auditor concludes the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding


Auditee Corrective Action Plan – 200.511

• At the completion of the audit, the AUDITEE must:
  • Prepare a CAP to address each audit finding included in the current year auditor’s report (including Yellow Book findings)
  • The CAP must be in a document separate from the SFQC
  • Must include reference numbers the auditor assigns to audit findings in the SFQC
  • Must provide:
    • Contact person(s) responsible for corrective action
    • Corrective action planned for each audit finding
    • Anticipated completion date
    • Explanation and specific reasons why auditee disagrees with the audit findings (in cases where the auditee does not agree with the audit findings or believes corrective action is not required)


Some “Bottom Lines” on 200.511 and 200.512

• The auditor may reference or summarize the CAP for the purpose of presenting the views of responsible officials

• But the auditee must still prepare a CAP in a document that is separate from the schedule of findings and questioned costs (SFQC)

• The CAP and the SFQC must
  • Address Yellow Book (GAGAS) findings
  • Address Federal Awards findings
• Best Practices
  • The CAP and the Summary Schedule of Prior Audit Findings should be on the auditee’s letterhead (not the auditor’s)
  • Use the Federal Desk Review Guide for Single Audits at http://www.ignet.gov
  • Auditees and auditors should work together to assure audit reporting package is properly submitted


Data Collection Form and Findings

• The DCF is the auditee’s “Tax Return”
• Findings are summarized in DCF
  • Ensure consistency between DCF and SFQC
  • Use Form instructions to ensure findings are appropriately entered on DCF
• Findings worksheet available from the AICPA Governmental Audit Quality Center
• May need additional information handy (e.g., type of compliance requirement information)


Questions and Thank You!

12 Stedman Street, Apt. 2
Brookline, MA 02446

Eric S. Berman, MSA, CPA, CGMA
Partner

Eide Bailly LLP

T 208.424.3524
M 626.375.3600

E [email protected]

Experience the Eide Bailly Difference