Date post: | 21-May-2015 |
Category: |
Education |
Upload: | dannynelson |
SAS 117 Compliance Audits
A&A UPDATES
H. Kyle Anderson, CGMA, CMA, CPA
Bill Ellis, CPA
John Kunst, CPA
A & A Update and Review, Inc
6514 Dobbins Bridge Road, Anderson, SC 29626
(864) 933-3815 Fax: (888) 411-7668
Website: www.aandaupdate.com
E-mail: [email protected]
Skype: hkacpa
Compliance Audits
Supersedes SAS No. 74
Effective for periods ending on or after June 15, 2010
Objectives
What are the audit requirements when governmental agencies establish compliance requirements?
Authoritative guidance:
Governmental Auditing Standards (GAGAS)
Circular A-133, Audits of States, Local Governments & Non-Profit Entities
Generally Accepted Auditing Standards (GAAS)
Auditor’s professional responsibilities
Required procedures
Reporting requirements
Objectives
What are Management’s Responsibilities for:
Compliance requirements
Internal controls
Identifying & disclosing noncompliance
Providing written representations to auditors
Objectives
Review of Resources and updates available for:
Governmental Auditing Standards (GAGAS)
Circular A-133, Audits of States, Local Governments & Non-Profit Entities
Generally Accepted Auditing Standards (GAAS)
Update from Clarity Project released October 2011
SAS 117 was issued using Clarity project standards and is currently effective.
SAS 122, Statements on Auditing Standards: Clarification and Recodification
SAS 123, Omnibus Statement on Auditing Standards – 2011, released October 2011, amends SAS 118.
The effective date for SAS 123 is for audits of financial statements for periods ending after 12/15/2012.
Update from Clarity Project released October 2011
SAS No. 117, Compliance Audits
Issued December 2009
Effective June 15, 2010.
Early Application permitted.
Currently AU 801 / New AU-C 935.
Reference Material to download for webinar
Today, we will cover material available on the AICPA website at: http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SAS.aspx
Please download AU 801 prior to the start of the webinar.
The material covered will be referenced to the current AU section and the new Clarity Project section AU-C.
Office of Management and Budget at: http://www.whitehouse.gov/omb/circulars_default/
Please download OMB Circular A-133, Compliance Supplement 2011 (see bottom of page for complete download)
Government Accountability Office at: http://www.gao.gov/yellowbook
Please download Government Auditing Standards, December 2011 Revision (GAO-12-331G)
Summary of Major changes
Listing of Technical Changes
SAS 117
Compliance Audits
Introduction and Applicability
Auditors engaged or required by law to perform compliance audits in accordance with:
GAAS Generally Accepted Auditing Standards
GAGAS Governmental Auditing Standards
A governmental audit requirement that requires an auditor to express an opinion
While all AU sections are applicable to financial statement audits, not all AU sections are applicable to Compliance Audits
Effective Date
Effective for fiscal periods ending on or after June 15, 2010 with early application permitted.
AU 801.01 - .09 / AU-C 935.01 - .09
Compliance Audits
AU 801.01 - .09 / AU-C 935.01 - .09
Management’s Responsibilities
Management should:
Identify and comply with compliance requirements
Establish and maintain internal controls
Evaluate and monitor compliance requirements
Take corrective actions for non-compliance
Auditor’s Objectives
Obtain sufficient evidence to form an opinion on compliance with applicable compliance requirements
Identify required supplementary audit, reporting and performance procedures
Definitions
Applicable compliance requirements. Requirements subject to a compliance audit.
Compliance audit. Program-specific or organization-wide audit of compliance with compliance requirements.
Compliance Requirements. Applicable laws, regulations, rules, contracts or grant agreements required for government programs.
Deficiency in internal control over compliance. Internal control design, operation or control deficiency that does not prevent, detect or correct noncompliance on a timely basis.
AU 801.11 / AU-C 935.11
Definitions
Government Auditing Standards. Issued by Comptroller General of United States, U.S. Government Accountability Office. Known as Generally Accepted Government Auditing Standards (GAGAS) or the Yellow Book.
Material noncompliance. A failure to follow compliance requirements that results in material impact, individually or in the aggregate, to the government program.
Material weakness in internal control over compliance. A deficiency where there is a reasonable possibility that material noncompliance will not be prevented, detected and corrected on a timely basis.
Reasonably possible: The chance is more than remote but less than likely.
Remote: The chance is slight.
Probable: The event or events are likely to occur.
AU 801.11 / AU-C 935.11
Definitions
Program-specific audit. A compliance audit performed in conjunction with an audit of the entity’s or program’s financial statements.
Risk of material noncompliance. Two components of noncompliance existing prior to the audit:
Inherent risk of noncompliance. Susceptibility of noncompliance before considering related controls
Control risk of noncompliance. Risk noncompliance will not be prevented, detected, or corrected on a timely basis by internal controls
A significant deficiency in internal control over compliance is less severe but still warrants attention.
AU 801.11 / AU-C 935.11
Auditor’s use of Professional Judgment
Auditors should exercise professional judgment adapting AU sections for compliance audits:
Specific excluded sections are listed in AU 801.A41 / AU-C 935.A41
OMB and GAGAS contain additional guidance
AU 801.12 / AU-C 935.12
Establishing Materiality Levels
Materiality levels are based on Governmental Audit requirements.
Auditor should establish materiality levels to:
Determine risk assessment procedures
Assess risk of noncompliance
Determine further audit procedures
Evaluate compliance with requirements
Report noncompliance and other matters
Management is responsible for identifying and complying with compliance requirements.
AU 801.13 / AU-C 935.13
AU 801.A6-A8 / AU-C 935.A6-A8
Identifying Government Programs and Applicable Compliance Requirements
Management is responsible for identifying and complying with compliance requirements.
Auditor is responsible for determining programs and compliance requirements to test
Part 3 of the Circular A-133 Compliance Supplement, dated 12/2011, identifies 14 compliance requirements that should be considered in every Circular A-133 compliance audit:
A—Activities allowed or not allowed
B—Allowable costs/cost principles
C—Cash management
D—Davis-Bacon Act
E—Eligibility
AU 801.14 / AU-C 935.14
AU 801.A10-A10 / AU-C 935.A10-A10
Circular A-133 Compliance Supplement, Part 3
Identifying Government Programs and Applicable Compliance Requirements
Cir. A-133 14 compliance requirements continued:
F—Equipment and real property management
G—Matching, level of effort, earmarking
H—Period of availability of federal funds
I—Procurement and suspension and debarment
J—Program income
K—Real property acquisition and relocation assistance
L—Reporting
M—Subrecipient monitoring
N—Special tests and provisions
AU 801.14 / AU-C 935.14
AU 801.A10 - A11 / AU-C 935.A10 - A11
Circular A-133 Compliance Supplement, Part 3
Identifying Government Programs and Applicable Compliance Requirements
Additional procedures to assess requirements where guidance is not available:
Read laws, regulations, rules, contracts or grant agreements
Inquiry within entity
Inquiry outside the entity
Minutes of governing boards
Prior auditors
AU 801.15-.17 / AU-C 935.15-.17
AU 801.A12 - A18 / AU-C 935.A12 - A18
Performing Risk Assessment Procedures
The Auditor should:
Gain understanding of internal controls
Assess risk
Determine nature, timing, and extent of audit procedures
Inquire of prior findings, recommendations or reports and management’s response
The auditor should assess risk of pervasive fraud or error in assessing risk of material noncompliance
AU 801.15-.17 / AU-C 935.15-.17
AU 801.A12 - A18 / AU-C 935.A12 - A18
Risk Assessment factors
Compliance Requirements
Newness, length of applicability and/or complexity
Judgment required for compliance
Nature
Entity’s services provided
Internal controls
Auditor’s knowledge
Control environment and activities
Design and implementation
Monitoring
AU 801.15-.17 / AU-C 935.15-.17
AU 801.A12 - A18 / AU-C 935.A12 - A18
Risk Assessment factors
Prior years findings
Oversight by grantor or pass-through entities
Management’s response
Risk related to noncompliance
Potential impact of noncompliance
Impact in financial statement audits
Entity’s financial condition
Entity’s recordkeeping
Risk can be evaluated for individual areas or in combination with other areas.
AU 801.15-.17 / AU-C 935.15-.17
AU 801.A12 - A18 / AU-C 935.A12 - A18
Further Audit Procedures in Response to Assessed Risk
Pervasive Risk of Noncompliance
Tests of details
Tests of transactions
Tests of controls if:
Risk assessment includes expectation of effectiveness of controls
Substantive procedures insufficient
Governmental requirement
AU 801.18-.22 / AU-C 935.18-.22
AU 801.A19 – A27 / AU-C 935.A19 – A27
Further Audit Procedures in Response to Assessed Risk
Relevant Guidance:
AU 318, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained in:
Response to risk of noncompliance
AU 350 Audit Sampling, AICPA Audit Guide Government Auditing Standards, and OMB Circular A-133 for:
Planning, designing and evaluating audit samples
Identifying major programs
Additional audit requirements supplementary to:
GAAS
GAGAS
AU 801.18-.22 / AU-C 935.18-.22
AU 801.A19 – A27 / AU-C 935.A19 – A27
Further Audit Procedures in Response to Assessed Risk
Compliance testing can utilize tests of details and transactions for:
Grants disbursements & expenditures
Eligibility files
Cost allocation plans
Reports filed with grantor agencies
Substantive Analytical procedures can be used in combination with tests of transactions and other audit procedures.
AU 801.18-.22 / AU-C 935.18-.22
AU 801.A19 – A27 / AU-C 935.A19 – A27
Written Management Representations:
Written management representations should acknowledge responsibility for:
Compliance requirements
Compliance related internal controls
Identifying programs and activities subject to requirements
Providing all contracts and grant agreements and compliance documents for auditor
Disclosing all noncompliance issues, including grantors and pass-through entities
AU 801.23 - .24 / AU-C 935.23 - .24
Written Management Representations:
Written management representations should acknowledge responsibility for:
Belief of compliance with requirements
Interpretations of compliance requirements
Disclosure of corrective actions from prior engagements of compliance activities.
Disclosure of all known noncompliance issues subsequent to the audit report
Responsibility for corrective actions for noncompliance
Additional guidance can be found at AU 333, Management Representations.
AU 801.23 - .24 / AU-C 935.23 - .24
Subsequent Events:
Subsequent events procedures should be performed up to the date of the report
Subsequent event inquiry of management should include:
Internal Auditor’s reports
Other auditors’, grantors and pass-through entities noncompliance issues
Other professional engagements noncompliance issues
Auditors have no responsibility to perform audit procedures during subsequent events other than discussion with management or those in charge of governance.
AU 801.25 - .27 / AU-C 935.25 - .27
Sufficiency and Appropriateness of Audit Evidence and Forming an Opinion
Sufficiency and appropriateness is determined at the governmental level and should include:
Likely questioned costs
Material noncompliance issues
Frequency of noncompliance
Nature
Adequacy of monitoring system
Likelihood of noncompliance of a material likely questioned cost
AU 801.28 - .29 / AU-C 935.28 - .29
AU 801.A31 – A32 / AU-C 935.A31 – A32
Reporting: Additional GAGAS Standards
GAGAS contains eight additional reporting standards different from GAAS as follows:
1. Reports should state the audit was performed in accordance with Generally Accepted Government Auditing Standards
2. Auditors must report on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grants when providing an opinion on financial statements.
3. In financial audits, auditors must report significant deficiencies and material weaknesses in internal controls, fraud and illegal acts, violations of provisions of contracts or grant agreements having a material impact on financial statements
AU 801.30 - .38 / AU-C 935.30 - .38
Reporting: Additional GAGAS Standards
Additional GAGAS reporting standards different from GAAS:
4. An auditor may emphasize the following matters under GAGAS:
1) Significant concerns or uncertainties about fiscal sustainability that may have a material financial impact
2) Unusual or catastrophic events that will likely have a significant future financial impact
3) Significant uncertainties regarding projections or estimates in the financial statements
4) Other matters deemed significant to users and oversight bodies
5. Auditors are required to advise management to make appropriate disclosures and perform additional procedures for new information that materially impacts previously issued financial statements
AU 801.30 - .38 / AU-C 935.30 - .38
Reporting: Additional GAGAS Standards
Additional GAGAS reporting standards different from GAAS:
6. Auditor must obtain a response from responsible officials regarding disclosures of deficiencies in internal control, fraud, illegal acts or contract and grant agreement violations
7. Information omitted from public disclosure must be noted with the reasons for omission in the auditor’s report
8. Report distribution is required to those charged with governance, officials, oversight bodies and organizations requiring or ordering the audit. Public accounting firms must clarify specific arrangements for distribution.
AU 801.30 - .38 / AU-C 935.30 - .38
Reporting Examples: coverage in webinar
Please go to Exhibits in AU 801.A42 / AU-C 935.A42
We will cover the Combined Report on Compliance and Internal Control Over Compliance because it contains all the provisions of section .30 for Compliance Only requirements as well as additional Internal Control Over Compliance requirements.
I have separated those reporting requirements in the next slides for your reference.
AU 801.30 / AU-C 935.30
AU 801.A42 / AU-C 935.A42
Reporting Requirements: Compliance only report
AU 801.30 / AU-C 935.30
Auditor's report should include:
Title with the word independent
Government programs covered by the compliance audit
Applicable compliance requirements
Period covered by the report
Management’s responsibility for compliance requirements
Auditor's responsibility for opinion on the entity's compliance with the compliance requirements
Audit conducted in accordance with GAAS and GAGAS
Audit examined evidence on a test basis and other procedures the auditor considered necessary
Reporting Requirements: Compliance only report
AU 801.30 / AU-C 935.30
Auditor's report should include:
Auditor believes the audit provided a reasonable basis for opinion
Compliance audits do not provide a legal determination of the entity's compliance
Auditor's opinion whether the entity materially complied with the compliance requirements
Description of noncompliance or a reference to a description of such noncompliance if:
Results in opinion modification
Required to be reported by the governmental audit requirements and does not result in opinion modification
Reporting Requirements: Compliance only report
AU 801.30 / AU-C 935.30
Auditor's report should include:
If compliance evaluation criteria are established by contractual agreement or regulatory provisions solely for the parties to the agreement or regulatory agency, or are available only to specified parties:
A statement that the report is intended solely for the information and use of specified parties, identification of the specified parties, and a statement that the report is not intended to be used by anyone else
Auditor’s firm signature
Auditor's report date
Reporting Requirements: Combined Report on Compliance and Internal Control Over Compliance
AU 801.31 / AU-C 935.31
AU 801.A42 / AU-C 935.A42
Additional requirements for combined reports:
Management’s responsibility for internal control over compliance with applicable laws, regulations, rules, contracts or grant agreements.
Auditor’s consideration of entity’s internal control in planning and performance of the audit to express an opinion on compliance but not to express an opinion on the effectiveness of internal control over compliance.
Auditor is not expressing an opinion on internal control over compliance.
Auditor's consideration of the entity's internal control not designed to identify all deficiencies that might constitute significant or material weaknesses.
Reporting Requirements: Combined Report on Compliance and Internal Control Over Compliance
AU 801.31 / AU-C 935.31
AU 801.A42 / AU-C 935.A42
Additional requirements for combined reports:
Definition of deficiency and material weakness in internal control over compliance.
A description or reference to schedule of any identified material weaknesses in internal control over compliance.
A description or reference to schedule of any significant deficiencies in internal control over compliance.
Statement that no material weaknesses in internal control were identified if none found.
A statement that the report is intended solely for the information and use of specified parties, identification of the specified parties, and a statement that the report is not intended to be used by anyone else
Reporting Requirements: Separate Report on Internal Control Over Compliance
AU 801.32 - .38 / AU-C 935.32 - .38
Requirements in addition to AU 801.31 / AU-C 935.31 for Separate Report:
Title with the word independent
Governmental program and period audited
Signature
Date
Material noncompliance issues or scope limitations require report modifications
AU 508 Reports on Audited Financial Statements / AU-C 705, Modifications to the Opinion in the Independent Auditor’s Report
Scope limitations require qualification or disclaimer of opinion
Reporting Requirements: Separate Report on Internal Control Over Compliance
AU 801.32 - .38 / AU-C 935.32 - .38
AU 801.A35 / AU-C 935.A35
Requirements in addition to AU 801.31 / AU-C 935.31 for Separate Report:
Significant or material weaknesses in internal controls over compliance require written notification by auditor regardless of governmental requirements
GAGAS requires response from responsible officials
Documentation Requirements
AU 801.39 - .42 / AU-C 935.39 - .42
Internal Control Over Compliance documents include:
Risk assessment procedures
Response to assessed risks
Testing procedures
Results
Materiality levels
How the auditor complied with governmental requirements supplemental to
GAAS
GAGAS
Reissuance of Compliance Reports
AU 801.43 / AU-C 935.43
AU 801.A39 / AU-C 935.A39
An explanatory paragraph should include:
Reasons for reissuance
Changes
Additional procedures, if any
Updated report date
Examples where report might be reissued
Quality review found applicable compliance requirement not tested
Subsequent discovery that another program was required to be tested
Adapting and Applying the AU Sections to a Compliance Audit
AU 801.A41 / AU-C 935.A41
Auditors should use professional judgment in determining necessary and relevant audit procedures:
Appendix A41 lists the AU sections and paragraphs that are not applicable to compliance audits
2011 Government Auditing Standards Summary of Major Changes
Conceptual framework for independence added for auditors to assess independence
Specific references to personal, external, and organizational impairments and overarching independence principles removed and replaced with conceptual framework
New documentation requirements for auditor independence added
Nonaudit services that always impair independence but may be permitted under appropriate conditions revised
Auditors performing nonaudit services for entities they audit must assess & document management’s possession of suitable skill, knowledge, and experience to oversee services
2011 Government Auditing Standards Summary of Major Changes
Examinations, reviews and agreed-upon procedure engagements now separately discussed.
SAS and SSAE requirements repeated in GAGAS removed
Fraud reporting only required if significant within the context of the audit objectives for performance audits.
Reference Materials for webinar
Today, we will cover material available on the AICPA website at: http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SAS.aspx
AU Section 801 / AU-C 935
The material covered was referenced to the current AU section and the new Clarity Project section AU-C.
Office of Management and Budget at: http://www.whitehouse.gov/omb/circulars_default/
OMB Circular A-133, Compliance Supplement 2011 (see bottom of page for complete download)
Government Accountability Office at: http://www.gao.gov/yellowbook
Government Auditing Standards, December 2011 Revision (GAO-12-331G)
Summary of Major changes
Listing of Technical Changes
Thank you.
A&A UPDATES
H. Kyle Anderson, CMA, CPA
Bill Ellis, CPA
John Kunst, CPA