SAS 117 Presentation

SAS 117 Compliance Audits

A&A UPDATES

H. Kyle Anderson, CGMA, CMA, CPA

Bill Ellis, CPA

John Kunst, CPA

A & A Update and Review, Inc

6514 Dobbins Bridge RoadAnderson, SC 29626

(864) 933-3815 Fax: (888) 411-7668Website: www.aandaupdate.comE-mail: [email protected]

Skype: hkacpa

http://www.aandaupdate.com/

mailto:[email protected]

SAS 117 Compliance Audits

Compliance Audits

Supersedes SAS No. 74

Effective for periods ending on or after June 15, 2010

A&A UPDATES H. Kyle Anderson, CMA, CPA

Objectives

What are the audit requirements when Governmental agencies establish compliance requirements.

Authoritative guidance:

Governmental Auditing Standards (GAGAS)

Circular A-133, Audits of States, Local Governments & Non-Profit Entities

Generally Accepted Auditing Standards (GAAS)

Auditor’s professional responsibilities

Required procedures

Reporting requirements


Objectives

What are Management’s Responsibilities for:

Compliance requirements

Internal controls

Identifying & disclosing noncompliance

Providing written representations to auditors


Objectives

Review of Resources and updates available for:

Governmental Auditing Standards (GAGAS)

Circular A-133, Audits of States, Local Governments & Non-Profit Entities

Generally Accepted Auditing Standards (GAAS)


Update from Clarity Project released October 2011

SAS 117 was issued using Clarity project standards and is currently effective.

SAS 122, Statements on Auditing Standard:

Clarification and Recodification,

SAS 123, Omnibus Statement on Auditing Standards – 2011, Released October 2011 amends SAS 118.

The effective date for SAS 123 is for audits of financial statements for periods ending after 12/15/2012.


Update from Clarity Project released October 2011

SAS No. 117, Compliance Audits

Issued December 2009

Effective June 15, 2010.

Early Application permitted.

Currently AU 801 / New AU-C 935.


Reference Material to download for webinar Today, we will cover material available on the AICPA website at: http://

www.aicpa.org/Research/Standards/AuditAttest/Pages/SAS.aspx

Please download AU 801 prior to the start of the webinar.

The material covered will be referenced to the current AU section and the new Clarity Project section AU-C.

Office of Management and Budget at: http://www.whitehouse.gov/omb/circulars_default/

Please download OMB Circular A-133, Compliance Supplement 2011 (see bottom of page for complete download)

Government accountability Office at: http://www.gao.gov/yellowbook

Please download Government Auditing Standards, December 2011 Revision (GAO-12-331G)

Summary of Major changes

Listing of Technical Changes


http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SAS.aspx



http://www.whitehouse.gov/omb/circulars_default/


http://www.gao.gov/yellowbook


SAS 117

Compliance Audits

Introduction and ApplicabilityAuditor’s engaged or required by law to perform compliance audits in accordance with:

GAAS Generally Accepted Auditing Standards

GAGAS Governmental Auditing Standards

Governmental requires an auditor to express an opinion

While all AU sections are applicable to financial statement audits, not all AU sections are applicable to Compliance Audits

Effective DateEffective for fiscal periods ending on or before June 15, 2010 with early application permitted.

AU 801.01 - .09 / AU-C 935.01 - .09A&A UPDATES H. Kyle Anderson, CMA, CPA

SAS 117

Compliance Audits

AU 801.01 - .09 / AU-C 935.01 - .09

Management’s ResponsibilitiesManagement should:

Identify and comply with compliance requirements

Establish and maintain internal controls

Evaluate and monitor compliance requirements

Take corrective actions for non-compliance

Auditor’s Objectives

Obtain sufficient evidence to form an opinion on compliance with applicable compliance requirements

Identify required supplementary audit, reporting and performance procedures


SAS 117

Definitions

Applicable compliance requirements. Requirements subject to a compliance audit.

Compliance audit. Program-specific or organization-wide audit of compliance with compliance requirements.

Compliance Requirements. Applicable laws, regulation, rules, contracts or grant agreements required for government programs.

Deficiency in internal control over compliance. Internal control design, operation or control deficiency that does not prevent, detect or correct noncompliance on a timely basis.

AU 801.11 / AU-C 935.11A&A UPDATES H. Kyle Anderson, CMA, CPA

SAS 117

Definitions

Government Auditing Standards. Issued by Comptroller General of United States, U.S. Government Accountability Office. Known as Generally Accepted Government Auditing Standards (GAGAS) or the Yellow Book.

Material noncompliance. A failure to follow compliance requirements that results in material impact, individual or in the aggregate to the government program.

Material weakness in internal control over compliance. A deficiency where there is a reasonable possibility that material will not be prevented, detected and corrected on a timely basis. Reasonably possible: The chance is more than remote but less than likely. Remote: The chance is slight. Probable: The event or events are likely to occur.


SAS 117

Definitions

Program-specific audit. A compliance audit performed in conjunction with an audit of the entity’s or program’s financial statements.

Risk of material noncompliance. Two components of noncompliance existing prior to the audit:

Inherent risk of noncompliance. Susceptibility of noncompliance before considering related controls

Control risk of noncompliance. Risk noncompliance will not be prevented, detected, or corrected on a timely basis by internal controls

A significant deficiency in internal control over compliance is less severe but still warrants attention.


SAS 117

Auditor’s use of Professional Judgment

Auditors should exercise professional judgment adapting AU sections for compliance audits:

Specific excluded sections are listed in AU 801.A41 / AU-C 935.A41

OMB and GAGAS contain additional guidance


SAS 117

Establishing Materiality Levels

Materiality levels are based on Governmental Audit requirements.

Auditor should establish materiality levels to :

Determine risk assessment procedures

Assess risk of noncompliance

Determine further audit procedures

Evaluate compliance with requirements

Report noncompliance and other matters

Management is responsible for identifying and complying with compliance requirements.

AU 801.13 / AU-C 935.13AU 801.A6-A8 / AU-C 935.A6-A8


SAS 117

Identifying Government Programs and Applicable Compliance Requirements

Management is responsible for identifying and complying with compliance requirements.

Auditor is responsible for determining programs and compliance requirements to test

Part 3, Circular A-133 Compliance Dated 12/2011 identifies 14 compliance requirements that should be considered in every Cir. A-133 Compliance audit:

A—Activities allowed or not allowed

B—Allowable costs/cost principles

C—Cash management

D—Davis-Bacon Act

E—EligibilityAU 801.14 / AU-C 935.14

AU 801.A10-A10 / AU-C 935.A10- A10Circular A-133 Compliance Supplement, Part 3


SAS 117


Cir. A-133 14 compliance requirements continued:

F—Equipment and real property management

G—Matching, level of effort, earmarking

H—Period of availability of federal funds

I—Procurement and suspension and debarment

J—Program income

K—Real property acquisition and relocation assistance

L—Reporting

M—Sub recipient monitoring

N—Special tests and provisions AU 801.14 / AU-C 935.14AU 801.A10 - A11 / AU-C 935.A10 -A11

Circular A-133 Compliance Supplement, Part 3A&A UPDATES H. Kyle Anderson, CMA, CPA

SAS 117


Additional procedures to assess requirements where guidance is not available:

Read laws, regulations, rules, contracts or grant agreements

Inquiry within entity

Inquiry outside the entity

Minutes of governing boards

Prior auditors

AU 801.15-.17 / AU-C 935.15-.17AU 801.A12 - A18 / AU-C 935.A.12 –A18


SAS 117

Performing Risk Assessment Procedures

The Auditor should:

Gain understanding of internal controls

Assess risk

Determine

Nature,

Timing, and

Extent of audit procedures

Inquire of prior findings, recommendations or reports and management’s response

The auditor should assess risk of pervasive fraud or error in assessing risk of material noncompliance

AU 801.15-.17 / AU-C 935.15-.17AU 801.A12 - A18 / AU-C 935.A.12 –A18


SAS 117

Risk Assessment factors

Compliance Requirements

Newness, length of applicability and/or complexity

Judgment required for compliance

Nature

Entity’s services provided

Internal controls

Auditor’s knowledge

Control environment and activities

Design and implementation

MonitoringAU 801.15-.17 / AU-C 935.15-.17

AU 801.A12 - A18 / AU-C 935.A.12 –A18A&A UPDATES H. Kyle Anderson, CMA, CPA

SAS 117

Risk Assessment factors

Prior years findings

Oversight by grantor or pass-through entities

Management’s response

Risk related to noncompliance

Potential impact of noncompliance

Impact in financial statement audits

Entity’s financial condition

Entity’s recordkeeping

Risk evaluation can be individual areas or in combination with other areas.

AU 801.15-.17 / AU-C 935.15-.17AU 801.A12 - A18 / AU-C 935.A.12 –A18


SAS 117

Further Audit Procedures in Response to Assessed Risk

Pervasive Risk of Noncompliance

Tests of details

Tests of transactions

Tests of controls if:

Risk assessment includes expectation of effectiveness of controls

Substantive procedures insufficient

Governmental requirement

AU 801.18-.22 / AU-C 935.18-.22AU 801.A19 – A27 / AU-C 935.A.19 –A27


SAS 117


Relevant Guidance:

AU 318, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained in:

Response to risk of noncompliance

AU 350 Audit Sampling, AICPA Audit Guide Government Auditing Standards, and OMB Circular A-133 for:

Planning, designing and evaluating audit samples

Identifying major programs

Additional audit requirements supplementary to:

GAAS

GAGAS

AU 801.18-.22 / AU-C 935.18-.22AU 801.A19 – A27 / AU-C 935.A.19 –A27


SAS 117


Compliance testing can utilize tests of details and transactions for:

Grants disbursements & expenditures

Eligibility files

Cost allocation plans

Reports filed with grantor agencies

Substantive Analytical procedures can be used in combination with tests of transactions and other audit procedures.

AU 801.18-.22 / AU-C 935.18-.22AU 801.A19 – A27 / AU-C 935.A.19 –A27


SAS 117

Written Management Representations:Written management representations should acknowledge responsibility for:

Compliance requirements

Compliance related internal controls

Identifying programs and activities subject to requirements

Providing all contracts and grant agreements and compliance documents for auditor

Disclosing all noncompliance issues, including grantors and pass-through entities


SAS 117

Written Management Representations:Written management representations should acknowledge responsibility for:

Belief of compliance with requirements

Interpretations of compliance requirements

Disclosure of corrective actions from prior engagements of compliance activities.

Disclosure of all known noncompliance issues subsequent to the audit report

Responsibility for corrective actions for noncompliance

Additional guidance can be found at AU 333, Management Representations.


SAS 117

Subsequent Events:Subsequent events procedures should be performed up to the date of the report

Subsequent event inquiry of managements should include:

Internal Auditor’s reports

Other auditors’, grantors and pass-through entities noncompliance issues

Other professional engagements noncompliance issues

Auditors have No responsibility to perform audit procedure during subsequent events other than discussion with management or those in charge of governance.


SAS 117

Sufficiency and Appropriateness of Audit Evidence and Forming an Opinion

Sufficiency and appropriateness is determined at the governmental level and should include:

Likely questioned costs

Material noncompliance issues

Frequency of noncompliance

Nature

Adequacy of monitoring system

Likelihood of noncompliance of a material likely questioned cost

AU 801.28 - .29 / AU-C 935.28 - .29AU 801.A31 – A32 / AU-C 935.A31 – A32


SAS 117

Reporting: Additional GAGAS Standards

GAGAS contains eight additional reporting standards different from GAAS as follows:

1. Reports should state the audit was performed in accordance with Generally Accepted Governmental Audit Standards

2. Auditors must report on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grants when providing an opinion on financial statements.

3. In financial audits, auditors must report significant deficiencies and material weaknesses in internal controls, fraud and illegal acts, violations of provisions of contracts or grant agreements having a material impact on financial statements


SAS 117


Additional GAGAS reporting standards different from GAAS:

4. An auditor may emphasize the following matters under GAGAS:

1) Significant concerns or uncertainties about fiscal sustainability that may have a material financial impact

2) Unusual or catastrophic events that will likely have a significant future financial impact

3) Significant uncertainties regarding projections or estimates in the financial statements

4) Other matters deemed significant to users and oversight bodies

5. Auditors are required to advise management to make appropriate disclosures and perform additional procedures for new information that materially impacts previously issued financial statements


SAS 117


Additional GAGAS reporting standards different from GAAS:

6. Auditor must obtain a response from responsible officials regarding disclosures of deficiencies in internal control, fraud, illegal acts or contract and grant agreement violations

7. Information omitted from public disclosure must be noted with the reasons for omission in the auditor’s report

8. Report distribution is required to those charged with governance, officials, oversight bodies and organizations requiring or ordering the audit. Public accounting firms must clarify specific arrangements for distribution.


SAS 117

Reporting Examples: coverage in webinar

Please go to Exhibits in AU 801.A42 / AU-C 935.A42

We will cover the Combined Report on Compliance and Internal Control Over Compliance because it contains all the provisions of section .30 for Compliance Only requirements as well as additional Internal Control Over Compliance requirements.

I have separated those reporting requirements in the next slides for your reference.

AU 801.30 / AU-C 935.30AU 801.A42 / AU-C 935.A42


SAS 117

Reporting Requirements: Compliance only report


Auditors report should include:

Title with the word independent

Government programs covered by the compliance audit

Applicable compliance requirements

Period covered by the report

Management’s responsibility for compliance requirements

Auditor's responsibility for opinion on the entity's compliance with the compliance requirements

Audit conducted in accordance with GAAS and GAGAS

Audit examined evidence on a test basis and other procedures the auditor considered necessary

SAS 117




Auditor believes the audit provided a reasonable basis for opinion

Compliance audits do not provide a legal determination of the entity's compliance

Auditor's opinion whether the entity materially complied with the compliance requirements

Description of noncompliance or a reference to a description of such noncompliance if:

Results in opinion modification

Required to be reported by the governmental audit requirements and does not result in opinion modification

SAS 117




If Compliance evaluation criteria are established by contractual agreement or regulatory provisions solely for the parties to the agreement or regulatory agency or available only to specified parties.

Statement report intended solely for the information and use of specified parties, identification of specified parties, and report not intended to be used by anyone else

Auditor’s firm signature

Auditor's report date

SAS 117

Reporting Requirements: Combined Report on Compliance and Internal Control Over Compliance

AU 801.31 / AU-C 935.31AU 801.A42 / AU-C 935.A42


Additional requirements for combined reports:

Management’s responsibility for internal control over compliance with applicable laws, regulations, rules, contracts or grant agreements.

Auditor’s consideration of entity’s internal control in planning and performance of the audit to express an opinion on compliance but not to express an opinion on the effectiveness of internal control over compliance.

Auditor is not expressing an opinion on internal control over compliance.

Auditor's consideration of the entity's internal control not designed to identify all deficiencies that might constitute significant or material weaknesses.

SAS 117

Reporting Requirements: Combined Report on Compliance and Internal Control Over Compliance

AU 801.31 / AU-C 935.31AU 801.A42 / AU-C 935.A42


Additional requirements for combined reports:

Definition of deficiency and material weakness in internal control over compliance.

A description or reference to schedule of any identified material weaknesses in internal control over compliance.

A description or reference to schedule of any significant deficiencies in internal control over compliance.

Statement that no material weaknesses in internal control were identified if none found.

Statement report intended solely for the information and use of specified parties, identification of specified parties, and report not intended to be used by anyone else

.

SAS 117

Reporting Requirements: Separate Report on Internal Control Over Compliance


Requirements in addition to AU 801.31 / AU-C 935.31 for Separate Report:

Title with the word independent

Governmental program and period audited

Signature

Date

Material noncompliance issues or scope limitations require report modifications

AU 508 Reports on Audited Financial Statements / AU-C 705, Modifications to the Opinion in the Independent Auditor’s Report

Scope limitations require

Qualification or disclaimer of opinion

.

SAS 117

Reporting Requirements: Separate Report on Internal Control Over Compliance

AU 801.32 - .38 / AU-C 935.32 - .38AU 801.A35 / AU-C 935.A35


Requirements in addition to AU 801.31 / AU-C 935.31 for Separate Report:

Significant or material weaknesses in internal controls over compliance require written notification by auditor regardless of governmental requirements

GAGAS requires response from responsible officials

SAS 117

Documentation Requirements


Internal Control Over Compliance documents include:

Risk assessment procedures

Response to assessed risks

Testing procedures

Results

Materiality levels

How the auditor complied with governmental requirements supplemental to

GAAS

GAGAS

SAS 117

Reissuance of Compliance Reports

AU 801.432 / AU-C 935.43AU 801.A39 / AU-C 935.A39


An explanatory paragraph should include:

Reasons for reissuance

Changes

Additional procedures, if any

Updated report date

Examples where report might be reissued

Quality review found applicable compliance requirement not tested

Subsequent discovery that a another program was required to be tested

SAS 117

Adapting and Applying the AU Sections to a Compliance Audit

AU 801.A41 / AU-C 935.A41A&A UPDATES H. Kyle Anderson, CMA, CPA

Auditors should use professional judgment in determining necessary and relevant audit procedures:

Appendix A41 lists the AU sections and paragraphs that are not applicable to compliance audits

SAS 117

2011 Government Auditing Standards Summary of Major Changes



Conceptual framework for independence added for auditors to assess independence

Specific references to personal, external, and organizational impairments and overarching independence principles removed and replaced with conceptual framework

New documentation requirements for auditor independence added

Nonaudit services that always impair independence but may be permitted under appropriate conditions revised

Auditors performing nonaudit services for entities they audit must assess & document management’s possession of suitable skill, knowledge, and experience to oversee services

SAS 117




Examinations, reviews and agreed-upon procedure engagements now separately discussed.

SAS and SSAE requirements repeated in GAGAS removed

Fraud reporting only required if significant within the context of the audit objectives for performance audits.

Reference Materials for webinar Today, we will cover material available on the AICPA website at: http://

www.aicpa.org/Research/Standards/AuditAttest/Pages/SAS.aspx

AU Section 801 / AU-C 935

The material covered was referenced to the current AU section and the new Clarity Project section AU-C.

Office of Management and Budget at: http://www.whitehouse.gov/omb/circulars_default/

OMB Circular A-133, Compliance Supplement 2011 (see bottom of page for complete download)

Government accountability Office at: http://www.gao.gov/yellowbook

Government Auditing Standards, December 2011 Revision (GAO-12-331G)

Summary of Major changes

Listing of Technical Changes









Thank you.

A&A UPDATES

H. Kyle Anderson, CMA, CPA

Bill Ellis, CPA

John Kunst, CPA

Date post:	21-May-2015
Category:	Education
Upload:	dannynelson
View:	1,464 times
Download:	2 times

SAS 117 Presentation

Education