Findings from Peer Reviews of Governmental Engagements

Governmental audit problem areas

The AICPA has identified governmental engagements as a high-risk area. While governmental accounting is complex, the addition of Yellow Book and Single Audit standards (when applicable) make these engagements even more challenging.

I recall in the pre-GASB 34 days reviewing physical ledger sheets that contained all of the transactions for a local government. There were no Yellow Book or Single Audit requirements. Those idyllic days of simplicity are gone, and the complexity of governmental audits has increased a hundred-fold.

Governmental regulators have complained that CPAs are not performing these audits in conformity with professional standards. In addition, these regulators are saying that the present peer review process is not identifying non-conforming engagements.

Picture is courtesy of DollarPhotoClub.com

Picture is courtesy of DollarPhotoClub.com

AICPA’s Testing of Peer Review Process

In response to these concerns–and those related to other high-risk areas such as benefit plans–the AICPA performed enhanced oversights to gauge how well peer reviewers are performing.

Here are some of the key takeaways from the oversights performed on that initial sample of engagements:

  • Approximately 40 percent of the engagements selected as part of this pilot program were identified as non-conforming with the applicable professional standards by the industry experts.
  • The peer reviewers on these engagements had identified only around one out of ten as non-conforming.
  • Over the 2012 to 2014 peer review cycle, 8 percent of the must-select engagements reviewed were identified as non-conforming by their reviewers.

Peer review statistics related to governmental engagements reflect similar dynamics:

  • Significantly more GAGAS/single audit engagements were determined to be non-conforming by the oversighters and were not recognized as being non-conforming by the peer reviewers. There was an approximate 40 percent nonconforming rate for oversights of governmental engagements while none of these engagements were identified as nonconforming by the peer reviewers.

Governmental Engagement Deficiencies

The enhanced oversights identified the following governmental engagement deficiencies (many of these are related to Yellow Book and Single Audit):

  • Compliance requirements documented as applicable, but no testing performed for the compliance requirement
  • A lack of testing of internal controls over direct and material compliance requirements
  • A lack of documentation of management’s skills, knowledge, and experience to effectively oversee nonaudit services performed by the auditor
  • A lack of documentation or incomplete documentation related to the risk assessment of type A or type B programs
  • A lack of documentation supporting the assessment that compliance requirements were not applicable for the identified major programs
  • A lack of documentation showing the consideration of fraud risk regarding noncompliance for major programs
  • A lack of documentation of the internal control assessment over the preparation of the Schedule of Federal Awards (SEFA)
  • The Schedule of Findings and Questioned Costs missing required elements
  • Financial statements presented under GAAP instead of GASB
  • No materiality calculation on opinion units
  • A lack of documentation detailing the risk of management override of controls.
  • A lack of documentation to support the client’s designation as a low-risk auditee
  • Type A programs that were designated as low risk when they did not meet all of the requirements
  • An auditor’s report on internal control that did not include all required elements
  • The report on compliance with requirements applicable to each major program and internal controls over compliance that did not contain all of the required elements
  • A data collection form that did not properly summarize the auditor’s results
  • A calculation of amounts tested as major programs that was incorrect
  • The omission of a federal program from a cluster that should have been included when testing major programs

Increased Scrutiny

Expect increased peer review scrutiny of governmental engagements in peer reviews.

The CPA community must take these concerns seriously. If we don’t, we may end up with a complete change of the present peer review process. Without positive improvement, CPA firms could, one day, be reviewed by governmental regulators — think IRS audits. It is imperative that we self-regulate in an effective manner.

Due Dates for Single Audit Submissions Extended (Again)

Due dates between 7/22 – 12/30/2015 are extended to 12/31/2015

The Federal Audit Clearinghouse (FAC) has extended the single audit submission deadline to December 31, 2015. The FAC is working to resolve a security issue.

Here is a screenshot from the website:

Due date extension

As you can see “due dates between 7/22 – 12/30/2015 are extended to 12/31/2015.”

 

2015 Compliance Supplement and the Compliance Matrix

A draft of the 2015 Compliance Supplement is available from the AICPA Governmental Audit Quality Center here. The final issuance of the 2015 Compliance Supplement is expected in late June 2015. The draft should be used just for planning purposes, and auditors need to use the final compliance supplement (once issued).

The 2015 Compliance Supplement is effective for years ending June 30, 2015.

The 2015 Compliance Supplement drops two previous requirements from the matrix; those are:

  1. Davis Bacon
  2. Real Property Acquisition and Relocation Assistance

The slots for these two requirements are titled “Reserved.” See example picture below.

Also the “Period of Availability” requirement has been renamed “Period of Performance.”

Here’s a look at the draft compliance matrix requirements.

Compliance Matrix Requirements

Part 6 Internal Controls Removed

Part 6 (Internal Controls) of the compliance supplement has been temporarily removed for 2015. Part 6 will be updated in future years. The draft of the 2015 Compliance Supplement states the following in Part 6:

IN 2013 COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION (COSO) UPDATED THE “INTERNAL CONTROL – INTEGRATED FRAMEWORK,” AND IN SEPTEMBER 2014, THE GOVERNMENT ACCOUNTABILITY OFFICE (GAO) ISSUED AN UPDATED “STANDARDS FOR THE INTERNAL CONTROL IN THE FEDERAL GOVERNMENT,” COMMONLY REFERRED TO AS “THE GREEN BOOK.” DUE TO THE NEED TO UPDATE OTHER PARTS OF THIS SUPPLEMENT FOR THE UNIFORM GUIDANCE IN 2 CFR Part 200, OMB WAS UNABLE TO ALSO UPDATE PART 6 FOR THE REVISIONS TO COSO AND THE GREEN BOOK WITHOUT DELAYING THE ISSUANCE OF THIS SUPPLEMENT. SINCE THE 2014 VERSION OF PART 6 IS OUT OF DATE, IT WAS NOT CARRIED FORWARD TO THIS SUPPLEMENT. NON-FEDERAL ENTITIES AND THEIR AUDITORS SHOULD LOOK TO THE COSO AND GREEN BOOK FOR GUIDANCE ON INTERNAL CONTROLS UNTIL PART 6 IS UPDATED. OMB PLANS TO UPDATE PART 6 FOR THE 2016 COMPLIANCE SUPPLEMENT.

This does not mean that internal controls will not be tested, just that OMB needs time to update the internal control guidance in the supplement. As the above states, auditors should refer to COSO and to the Green Book.

Data Collection Form Filing Deadline Extended to Feb. 28, 2014

The Federal Audit Clearinghouse has the following “important notice” on its website as of January 2, 2014:

The Form SF-SAC 2013 Data Collection is scheduled for release January 7, 2014. See the November 19, 2013 Federal Register Notice. The Office of Management and Budget (OMB) has granted an extension until February 28, 2014 for all 2013 forms due on or before February 28, 2014. The extension is automatic and there is no approval required. Auditees with findings are encouraged to submit as soon as the 2013 Form becomes available on January 7, 2014.

I’m not sure how many times the deadline has been extended; at this point, I’ve lost count. Hopefully this date sticks.

New Single Audit Threshold: $750,000

Today (December 19, 2013), the AICPA Governmental Audit Quality Center (GAQC) announced that the Single Audit threshold will increase from $500,000 to $750,000. GAQC stated the following:

The threshold for audit will be increased to $750,000 as had previously been proposed. With regard to the effective date of the new rules, it is our understanding that they will be effective for single audits of years beginning on or after January 1, 2015. That is, the first single audits that will be affected by the new rules will be December 31, 2015, year ends.

2013 Data Collection Form Filing Deadline Extended – Again

The Federal Audit Clearinghouse (FAC) has once again extended the 2013 Data Collection Form submission waiver language that is posted on its Web site (https://harvester.census.gov/fac/) through January 31, 2014.  The extension language appearing on the FAC Web site is now as follows:

“If a single audit for a fiscal period ending in 2013 is due before the 2013 Form is available, auditees will not be able to meet the 30 day or 9 month deadlines for submission prescribed by OMB Circular A-133 §_.320(a). Therefore, OMB has granted an extension until January 31, 2014. The extension is automatic and there is no approval required. The extension applies only to single audits for the fiscal periods ending in 2013.”

Click here for prior blog post summarizing forthcoming changes to the data collection form and related process for filing.

New Data Collection Form – Single Audits

To what years will the new data collection form (DCF) apply?

Audit periods ending in 2013, 2014 and 2015

When will the form be finalized?

The form was to be finalized by late November, but the government shut-down may delay this time-frame. (The first Federal Register notice was issued in May with a comment due date of July 8, 2013. A second Federal Register notice was to be issued in mid-October, but, again, the federal shut-down will probably delay this date.)

Has OMB provided an extension for filing due-dates?

The Federal Audit Clearinghouse (FAC) web site states (or at least before the government shutdown stated):

If a single audit for a fiscal period ending in 2013 is due
before the 2013 Form is available, auditees will not be able
to meet the thirty day deadline for submission prescribed
by OMB Circular A-133 §_.320(a). Therefore, OMB has
granted an extension until December 31, 2013, for
reporting packages due to the Clearinghouse before
that date. The extension is automatic and there is no
approval required. The extension applies only to single
audits for the fiscal periods ending in 2013.

(New extended date through January 31, 2014 – as of November 7, 2013; click here for more information.)

When will the new Internet Data Entry System (IDES) be available?

It was suppose to be available on October 7, 2013. I tried to access the site today (October 14, 2013), but, due to the government shut-down, it was not available.

Will there be any changes in registration?

Each user must create one account using one email address; this is true even if you have used the system prior to the update. You will only register once. On the new log-in page, you will see “Register” just under the “Account Log-in” section; click “Register” to access the registration screen.

CaptureOn the registration page, you will enter:

  1. Your name
  2. Your email address

The name entered here will not show up on the data collection form; it is purely for communication purposes with the FAC. Your new account name will be your email address.

Then click the “register” tab.

Now you will receive a confirmation email from govs.fac.ides@census.gov; this email will have a hotlink that you will click. Clicking the link will take you to a password entry screen. Now enter your unique password. These passwords will expire after 60 days, regardless, and 30 days if there is no activity. Passwords cannot be reused.

The passwords must meet the following requirements:

  1. 12 characters in length (minimum)
  2. must contain at least one of each of the following:
    1. Upper case letters (A-Z)
    2. Lower case letters (a-z)
    3. Numbers (0-9)
    4. Special characters from !@#$%^&*()
    5. No character repeated more than 4 times (Charles22222# will not work)

For example: ThisisComplicated2556!  – This works (even though it’s complicated).

Previous submissions will be available (the system matches email addresses used for previous reports).

Once you enter your password, you can go to the “Account Home.”

Capture

From here you will enter, revise or view your report.

You will see new improved data entry formats; I think you will like them. They are cleaner and easier to understand.

There is still a requirement for auditor and auditee certification. On the “Submission Access” page you will need to enter an email address for the auditor and the auditee. (The auditee will receive a password email like the one you – the auditor – received.)

You will also be required to submit an unlocked and unencrypted audit report. You can find instructions for creating a compliant PDF Single Audit Report at: https://harvester.census.gov/fac/create_pdf.pdf (this link may not work until the government shutdown is resolved).

There is a requirement that audit reports be unlocked and unencrypted beginning with the 2014 reports. (The auditor will receive a warning page for 2013 reports that don’t comply, but the report can still be submitted.)

Concerns

I must say it concerns me greatly that CPA firms are being required to submit unlocked and unencrypted files. These reports contain signed CPA firm opinions. Could not someone change the numbers?