Revised OMB Circular A-133

and the Single Audit Act Amendments

By Robert A. Dyson

In Brief

A Risk-Based Approach

The most widely reported change resulting from the issuance of revised OMB Circular A-133, Audits of Institutions of Higher Education and Other Non-Profit Institutions, was the increase in the threshold triggering the audit requirements to $300,000 of Federal awards expended per year. However, the new rules just do not simplify audit requirements, they also add new responsibilities for the auditor.

The most significant new responsibility is the requirement that auditors apply a risk-based approach in performing audits of Federal award recipients. Auditors are responsible for assessing risk in relation to the auditee and Federal programs and are permitted, under certain circumstances, to reduce audit coverage of entities qualifying as low risk and exclude certain low-risk Federal programs from their audit scope. The new risk-based approach requires significant auditor judgment that can best be addressed through increased planning. The author presents a comprehensive example of how to apply the new approach.

New auditing rules for
nonprofit recipients of Federal funds:
finding the bad one more effectively

The promise of major changes in government auditing was fulfilled in 1996. In April, the Office of Management and Budget (OMB) issued its revised OMB Circular A-133, Audits of Institutions of Higher Education and Other Non-Profit Institutions, which applies to not-for-profit organizations (NPOs) receiving Federal awards. In July, the Single Audit Act Amendments Act of 1996 (the act) became law, which is applicable to all nonfederal recipients of Federal awards, including NPOs, state and local governments, and Indian tribal governments. OMB's ultimate goal is to standardize single audit requirements for both NPOs and state and local governments. At the time of this writing, OMB intends to revise Circular A-133 again to make its provisions conform with the act, include state and local governments within its scope, and rescind Circular A-128, Audits of State and Local Governments. Because OMB envisions Circular A-133 to be the implementing regulation for the act, this article focuses on the revised circular.

Basic Audit Requirements

The new rules require recipients expending $300,000 in Federal awards in a fiscal year to have a single or program-specific audit conducted for that year. As currently permitted for NPOs, recipients expending Federal awards under only one Federal program have the option of obtaining a program-specific audit. Both types of audits should be performed in accordance with Government Auditing Standards ("yellow book"), issued by the U.S. General Accounting Office (GAO) and the additional requirements contained in the revised circular.

The revised circular clarifies existing practice by requiring that the auditor obtain an understanding of the recipient's internal control as a whole and over Federal programs sufficient to plan the audit to achieve a low assessed level of control risk for major programs. This provision does not require auditors to achieve a low assessed level of risk; rather, it requires auditors to test the internal controls over Federal programs to determine whether the controls are effective or not. Auditors concluding that controls are ineffective should disclose a reportable condition or material weakness, as appropriate, assess control risk at the maximum, and consider performing additional tests.

The new reporting rules are similar to the current rules that require the auditor to report on--

* whether the financial statements are presented fairly in all material respects in conformity with generally accepted accounting principles;

* whether the schedule of Federal awards is presented fairly in all material respects in relation to the financial
statements;

* internal control related to the financial statements and major programs, including a description of the scope of testing of internal control and results of tests, and, where applicable, reference to the separate schedule of findings and questioned costs;

* compliance with provisions of laws, regulations, contracts, or grants that could have a direct and material effect on determining financial statement amounts, including an opinion on whether the recipient complied with laws, regulations, contracts, or grants that could have a direct and material effect on each major Federal program and/or compliance requirement type (i.e., Federal financial reporting, allowable costs/cost principles, types of services allowed or unallowed, and eligibility), and where applicable, reference to the separate schedule of findings and questioned costs; and

* a schedule of findings and questioned costs that includes a summary of auditor's results and audit findings, such as those pertaining to internal control matters, compliance matters, questioned costs, or suspected fraud.

Identifying Federal Awards Received

The revised circular requires recipients to identify all Federal awards received and expended and the Federal programs under which they were received. The identification of Federal awards should include, as applicable, the Catalog of Federal Domestic Assistance (CFDA) title and number, award number and year, name of the Federal agency and name of the pass-through entity.

A common scenario faced by auditors is that the recipient knows it receives funding from a pass-through entity but does not know the Federal component of that grant. Sometimes this is the result of the recipient's poor recordkeeping practices or misinterpretation of information sent by the grantor or pass-through entity. In these instances, the auditor should consider the internal control and compliance implications by questioning the entity's ability to ensure compliance with laws, regulations, grants, and contracts when it does not know it has a Federal award. In other instances, the grantor or pass-through entity misinforms the recipient of the existence and/or amounts of Federal awards contained in grants provided. In any case, auditors should assess management's identification of Federal awards by performing the following procedures:

* Review revenue accounts for evidence of grants;

* Consider knowledge about types of Federal awards obtained from prior years' audits, a review of the predecessor auditor's workpapers, or audits of other clients;

* Obtain a written representation from management regarding the completeness of management's identification of Federal awards;

* Review relevant portions of award contracts and related laws and regulations; and

* Review minutes of the governing body to identify awards received and the related restrictions.

Determining Amount of
Federal Awards Received

An award is recognized as revenue at the same time the related expenditures are recognized. The value of Federal noncash assistance, such as free rent, food commodities, and donated property, is measured at fair market value at time of donation or the assessed value provided by the grantor agency. The revised circular's rules regarding loans and loan guarantees, endowment funds, and free rent are similar to those currently in effect.

Identifying Major Programs

Auditors should classify awards as major programs using the following risk-based approach:

Identify Type A (Large) and Type B (Small) Programs. The revised circular defines Type A programs as the larger of--

* $300,000 or three percent (0.03) of total Federal expenditures when total Federal expenditures equal or exceed $300,000 but are less than or equal to $100 million;

* $3 million or three-tenths of one percent (0.003) of total Federal expenditures when total Federal expenditures exceed $100 million but are less than or equal to $10 billion; or

* $30 million or fifteen hundredths of one percent (0.0015) of total Federal expenditures when total Federal expenditures exceed $10 billion.

All programs not classified as Type A are classified as Type B.

Identify Low-Risk Type A Programs. Generally, any Type A program audited at least once in the last two audit periods with no findings in the most recent audit is considered a low-risk program. However, the revised circular gives the auditor considerable latitude in classifying Type A programs as low risk and permits the cognizant or oversight entities to grant waivers on auditing certain programs. Auditors should consider the level of control risk assessed during the performance of internal control procedures, the inherent risk related to the type of expenditures and other factors, and the oversight exercised by the Federal or pass-through entity. For example, significant findings resulting from systemic weaknesses corrected prior to the current audit period may not preclude the classification of a program as low risk.

On the other hand, the revised circular does not preclude classifying a Type A program as high risk even if no findings were reported if the auditor determines that a change in personnel or systems affecting one or more Type A programs increases risk. In addition, a Federal grantor agency may obtain authorization from OMB to require auditors not to classify certain programs as low risk to meet certain legal requirements, such as the Government Management Reform Act of 1994. In these cases, the Federal agency is required to notify the recipient and the auditor, if known, at least 120 days prior to the close of the recipient's fiscal year.

Regardless of risk classification, all Type A programs should be audited as major programs at least once every three years.

Identify High-Risk Type B Programs. The criteria in assessing risk of Type B programs is similar to that used in Type A programs, as discussed above. Because the purpose of the revised circular is not to require testing of relatively small Federal programs, except to meet the 50% rule discussed below, the auditor is only required to perform risk assessments on Type B programs that exceed the larger of--

* $100,000 or three tenths of one percent (0.003) of total Federal expenditures when the auditee has less than or equal to $100 million in total Federal expenditures; or

* $300,000 or three hundredths of one percent (0.0003) of total Federal expenditures when the auditee has more than $100 million in total Federal expenditures.

Select the Programs to Be Audited as Major Programs. As a minimum, auditors should audit the following as major programs:

* All Type A programs, except those classified as low risk;

* At least one half of the Type B programs classified as high risk, except the auditor does not have to audit more high-risk Type B programs than the identified number of low-risk Type A programs; and

* Such programs necessary to comply with the 50% rule discussed in the following paragraph.

Fifty Percent Rule. The revised circular requires Federal awards that, in the aggregate, encompass at least 50% of total Federal expenditures be audited as major programs. However, if the entity meets the criteria for a low-risk auditee, as discussed below, the auditor needs to audit, as major programs, Federal awards that, in the aggregate, encompass at least 25% of total Federal expenditures. The auditor does not have to justify the selection of any programs pursuant to this
requirement.

An example of applying the risk-based approach is presented in an accompanying sidebar.

Low-Risk Auditee

The revised circular permits entities meeting all of the following conditions for each of the preceding two years to be eligible for reduced audit coverage as a low-risk auditee:

* Received audits performed in accordance with OMB Circular A-133;

* The auditor's opinions on the financial statements and schedule of Federal awards were unqualified or the cognizant or oversight agency provided a waiver based on a determination that the qualification did not affect the management of Federal awards;

* The report on internal control did not report any deficiencies identified as material weaknesses or the cognizant or oversight agency provided a waiver based on a determination that the material weaknesses did not affect the management of Federal awards; and

* No Type A programs had audit findings regarding internal control deficiencies identified as material weaknesses; noncompliance with the provisions of laws, regulations, contracts, or grants that had a material effect on the program; or known or likely questioned costs that exceed five percent of the total expenditures of a Type A program during the year.

Determining Compliance
Requirements

The auditor has the affirmative responsibility to obtain current compliance requirements, such as audit guides, supplemental guidance, new regulations, and contractual requirements and to modify the audit accordingly. This requirement stems from OMB's failure to keep current its compliance supplements for NPOs and state and local governments. Auditors can no longer defend testing of outdated compliance requirements taken from outdated compliance supplements. At the time of writing, OMB expects to issue a revised compliance supplement for NPOs in January 1997.

Auditors must be careful in identifying compliance requirements. Many recipients know the performance requirements of the award, but do not know specific compliance requirements, particularly those related to documentation. Award documents may be years old and contain outdated references and requirements. Non-federal entities that pass through grants are notoriously uninformed of Federal audit and compliance requirements and, accordingly, should not be the sole source of this information. These entities, however, can be very helpful in providing their own requirements.

Auditors may commence their search for compliance requirements by first reviewing the annual notice from the grantor, which is a one or two page document indicating the amount of the grant, the CFDA number, the period of the grant, and the name of the contact individual at the grantor agency. The auditor should then review the CFDA, which provides citations to applicable laws and regulations, relevant audit manuals, and the names and telephone numbers of program staff who serve as contact persons for each program. The auditor should be able to obtain the compliance requirements from the contact person and/or from the Code of Federal Regulations, which is available online. The CFDA is updated every six months.

Audit Findings

The revised circular clarifies the presentation of audit findings by requiring only a single schedule, with multiple findings related to the same issue presented as a single finding. Some auditors have interpreted the current circular to require that findings be classified as either internal control or compliance matters to be reported in either or both reports. As a result, auditors reported the same findings or different aspects of one finding in both reports, resulting in redundant or piecemeal reporting.

The auditor is required to report the following in a schedule of findings and questioned costs:

* Reportable conditions in internal control over major programs, including those that are individually or cumulatively material weaknesses;

* Material noncompliance with the provisions of laws, regulations, contracts, and grants, with materiality based on the type of compliance requirement (e.g., Federal financial reporting, allowable costs/cost principles, types of service allowed, and eligibility) for a major program or an audit objective identified in the compliance supplement;

* Known or likely questioned costs that are greater than $10,000 for a type of compliance requirement of a major
program;

* The circumstances causing an other than unqualified auditor's opinion on compliance with major programs;

* Known fraud; and

* Instances where the auditee materially misrepresented the status of any prior audit finding.

The exhibit gives an example of determining whether a finding is reportable.

Known and Likely Questioned Costs. Known questioned costs are those specifically identified by the auditor. Likely questioned costs are the auditor's best estimate of total questioned costs developed during the evaluation of the findings. The most common procedure in determining likely questioned costs is projecting known questioned costs to the statistical universe.

Audit Finding Detail. The revised circular requires the following information be presented for each finding to give both the recipient and grantor sufficient detail to determine the cause and facilitate prompt and effective correction action:

* Federal program and specific identification number, including CFDA title and number, Federal award number and year, and names of both the Federal and pass-through entities;

* The criteria applied, including statutory, regulatory, or other citation;

* The condition found, including the facts supporting the identified deficiency;

* The amount of questioned costs, including the method of computing them;

* Information to provide a proper perspective for judging the prevalence and consequences of the audit findings (i.e., an "effect"), such as whether the audit finding represents an isolated instance or a systemic problem. Where appropriate, it should include the number of occurrences compared with the universal and the dollar amount exposed to the risk of misappropriation;

* Recommendations to prevent future deficiencies; and

* Views of responsible officials who disagree with the audit findings.

Monitoring Subrecipients

Even though the increased audit threshold may relieve certain subrecipients of their audit responsibilities and the revised circular does not apply to foreign subrecipients, pass-through entities are not relieved of the responsibility to monitor their subrecipients. Under the current circular, the monitoring was often achieved by simply reviewing the audit reports submitted by the subrecipient and following up on any findings. Because the increased audit threshold may reduce the number of subrecipients required to submit audit reports, pass-through entities may have to perform additional monitoring procedures, such as examining subrecipient records and financial statements or engaging an auditor to report on the subrecipient's compliance with laws and regulations. Auditors performing this service may follow the guidance in the Statements on Standards for Attestation Engagements. In any case, the pass-through entity's auditor is responsible for determining whether the pass-through entity is adequately monitoring subrecipients.

Report Submission Time

All audit reports are required to be submitted within nine months of the close of the recipient's fiscal year, unless a longer period is authorized by the cognizant or oversight entity. Regardless of the nine-month rule, the recipient must submit audit reports within 30 days of issuance by the auditor.

Other Matters

The revised circular provides guidance on the following matters:

For-Profit Subrecipients. Although not specifically applicable to for-profit subrecipients, the new rules give pass-through entities the responsibility of establishing contractual requirements to ensure compliance with the requirements of Federal awards.

Other Audit Requirements. Federal agencies and pass-through entities may request a specific recipient to have a particular program audited as a major program, but must make the request at least 180 days before the close of the recipient's fiscal year and must agree to pay any incremental audit fees incurred as a result of the request.

Other Comprehensive Bases of Accounting. OMB has indicated that the new rules do not preclude the preparation of financial statements on bases of accounting other than generally accepted accounting principles, such as cash basis. The auditor's reports on such statements should follow Statement on Auditing Standards No. 62, Special Reports (AU Section 623).

Program-Specific Audits. The revised circular gives detailed guidance on program-specific audits, which, in the absence of a program-specific audit guide, requires both the recipient and auditor to assume responsibilities similar to those of a single audit of a major program.

Recipient Responsibilities. The revised circular presents the recipient's responsibilities, including identifying all Federal awards received; complying with the laws, regulations, and provisions of those awards; preparing financial statements; following up on audit findings; and submitting reports, including an audit certification (which is a new
requirement).

Subrecipient and Vendor Determination. As payments for goods and services received from vendors are not considered to be Federal awards, the new rules list specific characteristics that distinguish Federal awards and vendors.

Effective Date

The revised circular is effective for audits of fiscal years ending on or after June 30, 1997, except for the requirement to apply the risk-based approach, which is effective for fiscal years ending on or after June 30, 1998. *

Robert A. Dyson, CPA, is a senior manager at Grant Thornton LLP. He is a member of the Government Accounting and Auditing and Financial Accounting Standards committees of the NYSSCPA and wishes to acknowledge the assistance of the following
individuals: Michele Mark Levine, Howard Becker, LeRoy Mitchell, and Ronald Pendergast. His e-mail address is RDYSON@GT.com.

Auditors are required to report known or likely questioned costs totaling $10,000 or more for a type of compliance requirement. Assume that Smith, in Exhibit 1, identifies $9,000 of specific questioned costs related to unallowable costs comprising 10 transactions covering payroll and purchases of supplies and equipment ranging from $700 to $1,200. Based on projections, Smith estimates total likely questioned costs at $20,000 relative to unallowable costs. Smith cannot avoid reporting these unallowable costs because no single transaction exceeds $10,000 and thereby must report $20,000 as likely questioned costs in an audit finding.

EXAMPLE OF APPLYING RISK BASED APPROACH

Smith first identifies the Type A and Type B programs. As NPO receives less than $100 million in Federal awards, a Type A program has, by definition, the larger of $300,000 or three percent of total Federal expenditures (which, in this case, is $106,170). Thus, Smith classifies as Type A programs those that have $300,000 or more of Federal expenditures (Programs 1 through 5) and the remaining programs (Programs 6 through 12) as Type B programs.

Smith then identifies low-risk Type A programs. As a general rule, Smith initially considers all Type A programs to be subject to audit as major programs and identifies low-risk programs as follows:

1. Include in the scope of the current audit those awards not audited as major programs within the last two years. Smith keeps tabs of when Type A programs were last audited. When obtaining a new client, Smith determines the year each Type A program was audited as a major program during the review of the predecessor auditor's workpapers. Smith intends to audit Program 1 as a major program because it has not been audited in the last two years.

2. Determine through review of prior reports and, if appropriate, of the predecessor auditor's workpapers, whether the programs audited during the previous two years had any audit findings related to reportable conditions, material weaknesses, irregularities, illegal acts, or noncompliance with the provisions of laws, regulations, contracts, or grant agreements. As a practical matter, unless a written waiver is received from the cognizant or oversight entity, Smith audits as a major program any Type A program reported having material weaknesses, irregularities, illegal acts, and instances of material noncompliance. As a result of this procedure, Smith intends to audit Program 2 as a major program.

3. During the initial consideration of internal control--

a. determine the inherent risk related to the program. Programs whose nature indicate a low inherent risk are candidates for low-risk classification. Smith uses his standard risk assessment procedures and such sources as OMB and GAO reports in identifying inherently high-risk programs. In addition, Smith reviews those programs where newspaper and television reports allege irregularities, if for no other reason but to address the inevitable questions from the cognizant or oversight entities.

b. determine if changes in personnel or systems administering the program occurred and, if so, the effect of those changes on the risks related to the program.

c. determine if NPO's system of monitoring subrecipients is properly designed.

d. Identify any new programs administered by NPO. Smith classifies Program 3 as high risk because NPO first received this award in 1999.

4. Review recent reports issued by Federal agencies or pass-through entities to see if any significant problems were identified. Programs receiving reviews with no significant findings may be candidates for classification as low risk. As a result of this procedure, Smith classifies programs four and five as low risk.

5. Document the procedures performed in assessing risk and the reasons for assessing risk as either high or low. This procedure is particularly important to reduce audit exposure when assessing Type A programs as low risk.

Smith then performs a risk assessment of Programs 6 through 11 to identify high risk Type B programs. Smith does not perform any risk assessment of Program 12 because it is less than $100,000. As a result of this assessment, Smith classifies Programs 6, 7, 8, and 9 as high risk.

In selecting specific Type B programs to audit as major programs, Smith considers overall risk and audit efficiency. He does not have to justify his selection of particular programs. He bases the number of programs to audit on the rule that permits him to select half of the high risk Type B programs (half of the four high risk programs is two), with the number not to exceed the number of low risk Type A programs (which, coincidentally, is also two). He considers the degree of risk of each program and the potential effect on NPO's overall financial statements. He knows that material noncompliance with laws, regulations, and grant provisions creates the risk that future awards may be reduced or eliminated or current awards be returned to the grantor or pass-through entity. As these matters could have a material effect on the financial statements, Smith concentrates his efforts on programs with the highest risk. For example, Program 9 pays salaries of employees providing services to program participants outside of NPO's office. These employees infrequently visit the office and receive their paychecks in the mail. During the review of NPO's overall internal control, Smith has identified significant internal control deficiencies in paying employees who work outside the office.

Smith also considers the effect of the 50% rule which, in NPO's case, means he must audit as major programs those programs with aggregate expenditures of $1,769,500 (half of the total expenditures of $3,539,000). Smith thus selects high risk Type B programs that will address overall audit risk and will comply with the 50% rule without having to select additional programs. Thus, Smith selects Programs 8 and 9 to audit as major programs.

If Smith's selection of high risk Type B programs does not meet the 50% coverage, he may select any program, including Program 12. He is not required or precluded from selecting a low risk Type A or high risk Type B program in meeting the 50% rule.