A risk-based approach helps auditors find the trouble spots.
In Brief
Type A or Type B, High or Low Risk, Major or Nonmajor?
Single audit requirements have been changed as a result of changes in the law; the issuance of OMB Circular A-133, Audits of State, Local Governments, and Nonprofit Organizations; a new Compliance Supplement; and SOP 98-3, Audits of States, Local Governments, and Not-for-Profit Organizations Receiving Federal Awards. The major changes include the introduction of a risk-based approach to the audit, the application of the single audit to not-for-profit organizations, and the change in the threshold for requiring a single audit from $100,000 of Federal awards received to $300,000 of Federal awards expended.
The authors view the proper implementation of the changes as an opportunity for auditors to perform a more effective audit while arming them to assist clients in improving the administration of Federal programs.
By Venita M. Wood and Deborah A. Koebele
For many years, single audits have been required for many governments and not-for-profit organizations. As a result of various studies and assessments made by the General Accounting Office (GAO) and the President's Council on Integrity and Efficiency (PCIE), the Single Audit Act of 1984 (the 1984 Act) was amended in 1996 (the 1996 Amendments) and the Office of Management and Budget (OMB) issued new single audit regulations in 1997. The new Federal law and regulations are effective for single audits for fiscal years beginning after June 30, 1996.
Background of the Single Audit Process
The 1984 Act--which applied to state and local governments, including Native American tribes--replaced individual grant-by-grant audits of Federal financial assistance with an organization-wide approach to the audit (hence the term single audit). It also required auditors to test an entity's internal control over Federal programs and its compliance with the requirements for those programs. OMB prescribed implementing regulations for the 1984 Act in its Circular A-128, Audits of State and Local Governments. Although most colleges and universities and other not-for-profit organizations were exempt from the 1984 Act, OMB imposed the single audit process on those organizations through the provisions of Circular A-133, Audits of Institutions of Higher Education and Other Nonprofit Organizations.
Over time, problems with the single audit process emerged. The $100,000 threshold for a single audit resulted in more Federal financial assistance being audited than originally intended. Federal program managers were concerned because single audits did not provide detailed coverage of nonmajor programs. Also, there were significant differences between the single audit requirements for governments and those for not-for-profit organizations. Although studies of the single audit process indicated it had improved financial management practices, they also indicated issues that burdened the process, hindered the usefulness of its reports, and limited its impact.
OMB incorporated many of the changes recommended by those studies into a revised Circular A-133 for not-for-profit organizations, issued on April 19, 1996. However, that circular, which was to be effective for audits of fiscal years ending on or after June 30, 1997, never became effective. Instead, the 1996 Amendments took effect, and OMB revised Circular A-133, which supersedes Circular A-128, to provide uniform guidance for both governments and not-for-profit organizations.
The 1996 Amendments and Circular A-133
In addition to the revised OMB Circular A-133, Audits of States, Local Governments, and Nonprofit Organizations, OMB also issued on June 30, 1997, a provisional Compliance Supplement to assist auditors in performing single audits. That provisional supplement has since been superseded by a final supplement issued in May 1998. In March 1998, the AICPA issued SOP 98-3, Audits of States, Local Governments, and Not-for-Profit Organizations Receiving Federal Awards, to provide guidance on the 1996 Amendments and Circular A-133. The AICPA has also issued an implementation guide on the single audit.
Exhibit 1 compares certain current and previous single audit provisions. The primary differences are the legislative application of the single audit to not-for-profit organizations and the increase in the threshold for requiring a single audit from $100,000 of Federal awards received to $300,000 of Federal awards expended. Including not-for-profit organizations under the 1996 Amendments results in a single set of audit requirements for Federal assistance. The increase in the dollar threshold reduces the audit burden on thousands of non-Federal entities while ensuring audit coverage over the vast majority of Federal assistance. Also, basing the audit on Federal assistance expended rather than that received eliminates the timing differences that can occur when auditees received Federal awards in a different year than that in which they spent them, thus allowing auditors to better examine an auditee's compliance with a program's spending requirements.
Financial Statements and Scope of the Single Audit
Circular A-133 requires the auditee to prepare financial statements that reflect its financial position, results of operations or changes in net assets, and, where appropriate, cash flows. It does not require the use of generally accepted accounting principles (GAAP) for those financial statements. The requirement for a full set of financial statements will make presentation changes necessary for some entities. For example, those entities with a single Federal program that previously prepared only program-based statements will have to issue a full set of financial statements.
The auditee and auditor should consider the scope of the entity in preparing the financial statements and conducting the single audit. Circular A-133 does not specify what constitutes the auditee's reporting entity; the reporting entity is defined by GAAP. However, Circular A-133 permits the auditee to limit its single audit coverage to those departments, agencies, and other organizational units that directly or indirectly expend or otherwise administer Federal awards.
Circular A-133 also permits auditees to conduct a series of audits of individual departments, agencies, and other organizational units instead of an entity-wide single audit. If an auditee elects this series of audits option, OMB requires separate financial statements and schedules of expenditures of Federal awards to be prepared for each such organizational unit. Specifically, there must be a one-to-one match between financial statements and single audits of organizational units. (An entity's organization-wide financial statements also may include organizational units that have separate audits and prepare separate financial statements without the organization having an entity-wide single audit. This is permitted so that the entity may both comply with the GAAP requirements for a reporting entity and take advantage of Circular A-133's series of audits option.)
For example, consider an authority that receives Federal awards and is included as a component unit in a city's financial statements. A separate single audit of the authority may be conducted only if separate financial statements and a separate schedule of expenditures of Federal awards are prepared and audited for the authority. If there are no separate financial statements and separate schedule, the authority must be audited as part of the city's single audit. If there is a separate single audit of the authority (with separate financial statements and schedule), the authority can be included in the city's financial statements, without having to be included in the city's single audit.
A single audit is not required unless a non-Federal entity expends $300,000 or more in Federal awards. Continuing the example from above, assume the city expends $500,000 in Federal awards and the authority expends $100,000. If the authority has separate, audited financial statements, it would not be required to receive a single audit. At the same time, the city could receive a single audit on only its $500,000 of Federal expenditures, even though its GAAP financial statements include the authority as a component unit. (The city's schedule of expenditures of Federal awards would not include the authority's Federal expenditures; the notes to the city's schedule would explain the scope of the schedule in relation to the scope of the reporting entity's financial statements.) However, if the only reporting of the authority's financial statements is as a component unit in the city's financial statements or if its separate financial statements are not audited, the authority should be included as part of the city's single audit, which would cover the entire $600,000 of Federal expenditures. In this situation, the schedule of expenditures of Federal awards would include the authority's expenditures.
Risk-Based Approach
Under the 1984 Act, auditors selected major programs for audit testing based only on expenditures. Typically, that dollar-based criterion meant that an auditee's large programs were likely to be tested each year and its other, often numerous, smaller programs were unlikely ever to be tested. The 1996 Amendments require the auditor to select major programs based on a combination of dollar size and program risk. That risk-based approach will increase audit effectiveness by concentrating audit effort on programs that may need managerial improvements.
There generally is a limit on the number of programs that must be selected as major using the risk-based approach based on the amount of the auditee's total Federal expenditures and the dollar size of the program. Also, the Compliance Supplement identifies groups of related programs, or clusters--such as research and development, student financial aid, school breakfast and lunch programs--that are to be considered a single program for audit purposes. Furthermore, major programs must encompass at least 50% of the auditee's Federal expenditures (25% for a low-risk auditee), and there is no requirement to test compliance for transactions selected from nonmajor programs.
The risk-based approach to selecting major programs must be used for all single audits except first-year audits. A first-year audit is the first year the entity is audited under A-133 or the first year of a change of auditors. In a first-year audit, the auditor may elect to select major programs using only a dollar threshold; however, that election may not be used for an auditee more than once every three years.
Circular A-133's risk-based approach is a four-step process that distinguishes between programs based on size, risk assessment, and type (major or nonmajor).
Step 1--Identify Type A and Type B Programs. Circular A-133 requires auditors to distinguish between Type A (larger) and Type B (smaller) programs, based upon a dollar threshold for Type A programs that varies depending on total Federal expenditures as shown in Exhibit 2.
All programs not classified as Type A programs are classified as Type B programs. If loan and loan guarantee programs would significantly affect the number or size of Type A programs, they should be designated as Type A programs and their values excluded in calculating other Type A programs. Clusters of programs should be considered one program for the purpose of identifying them as Type A or Type B.
For biennial audits, the determination of Type A and Type B programs is based on Federal expenditures during the two-year period. Biennial audits are permitted for state or local governments if a legal requirement for such audits was in effect on January 1, 1987, and is still in effect. Biennial audits are permitted for not-for-profit organizations if a biennial audit was conducted for all biennial periods between July 1, 1992, and January 1, 1995.
Step 2--Risk Assess Type A Programs. The auditor should risk assess each Type A program using criteria established in Circular A-133 and shown in Exhibit 3. For a Type A program to be low-risk, it must meet all three of certain criteria. If none of those criteria are met, the auditor should continue the risk assessment process using the other criteria shown in Exhibit 3 and professional judgment. (The presence of the condition indicates higher risk and the nature and preponderance of these conditions indicates that a Type A program is not low-risk.) Those other criteria should be evaluated in the context of the most recent audit.
Step 3--Risk Assess Type B Programs. Next, the auditor may need to risk assess Type B programs. The number of Type B programs to be assessed depends on the number of low-risk Type A programs and the replacement option selected by the auditor, as discussed in step 4. If the auditee has no Type A programs or no low-risk Type A programs, no high-risk Type B programs need to be selected as major programs, and the auditor need not risk assess any Type B programs. However, the percentage-of-coverage requirements discussed in step 4 should be met. Also, smaller Type B programs do not need to be risk assessed, as shown in Exhibit 2.
Circular A-133 provides certain individual criteria that would, by themselves, indicate a Type B program is high-risk (as shown in Exhibit 4). If after those initial criteria are considered, the Type B program has not been found to be high-risk, the auditor should assess the other criteria shown in Exhibit 4 using professional judgment to determine whether the program is high-risk.
Step 4--Select Major Programs. The auditor now selects major programs. All high-risk Type A programs are major programs. In addition, high-risk Type B programs may be designated as major programs. There are two alternatives for designating high-risk Type B programs as major. The option selected is the auditor's choice and may differ each year without justification required.
* Option 1--the auditor selects at least one half of the high-risk Type B programs as major programs, up to the number of low-risk Type A programs.
* Option 2--the auditor selects one high-risk Type B program for each low-risk Type A program, up to the number of high-risk Type B programs.
If there are low-risk Type A programs, option 1 requires risk assessment of all Type B programs whereas option 2 only requires risk assessment of Type B programs until the auditor has identified up to the same number of high-risk Type B programs as there are low-risk Type A programs. In some cases, selecting option 1 may result in selecting fewer Type B programs as major programs than would option 2.
The high-risk Type B programs the auditor selects as major are based only on the auditor's judgment, except that Circular A-133 encourages the auditor to use an approach that provides an opportunity for different high-risk Type B programs to be audited as major over time.
Finally, the auditor should select major programs that encompass at least 50% of total Federal expenditures (or 25% for low-risk auditees, as discussed later). There are no criteria for selecting additional programs as major programs for this purpose. If the auditor needs to identify additional major programs to meet this percentage-of-coverage requirement, various factors may be considered, such as--
* the auditor's familiarity with the potential additional major programs,
* the inclusion of potential additional major programs in the Compliance Supplement,
* the size of the potential additional major programs, and
* the fact that Type A programs are required to be audited as major at least every three years.
The percentage of coverage requirements--whether 25% for a low-risk auditee or 50% for others--are coverage minimums, not maximums. For example, if the selection of major programs using Circular A-133 criteria indicates that 45% of a low-risk auditee's total Federal expenditures were made in those major programs, the auditor may not set aside programs selected as major to reduce the coverage to 25%.
In performing risk assessments and selecting major programs, as long as the risk assessment is conducted in accordance with Circular A-133 criteria and is documented in the working papers, the auditor's judgment in applying the risk-based approach will be presumed correct. Challenges to that judgment by Federal agencies or pass-through entities will only be made when the criteria are clearly applied improperly.
A comprehensive case study illustrating the selection of major programs is available in the AICPA's implementation guide on applying OMB Circular A-133 (AICPA product no. 088730).
Low-Risk Auditees. There is potential for reduced audit coverage of Federal expenditures for a low-risk auditee. To be a low-risk auditee, an entity must meet the following conditions for the preceding two audit periods:
* Single audits were performed.
* Unqualified opinions were given on the financial statements and schedule of expenditures of Federal awards. (If the opinions were other than unqualified, a Federal cognizant or oversight agency may judge that the condition does not affect the management of Federal awards and provide a waiver. A pass-through entity cannot provide such a waiver.)
* No material weaknesses in internal control were reported at the financial statement level. (Again, a Federal agency may provide a waiver.)
* None of the following audit findings were reported for Type A programs--material weaknesses in internal control, material noncompliance, or known or likely questioned costs greater than five percent of that program's expenditures.
A low-risk auditee can receive either annual or biennial audits; however, an entity that has biennial audits does not qualify as a low-risk auditee unless agreed to in advance by its cognizant or oversight agency. For entities with annual audits, the criteria have to be met for the previous two fiscal years. For entities with biennial audits, the criteria have to be met for the previous two audit periods--a total of four fiscal years.
Internal Control Over Compliance Requirements
Circular A-133 requires auditors to obtain an understanding of internal control pertaining to the compliance requirements for Federal programs sufficient to plan the audit to support a low assessed level of control risk for major programs. Those procedures are to be applied to compliance requirements that have a direct and material effect on a major program. An auditor's understanding of internal control over compliance involves knowledge not only about the design of controls and whether those controls have been placed in operation, but also whether those controls are operating effectively. The Federal government is seeking audit testing of internal control over the compliance requirements related to major programs and disclosure through audit findings if an auditee's internal control over Federal programs does not provide reasonable assurance that it is managing Federal awards in compliance with requirements that could have a direct and material effect on each of its major programs.
If internal control is likely to be ineffective, however, auditors are not required to test internal control over compliance. This would be the case if an auditor cannot assess control risk related to compliance as low. In this situation, the auditor should assess control risk at the maximum and consider whether any additional compliance tests are required because of ineffective internal control. The auditor also should report a reportable condition or material weakness in internal control as an audit finding.
The Compliance Supplement provides assistance to auditors in considering internal control over compliance with Federal programs by presenting characteristics of internal control that may be used to reasonably ensure compliance with the requirements affecting those programs.
Compliance Requirements
Through reference to the Compliance Supplement, Circular A-133 eliminates the previous general and specific requirements and establishes the 14 types of compliance requirements shown in Exhibit 5. Suggested audit procedures also are provided to help the auditor plan and perform compliance testwork. However, auditors should use judgment to determine whether the suggested audit procedures will achieve the stated audit objectives and whether additional or different audit procedures are needed.
The Compliance Supplement provides program objectives, program procedures, and certain compliance requirements for more than 70 Federal programs. The auditor should not limit identification of compliance requirements for programs included in the Compliance Supplement solely to that source, however. Although Federal agencies are required to provide annual updates to the Compliance Supplement, laws and regulations change periodically, and may postdate the latest revision. Furthermore, there may be provisions of contracts or grant agreements that are unique to a particular auditee and, therefore, not included in the Compliance Supplement. Auditors should consider not only the requirements in the Compliance Supplement, but also a program's referenced laws, regulations, and provisions of contracts or grant agreements as well as other OMB circulars (such as the cost principles circulars) in identifying the applicable compliance requirements.
In planning and performing the single audit, auditors should associate the compliance requirements that have a direct and material effect on each major program to one of the 14 types of compliance requirements. That association is important to the single audit process and to single audit reporting.
Responsibilities of Pass-Through Entities
Circular A-133 requires that pass-through entities--
* identify and provide information about Federal awards to subrecipients,
* advise subrecipients of compliance requirements,
* ensure that required subrecipient audits are appropriately and timely completed, and
* issue a management decision on audit findings within six months and ensure that subrecipients take appropriate and timely corrective action.
The responsibilities imposed by Circular A-133 on a pass-through entity are important to the auditor when considering programs that have a material amount of subrecipient activity. Auditees may need to restructure their subrecipient monitoring activities, especially given the increased threshold for receiving a single audit. No longer can a pass-through entity rely on a single audit for those subrecipients that expend less than $300,000 of Federal awards annually. However, Circular A-133 allows pass-through entities to monitor those subrecipients through limited-scope audits, which are agreed-upon procedures engagements performed in accordance with GAAS or the attestation standards that are paid for and arranged by the pass-through entity and address only certain compliance requirements. The pass-through entity, not the subrecipient, must contract for the engagement. Not all subrecipients that are not subject to a Circular A-133 audit may need an agreed-upon procedures engagement. A cyclical approach to such engagements or other monitoring procedures might be more cost-beneficial in a particular situation.
Single Audit Reports
Single audit reports are due sooner--the earlier of 30 days after receipt of the reports from the auditor or nine months after the end of the fiscal year. The nine-month period is not effective until audits for fiscal years beginning after June 30, 1998. Also, Federal agencies may grant waivers to the shortened time frame if they conclude such a request is reasonable.
Circular A-133 provides requirements for submitting the single audit reporting package to the Federal clearinghouse in Jeffersonville, Indiana, and to pass-through entities. Generally, copies of the reporting package are to be made available to or for each direct Federal funding agency and pass-through entity for which current- or prior-year audit findings are reported. If there are no current- or prior-year audit findings reported related to a pass-through entity, the auditee may instead submit a written notification of the audit. However, pass-through entities may require different submissions.
A data collection form, which is to accompany the single audit report submission to the Federal clearinghouse, requires information about whether the audit was completed in accordance with Circular A-133 and about the auditee, its Federal programs, and the results of the audit. The form should be signed by senior-level representatives of the auditee and the auditor.
Circular A-133 requires certain information to be provided in auditor's reports, but allows flexibility in how that information is organized. SOP 98-3 recommends the following reports:
* Opinions (or disclaimers) on the financial statements and the schedule of expenditures of Federal awards
* A report on compliance and on internal control over financial reporting based on an audit of the financial statements performed in accordance with Government Auditing Standards
* A report on compliance with requirements applicable to each major program and internal control over compliance in accordance with Circular A-133, including an opinion (or disclaimer of opinion) as to whether the auditee complied with laws, regulations, and the provisions of contracts or grant agreements that could have a direct and material effect on each major program
In addition to the auditor's reports, the single audit reporting package should include the following:
* Financial statements
* Schedule of expenditures of Federal awards
* Summary schedule of prior audit findings
* Corrective action plan
* Schedule of findings and questioned costs
Circular A-133 requires the auditee to prepare the first four items and specifies minimum information requirements. For example, the schedule of expenditures of Federal awards should list individual Federal programs by Federal agency and by program or cluster of programs, identify Federal awards received as a subrecipient, include notes that describe the significant accounting policies used in preparing the schedule, and include, in either the schedule or a note to the schedule, the value of the Federal awards expended in the form of noncash assistance. The schedule and notes are not required to identify major programs--major programs are identified in the summary of auditor's results section of the schedule of findings and questioned costs.
The auditor prepares the schedule of findings and questioned costs, which includes the three parts discussed below. The schedule of findings and questioned costs is required even if there are no current-year findings. The three parts of the schedule of findings and questioned costs are illustrated in SOP 98-3 and at the AICPA's Internet site listed in Exhibit 6.
Part I--Summary of Auditor's Results. Circular A-133 specifies the information requirements for the summary of auditor's results including, for example, the type of reports issued on the auditee's financial statements and on its compliance with major programs, the major programs, whether the audit disclosed reportable conditions or material weaknesses in internal control at the financial statement level or over major programs, the dollar threshold used to distinguish between Type A and Type B programs, and whether the auditee qualified as low-risk. The requirements of Part I are the reason for the submission of the schedule of findings and questioned costs for each A-133 audit.
Part II--Findings Related to the Financial Statements. Findings related to the financial statements are based on GAS, which requires auditors to report findings for irregularities, illegal acts, other material noncompliance, and reportable conditions and material weaknesses in internal control, as well as the status of uncorrected material findings and recommendations from prior audits that affect the current-year financial statement audit.
Part III--Findings and Questioned Costs for Federal Awards. Circular A-133 requires the auditor to report the following types of findings related to Federal awards:
* Reportable conditions (or material weaknesses) in internal control over major programs
* Material noncompliance with laws, regulations, and provisions of contracts or grant agreements related to major programs
The auditor's determination of whether a deficiency in internal control is a reportable condition (or material weakness) and whether noncompliance is material for the purposes of reporting audit findings is in relation to a type of compliance requirement or an audit objective identified in the Compliance Supplement.
* Known questioned costs greater than $10,000 and, for major programs, known questioned costs when likely questioned costs are greater than $10,000
For major programs, auditors should report an audit finding for known questioned costs if known or likely questioned costs are greater than $10,000 for a type of compliance requirement. Known questioned costs are those specifically identified by the auditor. Likely questioned costs represent the auditor's best estimate of total questioned costs.
Except for audit follow-up, the auditor is not required to perform any audit procedures on Federal programs that are not identified as major. However, if the auditor becomes aware of questioned costs of more than $10,000 for such a program, the auditor should report an audit finding.
* Other types of findings
If the auditor's report on compliance for Federal programs is other than unqualified, the reason should be reported as an audit finding. The auditor also should report findings for known fraud affecting a Federal award unless the fraud was reported outside of the auditor's reports under the direct reporting requirements of GAS.
Finally, the auditor should report an audit finding if the results of audit follow-up procedures disclose that the auditee materially misrepresented the status of any prior audit finding in its summary schedule of prior audit findings. That summary schedule should include all findings reported in the prior audit's schedule of findings and questioned costs related to Federal awards. (That is, the schedule need not include prior audit findings related to the financial statements.) The summary schedule should include the findings in the prior audit's schedule of prior audit findings except those that were listed as fully corrected, no longer valid, or no longer warranting further action. For reports on the year beginning after June 30, 1996, the summary schedule need only include those findings previously reported that would have been subject to reporting under Circular A-133.
Audit findings should be presented in sufficient detail for the auditee to prepare and execute a corrective action plan, and for Federal agencies and pass-through entities to arrive at a management decision. Circular A-133 provides the specific information that should be included in audit findings including, for example, a reference number; Federal program and specific Federal award identification; the criteria or specific requirement upon which the audit finding is based, including statutory, regulatory, or other citation; and the context of the finding.
It Should Work
We believe that the revised single audit process, with its focus on larger programs with greater risk of noncompliance and on material instances of noncompliance, will make single audits more effective and the results of the single audit more useful to the Federal grantor agencies.
Venita M. Wood, CGFM, CPA, is an independent consultant in governmental accounting and auditing issues and provided the technical editing of the AICPA's implementation guide on Circular A-133. Deborah A. Koebele, CPA, is a principal of Ernst & Young in New York City responsible for public sector accounting and compliance auditing and served on the task force to revise the AICPA guidance on Circular A-133.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs.