Sept 1989

Compliance auditing: the changing state of the art.

by Miller, John R.

The concept of auditing a government entity's compliance with laws and regulations has evolved over time and continues to concern the accounting profession. This concern affects not only audits of governmental entities in which compliance issues are most frequently encountered, but also the audits of many business enterprises and not-for-profit organizations.

Three significant events regarding compliance auditing came with the issuance of: SAS 53, The Auditor's Responsibility to Detect and Report Errors and Irregularities; SAS 54, Illegal Acts by Clients; and SAS 63, Compliance Auditing Applicable to Governmental Entities and Other Recipients of Governmental Financial Assistance.

Auditors should be aware that, in certain circumstances, not-for-profit organizations and even business enterprises are recipients of government financial assistance and hence may be required by law, regulation, or contract to be audited in accordance with the U.S. General Accounting Office (GAO) auditing standards.

Entities Subject to Government Auditing Standards

The GAO auditing standards often apply to audits of federal and other entities receiving federal financial assistance, such as colleges, universities and other not-for-profit organizations. Government financial assistance provided to colleges and universities includes research and development grants, and funds provided under student financial assistance programs. Other not-for-profit organizations (religious and secular) that receive financial assistance include libraries, day care centers, shelters for the homeless, crisis intervention agencies and other community-based action agencies.

Federal financial assistance comes from agencies as diverse as the Agency for International Development (for training), the Department of Health and Human Services (for medical research), the Department of Education (for student financial aid), and the National Endowment for the Arts (to conduct cultural programs).
State and local government financial assistance can come from virtually all departments and agencies.

The GAO auditing standards may, by contractual agreement, apply to audits of business enterprises. Examples include mortgage banks and financial institutions that service GNMA and FNMA mortgage pools, privately owned vocational schools that receive federal assistance, and businesses that have cost plus fixed fee contracts and those subject to audit by the Defense Contract Audit Agency.

This article focuses on audits of government entities for two reasons. First, the activities and operations of governmental units are extensively controlled by laws and regulations. Second, government entities undergo audits in accordance with the GAO auditing standards and the Single Audit Act (SAA) more frequently than non-government organizations. The following discussion is relevant, however, to organizations that undergo audits in accordance with GAO auditing standards or the SAA. SAA requirements are mentioned later in this article.

Compliance Auditing in Accordance with GAAS

When making a financial statement audit in accordance with GAAS, the auditor has a responsibility to consider an entity's compliance with certain laws and regulations. According to SASs 53 and 54, the auditor should design the audit to provide reasonable assurance of detecting illegal acts (i.e., violations of laws and regulations) that could have a direct and material effect on the entity's financial statement amounts.

The entity is responsible for identifying those laws and regulations, the violation of which could have a direct and material effect on financial statement amounts, as well as for establishing internal control structure policies and procedures designed to ensure compliance with those laws and regulations.
The auditor, in planning the audit, should become aware of those laws and regulations and design appropriate procedures that, given assessed levels of inherent and control risk, limit the risk of not detecting such violations to an acceptable level.

SAS 47, Audit Risk and Materiality, points out that the auditor normally plans an audit engagement primarily to detect quantitatively material errors and irregularities. With respect to compliance matters, an additional complication is that the violation of many laws and regulations may be qualitatively material. While the concept of materiality is complex, auditors are accustomed to resolving accounting and auditing issues on which it has a bearing.

The concept of "direct effect" illegal acts is clarified in SAS 54 as referring to violations of those "...laws and regulations that are generally recognized by auditors to have a direct...effect on the determination of financial statement amounts." Two examples provided in SAS 54 are the effect of tax laws on accruals and amounts recognized as tax expense, and laws and regulations that affect the amount of revenue recognized under government contracts.

In a government audit there are usually many laws and regulations, the violation of which could have a direct and material effect on the financial statements. Foremost are those related to the expenditure of public resources. Many governments operate under laws that require the adoption of budgets that, once enacted, have the force and effect of law, and the reporting of budget-actual comparisons. Clearly, compliance with such budgets should be subjected to audit tests because of the possible direct and material consequences of budgetary violations. Other "direct and material effect" laws and regulations affecting governmental units include those related to the composition of the reporting entity, fund structure to be used, grant terms, and other restrictions on expenditures.

The entity has the primary responsibility of identifying "direct and material effect" laws and regulations. If the auditor believes that the entity is not aware of such laws and regulations or has not implemented an appropriate internal control structure with regard to them, or otherwise comes to believe that the risk of unknown and undetected violations of such laws and regulations is relatively high, the auditor should respond appropriately. The auditor should seek to extend the audit to identify the "direct and material effect" laws and regulations and design audit procedures to limit the risk of not detecting violations to a low level in accordance with SAS 47.

Normally, the auditor determines that the entity's administration has identified "direct and material effect" laws and regulations in a variety of ways. For example, inquiries of administration officials, such as the chief financial officer, legal counsel, and grant administrators are useful starting points. Reading documents such as the city charter, relevant state statutes, budgets (including amendments), bond ordinances, and grant agreements is also necessary to corroborate the replies to these inquiries and to increase the auditor's understanding of "direct and material effect" laws and regulations. In addition, the auditor should review the minutes of meetings of the entity's legislative body. The auditor should inform assistants of the "direct and material effect" laws and regulations, and instruct them to be alert for potential violations.

In planning substantive tests of compliance with "direct and material effect" laws and regulations, the auditor should consider the risks that violations may have occurred and as yet remain undetected by the entity, and that the financial statements are thereby materially misstated. This risk consideration should be extended to both inherent and control risk and become a factor in determining the planned level of detection risk.

Inherent risk relates to such matters as the incentives or pressures on the government's administration to deliberately violate laws and regulations and to the complexity and volume of the laws and regulations with which the entity must comply. Control risk relates to the quality of the internal control structure in operation to prevent violations of laws and regulations. The auditor is required, at a minimum, to consider the control environment, the accounting system, and the existing control procedures to prevent violations (as well as assessing related control risk) to the extent necessary to adequately plan the audit.

Once this understanding has been obtained and the assessed levels of inherent and control risk are established for the "direct and material effect" laws and regulations, the auditor should design and apply substantive audit procedures appropriate in the circumstances to achieve an acceptable level of detection risk.

The results may give rise to a number of reporting or communication responsibilities. If violations of laws or regulations are noted, and are considered material, the auditor should consider the adequacy of accounting measurements and disclosures about those matters in the financial statements. If such matters are not appropriately accounted for or adequately disclosed, then the auditor should express a qualified or adverse opinion on the statements.

The auditor should determine that any violations of laws and regulations detected during the audit are communicated to the legislative body of the government and the audit committee or its equivalent, unless the violations are clearly inconsequential. The auditor should carefully consider the significance of known violations of laws and regulations before deciding not to so communicate. As a practical matter, the authors believe that, where possible, a second partner should be consulted when concluding that a particular violation is inconsequential and, therefore, need not be reported.

Many violations that the auditor detects may be communicated to the appropriate body by the auditor directly or by the senior management of the entity. Allowing management to communicate the violation may enhance the relationship with the entity's management and increase the auditor's effectiveness through increased cooperation and candor by management. The auditor should, nevertheless, gain assurance that the communication will take place. If the violations involve senior management, then the auditor should make the communication directly.

Compliance Auditing in Accordance with the GAO Auditing Standards

GAO auditing standards encompass the requirements of GAAS and, in addition, contain other incremental responsibilities. Compliance requirements of audits conducted in accordance with the GAO auditing standards parallel those of GAAS with respect to planning and conducting the audit. Reporting responsibilities under the GAO auditing standards, however, go beyond those of GAAS.

GAO auditing standards require the auditor to provide a written report on tests of compliance with laws and regulations. The report should provide positive assurance on items tested for compliance and negative assurance on those items not tested. The report should include:

1) all material instances of noncompliance;
2) all instances or indications of illegal acts that could result in criminal prosecution; and
3) instances in which the cumulative effect of individually immaterial instances of noncompliance could materially affect the financial statements.

Non-material instances of noncompliance need not be disclosed, but should be communicated to top management. These communications should, however, be referred to in the report on compliance.

The language to be used in the report when no material instances of noncompliance were noted is presented below:

"We have audited the financial statements of (name of entity) as of and for the year ended June 30, 19X1, and have issued our report thereon dated August 15, 19X1.

We conducted our audit in accordance with generally accepted auditing standards and Government Auditing Standards, issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement.

Compliance with laws, regulations, contracts, and grants applicable to (name of entity) is the responsibility of (name of entity)'s management. As part of obtaining reasonable assurance about whether the financial statements are free of material misstatement, we performed tests of (name of entity)'s compliance with certain provisions of laws, regulations, contracts, and grants. However, our objective was not to provide an opinion on overall compliance with such provisions.

The results of our tests indicate that, with respect to the items tested, (name of entity) complied, in all material respects, with the provisions referred to in the preceding paragraph. With respect to items not tested, nothing came to our attention that caused us to believe that (name of entity) had not complied, in all material respects, with those provisions.

This report is intended for the information of the audit committee, management and (specify legislative or regulatory body). This restriction is not intended to limit the distribution of this report, which is a matter of public record."

GAO auditing standards further recognize that the auditor's assessment of inherent and control risk and materiality may result in situations in which substantive tests of compliance with laws and regulations may not be performed.
In such situations, the report on compliance should indicate that the auditor did not test for compliance with laws and regulations. In this situation, the auditor should also state:

"(The first two paragraphs are the same as in the previous report).

Compliance with laws, regulations, contracts, and grants applicable to (name of entity) is the responsibility of (name of entity)'s management. As part of our audit, we assessed the risk that noncompliance with certain provisions of laws, regulations, contracts, and grants could cause the financial statements to be materially misstated. We concluded that the risk of such material misstatement was sufficiently low that it was not necessary to perform tests of (name of entity)'s compliance with such provisions of laws, regulations, contracts, and grants.

However, in connection with our audit, nothing came to our attention that caused us to believe that (name of entity) had not complied, in all material respects, with the laws, regulations, contracts, and grants referred to in the preceding paragraph.

(The last paragraph is the same as in the previous report.)"

The auditor should report material instances of noncompliance regardless of whether the financial statements properly report such items. If material instances of noncompliance are detected, the following language should be used, in part, in conveying those conclusions:

"(The first three paragraphs are the same as in the report previously illustrated).

Material instances of noncompliance are failures to follow requirements or violations of prohibitions contained in statutes, regulations, contracts, or grants, that cause us to conclude that the aggregation of the misstatements resulting from those failures or violations is material to the financial statements. The results of our tests of compliance disclosed the following material instances of noncompliance, the effects of which have been corrected in (name of entity)'s 19X1 financial statements.

(Include paragraphs describing the material instances of noncompliance noted.)

We considered these material instances of noncompliance in forming our opinion on whether (name of entity)'s 19X1 financial statements are presented fairly, in all material respects, in conformity with generally accepted accounting principles, and this report does not affect our report dated (date of report) on those financial statements.

Except as described above, the results of our tests of compliance indicate that, with respect to the items tested, (name of entity) complied, in all material respects, with the provisions referred to in the third paragraph of this report, and with respect to items not tested, nothing came to our attention that caused us to believe that (name of entity) had not complied, in all material respects, with those provisions.

(The last paragraph is the same as in the first report illustrated.)"

Compliance Auditing in Accordance with the Single Audit Act

State and local governments that receive $100,000 or more in federal financial assistance in a fiscal year must have an audit in accordance with the SAA and Circular A-128 issued by the Office of Management and Budget (OMB). Government units that receive at least $25,000 but less than $100,000 may be audited in accordance with either the SAA or with federal laws and regulations governing the programs in which the governments participate. Units receiving less than $25,000 in federal financial assistance are not required to be audited.

Auditors performing a single audit should conduct the engagement in accordance with GAAS and the GAO auditing standards and, in addition, comply with certain other requirements.

An SAA audit will result in the issuance of audit reports relating to the following:

* Compliance with laws and regulations that may have a material effect on the financial statements;
* Compliance with laws and regulations that may have a material effect on each major federal financial assistance program; and
* Compliance with certain laws and regulations applicable to non-major federal financial assistance programs.

The first reporting objective is the same as that discussed herein dealing with GAO auditing standards. The other reporting objectives, however, are unique to the SAA.

Audits in accordance with the SAA require the auditor to determine whether the client has administered each "major" federal financial assistance program in compliance with relevant laws and regulations. Reporting on compliance at the major program level requires two reports under SAS 63. The first is an opinion on compliance with specific requirements applicable to major federal assistance programs. The second, a new approach under the SAS, is a report on the results of having tested major programs for compliance with the general compliance requirements. These general compliance requirements relate to laws and regulations that involve significant national policy and apply to all federal assistance.

If a government does not administer any major federal financial assistance programs, then the report expressing an opinion on major program compliance is not required. Similarly, the report on general compliance requirements for major programs is not required. However, a report on compliance with laws and regulations at the general purpose financial statement level would still be required.

A major program is defined in terms of a government's expenditure of federal financial assistance under that program relative to its total expenditures of federal financial assistance.
In general, the threshold for major federal financial assistance programs increases as the total federal financial assistance expenditures increase. The SAA provides explicit guidance, based on the total amount of federal financial assistance an entity expends, for determining what constitutes a major program.

Once it is determined that the government administers major federal financial assistance programs, the auditor is in a position to report on the entity's compliance with the specific category of laws and regulations governing the expenditure of major program resources. As clarified by the SAS, the auditor must also report the results of having tested compliance with the general compliance requirements for major programs. Typically, the auditor gives an opinion with respect to compliance with the specific requirements and a report expressing positive assurance based upon the results of having tested compliance with the general requirements and negative assurance on items not tested.

Remember, there are two categories of laws and regulations that the auditor should consider and test: general and specific (see Exhibit 1). The general compliance requirements for all federal financial assistance programs and the specific compliance requirements for the largest programs are identified in the OMB's Compliance Supplement for Single Audits of State and Local Governments (Compliance Supplement). The auditor may need to refer to the grant agreement to identify specific requirements for programs not included in the Compliance Supplement.

Having identified the general and specific compliance requirements for the major programs, the auditor should assess the risks of material instances of noncompliance. Then the auditor designs and applies appropriate procedures with the objective of expressing an opinion on compliance with the specific requirements, and to report on the results of testing compliance with the general requirements.
Material instances of noncompliance and scope limitations may require the auditor to express a qualified or adverse opinion or to disclaim an opinion on compliance with the specific requirements.

To report on compliance with laws and regulations related to non-major federal financial assistance programs, audit procedures should be applied to the non-major program federal assistance transactions. These are selected in performing the financial statement audit in accordance with GAAS, and in conjunction with transactions selected in testing the control structure over federal financial assistance programs. For transactions from non-major programs, only specific compliance requirements need be tested to support the related reporting objective.

Summary of Compliance Auditing Standards

Exhibit 2 summarizes the requirements of each of the types of audits discussed. Note that the exhibit presents those standards in terms of planning and conducting the audit, and in reporting the results thereof.

Implementation Guidance

The AICPA's Government Accounting and Auditing Committee has undertaken a project to revise the 1986 Accounting and Auditing Guide entitled "Audits of State and Local Governmental Units" (ASLGU). A major portion of that project is devoted to developing practical guidance to auditors on compliance auditing. Guidance is being developed on the interrelationship of compliance testing and the internal control structure, general compliance versus specific compliance audit objectives and tests, and factors to consider in designing the scope of the compliance audit. The procedural guidance in a revised ASLGU coupled with the provisions of SAS 63 will substantially enhance guidance in the area of auditing an entity's compliance with laws and regulations.

Conclusion

Governments and other recipients of federal financial assistance are being held to higher levels of accountability than ever before.
This demand for greater accountability is creating new demands for CPAs' independent judgment, assessment and attestation, especially in non-financial statement areas. SAS 63 provides the necessary first step in providing CPAs with guidance and valuable tools to meet the expanding compliance reporting needs of governmental and non-governmental entities.

Exhibits 1 and 2 omitted.

William W. Holder, CPA, is the Accounting Circle Professor at the University of Southern California. He was a member of the AICPA Auditing Standards Board's Compliance Auditing Task Force and is currently a member of the Accounting Standards Executive Committee. He formerly served as a member of the Government Accounting and Auditing Committee. Mr. Holder is a member of the AICPA and the California Society of CPAs; he chairs that organization's Professional Conduct Committee.

John R. Miller, CPA, is a Partner and National Director of Government Services of KPMG Peat Marwick. He was a member of the AICPA Auditing Standards Board's Compliance Auditing Task Force, is Chairman of the AICPA's Government Accounting and Auditing Committee and is a member of the AICPA and the NYSSCPA. Mr. Miller is also a member of the U.S. Comptroller General's Auditing Standards Advisory Council.

The CPA Journal is broadly recognized as an outstanding, technical-refereed
publication aimed at public practitioners, management, educators, and
other accounting professionals. It is edited by CPAs for CPAs. Our goal
is to provide CPAs and other accounting professionals with the information
and news to enable them to be successful accountants, managers, and
executives in today's practice environments.
©2009 The New York State Society of CPAs.