Recent efforts by the General Accounting Office (GAO), the Office of Management and Budget (OMB), and the AICPA to improve the quality of compliance audits have resulted in a flurry of new requirements and guidance. For example, the AICPA recently issued three exposure drafts of proposed guidance for compliance audits that total over 250 pages. The first exposure draft describes proposed revisions to SAS 63, "Compliance Auditing Applicable to Governmental Entitities and Other Recipients of Governmental Financial Assistance." The second exposure draft, "Audits of State and Local Governmental Entities Receiving Federal Financial Assistance," addresses single audits (audits in accordance with OMB Circular A-128), which are the third basic type of engagement covered in SAS 63. The third exposure draft, "Audits of Not- for-Profit Organizations Receiving Federal Awards," provides guidance on the "twin" of Circular A-128, OMB Circular A-133, Audits of Institutions of Higher Education and Other Nonprofit Institutions.

Revisions to SAS 63

SAS 63 provides guidance on compliance auditing responsibilities in three basic types of engagements:

* Audits in accordance with generally accepted auditing standards;

* Audits in accordance with Government Auditing Standards, commonly referred to as the "Yellow Book;" and

* Single audits, which are in accordance with OMB Circular A-128, Audits of State and Local Governments.

Even though SAS 63 was only issued a few years ago, recent developments occurred that required changes to the guidance provided in the statement. The exposure draft, issued in April, proposes certain changes to conform the SAS to recently issued federal requirements, such as the revised Compliance Supplement for State and Local Governments and the newly issued Circular A-133. For example, when finalized, revised SAS 63 will include a new section that describes the auditor's responsibilities under Circular A-133. Another proposed change is to add guidance on what the auditor should do if he or she finds out that the entity being audited is subject to additional audit requirements. Other changes were editorial in nature, such as certain minor wording changes in the illustrative audit reports.

Guidance on A-133 Audits

Circular A-128 was issued in 1985 to implement the Single Audit Act and many auditors are already familiar with its requirements. The revised SAS 63 states that the guidance presented in the statement about Circular A-128 audits is "generally applicable to audits in accordance with OMB Circular A-133." However, there are differences between the significant differences: the definition of a major program and the communication of immaterial findings.

Major Program Definitions. Both circulars distinguish between "major" and "nonmajor" federal programs. What constitutes a major program is based upon the relative size of the entity's federal programs. Any program that doesn't meet the definition of a major program is a nonmajor program. Whether a program is major or nonmajor dictates the type of audit work and reports required.

Under Circular A-128, a major program is defined as the larger of 3% of total federal expenditures or $300,000. Circular A-133 defines a major program as one in which federal expenditures total the larger of 3% of total federal funds expended or $100,000. By changing the fixed dollar amount from $300,000 to $100,000, Circular A-133 lowers the threshold of what qualifies as a major program.

Immaterial Findings. Circular A-133 permits, but doesn't require, immaterial noncompliance to be described in the audit reports. However, immaterial non-compliance, if not included in the audit reports, is required by Circular A-133 to be communicated to management in a separate letter, which is in turn submitted to the appropriate federal agency by the organization.

Report on General Requirements. Under both circulars, auditors are required to perform certain tests of compliance with two types of requirements: general and specific. For the most part, these requirements are specified in the Compliance Supplement for Single Audits of State and Local Governments (Compliance Supplement), which was revised in September 1990. Compliance requirements in addition to those covered in the compliance supplements are often included in agreements or contracts between the federal government and the entity. The OMB plans to issue a similar compliance supplement for not-for-profit organizations this year.

One substantive change to SAS 63 is to require the auditor to report on the general requirements in all A-128 and A-133 audits. SAS 63 requires this report in those audits--but only when the entity has major programs. The Compliance Supplement states that general requirements "shall be included as part of every audit...whether or not the government has a major program."

Additional Audit Requirements. Another change to SAS 63 provides guidance to the auditor when, during an audit in accordance with GAAS, the auditor becomes aware that the entity is subject to an audit requirement that is not encompassed in the terms of the engagement. This situation is increasingly common, as federal and state audit requirements proliferate. In those situations, auditors have certain communication responsibilities, which are described by the flowchart in Figure 1.

Revision to State and Local Governmental Audit Guide

On July 31, 1991, the AICPA issued an exposure draft that would amend the guidance on single audits in the Audit and Accounting Guide, Audits of State and Local Governmental Units. The draft updates the guide (last revised in 1986) for the 1988 revision to Government Auditing Standards and statements on auditing standards that have been issued since 1986.

One of the matters addressed in the draft includes guidance for reporting on compliance when the auditor is uncertain as to whether the entity has complied with applicable requirements. The draft distinguishes between a scope limitation (where the auditor cannot examine appropriate evidence to determine whether the entity has complied with the applicable requirements) and an uncertainty (where the auditor has concluded that the entity has not complied, but the auditor cannot determine the consequences of the noncompliance). If an auditor concluded that an instance of noncompliance has a material effect on a federal program, the auditor would modify his or her report (qualified or adverse). However, if the auditor cannot determine whether an instance of non-compliance could have a material effect on the program, an uncertainty exists and the auditor should state that in the report on compliance. The draft notes that the "auditor also should consider the impact of uncertainties associated with federal programs on the general- purpose financial statements and modify that report if necessary." The draft provides illustrative auditor's reports to be used when uncertainty about compliance exists.

Currently, auditors need to look to Statement of Position (SOP) 89-6, "Auditors' Reports in Audits of State and Local Governmental Units," and SOP 90-9, "The Auditor's Consideration of the Internal Control Structure Used in Administering Federal Financial Assistance Programs Under the Single Audit Act," which update the illustrative audit reports in the guide. SOP 90-9 also provides guidance on performing tests of controls required by Circular A-128. The AICPA intends to incorporate SOPs 89-6 and 90-9 into the final statement, which should be issued early in 1992.

Guidance on Circular A-133

The exposure draft of a proposed SOP that provides guidance to auditors performing a Circular A-133 audit was issued in August 1991.

The exposure draft describes the auditor's responsibilities for compliance testing and performing tests of controls used in administering federal awards. The draft compares Circular A-133 to the administrative requirements in Circular A-110, Uniform Requirements for Grants to Universities, Hospitals and Other Non-profit Organizations, and the audit requirements in Circular A-128. For example, the draft points out that Circular A-133 allows for audits to be conducted every other year, rather than annually as required in Circular A-128. Also, the exposure draft provides examples of audit reports and an engagement letter that may be used in Circular A-133 audits.

Who's Keeping Track of the Changes?

Recent changes to compliance audit requirements have made it difficult for practitioners to keep up. Rather than create new requirements, the focus of the three AICPA exposure drafts is to consolidate existing requirements in a framework that facilitates performance of various types of compliance audits. The exposure drafts, which should be finalized by early 1992, will provide practitioners with much needed compliance auditing guidance.