Conference Speaker: Single Audit Guidance Has Heavier Emphasis on Internal Controls

By:
Chris Gaetano
Published Date:
Jan 16, 2020
Untitled design - 2020-01-16T154210.617

David Ashenfarb, the director of the Not-For-Profit Industry Group at Schall & Ashenfarb, speaking at the Foundation for Accounting Education's Nonprofit Conference on Jan. 16, said that the updated Office of Management and Budget Compliance Supplement changes the criteria for when an auditor tests an item, and has a heavier emphasis on internal controls than previous versions. 

Ashenfarb said that the current version was created as a way to reduce the burden on auditors by limiting the number of compliance requirements—standard requirements around factors such as eligibility procedures, program income and reporting, which are needed to receive federal assistance—subject to audit to six per program, versus all 12 in previous versions. Under the previous rules, "if the box was checked yes, the compliance requirement applied to that program," and then the auditor would test the item if it was considered direct and material. Under the new rules, if the box is checked yes, then the item is subject to audit, with no need to perform an analysis. This means that even if the auditor thinks a compliance requirement is material, if it's not checked off on the list applying to that entity, then it does not have to be audited. However, he said that even in that case, when an entity has one major program as its predominant service, the auditor may want to test it anyway, though not within the single audit framework but to see whether the entity is complying with their grant agreements. 

Ashenfarb noted that six is a maximum: If an auditor's best judgment determines an item is not direct and material, it does not need to be tested, though he said that, unlike in the previous versions, when auditors make this determination, they must document their reasoning behind it. 

"The key is, you don't just say 'N/A, this doesn't apply' when something is checked yes. If you don't think it's direct and material and still have that ability to use that judgment, make sure you document that," he said. 

The new guidance also has a heavier emphasis on internal controls. Ashenfarb said that the government likely came to the conclusion that "a lot of firms doing peer reviews aren't qualified to do that in this area relating to single audits," and a lot of this reasoning, he said, has do to with internal controls. 

"I think a lot of practitioners don't realize what the requirements are. When thinking of the regular financial statement audit, we're not required to do detailed testing of internal controls. What we are required to do is gain an understanding, assess risk and do walk-throughs to come up with a best plan," he said. 

The single audit rules are much more specific when it comes to internal controls, based on whether the entity has procedures in place to prevent or detect violations of compliance requirements. The tests need to be tailored to the specific control that, in turn, needs to be connected with the specific compliance requirement. For example, he said, consider a senior center that gets grants from the federal government. In this case, one of the compliance requirements is "eligibility." How does the senior center determine who is and is not eligible for the program? It's not enough, he said, to simply walk through the door, look around, "and say everyone looks old, and it looks fine."

"Maybe everyone did meet the requirement, but the question becomes: What does the entity itself do to make sure everyone is the right age? An intake form? [Checking] a driver's license? And so if they don't have a control in place, they can still comply with the contract but have a problem with the internal control process," he said. 

He noted that in cases where there's no control, or a poorly designed control, then the auditor does not need to perform a test. But "this doesn't let us off the hook" because if the auditors don't test for these reasons, then they are required to show a significant deficiency or material weakness, which will take even more work than the testing. 

Ashenfarb said it's important to make sure that one is using the most recent version of the guidance. While a version was released in June 2019, he said it contained errors and so the government released a revised guide in August 2019. He said firms have gotten tripped up by using the wrong compliance supplement, so practitioners should first ensure they're using the correct document. 

Click here to see more of the latest news from the NYSSCPA.