SAS 117: The New Auditing Standard on Compliance May 11, 2010 Eric Formberg, Plante & Moran, PLLC Randy Roberts, AZ Auditor General Office 1


SAS 117: The New Auditing Standard on Compliance

May 11, 2010

Eric Formberg, Plante & Moran, PLLC

Randy Roberts, AZ Auditor General Office


What This Session Will Cover
• What the new Compliance Audit SAS will require
• How a compliance audit differs from the financial statement portion of an audit
• Insight on how to implement the compliance audit requirements
• Questions


What the New Standard Will Do
• Supersedes AU section 801, Compliance Auditing Considerations . . . (SAS 74)
• Uses new clarity format
• Effective for audits of periods ending June 15, 2010 and later


What the New Standard Will Do
• Address some of the recommendations in the PCIE’s study on single audit quality
• Clarify its applicability
• Update for changes in the compliance audit environment
• Clarify that, and which, generally accepted auditing standards apply to the compliance portion of an audit
• Identify auditor requirements and provide guidance that are unique to a compliance audit
• Update the elements to be included in an auditor’s report on compliance for current standards


New Compliance SAS – Content
• Intro and Applicability
• Objectives
• Definitions
• Requirements and Guidance


Applicability
• This new SAS applies when all of the following are required:
▫ Generally accepted auditing standards (GAAS)
▫ Financial audit standards for Government Auditing Standards
▫ A governmental audit requirement that requires the auditor to express an opinion on compliance


Applicability Examples

Requirement
• Single Audit (A-133)
• HUD Guide audit
• State Grant
• State law to determine that gas tax monies spent for road purposes
• Bond monies spent per debt covenants

Type of engagement
• Compliance audit (AU801)
• Compliance attestation (AT601)
• Agreed-upon procedure (AT101)
• “In connection with” (AU623.01.c)


Objectives
• Obtain sufficient appropriate audit evidence to form an opinion and report at the level specified by the government audit requirement on whether the entity complied in all material respects with the applicable compliance requirements
• Identify audit and reporting requirements specified in the governmental audit requirement that are supplementary to GAAS and GAGAS, if any, and perform procedures to address those requirements.


Definitions
• Terms Unique to Compliance Audit Environment
▫ Applicable Compliance Requirements
▫ Governmental Audit Requirement
▫ Compliance Audit
• Terms Adapted for Compliance Audit Environment from Financial Audit Standards
▫ Audit Risk of Noncompliance
▫ Risk of Material Noncompliance
▫ Significant Deficiency in Internal Control over Compliance
▫ Material Weakness in Internal Control over Compliance


Definitions – Examples

•Applicable compliance requirements

•Risk of material noncompliance

Compliance =

F/S = materially accurate


Requirements
Adapt and apply AU sections to compliance objectives
• Appendix has the laundry list, but what’re the key ones?
▫ Materiality
▫ Risk assessment process
▫ Gotta do the tests – internal controls, tests of compliance, analytical procedures – sufficient to give an opinion
▫ Reporting
▫ Documentation


Materiality
• Materiality set based on governmental audit requirement, GAAS and GAGAS supplement how
▫ Different levels of materiality
▫ Different nature
▫ Unique qualitative & quantitative factors


Risk Assessment Procedures
• Gaining an understanding
▫ First, which programs, which requirements? Inquiries, past experience, federal regulations
▫ What are the risk factors? Newness, complexity, knowledge, nature of services, level of oversight, past external and internal reports, management's corrective actions
▫ What are the internal controls? Five elements of COSO for compliance objectives


Risk of Material Noncompliance
• Factors relative to the applicable compliance requirements when assessing this risk:
▫ Complexity
▫ Susceptibility to noncompliance
▫ Length of time the entity has been following them
▫ The auditor’s observations about the entity’s compliance in prior years
▫ The potential effect on the entity of noncompliance
▫ The degree of judgment involved to adhere to them
▫ The auditor’s assessment of the risks of material misstatement in the financial statement audit
▫ Design and implementation of relevant internal controls


Matching Controls with Related Risks
Controls over compliance – Controls with a purpose!
• Value of control dependent on compliance risk it offsets
• Risk assessment process
▫ Identify compliance risk
▫ Identify control(s) that reduce risk
▫ Determine if risk is reduced sufficiently (a relatively low level)
▫ Do deficiencies exist? Impact on compliance tests?
DOCUMENT YOUR THINKING!
• Are tests of control effectiveness “necessary”?
▫ Governmental audit requirement (A-133)
▫ Reduce overall audit effort to issue an opinion


Match Game

Control Compliance

Susie approves the reimbursement request

The grant department budget is approved annually by the Board

Cash needs projections for grants are updated monthly by the business office

Harry checks the suspended and debarred website for each contract

The grants director obtains certified payrolls every 2 weeks from the contractor

Fixed assets are tagged

Pete keeps a calendar showing due dates for grant reports


Performing Further Procedures
• Pervasive risks – how it’s different than a F/S audit

Compliance: Trip across what affects multiple programs/requirements; Respond to overall risk

F/S: Look at both overall and assertion level; Respond to risks at both

Examples:
▫ Centralized recordkeeping with poor internal controls
▫ Tone at the Top suggests lack of concern for compliance
▫ Overall grants management centered on one individual
▫ Decentralized operation with no monitoring


Performing Further Procedures
• Tests of compliance
▫ Tests of details, tests of transactions
• Tests of internal control, if:
▫ Risk assessment is based on expectation that controls are operating effectively
▫ Substantive procedures alone won’t provide sufficient appropriate audit evidence, or
▫ Required by governmental audit requirement
▫ Portions of AU 318 related to evidence of operating effectiveness obtained in prior audits are not applicable to compliance audits


Performing Further Procedures
• New chapter about sampling in Government Auditing Standards and A-133 Audit Guide
• Perform any supplementary audit requirements
▫ e.g., specific procedures to identify major programs
▫ e.g., assess reasonableness of summary schedule of prior audit findings
• Where analytical procedures fit in
▫ For planning
▫ As tests of compliance
▫ Other evidence


How Does Fraud Fit In?
• It does! .. Focus - Impact of Fraud Risks on noncompliance
• Fraud Triangle in a compliance environment
• Example Areas of Concern
▫ Funding pressure
▫ Maximizing reimbursement
▫ Job security
▫ Program or Participant Utilization
▫ Compliance “world” often a separate part of the entity
▫ “Power” of the journal entry!
• SAS 99 documentation requirements apply
• Hot Topic………ARRA concerns


Forming an Opinion
• Do you have enough relevant evidence to determine whether an entity materially complied? Consider:
▫ The frequency of the noncompliance
▫ The nature of the noncompliance
▫ The adequacy of the entity’s system for monitoring compliance
▫ Whether any identified noncompliance resulted in likely questioned costs that are material to the government program


Forming an Opinion
• Making the decision about material noncompliance
▫ Is it big enough (per the governmental audit requirement [GAR]) to be:

A finding?

Material to the requirement?

Material to the program?

Look to the GAR – could be noncompliance, internal control deficiencies, questioned costs

$ or % for monetary transactions (e.g., cost principles, cash management); # or % for nonmonetary (e.g., eligibility, reporting)

Significance of requirement to program; degree to which requirement was not complied with


Subsequent events
• Financial statement audits versus compliance audit


Reporting and Reports
• Reporting
▫ Opinion on compliance
▫ Other required reporting per the governmental audit requirement (e.g., instances of noncompliance, internal control deficiencies, questioned costs)
• Reports
▫ Report on compliance
▫ Report on internal controls
▫ Can be combined


Documentation
• All of AU section 339 applies
• Key areas:
▫ Risk assessment procedures
▫ Response to risk of material noncompliance
▫ Materiality levels used and the basis on which they were determined
  Can there be more than one?
  How should it be applied to specific requirements?
▫ Compliance with supplemental audit requirements
▫ No expectation to document how the auditor adapted and applied every applicable AU section


Reissuing a Compliance Report
Hopefully, this never happens to you!
• Explanatory paragraph describing reason for reissuance of report and changes made
• Dating
▫ Update if all programs affected
▫ Dual date if not all programs affected
• A need to reissue auditor-prepared documents referred to in the compliance report is considered to be a reissuance of the report itself


AICPA Audit Resources
• Auditing & Accounting Guides will continue to be important for meeting standards for Single Audits
▫ Government Auditing Standards and Circular A-133
▫ State & Local Governments


Questions ?????
