If you perform governmental audits, you know that different governmental auditing standards can come into play.
In this video, I explain three essential governmental auditing standards. By understanding these, you can properly plan and perform your engagements to comply with professional standards.
SAS No. 149, Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors and Audits of Referred-to Auditors) defines what firms must do in group audits.
Sometimes, auditors have a group audit but don’t know it (as Michael Westervelt pointed out in his JOA article), or they are aware that a group audit is in play but don’t know the requirements. Either way, if your firm doesn’t comply with group audit standards and your peer reviewer notices, you’ve got a problem—sometimes a big one.
Group audits raise questions such as who is responsible for what. Below, I explain the responsibilities of the following:
Group auditor,
Group engagement partner,
Component auditor and
Referred-to auditor.
I also provide key group audit definitions and communication and documentation requirements.
I will use a question-and-answer format to explain the following:
Group audits
Group auditor
Group audit partner
Component auditor
Components
Component performance materiality
Aggregation risk
Referred-to auditor
Number of audit firms
Group audit documentation
Group Audits
What is a group audit?
It’s an audit of group financial statements.
But what are group financial statements? They are financial statements that include multiple entities or business units or the aggregation of financial information from entities or business units such as branches or divisions. Group financial statements include aggregating financial information from business units with separate locations, management, or information systems. (See A4 and A5 of SAS 149 for additional information.)
A government with a discretely presented component unit
An entity organized by geography (e.g., an entity comprised of American, Mexican, and Canadian operations managed by three national management teams; each national reporting center has its own general ledger)
If you are auditing one of these, you are conducting a group audit, and specific audit requirements apply. If you are directing the audit, you are the group auditor; in some cases, other audit firms might participate.
Group Auditor
So, what is a group auditor?
It’s the group engagement partner and engagement team members other than component auditors (see component auditor definition below).
The group auditor performs duties including the following:
Establishes the group audit strategy
Develops the group audit plan
Determines components to audit
Gains an understanding of the group and its environment, reporting framework, and system of internal controls
Takes responsibility for assessing group financial statement risks of material misstatement
Takes responsibility for the performance of further audit procedures, including the work of component auditors and work related to the consolidation process
Determines the resources needed to perform the audit, including any component auditors (see below)
Determines the component performance materiality (see below) to address aggregation risk (see below)
Directs and supervises component auditors and reviews their work
Makes decisions about referencing the audit of a referred-to auditor (see below)
Evaluates the conclusions based on audit evidence as a basis for the group audit opinion
Evaluates whether sufficient appropriate evidential matter is present to support the group audit opinion (including the work of component auditors or through reference to a referred-to auditor’s opinion)
Forms an opinion on the group financial statements based on the audit evidence obtained
Communicates with those charged with governance (and management, when appropriate) about audit matters including:
an overview of the component auditor’s work
decisions to make reference to audits of referred-to auditors
any scope limitations
fraud or suspected fraud
internal control deficiencies
Evaluates whether the audit documentation is sufficient to enable an experienced auditor (one with no previous connection with the engagement) to understand the following:
Nature, timing, and extent of audit procedures
Audit evidence
Conclusions about significant matters
When component auditors are in use, the group auditor has specific responsibilities, including the following:
Evaluating the adequacy of component auditor communications for the group auditor’s purposes
Determining the nature, timing, and extent of the component auditor’s involvement
Being sufficiently and appropriately involved in the component auditor’s work
Confirming that the component auditor understands and will comply with the ethical requirements
Determining the component performance materiality (see below) to lessen aggregation risk (see below)
Determining the appropriateness of the further audit procedures performed by the component auditor
Reviewing component auditor documentation while taking into account the group financial statement risks of material misstatement and significant risks
Evaluating the sufficiency and appropriateness of the audit evidence obtained from all components, including evidence provided by component auditors
The group auditor should communicate the following to component auditors:
The component auditor’s responsibilities
The relevant ethical requirements
Requesting the component auditor to confirm that they will cooperate with the group auditor
The need for timely communication during the engagement
Risk assessment matters that affect the risk assessment procedures to be performed by the component auditor
Matters affecting planned further audit procedures in response to group financial statement risks of material misstatement
Significant risks of the group financial statements that have a bearing on the component audit procedures
Related party relationships and transactions affecting the component
Any events or conditions that may raise substantial doubt about the group’s ability to continue as a going concern (as related to the component auditor’s work)
Group Engagement Partner
Who is the group engagement partner?
The auditor responsible for the group audit.
The group engagement partner’s responsibilities include:
Deciding that sufficient appropriate audit evidence can be obtained (including the use of component auditors and referred-to auditors) before accepting the engagement or making the decision to continue providing audit services
Being sufficiently and appropriately involved in the group audit, including the work of component auditors
Determining that the component auditor has appropriate competence and capabilities
Determining the nature, timing, and extent of the component auditor’s involvement in the group audit
Accountability for the group audit and compliance with standards
Determining the appropriateness of significant judgments and conclusions
Taking responsibility for directing, supervising, and reviewing the work of component auditors
Here are examples of different ways the group engagement partner can direct and supervise component auditors:
Have meetings with or make phone calls to the component auditors about risk assessment, findings, or other issues
Review the component auditor’s documentation
Be a part of the component auditor’s meetings with component management
Component Auditor
What is a component auditor?
An auditor that audits a group audit component, such as a business subsidiary.
A component auditor (working with the group auditor) is a part of the audit team.
Component auditors can include:
Auditors from a firm network,
An audit firm that is not a network firm, or
The group auditor’s firm (e.g., another office in the firm of the group auditor)
It is possible that all component auditors are from the group audit firm. It is also possible that component auditors include the group audit firm and audit firms external to the group audit firm.
The group auditor should ask the component auditor to communicate certain component matters, including the following:
Matters that might affect the identification and assessment of the risk of material misstatement at the group financial statement level
Related party relationships or transactions not previously communicated by the group auditor
Identification of the information audited by the component auditor
Whether the component auditor performed the requested work
Noncompliance with laws and regulations
Whether the component auditor complied with ethical requirements
Corrected and uncorrected misstatements
Possible management bias
Deficiencies in the system of internal control
Fraud or suspected fraud
Any events or conditions that might affect the group’s ability to continue as a going concern for a reasonable period of time
Any other significant matters communicated to the component’s management or those charged with governance
Overall findings and conclusions of the component auditor
The group audit report should not reference any component auditors when component auditors participate in the group audit.
Components
What are components?
A component is an:
Entity
Business unit
Function
Business activity, or
Some combination thereof
The group auditor determines how components relate to one another for planning and performing audit procedures.
For instance, the group auditor might decide that the group audit firm will audit entities A, B, and C, and another firm (a component auditor) will audit entity D. In this example, the group audit firm and the component audit firm comprise the audit team.
In another example, the group auditor might decide that the group audit firm will audit entities A, B, and C and reference the audit report of entity D performed by another firm (called the referred-to auditor). The referred-to auditor is not a part of the audit team.
A component auditor needs to know what the component materiality is.
Component Performance Materiality
What is component performance materiality?
It’s the amount the group auditor sets to reduce aggregation risk (see below) to an appropriate level. The component performance materiality must be less than the group performance materiality.
Additionally, the component auditor must communicate any misstatements above a certain amount (component threshold) to the group auditor. The group auditor specifies this component threshold,anditshould not exceed the trivial amount in the group financial statement.
For example, the trivial misstatement amount for the ABC Consolidated financial statements might be $75,000 (as set by Cole CPA firm), and the component threshold could be $25,000 for entity B, a component audited by the Gee Whiz CPA firm. If Gee Whiz identifies one misstatement of $15,000 and another for $55,000, it must communicate the second misstatement to Cole CPA firm, the group audit firm.
One unique risk in group audits is aggregation risk.
Aggregation Risk
What is aggregation risk?
It’s the risk that aggregate uncorrected and undetected misstatements might exceed the financial statements’ materiality.
Suppose the group auditor audits companies A and B, and a component auditor audits company C. And say the group audit materiality is $750,000. If company A has a passed adjustment of $300,000 in accounts receivable (an overstatement) and company C has an undetected misstatement in accounts receivable of $600,000 (also an overstatement), the aggregate uncorrected and undetected misstatements is material.
So, the group auditor needs to plan the engagement to keep aggregation risk at an appropriate level. One way to do so is to lower the materiality thresholds for the various components.
Sometimes, another auditor audits a component and issues an opinion on the entity. When this occurs, the group auditor can elect to reference the other auditor’s opinion.
Referred-to Auditor
What is a referred-to auditor?
An auditor who audits an entity that the group audit report references.
The group engagement partner can only make reference when the referred-to auditor issues an audit report on a component that is not restricted as to use.
A referred-to auditor is not part of the audit team or a component auditor.
Should the group auditor direct the referred-to auditor’s work? No, the group auditor does not direct or supervise the referred-to auditor or review their work. Even so, the group engagement partner should determine whether the referred-to auditor followed generally accepted auditing standards (GAAS) or the PCAOB standards. Additionally, the group auditor should read the component’s financial statements and the referred-to audit report to see if there are any significant matters.
Referred-to Auditor Example
For example, Big CPA firm might audit ABC Company and XYZ Company. Little CPA firm audits DEF Company and issues an audit opinion on it. Big CPA’s audit report can reference Little CPA’s audit (provided specific requirements are met; see below). Illustration 2 in SAS 149 provides a sample report for this situation.
Here’s a sample referred-to paragraph that would follow the Big CPA firm’s opinion paragraph:
We did not audit the financial statements of DEF Company, a wholly owned subsidiary, whose statements reflect total assets constituting 15 percent and 20 percent, respectively, of consolidated total assets on December 31, 20X1 and 20X0, and total revenues constituting 14 percent and 17 percent, respectively, of consolidated total revenues for the years then ended. Those statements were audited by other auditors, whose report has been furnished to us, and our opinion, insofar as it relates to the amounts included for DEF Company, is based solely on the report of the other auditors.
(Note – I bolded some words to highlight the language in this example paragraph. Standard audit opinions do not bold such wording.)
The purposes of this referred-to paragraph are to communicate:
that the group auditor was not involved in the referred-to auditor’s audit, and
the source of the audit evidence for the referred-to components
The group auditor can provide the magnitude of the referred-to auditor’s work in percentages or dollar amounts. (The example above uses percentages.)
The group auditor does not direct the audit of the referred-to auditor’s work, so the group auditor says its opinion (concerning that portion of the group financial statements) is based solely on the referred-to auditor’s report.
Referred-to Auditor Communications
What communications should occur between the group auditor and the referred-to auditor?
The group auditor should communicate the related party relationships identified by group management, any other related party, and any related party transactions (that affect the referred-t0 auditor’s work) to the referred-to auditor.
Moreover, the group engagement partner should do the following:
Make the referred-to auditor aware of relevant ethical requirements
Confirm whether the referred-to auditor complied with the ethical requirements
Determine whether the referred-to auditor has appropriate competence and capabilities
Referencing the referred-to auditor’s report may not be suitable if the group auditor believes the referred-to auditor lacks appropriate competence and capabilities or has not complied with ethical requirements.
The group auditor should request the following from the referred-to auditor:
Identification of the component financial information on which the referred-to auditor issues a report
Confirmation that the referred-to auditor will cooperate with the group auditor
Related party relationships not previously identified by the group auditor or group management
No, not necessarily. One firm can audit all entities in group audit financial statements. Alternatively, one or more component auditors from other audit firms can audit one or more components.
Here are examples of group audits:
One firm audits all components comprising a consolidated financial statement
One firm audits five entities comprising a consolidated financial statement, and another firm audits two entities included in that same consolidated financial statement
For a governmental audit:
Audit firm A audits seven opinion units
Audit firm B audits a discretely presented component unit (one opinion unit)
One firm audits a company that owns an equity method investment, andanother firm audits the equity method investment company
One firm audits all operations of a company in the United States, and another firm audits all operations in England (the company’s financial statements include all operations)
Exhibit A of SAS 149 (titled Relevancy of Requirements in Various Group Audit Scenarios) outlines the paragraphs in this standard that are relevant to various scenarios. The scenarios include the following:
Group auditor – the group auditor carries out the audit, and no component auditors participate
Group auditor and component auditors – component auditors are involved in the group audit
Group auditor and referred-to auditors – the group auditor, in its audit opinion, makes reference to the referred-to auditor’s report, and no component auditor is involved
Group auditor, component auditors, and referred-to auditor – the group auditor, in its audit opinion, makes reference to the referred-to auditor’s report, and component auditors are involved
So, see exhibit A for the pertinent SAS 149 paragraphs when performing a group audit.
Group Audit Documentation
What group audit documentation do you need?
Group audit documentation includes the following (this is not a comprehensive list):
The basis for component determinations and how those were used in planning and performing the group audit
The basis of component performance materiality and component thresholds for communication
Your understanding of the group’s system of internal control
The basis for your determination that component auditors possess sufficient competence and capabilities
Evidence of the group auditor’s direction and supervision of the component auditor and the review of their work
Communications with component auditors, including matters such as fraud, significant matters, or going concern
For referred-to auditors:
Financial statements of the component
Referred-to auditor’s report
The basis for your determination that the referred-to auditors possess sufficient competence and capabilities
The group auditor’s evaluation of, and actions taken in response to, findings or conclusions from component auditors or referred-to auditors regarding issues that could materially impact the group financial statements
Group Audit Summary
Here are summary points from the above:
The group audit standards are often relevant when you audit an entity with multiple entities, divisions, or opinion units (governments).
The group auditor (including the group engagement partner) directs a group audit, including a component auditor’s work.
The group auditor does not direct the work of a referred-to auditor; a referred-to auditor is not a part of the audit team.
SAS 149 Effective Date
SAS 149 is effective for audits of group financial statements for periods ending on or after December 15, 2026.
Are you looking for payment fraud tests? Ways to detect fraudulent payments and create unpredictable tests. Here’s your article.
You are leading the audit team discussion concerning disbursements, and a staff member asks, “Why don’t we ever perform fraud tests? It seems like we never introduce elements of unpredictability.”
You respond by saying, “Yes, I know the audit standards require unpredictable tests, but I’m not sure what else to do. Any fresh ideas?”
The staff member sheepishly responds, “I’m not sure.”
And you are thinking, “What can we do?”
Five Payment Fraud Tests
Here are five payment fraud tests that you can perform in most any audit.
1. Test for duplicate payments
Why test for duplicate payments?
Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer does not normally examine supporting documentation and the payee name.
How can you test for duplicate payments?
Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).
2. Review the accounts payable vendor file for similar names
Why test for similar vendor names?
Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes might be used).
The check-signer will probably not recognize the payee name as fictitious.
How can you test for similar vendor names?
Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.
3. Check for fictitious vendors
Why test for fictitious vendors?
The accounts payable clerk may add a fictitious vendor. What address will be entered for the fictitious vendor? You guessed it: the payable clerk’s home address (or P.O. Box).
Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.
How can you test for fictitious vendors?
Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the business addresses to check for validity. If necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).
4. Compare vendor and payroll addresses
Why compare vendor and payroll addresses?
Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.
How can you test for the same vendor and payroll addresses?
Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.
5. Scan all checks for proper signatures and payees
Why test checks for proper signatures and payees?
Fraudsters will forge signatures or complete checks with improper payees such as themselves.
How can you test for proper signatures and payees?
Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also, consider scanning endorsements (if available).
Your Payment Fraud Tests
Those are a few of my payment fraud tests. Please share yours.
Need additional ideas regarding how fraud might occur. Check out my post: 25 Ways Fraud Happens.
My fraud book provides more insights into why fraud occurs, how to detect it, and–most importantly–how to prevent it. See The Little Book of Local Government Fraud Prevention. The book focuses on local government fraud, but most of the information is equally applicable to small businesses.
Seven deadly audit sins can destroy you. These audit mistakes kill your profits and effectiveness.
You just completed an audit project, and you have another significant write-down. Last year’s audit hours came in well over budget, and—at the time—you thought, This will not happen again. But here it is, and it’s driving you insane.
Insanity: doing the same thing year after year but expecting different results.
Are you ready for better results?
Audit Mistakes
Here are seven deadly (audit) sins that cause our engagements to fail.
1. We don’t plan
Rolling over the prior year file does not qualify as planning. Using canned audit programs is not planning.
What do I mean? We don’t know what has changed. Why? Because we have not performed real risk assessment such as current year walkthroughs. We have not (really) thought about current year risks of material misstatement.
Each year, audits have new wrinkles.
Are there any fraud rumors? Has the CFO left without explanation? Have cash balances decreased while profits increased? Does the client have a new accounting program or new staff? Can you still obtain the reports you need? Are there any new audit or accounting standards?
Anticipate issues and be ready for them with a real audit plan.
2. SALY lives
Elvis may not be in the house, but SALY is.
Performing the same audit steps is wasteful. Just because we needed the procedure ten years ago does not mean we need it today. Kill SALY. (No, I don’t mean your staff member; SALY stands for Same As Last Year).
I find that audit files are like closets. We allow old thoughts (clothes) to accumulate without purging. It’s high time for a Goodwill visit. After all, this audit mistake has been with you too long. So ask yourself Are all of the prior audit procedures relevant to this year’s engagement?
Will better planning require us to think more in the early phases of the engagement? Yes. Is this hard work? Yes. Will it result in less overall effort? Yes.
Sometimes the Saly issue occurs because of weak staff.
3. We use weak staff
Staffing your engagement is the primary key to project success. Excellent staff makes a challenging engagement pan out well. Poor staff causes your engagement time to balloon–lots of motion, but few results. Maybe you have smart people, but they need training. Consider AuditSense.
Another audit mistake is weak partner involvement.
4. We don’t monitor
Partners must keep an eye on the project. And I don’t mean just asking, “How’s it going?” Look in the audit file. See what is going on. In-charges will usually tell you what you want to hear. They hope to save the job on the final play, but a Hail Mary often results in a lost game.
As Ronald Reagan once said: Trust but verify.
Engagement partners need to lead and monitor. They also need to provide the right technology tools.
5. We use outdated technology
Are you paperless? Using portable scanners and monitors? Are your auditors well versed in Adobe Acrobat? Are you electronically linking your trial balances to Excel documents? Do you use project management software (e.g., Basecamp)? How about conferencing software (e.g., Zoom)? Do you have secure remote access to audit files? Do you store files securely in the cloud (e.g., Box)? Are you using data mining software such as Idea? Do you send electronic confirmations?
Do your staff members fear you so much that they don’t give you the bad news?
6. Staff (intentionally) hide problems
Remind your staff that bad news communicated early is always welcome.
Early communication of bad news should be encouraged and rewarded (yes, rewarded, assuming the employee did not cause the problem).
Sometimes leaders unwittingly cause their staff to hide problems. In the past, we may have gone ballistic on them–now they fear the same.
And here’s one last audit mistake: no post-engagement review.
7. No post-engagement review
Once our audit is complete, we should honestly assess the project. Then make a list of inefficiencies or failures for future reference.
If you are a partner, consider a fifteen-minute meeting with staff to go over the list.
In this post, I provide an overview of the internal control reporting requirements when no significant deficiencies or material weaknesses are noted in an audit of the financial statements. I also provide guidance for when such an engagement is subject to the Government Auditing Standards (i.e., Yellow Book). You’ll see a video that shows you what the audit opinion and Yellow Book reports look like when both are in play, and there are no issues.
Internal Control Reporting Standards
There are two sets of rules when you perform an audit that is subject to the Yellow Book requirements:
Generally accepted auditing standards from AICPA
Government Auditing Standards (i.e., Yellow Book) from GAO
And only one set of rules if the audit is not subject to the Yellow Book requirements:
Generally accepted auditing standards from AICPA
Consider two scenarios.
1. Perform an audit not subject to Yellow Book
If you perform an audit (not subject to Yellow Book) and have no significant deficiencies or material weaknesses, then no internal control letter is required (for anyone). I refer to this letter as the “SAS 115 letter” since that’s where the original generally accepted auditing rule came from. Some people opt to issue one anyway. But again, this is not required.
In this scenario, you issue one report:
Audit opinion (and no internal control letter is issued)
2. Perform an audit subject to Yellow Book
If you perform an audit that is subject to Yellow Book and have no significant deficiencies or material weaknesses, then no SAS 115 internal control letter is required. Some people opt to issue one anyway.
A Yellow Book report is required (even though there are no significant deficiencies or material weaknesses) and is included in the audited financial statements, usually after the notes to the financial statement.
You do not need to send this report to anyone separately (i.e., the government) since it’s included in the bound audit report.
So, in this scenario, you issue two reports:
Audit opinion, and
Yellow Book report
But what do these reports look like?
Yellow Book Report and Amendments to Audit Opinion
Here is a video that shows you what a Yellow Book reports looks like when there are no significant deficiencies or material weaknesses.
I also show you how to amend your standard audit opinion (governmental example) when the Yellow Book report is provided.