Category Archives for "Auditing"

Jul 26

Wrapping Up Audits: The Why and How

By Charles Hall | Auditing

Wrapping up audits is a chore. But today's post will help you do just that.
Do you ever have the almost-done illusion? You think you’re almost done, but you’re not—and you’re not even close. Frustrating! 


What? I’m Not Done?

I remember my boss asking me, “what’s the status of the audit?” I answered, “oh, I’m about 90% done.” But actually I was—at best—75% through. Why the miscalculation? I mistakenly thought if the planning and transaction areas (e.g., cash) were complete, that I was nearly finished. I was wrong. Wrapping up audits takes (or at least can take) a significant amount of time.

Wrapping Up Audits — An Overview

In the final stages of an audit, we are (among other things):

  • Updating subsequent events
  • Considering going concern
  • Creating final analytics
  • Providing audit entries to the client
  • Summarizing passed journal entries
  • Reviewing the file
  • Creating financial statements
  • Completing the disclosure checklist
  • Reviewing financial statements
  • Obtaining a management representation letter
  • Creating your audit opinion
  • Creating a management letter
  • Communicating control deficiencies

There is no required order for these steps. The sequence provided below is simply my normal method.

Let’s start with subsequent events.

Updating Subsequent Events

The financial statements should disclose material subsequent events such as legal settlements, the issuance of debt, the adoption of a benefit plan, or the sale of stock. And while disclosure is important, subsequent events—such as legal settlements—can affect the year-end balance sheet. Some subsequent events trigger the accrual of liabilities.

Here are common subsequent event procedures:

  • Inquire of management and company attorneys about subsequent events
  • Review subsequent receipts and payments
  • Read the minutes created after period-end
  • Review subsequent interim financial statements
  • Review the subsequent year’s budget
  • Obtain an understanding of management’s methods for accumulating subsequent event information

In performing these procedures, obtain subsequent event information through the audit report date. 

If you’ve sent attorneys’ letters asking about potential litigation, you may need to get an update to coincide with the audit report date. You want the attorney’s written response to be as close to the audit report date as possible. How close? Usually within two weeks. If there are significant issues, you may want to bring the written response through the audit report date.

Another critical issue in wrapping up audits is going concern.

Considering Going Concern

Even in the planning stage, auditors should consider going concern, especially if the entity is struggling financially. But as you approach the end of the audit, going concern should crystallize. Now you have your audit evidence, and it’s time to determine if a going concern opinion is necessary. Also, consider whether going concern disclosures are sufficient. If substantial doubt is present, then the entity should include going concern disclosures (even if substantial doubt is alleviated by management’s plans).

And what is substantial doubt? The Financial Accounting Standards Board defines it this way:

Substantial doubt about the entity’s ability to continue as a going concern is considered to exist when aggregate conditions and events indicate that it is probable that the entity will be unable to meet obligations when due within one year of the date that the financial statements are issued or are available to be issued.

So, for nongovernmental entities, ask “Is it probable that the company will meet its obligations for one year from the opinion date?” If it is probable that the entity will meet its obligations, then substantial doubt does not exist. If it is not probable that the entity will meet its obligations, then substantial doubt exists.

And what is the period of time to be considered when assessing going concern? One year from the audit report date—unless the entity is a government. If the entity is a government, then the evaluation period is one year from the financial statement date (though this period can lengthen in certain circumstances).

The going concern evaluation is one that management makes as it considers whether disclosures are necessary. 

Then the auditor considers going concern from an audit perspective. If substantial doubt is present, the auditor issues a going concern opinion. Also, if going concern disclosures are incorrect or inadequate, the auditor may need to modify the opinion.

Wrapping up audits also includes the creation and review of final analytics.

Creating Final Analytics

Auditors create planning analytics—the comparison of key numbers—early in the audit. Why? To look for the risk of material misstatement. Unexpected changes in numbers are indicators of potential error or fraud. They create questions. When unexpected variations exist, auditors plan procedures to test why. 


So, what is the purpose of final analytics? To determine whether unanswered questions still exist. Auditors want to know, given the audit evidence in hand, that the numbers are fairly stated.

What analytics should you use? Audit standards don’t specify particular analytics. Some auditors read the financial statements (when comparative periods are presented). Others review key ratios. And some compare current year trial balance numbers with the prior year. 

My final analytics are often the same as those in the beginning. For example, if my planning analytics include a comparison of trial balance numbers, so will my final analytics. Why do I use the same analytics? I want to know that the questions raised in the beginning are now answered. 

In wrapping up your audits, consider the numbers important to your clients. Many auditors—in an exit conference—provide key analytics to management and board members, such as performance indicators or liquidity ratios. Consider whether these numbers should be a part of your final (and planning) analytics. 

Now, you are ready to provide your proposed audit entries.

Providing Audit Entries to the Client

Give your audit entries to your client. Hopefully, you discussed these adjustments with your client when you discovered them. If you did, this part is easy. You’re just giving your client the entries. If not, review the proposed adjustments with the client and see if they agree.

Your client may desire to pass on (not post) some immaterial entries. 

Summarizing Passed Journal Entries

Prior to creating the representation letter, the auditor needs to summarize passed journal entries. Why? Audit standards require management to provide a written assertion regarding whether the uncorrected misstatements are material. The summary assists in that determination. 

Once you summarize the uncorrected misstatements, you should consider whether they are material. Review your audit materiality and consider whether the passed adjustments are acceptable. If material uncorrected misstatements exist, consider the effect on your opinion.

In addition to all of the above, you need to review the audit file to make sure everything is in order. 

Reviewing the File

Perform your final review of the work papers and sign off as the reviewer. All preparer and reviewer dates must precede or coincide with the representation letter date (which is the opinion date). Why? Reviews are a part of your evidential matter. Documentation—including reviews—must exist no later than the opinion date. 

See my article titled Seven Excuses for Unnecessary Audit Work Papers.

Once the audit file is ready, it’s time to create the financial statements (if you’ve been engaged to do so).

Creating Financial Statements

Larger entities usually create their own financial statements, but smaller organizations sometimes outsource this work to their auditors. 


If the auditor creates the financial statements, the following needs to occur:

  • The audit firm creates the financial statements.
  • The audit firm reviews the financial statements.
  • The client reviews the financial statements.

If you (the auditor) are engaged to create the financial statements, complete them on time. Why? Management must read and take responsibility for the financial statements prior to signing the representation letter. 

Also, the auditor’s review of the financial statements needs to be completed prior to the date of management’s representation letter. Why? All evidential matter, including the audit firm’s review of the financial statements, must be complete before the opinion is issued.

So, management and the auditor must review the financial statements before the opinion is issued. We’ll discuss the financial statement review process for auditors in a moment, but before we do, let’s take a look at completing the disclosure checklist.

Completing the Disclosure Checklist

Whether you or your client creates the financial statements, a disclosure checklist helps ensure the completeness and propriety of the notes. Remember your audit opinion covers the financial statements and the disclosures. 

Since new accounting standards are issued throughout the year, make sure you use a current checklist. Otherwise, you may not be aware of new or amended disclosure requirements.

Now it’s time to review the financial statements.

Reviewing Financial Statements

If your audit firm creates the financial statements, at least two people should be involved—one creating and one reviewing. Why? Two reasons: (1) the self-review threat (an independence issue) and (2) blind spots.

So, what is a self-review threat? It’s the idea that the person creating something (e.g., the financial statements) will not be independent in reviewing the same. Why is this a problem? Well, we are issuing an independent auditor’s opinion. That’s why we need a second-person review of the financial statements—to mitigate the self-review threat.

Additionally, a second-person review is useful in overcoming blind spots. If I create financial statements with errors, I may not see my own mistakes. I have blind spots. Such errors are often readily apparent to a second person.

See my post about reviewing financial statements on a computer screen.

Once the financial statements have been prepared and reviewed by your audit firm and your client, it’s time to obtain the management representation letter, another step in wrapping up audits.

Obtaining a Management Representation Letter

The management representation letter is usually prepared by the audit firm and is provided to the client for signing. In the letter, the client is making certain assertions regarding issues such as the following:

  • Management’s responsibility for the financial statements
  • Management’s responsibility for internal controls
  • Assurances that all transactions have been recorded
  • Whether known fraud has occurred
  • Whether known non-compliance with laws or regulations occurred
  • The effects of uncorrected misstatements
  • Litigation
  • The assumptions used in computing estimates
  • Related party transactions
  • Subsequent events
  • Supplementary information
  • Responsibility for nonattest services

The representation letter should cover all financial statements and periods referred to in the auditor’s report. If management refuses to provide the representation letter, then consider the effect upon the auditor’s report. Such a refusal constitutes a scope limitation and will usually preclude the issuance of an unmodified opinion.

Another part of wrapping up audits is creating your audit opinion.

Creating Your Audit Opinion

You’ve planned and performed your audit. 

Now you need to consider the type of opinion you’ll issue. If an unmodified opinion is merited, no problem. Use the standard opinion. But if you are going to qualify the opinion, or issue a disclaimer or adverse opinion, there’s more work to be done. Additionally, sometimes you need to add an emphasis-of-matter paragraph or an other-matter paragraph to your opinion.


Determine which opinion is appropriate. Most CPAs use sample reports from national publishing companies. Others use sample reports directly from the auditing standards. Regardless, place a copy of the sample report in your audit file. Why? Your peer reviewer—or someone else—might question your report language. Responding to such questions is much easier with the sample report in hand.

Create your opinion and have a second person review the report, comparing the opinion to the sample report. Check and recheck your wording.

Another consideration in wrap-up is whether you’ll issue a management letter. 

Creating a Management Letter

While not required, you can provide a written management letter to your audit client. Why would you do so? To add value to the audit. 

What is a management letter? Suggestions for improving the business. 

What should you include in the letter? It’s up to you (and dependent upon your observations during the audit), but here are a few examples:

  • Suggested monthly reports for the owners or management
  • Warnings regarding cyber attacks and prevention techniques
  • A suggestion that excess cash be used to pay off high interest rate debt
  • Procurement and bidding recommendations
  • A suggestion that security cameras be installed
  • Software recommendations 
  • A recommendation that all equipment be physically inspected and reconciled to the property ledger 
  • A suggestion that the company review its property insurance coverage
  • Best practices for the implementation of new accounting standards

If you provide a management letter, give the client a draft prior to issuance. Why? To avoid the embarrassment of making inappropriate suggestions—maybe they’ve already done what you are suggesting, for example. 

In addition to the management letter, you may also need to communicate significant deficiencies and material weaknesses.

Communicating Control Deficiencies

Audit standards define significant deficiencies and material weaknesses as follows:

  1. Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  2. Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

Auditing standards require a written communication of significant deficiencies and material weaknesses.

Control deficiencies are often noted during the risk assessment process, particularly as you perform walkthroughs. 

You may also note control weaknesses as you prepare audit journal entries, especially if the adjustments are material. Errors are usually the result of weak internal controls.

Regardless of how you become aware of the control weaknesses, capture them immediately. Otherwise, you may forget them later on. Also, if control weaknesses are material, you may need to communicate them to management when they are discovered (and again at the completion of the audit).

As you are wrapping up audits, create your internal control letter based on the weaknesses noted.

Consider providing a draft of the internal control letter to management prior to final issuance. Why? To avoid potential misunderstandings. If there’s a disagreement between the client and the auditor, it’s best to clear the issue prior to final issuance of the internal control letter.

One other suggestion: if there are sensitive issues, the senior audit team member (usually the engagement partner) should make this communication. It’s a time to speak the truth with tactfulness—and experience helps.

I started this chapter by saying that wrap-up can take a significant amount of time. As we have seen, there is much to be done in this closing stage of the engagement. 

Wrapping Up Audits - A Simple Summary

  • Perform subsequent event procedures to ensure that all relevant information is included in the financial statements 
  • Consider whether going concern disclosures are necessary and, if required, complete; also consider the need for a going concern opinion
  • Create final analytics and determine if all significant variations in the numbers have been addressed
  • Provide proposed audit entries to the client 
  • Summarize and review all passed journal entries to ensure that material misstatements are not present
  • Review the work paper file 
  • Create the financial statements (if you have been engaged to do so)
  • Complete a current disclosure checklist
  • Review the financial statements 
  • Obtain a signed management representation letter 
  • Create your audit opinion 
  • Create a management letter 
  • Communicate significant deficiencies and material weaknesses 

There you have it: the wrap-up process. Now, when your boss asks, “what’s the status of the audit?” you can say, “I’m at 90 percent”—and be sure of it.

This post is a part of a series of articles titled The Why and How of Auditing. Check it out. The series is also available as a book on Amazon. Be one of the thousands who have purchased this resource. You'll find it useful as a partner or a staff member.

Jul 21

Disbursement Fraud Audit Tests: Five Powerful Ideas

By Charles Hall | Auditing, Fraud

Are you looking for disbursement fraud audit tests? Here’s your article.

You are leading the audit team discussion concerning disbursements, and a staff member asks, “Why don’t we ever perform fraud tests? It seems like we never introduce elements of unpredictability.”

You respond by saying, “Yes, I know the audit standards require unpredictable tests, but I’m not sure what else to do. Any fresh ideas?”

The staff member sheepishly responds, “I’m not sure.”

And you are thinking, “What can we do?”


Five Disbursement Fraud Audit Tests

Here are five disbursement fraud tests that you can perform in most any audit.

1. Test for duplicate payments

Why test for duplicate payments?

Theft may occur as the accounts payable clerk generates the same check twice, stealing and converting the second check to cash. The second check may be created in a separate check batch, a week or two later. This threat increases if (1) checks are signed electronically or (2) the check-signer does not normally examine supporting documentation and the payee name.

How can you test for duplicate payments?

Obtain a download of the full check register in Excel. Sort by dollar amount and vendor name. Then investigate same-dollar payments with same-vendor names above a certain threshold (e.g., $25,000).

2. Review the accounts payable vendor file for similar names

Why test for similar vendor names?

Fictitious vendor names may mimic real vendor names (e.g., ABC Company is the real vendor name while the fictitious name is ABC Co.). Additionally, the home address of the accounts payable clerk is assigned to the fake vendor (alternatively, P.O. boxes might be used).

The check-signer will probably not recognize the payee name as fictitious.

How can you test for similar vendor names?

Obtain a download of all vendor names in Excel. Sort by name and visually compare any vendors with similar names. Investigate any near-matches.

3. Check for fictitious vendors

Why test for fictitious vendors?

The accounts payable clerk may add a fictitious vendor. What address will be entered for the fictitious vendor? You guessed it: the payable clerk’s home address (or P.O. Box).

Pay particular attention to new vendors that provide services (e.g., consulting) rather than physical products (e.g., inventory). Physical products leave audit trails; services, less so.

How can you test for fictitious vendors?

Obtain a download in Excel of new vendors and their addresses for a period of time (e.g., month or quarter). Google the business addresses to check for validity. If necessary, call the vendor. Or ask someone familiar with vendors to review the list (preferably someone without vendor set-up capabilities).

4. Compare vendor and payroll addresses

Why compare vendor and payroll addresses?

Those with vendor-setup ability can create fictitious vendors associated with their own home address. If you compare all addresses in the vendor file with addresses in the payroll file, you may find a match. (Careful – sometimes the match is legitimate, such as travel checks being processed through accounts payable.) Investigate any suspicious matches.

How can you test for the same vendor and payroll addresses?

Obtain a download in Excel of (1) vendor names and addresses and (2) payroll names and addresses. Merge the two files; sort the addresses and visually inspect for matches.

5. Scan all checks for proper signatures and payees

Why test checks for proper signatures and payees?

Fraudsters will forge signatures or complete checks with improper payees such as themselves.

How can you test for proper signatures and payees?

Pick a period of time (e.g., two months), obtain the related bank statements, and scan the checks for appropriate signatures and payees. Also, consider scanning endorsements (if available).
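Tests 1, 2 and 4 above can be run as code instead of by sorting in Excel and inspecting by eye. The following is an added example, not part of the original post; the field names, the sample records, the suffix and abbreviation lists, and the 0.85 similarity cutoff are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data standing in for the Excel downloads (not real records).
CHECKS = [
    {"check_no": 1001, "vendor": "ABC Company", "amount": 31250.00},
    {"check_no": 1002, "vendor": "Delta Supply", "amount": 4800.00},
    {"check_no": 1017, "vendor": "ABC Co.", "amount": 31250.00},
    {"check_no": 1020, "vendor": "Delta Supply", "amount": 4800.00},
    {"check_no": 1033, "vendor": "Northside Consulting", "amount": 27500.00},
]
VENDORS = [
    {"name": "ABC Company", "address": "400 Industrial Blvd, Suite 2"},
    {"name": "ABC Co.", "address": "12 Oak Street"},
    {"name": "Delta Supply", "address": "P.O. Box 771"},
    {"name": "Delta Suply", "address": "P.O. Box 9"},
    {"name": "Northside Consulting", "address": "88 Maple Ave."},
]
EMPLOYEES = [
    {"name": "J. Smith", "address": "12 Oak St"},
    {"name": "R. Jones", "address": "305 Pine Road"},
]

# Assumed normalisation lists; extend them for the client's data.
SUFFIXES = {"co", "company", "corp", "corporation", "inc", "llc", "ltd"}
STREET_ABBREV = {"street": "st", "avenue": "ave", "road": "rd",
                 "boulevard": "blvd", "drive": "dr", "suite": "ste"}


def name_key(name):
    """Lowercase, drop punctuation and legal suffixes: 'ABC Co.' -> 'abc'."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    core = [t for t in tokens if t not in SUFFIXES]
    return " ".join(core or tokens)  # keep the tokens if the name is only a suffix


def address_key(address):
    """Lowercase, drop punctuation, abbreviate street words: '12 Oak Street' -> '12 oak st'."""
    tokens = re.sub(r"[^a-z0-9 ]", "", address.lower()).split()
    return " ".join(STREET_ABBREV.get(t, t) for t in tokens)


def duplicate_payments(checks, threshold=25_000):
    """Test 1: same normalised payee and same amount, at or above the threshold."""
    groups = defaultdict(list)
    for c in checks:
        if c["amount"] >= threshold:
            key = (name_key(c["vendor"]), round(c["amount"] * 100))  # compare in cents
            groups[key].append(c["check_no"])
    return sorted(sorted(nos) for nos in groups.values() if len(nos) > 1)


def similar_vendor_names(vendors, min_ratio=0.85):
    """Test 2: vendor pairs whose normalised names are equal or nearly equal."""
    hits = []
    for a, b in combinations(vendors, 2):
        ratio = SequenceMatcher(None, name_key(a["name"]), name_key(b["name"])).ratio()
        if ratio >= min_ratio:
            hits.append((a["name"], b["name"], round(ratio, 2)))
    return hits


def vendor_payroll_address_matches(vendors, employees):
    """Test 4: vendors whose normalised address equals an employee's address."""
    by_address = defaultdict(list)
    for e in employees:
        by_address[address_key(e["address"])].append(e["name"])
    return [(v["name"], emp, address_key(v["address"]))
            for v in vendors
            for emp in by_address.get(address_key(v["address"]), [])]


if __name__ == "__main__":
    print("Duplicate payments:", duplicate_payments(CHECKS))
    print("Similar vendor names:", similar_vendor_names(VENDORS))
    print("Vendor/payroll address matches:",
          vendor_payroll_address_matches(VENDORS, EMPLOYEES))
```

Because payees are normalised before grouping, the second check made out to "ABC Co." is flagged as a duplicate of the "ABC Company" payment, which a plain sort on vendor name would place in separate rows. Every hit is a lead to investigate, not a finding; legitimate matches (such as travel checks processed through accounts payable) will appear.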

Your Ideas

Those are a few of my ideas. Please share yours.

Need additional ideas regarding how fraud might occur? Check out my post: 25 Ways Fraud Happens.

My fraud book provides more insights into why fraud occurs, how to detect it, and–most importantly–how to prevent it. Check it out on Amazon by clicking here. The book focuses on local government fraud, but most of the information is equally applicable to small businesses.

Jul 06

2018 Yellow Book CPE Requirements – A Summary

By Charles Hall | Auditing, Local Governments

What are the 2018 Yellow Book CPE requirements?

You’ve heard about the new Yellow Book (effective for audits of years ending June 30, 2020, and after). So, now you’re wondering if there are any changes in CPE requirements. This article explains the Yellow Book continuing education requirements. 

Below we will address (1) who is subject to the Yellow Book CPE requirements and (2) what CPE classes satisfy those requirements.


Overview

Paragraph 4.16 of the Yellow Book states “Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of CPE in every 2-year period.”

Nevertheless, Paragraph 4.26 states “nonsupervisory auditors who charge less than 40 hours of their time annually to engagements conducted in accordance with GAGAS may be exempted by the organization from all CPE requirements in paragraph 4.16.” Additionally, paragraph 4.27 allows an audit organization to exempt “college and university students employed on a temporary basis.”

Auditors not exempted by the provisions in paragraphs 4.26 or 4.27 must take at least 20 hours of CPE in each year of the two years. 

So, there is an 80-hour requirement. Additionally, there are two more requirements:

  1. 56-hour (every two years)
  2. 24-hour (every two years)

Below we’ll see:

  1. Who is subject to each requirement?
  2. What classes qualify for each requirement?

Before we get into the details, you may be wondering, “How do I know if I am subject to the Yellow Book CPE requirements?” To answer that question, consider whether a Yellow Book report is to be issued (or whether one was issued in a prior engagement). If yes, then consider the requirements below. In most audit reports, you’ll see the Yellow Book report just after the notes to the financial statements. And when must an entity comply with the Yellow Book requirements? Usually when a law or a grant requires it. 

Now, let’s start our review of Yellow Book CPE requirements.

The 24-Hour Requirement – Who is Subject?

Who is subject to the 24-hour requirement? If you work on a Yellow Book engagement as an auditor, you are subject to the 24-hour requirement. Even so, if you are a nonsupervisory auditor that works less than forty hours annually on Yellow Book engagements, your audit organization can exempt you from Yellow Book requirements. (See paragraph 4.26 of the Yellow Book.) Additionally, audit organizations can exempt college students hired temporarily. (See paragraph 4.27 of the Yellow Book.)

Next, let’s see who is subject to the 56-hour requirement.

The 56-Hour Requirement – Who is Subject?

Who is subject to the 56-hour requirement? Auditors who are involved in:

1. Planning,
2. Directing, or
3. Reporting 

These are usually partners, managers, and in-charges. 

Additionally, the 56-hour requirement applies to auditors who are not involved in planning, directing, or reporting but charge 20 percent or more of their annual time to GAGAS engagements. This category usually includes professional staff personnel. 

So, consider this example. You have a staff member that has:

  • 2,000 hours of total time each year
  • 140 hours in two GAGAS (Yellow Book) engagements for the year
  • He is not involved in planning, directing, or reporting

He is not subject to the 56-hour requirement (his GAGAS time is less than 20% of the total hours), though he is subject to the 24-hour requirement.

But suppose he is promoted during the year and becomes a manager on the second Yellow Book engagement. Even though his time is less than 20% of his annual time, he is now subject to the 56-hour requirement. Why? He is directing the engagement. 

Now, let’s see what classes qualify for Yellow Book CPE. 

What Classes Qualify for Yellow Book CPE?

Paragraph 4.21 of the Yellow Book states, “Determining what subjects are appropriate for individual auditors to satisfy the CPE requirements is a matter of professional judgment to be exercised by auditors in consultation with appropriate officials in their audit organization.” Moreover, there are differences in the 56-hour requirement and the 24-hour requirement. Otherwise, only one category would exist. The 56-hour requirement is broader and the 24-hour requirement is more specific. 


Okay, let’s define the differences in the 56-hour and 24-hour requirements. 

The 56-Hour Rule – Classes that Qualify

The 56-hour rule is broad, encompassing any CPE that enhances the auditor’s professional expertise to conduct engagements.  So, CPE classes about better writing, for example, would qualify. 

Paragraph 4.24 of the Yellow Book provides the following as examples of acceptable topics:

  • Subject matter categories for the 24-hour requirement listed in paragraph 4.23 (the 24-hour requirement–see below)
  • General ethics and independence
  • Communicating clearly in writing or verbally
  • Managing time
  • Leadership
  • Political science

Now, let’s compare the general 56-hour requirements with the more specific 24-hour requirements. 

The 24-Hour Rule – Classes that Qualify

Each auditor performing work under GAGAS should complete, every two years, at least twenty-four hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates.

Paragraph 4.23 of the Yellow Book provides the following as examples of acceptable topics:

  • GAO generally accepted government auditing standards (GAGAS)
  • AICPA Statements of Auditing Standards (SASs)
  • AICPA Statements on Standards for Attestation Services (SSAEs)
  • AICPA Statements on Accounting and Review Services (SSARS)
  • Standards issued by the Institute of Internal Auditors
  • Standards issued by the Public Company Accounting and Oversight Board
  • U.S. Generally Accepted Accounting Principles (FASB and GASB)
  • Standards for Internal Control in the Federal Government
  • COSO Internal Controls–Integrated Framework
  • Relevant audit guides (including information technology auditing and forensic auditing)
  • Fraud and abuse in a governmental environment
  • Compliance with laws and regulations
  • Topics related to the governmental environment such as financing, economics, appropriations, program performance
  • Governmental ethics and independence

Notice these topics are more directly related to auditees than those in the 56-hour requirement. But again, use judgment to determine whether a CPE class is in the 24-hour or the 56-hour bucket. 

Since the GAO, a governmental agency, issues the Yellow Book, we tend to associate Yellow Book engagements with audits of governments. But the Yellow Book can be in play for entities such as banks or electric membership corporations. 

Specific or Unique Environment in Which the Audited Entity Operates

Suppose you audit electric membership corporations (EMCs) subject to the Yellow Book. A CPE class about electric supply grids qualifies for the 24-hour requirement. Or if you audit banks subject to Yellow Book requirements (e.g., FHA loans), then a CPE class dealing with lending qualifies. These classes address issues unique to the environment in which the entity operates.

So, are there CPE classes that don’t qualify as GAGAS hours?

CPE that Does Not Qualify as Yellow Book Hours

Some CPE classes will not qualify as GAGAS hours. Paragraph 4.36 of the Yellow Book provides the following examples:

  • On-the-job training
  • Resume writing
  • Improving parent-child relations
  • Personal investments
  • Money management
  • Retirement planning

Additionally, paragraph 4.35 states that some taxation classes, such as estate planning, may not qualify. It is possible that a tax class would qualify if “topics relate to an objective of the subject matter of an engagement.”

Your head might be spinning from all of the above rules. So, you might be wondering, can my audit organization use a standard two-year cycle for all employees? You’d like to keep this as simple as possible. 

Two-Year Cycle

An audit organization can adopt a standard two-year period for all of its auditors to simplify the administration of CPE requirements.

But can you carry over excess CPE credit earned in the two-year period?

Carryover Credit

Auditors are not allowed to carry over hours in excess of the 24-hour or 56-hour rule to the next reporting period.

And what are the Yellow Book CPE requirements for a new employee?

Proration of Hours for New-Hires (or Those Newly Assigned to a Yellow Book Audit)

You will prorate the hourly requirements based on the remaining full 6-month intervals in your two-year reporting period. For example, you hire Joan on May 1, 2021, and the firm’s two-year cycle ends on December 31, 2021. There is one remaining full 6-month period. So, if Joan is subject to the 24-hour rule, she will multiply 25% (one six-month period divided by the four six-month periods in the two-year cycle) times 24 to compute the required hours: 6 hours.

And when is the 2018 Yellow Book effective?

Effective Date of Yellow Book Guidance

The 2018 Yellow Book is effective for audits of financial statements for periods ending on or after June 30, 2020. Early implementation is not permitted.

But, didn’t the GAO provide COVID-19 relief? Yes. 

COVID-19 GAO Guidance

The above information is provided without consideration of the COVID-19 guidance issued on February 29, 2020. See the GAO COVID-19 guidance.

Jun 15

Auditing Equity: The Why and How Guide

By Charles Hall | Auditing

Auditing equity is easy, until it’s not. 

Auditing equity is usually one of the easiest parts of an audit. For some equity accounts, you agree the year-end balances to the prior year ending balance, and you’re done. For instance, paid-in capital seldom changes. Often, the only changes in equity are from current year profits and owner distributions. And testing those additions to and reductions in equity takes only minutes.

Nevertheless, auditing equity can be challenging, especially for businesses that desire to attract investors. Such companies offer complicated equity instruments. Why? The desire to attract cash without giving away (too much) power. And this balancing act can lead to complex equity instruments.  

Regardless of whether a company’s equity is easy to audit or not, below I show you how to focus on important equity issues.

Auditing Equity — An Overview

In this post, we will cover the following:

  • Primary equity assertions
  • Equity walkthroughs
  • Equity-related fraud and errors
  • Directional risk for equity
  • Primary risks for equity
  • Common equity control deficiencies
  • Risk of material misstatement for equity
  • Substantive procedures for equity
  • Common equity work papers
Single Audit Major Program Determination
Jun 13

Single Audit Major Program Determination

By Charles Hall | Auditing

Single Audit major program determination can be challenging. And if this determination is wrong, your Single Audit will be wrong. 

So in this article, I explain how you can correctly determine your major programs in four steps. 

First, understand that Single Audits focus on major programs. This is how you know which programs to test. So if your auditee has multiple federal programs, it's important to determine which are major and which are not. 

Here is a summary of the four steps of Single Audit major program determination:

  1. Identify Type A programs
  2. Identify Type A low-risk programs
  3. Identify Type B high-risk programs
  4. Determine major programs

Before you do any of these, create a list of all federal programs, similar to the schedule of expenditures of federal awards (the SEFA). The list consists of each federal program and the amounts expended. 

Next, apply the four steps to this list. We'll start by identifying the type A programs.

1. Identify Type A Programs

The type A threshold is $750,000 when the total federal awards expended are $25 million or less. So if you have a federal program of $750,000 or greater, then it's a type A program. Type B programs are those of less than $750,000. 

When total federal awards exceed $25 million, see the table below.

| Total federal awards expended | Type A/B threshold |
|---|---|
| ≥ $750,000 and ≤ $25 million | $750,000 |
| > $25 million but ≤ $100 million | total federal awards expended times .03 |
| > $100 million but ≤ $1 billion | $3 million |
| > $1 billion but ≤ $10 billion | total federal awards expended times .003 |
| > $10 billion but ≤ $20 billion | $30 million |
| > $20 billion | total federal awards expended times .0015 |

Remove the Large-Loan Program Distortion

Large loan programs can potentially cause some type A programs to be excluded. In other words, large loan programs can cause some programs to be deemed type B though they should be type A. Therefore, the auditor subtracts any large loan balances from the total federal awards before determining what programs are type A.

And what are large loan balances? They are loan programs that exceed four times the largest non-loan program.

So see what the largest non-loan program is and multiply that amount times four. Then see if any loan programs exceed that amount. If they do, subtract the large loan program from the total federal awards before determining the A/B thresholds. See §200.518 (b)(3) for more information. 

Clusters are One Program

Additionally, if the entity has a cluster such as student financial aid, then treat that cluster as one program. Clusters have multiple CFDA numbers, one for each grant, but are treated as one program when performing a Single Audit. The Compliance Supplement states "a cluster of programs means a grouping of closely related programs that share common compliance requirements." So if you have a cluster, add all the grants together to see if the total cluster exceeds the type A threshold. (See part 5 of the Compliance Supplement for additional information about clusters.)

No Type A Programs

What if there are no type A programs? Then go to step 4 and pick enough programs to satisfy the coverage requirement. 
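
Step 1 as a worked calculation (an added example, not part of the original article): it applies the threshold table, removes the large-loan distortion, and totals clusters before classifying each program. The program names, amounts, and function names are constructed for illustration, and amounts are assumed to be whole dollars.

```python
from collections import defaultdict

def type_a_threshold(total):
    """Type A/B threshold for total federal awards expended (whole dollars)."""
    if total <= 25_000_000:
        return 750_000
    if total <= 100_000_000:
        return total * 3 // 100          # total times .03
    if total <= 1_000_000_000:
        return 3_000_000
    if total <= 10_000_000_000:
        return total * 3 // 1000         # total times .003
    if total <= 20_000_000_000:
        return 30_000_000
    return total * 15 // 10000           # total times .0015

def classify_programs(programs):
    """Return (threshold, {program_or_cluster: "A" or "B"})."""
    totals, is_loan = defaultdict(int), {}
    for p in programs:
        key = p["cluster"] or p["name"]  # a cluster counts as one program
        totals[key] += p["expended"]
        is_loan[key] = p["loan"]         # assumption: a cluster is not part loan, part grant
    non_loan = [amt for k, amt in totals.items() if not is_loan[k]]
    # Large loan program: a loan program over four times the largest non-loan program.
    large = {k for k, amt in totals.items()
             if non_loan and is_loan[k] and amt > 4 * max(non_loan)}
    base = sum(amt for k, amt in totals.items() if k not in large)
    threshold = type_a_threshold(base)
    # Section 200.518(b)(3) treats the large loan program itself as type A.
    types = {k: "A" if k in large or amt >= threshold else "B"
             for k, amt in totals.items()}
    return threshold, types

# Constructed sample list of federal programs (not real SEFA data).
SAMPLE = [
    {"name": "Loan program", "expended": 30_000_000, "loan": True, "cluster": None},
    {"name": "Program A", "expended": 5_000_000, "loan": False, "cluster": None},
    {"name": "Program B", "expended": 900_000, "loan": False, "cluster": None},
    {"name": "Grant C1", "expended": 500_000, "loan": False, "cluster": "Cluster C"},
    {"name": "Grant C2", "expended": 400_000, "loan": False, "cluster": "Cluster C"},
    {"name": "Program D", "expended": 200_000, "loan": False, "cluster": None},
]

if __name__ == "__main__":
    print(classify_programs(SAMPLE))
```

With the $30 million loan left in the total, the threshold would be $1,110,000 and the two $900,000 programs would fall to type B; with it removed, the threshold is $750,000 and both are type A.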

Next, we'll see how to identify low-risk type A programs. 

2. Identify Low-Risk Type A Programs

The Uniform Guidance provides the auditor with criteria in §200.518 (c) for determining whether a type A program is low risk. Type A programs that meet these criteria are low-risk. Programs that do not meet these criteria are not low-risk. 

The Uniform Guidance says,

For a Type A program to be considered low-risk, it must have been audited as a major program in at least one of the two most recent audit periods.

Consequently, a type A program will be major at least once every three years.

Additionally, the Uniform Guidance goes on to say:

in the most recent audit period, the program must have not had:
(i) Internal control deficiencies which were identified as material weaknesses in the auditor's report on internal control for major programs as required under §200.515 Audit reporting, paragraph (c);
(ii) A modified opinion on the program in the auditor's report on major programs as required under §200.515 Audit reporting, paragraph (c); or
(iii) Known or likely questioned costs that exceed five percent of the total Federal awards expended for the program.

Additionally, federal agencies can request that programs not be considered low-risk for certain recipients. If such a request is made, the program will not be low risk. 

But if the factors listed above don't lead to a high-risk classification, can the auditor use inherent risk factors such as size and complexity to move the assessment to high risk? No. The auditor must use the criteria listed above. 

And what if there are no low-risk programs?

No Low-Risk Type A Programs

If there are no low-risk type A programs then step 3, identifying high-risk type B programs, is not necessary. Go directly to step 4: Determine major programs. 

Now, let's take a look at step 3: Identifying high-risk type B programs.

3. Identifying High-Risk Type B Programs

The auditor identifies the high-risk type B programs by using judgment and criteria such as those listed below. But how many high-risk type B programs should the auditor identify? The auditor need not identify more than one-fourth the number of low-risk type A programs.

Additionally, the auditor is only required to perform risk assessments of type B programs that exceed 25% of the type A threshold (e.g., 25% of $750,000 is $187,500). If all of the type B programs are less than this amount, then none are assessed, and you skip step 3. But if you have type B programs greater than this 25% amount, perform risk assessments.

In determining whether a type B program is high-risk, the auditor should use factors such as:

  • The complexity of the program
  • The phase of the program in its life cycle (newer programs may be higher risk)
  • The degree of significant changes in the program or related statutes and regulations
  • The size of the program (programs with larger expenditures are higher risk)
  • Weaknesses in internal controls as related to compliance requirements (e.g., controls to ensure allowability of costs)
  • Prior audit findings
  • The structure of the internal control system (multiple structures tend to be higher risk)
  • Federal programs not recently audited as a major program
  • Oversight by a federal agency (if their review noted issues, then the program could be higher risk)

Other than known material weaknesses in internal controls pertaining to compliance requirements or known compliance problems, a single risk criterion will seldom cause the program to be high risk.

But what if there are no high-risk type B programs?

No High-Risk Type B Programs

If there are no high-risk type B programs, then none are major. This is true even if there are low-risk type A programs. You can't make a type B program high-risk just because a low-risk type A program exists (and you're trying to meet the one-fourth of type A low-risk requirement). So, assess the program in light of the criteria. And let it be what it is, whether high-risk or low-risk.

If, however, there are multiple high-risk type B programs, a potential problem arises: identifying too many high-risk programs.

Identify Only What is Required

Don't make the mistake of identifying more high-risk type B programs than what is necessary. If you do, then you must test them all (those you identified as high-risk). So, once you have identified the requisite number of high-risk type B programs, stop. 

If there are multiple potential type B high-risk programs and not all are identified as high-risk, then consider rotating the programs tested each year. 

Rotate Programs Tested

The Uniform Guidance (§200.518) encourages providing "an opportunity for different high-risk type B programs to be audited as major over a period of time." So if the auditor only needs one type B high-risk program, for example, and there are multiple potential high-risk type B programs, then it is desirable to identify a different one as major each year. That way, different type B high-risk programs will be audited over time.

We're almost done. Now, let's determine the major programs.

4. Determine Major Programs

At a minimum, the following will be your major programs:

  • All type A programs not identified as low risk
  • All type B programs identified as high-risk
  • Any additional programs needed to comply with the percentage of coverage rule

So what is the percentage of coverage rule? It's 20% for low-risk auditees and 40% for those that are not low-risk auditees. But what does this mean? Well, let's look at an example to clarify.

Suppose the entity is a low-risk auditee. And suppose the entity has a type A program that is not low risk (it's a major program). It makes up 17% of the total federal awards. All other programs are type B and none is considered major. What should be done? Pick a type B program and test it. But the program picked must bring the total tested to at least 20% of the total federal awards. Now you've complied with the coverage rule.

The low-risk auditee criteria follow below. Though there are similarities with the program risk assessment criteria shown above, there are differences as well. 

Low-Risk Auditee

An auditee must meet all of the following conditions for each of the preceding two audit periods to qualify as a low-risk auditee:

  • An annual Single Audit was performed and the reporting package was timely filed with the Federal Audit Clearinghouse
  • The auditor issued an unmodified opinion on the financial statements and on the schedule of expenditures of federal awards
  • There were no internal control material weaknesses in the Yellow Book report
  • The auditor's opinion did not report substantial doubt about the entity's ability to continue as a going concern
  • No federal programs had any of the following in the preceding two years:
    • Material weaknesses in internal control for a major program
    • A modified opinion on a major program
    • Known or likely questioned costs that exceeded five percent of the total federal awards expended for a type A program during the audit period

So if the entity meets all of these conditions, it is a low-risk auditee and you can use the 20% threshold. If not, use 40%.

Meeting the percentage of coverage rule does not by itself permit the auditor to skip remaining steps. Suppose that in step 2 one type A program is 50% of the total federal awards and is identified as a major program. Can the auditor skip step 3? Not necessarily. Coverage does not exempt the auditor from following the remaining steps. 

Four Steps of Major Program Determination

Now you know how to determine which programs are major. These are the programs you'll test for compliance. You'll also test related compliance internal controls.

Additionally, you now know how to determine whether an entity is a low-risk auditee.

You may want to save this article and keep it handy. Why? Well, the four-step determination is relevant in every Single Audit. 

If you're looking for information about whether an entity is required to have a Single Audit, see my article
