Can you take low inherent risk compliance items off of your audit plate?

I started an online conversation regarding the Single Audit a few weeks ago - and it still isn't completely resolved. Here is the email I sent to my referential gurus:


Hi Smart People -

Please take a minute to ponder this question and give me your opinion on it.


Last week, I was teaching Single Audit stuff at a CPA firm and argued that SAS 117 gave the auditor the ability to use the risk assessment formula (especially IR!) to get compliance items off their plate. If the item wasn't inherently risky, then there was no need to worry about controls over the item.


An audit manager agreed that would be great and that would reduce his efforts significantly.  But upon further research, he wasn't sure that the standards would let him get away with it.  As you guys know, the standards can be vague and contradictory and I am  constantly trying to reduce the scope of the audit.  


Here is my thinking; find relevant quotes from SAS 117 and OMB Circular A-133 below:

  • You have 14 compliance items per major grant

  • You can take a few off your plate right off the bat, because they aren't relevant to the program

  • Then you assess inherent risk of the remaining requirements


  • If they are inherently risky – moderately or highly risky – then you would determine whether the entity has controls in place to mitigate these risks and test these controls (because of that phrase above in OMB Circular A-133 that says "plan for a low assessed level of control risk")


  • But if the compliance item doesn't generate a very big 'who cares' or inherent risk – then you don't have to evaluate the controls. And what if you went one step further and didn't even evaluate compliance? (OK – that might be taking things too far!) But it would be nice to blow off the evaluation of controls.


SAS 117:

The auditor should design and perform further audit procedures in response to the assessed risks of material non-compliance.  These procedures should include performing tests of controls over compliance if:

  • The auditor's risk assessment includes an expectation of the operating effectiveness of controls over compliance related to the applicable compliance requirements;

  • Substantive procedures alone do not provide sufficient appropriate audit evidence; or

  • Such tests of controls over compliance are required by government audit requirements

If any of the conditions in this paragraph are met, the auditor should test the operating effectiveness of controls over each applicable compliance requirement to which the conditions apply in each compliance audit.



OMB Circular A-133

(c) Internal control.

(1) In addition to the requirements of GAGAS, the auditor shall perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk for major programs.

(2) Except as provided in paragraph (c)(3) of this section, the auditor shall:

(i) Plan the testing of internal control over major programs to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program; and

(ii) Perform testing of internal control as planned in paragraph (c)(2)(i) of this section.

(3) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(2) of this section are not required for those compliance requirements. However, the auditor shall report a reportable condition (including whether any such condition is a material weakness) in accordance with §___.510, assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control.

(d) Compliance.

(1) In addition to the requirements of GAGAS, the auditor shall determine whether the auditee has complied with laws, regulations, and the provisions of contracts or grant agreements that may have a direct and material effect on each of its major programs.

(2) The principal compliance requirements applicable to most Federal programs and the compliance requirements of the largest Federal programs are included in the compliance supplement.

(3) For the compliance requirements related to Federal programs contained in the compliance supplement, an audit of these compliance requirements will meet the requirements of this part. Where there have been changes to the compliance requirements and the changes are not reflected in the compliance supplement, the auditor shall determine the current compliance requirements and modify the audit procedures accordingly. For those Federal programs not covered in the compliance supplement, the auditor should use the types of compliance requirements contained in the compliance supplement as guidance for identifying the types of compliance requirements to test, and determine the requirements governing the Federal program by reviewing the provisions of contracts and grant agreements and the laws and regulations referred to in such contracts and grant agreements.

(4) The compliance testing shall include tests of transactions and such other auditing procedures necessary to provide the auditor sufficient evidence to support an opinion on compliance.


What do you think of that approach?


Thanks mucho!



And here are their responses:

response #1: 

Hi Leita,


Here are my thoughts:


A-133 indicates that the auditor shall perform procedures to obtain an understanding of controls sufficient to plan the audit to support a low assessed level of “control risk” (not a low combined inherent and control risk). In addition, it is my understanding that SAS 117 requires controls over “each applicable compliance requirement” to be understood and tested in planning to support a low assessed control risk (unless deemed ineffective to begin with) when such tests are required by government audit requirements (such as A-133 requires). If my understanding is accurate, it would seem that an “applicable compliance requirement” should not be eliminated from this control understanding and testing merely because it is considered to have a low inherent risk of noncompliance. While it seems logical that low inherent risk of noncompliance should drive the level of control understanding and testing for an applicable compliance requirement, the A-133 audit requirement is unique (and maybe illogical) and differs from a financial statement audit where a low inherent risk can have a direct impact whether controls are tested.


These are my initial thoughts, but I am always open to new ideas.



Response #2:

Your thoughts are good, but they are not quite correct.


First, while there are 14 requirements, they do not all apply to every program.

1. You only have to deal with the ones that do apply to a specific major program.

2. Some of those may not have a direct or material effect on the program and those you can eliminate from audit testing, but YOU MUST EXPLAIN WHY!

3. All the others must be tested:

a. Here is where inherent risk comes into play, the lower the inherent risk the lower the risk of material misstatement and therefore the less testing you have to do.


In summary, every requirement that applies to a major program must either be tested or explained away as not having a direct and material effect.


Response #3:

I don't have enough experience with OMB A-133 to be able to answer this with any kind of confidence. I think that is the key. Because if a compliance requirement is material according to OMB A-133 then I think that makes it material to the audit, regardless of whether it meets the "usual" materiality standards. That's because of the section (can't remember the cite) that requires you to include qualitative risks.

A-133, bolded below, says "assertions relevant to the compliance requirements" NOT assertions relevant to the MATERIAL compliance requirements.

I could certainly be wrong, but that's my gut feel at present. What you are saying certainly makes logical and even economic sense though.

(i) Plan the testing of internal control over major programs to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program


After I sent these to the very smart and thorough auditor at the CPA firm, he responded with the following:

I will be working on setting up our single audit templates soon based on CCH’s practice aids. I was reading up on the AICPA guide for single audits. Here are some interesting paragraphs from the guide that I think support your methodology and will allow us to remove any low risk areas……


6.25 SAS No. 117 defines applicable compliance requirements as compliance requirements that are subject to a compliance audit. SAS No. 117 also states that some governmental audit requirements provide a framework for the auditor to determine the applicable compliance requirements and cites the OMB Circular A-133 Compliance Supplement (Compliance Supplement) as such a framework in a Circular A-133 compliance audit. Therefore, in a Circular A-133 compliance audit, the applicable compliance requirements are those that may have a direct and material effect on each major program (direct and material compliance requirements). Further, the Compliance Supplement is the primary source for identifying compliance requirements for federal programs, and the auditor, using professional judgment, determines which of the 14 types of compliance requirements may have a direct and material effect on each major program. These direct and material compliance requirements are tested as part of the compliance audit. A program specific audit guide issued by a grantor agency may be another source for identifying applicable compliance requirements. For programs not included in the Compliance Supplement, Part 7 of that document instructs auditors to, among other things, review the federal award document and referenced laws and regulations applicable to the program and the Catalog of Federal Domestic Assistance. Chapter 10 of this guide further discusses the use of the Compliance Supplement to identify direct and material compliance requirements.

6.38 SAS No. 117 states that the auditor should assess the risks of material noncompliance whether due to fraud or error for each applicable compliance requirement (PER 6.25 ABOVE, THESE ARE ONLY THE DIRECT AND MATERIAL REQUIREMENTS) and should consider whether any of those risks are pervasive to the entity’s compliance.


10.15 In a Circular A-133 compliance audit, the auditor should perform the following, as discussed in paragraphs 10.16–.69:

a. Identify the auditee’s major programs to be tested and reported on for compliance

b. Identify the compliance requirements applicable to each major program

c. Determine which of the compliance requirements identified in step (b) could have a direct and material effect on each major program  (ASSESS RISK IR – Eliminate low IR areas)

d. Plan the engagement

e. Consider relevant portions of the entity’s internal control over compliance for each direct and material compliance requirement for each major program

f. Obtain sufficient appropriate audit evidence, which involves testing internal control over compliance and compliance with direct and material compliance requirements for each major program

g. Consider indications of abuse

h. Consider subsequent events

i. Form an opinion about whether the auditee complied with the direct and material compliance requirements

j. Perform follow-up procedures on previously identified findings


10.17 As discussed in this section, the auditor should determine, after identifying the compliance requirements applicable to each major program, the direct and material compliance requirements to be tested and reported on in a Circular A-133 compliance audit. As further described in paragraph 10.19, Part 2 of the Compliance Supplement provides a matrix that is useful to the auditor in identifying whether particular types of compliance requirements may apply to federal programs. The auditor then assesses, based on the nature of the program and the transactions for the period under audit, those types of compliance requirements that may have a direct and material effect on each major program. The auditor should use professional judgment in making this determination.


10.19………..In making a determination not to test a type of compliance requirement identified as applicable to a particular program, the auditor should conclude, and document such conclusion, either that the requirement does not apply to the particular auditee or that noncompliance with the requirements could not have a direct and material effect on a major program.


10.33 In planning the audit, the auditor should use knowledge gained in the inherent risk of noncompliance assessment process (as described in chapter 6 of this guide) to (a) identify types of potential noncompliance, (b) to consider other factors that affect the risks of material noncompliance, and (c) to design appropriate tests of compliance to reduce the risk of significant noncompliance to a sufficiently low level.


Thus, it appears that, although this is not the official “risk assessment,” a sifting of the compliance requirements that may have a direct and material effect should occur (your “high likely and magnitude”).  By doing this, we eliminate any of the 14 compliance areas that do not have a direct and material effect (which to me, would include those that would be low risk) from even being considered in the overall risk assessment (since they would not be considered “applicable”).  Any of these that are eliminated, we would need to document why (which could be accomplished in a similar manner as when we document a low inherent risk).


Thus, I think we are more/less accomplishing the same goal.  We should “sift out” our low risk compliance areas and end up only with those high risk areas to further assess and perform substantive/control tests.  So, maybe the intent is to only test controls on areas with high inherent risk and NOT test low risk areas (no controls or substantive testing).


What do you think?

Well, I think I want to get stuff off of my audit plate - because every chosen compliance item creates a whole little world of work. It is risky. The federal government would prefer that you cover every little item - but that is not a reasonable expectation.

Now the question is - what do you think? Let me know.



This blog

Governmental auditors unite! Leita Hart-Fanta, CPA, CGFM, and CGAP is the author of “The Yellow Book Interpreted” and owner of a website devoted to training for governmental auditors. Whether you are an internal auditor or monitor for a government entity or a CPA doing grant audits, you will enjoy Leita’s humorous take on the complexity of auditing in the government environment.
