can you take low inherent risk compliance items off of your audit plate?
I started an online conversation regarding the Single Audit a few weeks ago - and it still isn't completely resolved. Here is the email I sent to my referential gurus:
Hi Smart People -
Please take a minute to ponder this question and give me your opinion on it.
Last week, I was teaching Single Audit stuff at a CPA firm and argued that SAS 117 gave the auditor the ability to use the risk assessment formula (especially IR!) to get compliance items off their plate. If the item wasn't inherently risky, then there was no need to worry about controls over the item.
An audit manager agreed that would be great and that would reduce his efforts significantly. But upon further research, he wasn't sure that the standards would let him get away with it. As you guys know, the standards can be vague and contradictory and I am constantly trying to reduce the scope of the audit.
Here is my thinking and find relevant quotes from SAS 117 and OMB Circular A-133 below:
- You have 14 compliance items per major grant
- You can take a few off your plate right off the bat, because they aren't relevant to the program
- Then you assess inherent risk of the remaining requirements
- If they are inherently risky – moderately or highly risky – then you would determine whether the entity has controls in place to mitigate these risks and test these controls (because of that phrase above in OMB Circular A-133 that says "plan for a low assessed level of control risk")
- But if the compliance item doesn't generate a very big 'who cares' or inherent risk – then you don't have to evaluate the controls. And what if you went one step further and didn't even evaluate compliance? (OK – that might be taking things too far!) But it would be nice to blow off the evaluation of controls.
SAS 117
The auditor should design and perform further audit procedures in response to the assessed risks of material non-compliance. These procedures should include performing tests of controls over compliance if:
- The auditor's risk assessment includes an expectation of the operating effectiveness of controls over compliance related to the applicable compliance requirements;
- Substantive procedures alone do not provide sufficient appropriate audit evidence; or
- Such tests of controls over compliance are required by government audit requirements
If any of the conditions in this paragraph are met, the auditor should test the operating effectiveness of controls over each applicable compliance requirement to which the conditions apply in each compliance audit.
OMB Circular A-133
(c) Internal control.
(1) In addition to the requirements of GAGAS, the auditor shall perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk for major programs.
(2) Except as provided in paragraph (c)(3) of this section, the auditor shall:
(i) Plan the testing of internal control over major programs to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program; and
(ii) Perform testing of internal control as planned in paragraph (c)(2)(i) of this section.
(3) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(2) of this section are not required for those compliance requirements. However, the auditor shall report a reportable condition (including whether any such condition is a material weakness) in accordance with §___.510, assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control.
(d) Compliance.
(1) In addition to the requirements of GAGAS, the auditor shall determine whether the auditee has complied with laws, regulations, and the provisions of contracts or grant agreements that may have a direct and material effect on each of its major programs.
(2) The principal compliance requirements applicable to most Federal programs and the compliance requirements of the largest Federal programs are included in the compliance supplement.
(3) For the compliance requirements related to Federal programs contained in the compliance supplement, an audit of these compliance requirements will meet the requirements of this part. Where there have been changes to the compliance requirements and the changes are not reflected in the compliance supplement, the auditor shall determine the current compliance requirements and modify the audit procedures accordingly. For those Federal programs not covered in the compliance supplement, the auditor should use the types of compliance requirements contained in the compliance supplement as guidance for identifying the types of compliance requirements to test, and determine the requirements governing the Federal program by reviewing the provisions of contracts and grant agreements and the laws and regulations referred to in such contracts and grant agreements.
(4) The compliance testing shall include tests of transactions and such other auditing procedures necessary to provide the auditor sufficient evidence to support an opinion on compliance.
What do you think of that approach?
And here are their responses:
Here are my thoughts:
A-133 indicates that the auditor shall perform procedures to obtain an understanding of controls sufficient to plan the audit to support a low assessed level of “control risk” (not a low combined inherent and control risk). In addition, it is my understanding that SAS 117 requires controls over “each applicable compliance requirement” to be understood and tested in planning to support a low assessed control risk (unless deemed ineffective to begin with) when such tests are required by government audit requirements (such as A-133 requires). If my understanding is accurate, it would seem that an “applicable compliance requirement” should not be eliminated from this control understanding and testing merely because it is considered to have a low inherent risk of noncompliance. While it seems logical that low inherent risk of noncompliance should drive the level of control understanding and testing for an applicable compliance requirement, the A-133 audit requirement is unique (and maybe illogical) and differs from a financial statement audit where a low inherent risk can have a direct impact whether controls are tested.
These are my initial thoughts, but I am always open to new ideas.
Your thoughts are good, but they are not quite correct.
First, while there are 14 requirements, they do not all apply to every program.
1. You only have to deal with the ones that do apply to a specific major program.
2. Some of those may not have a direct or material effect on the program and those you can eliminate from audit testing, but YOU MUST EXPLAIN WHY!
3. All the others must be tested:
a. Here is where inherent risk comes into play, the lower the inherent risk the lower the risk of material misstatement and therefore the less testing you have to do.
In summary, every requirement that applies to a major program must either be tested or explained away as not having a direct and material effect.
I will be working on setting up our single audit templates soon based on CCH's practice aids. I was reading up on the AICPA guide for single audits. Here are some interesting paragraphs from the guide that I think support your methodology and will allow us to remove any low risk areas...
6.25 SAS No. 117 defines applicable compliance requirements as compliance requirements that are subject to a compliance audit. SAS No. 117 also states that some governmental audit requirements provide a framework for the auditor to determine the applicable compliance requirements and cites the OMB Circular A-133 Compliance Supplement (Compliance Supplement) as such a framework in a Circular A-133 compliance audit. Therefore, in a Circular A-133 compliance audit, the applicable compliance requirements are those that may have a direct and material effect on each major program (direct and material compliance requirements). Further, the Compliance Supplement is the primary source for identifying compliance requirements for federal programs, and the auditor, using professional judgment, determines which of the 14 types of compliance requirements may have a direct and material effect on each major program. These direct and material compliance requirements are tested as part of the compliance audit. A program specific audit guide issued by a grantor agency may be another source for identifying applicable compliance requirements. For programs not included in the Compliance Supplement, Part 7 of that document instructs auditors to, among other things, review the federal award document and referenced laws and regulations applicable to the program and the Catalog of Federal Domestic Assistance. Chapter 10 of this guide further discusses the use of the Compliance Supplement to identify direct and material compliance requirements.
6.38 SAS No. 117 states that the auditor should assess the risks of material noncompliance whether due to fraud or error for each applicable compliance requirement (PER 6.25 ABOVE, THESE ARE ONLY THE DIRECT AND MATERIAL REQUIREMENTS) and should consider whether any of those risks are pervasive to the entity's compliance.
10.15 In a Circular A-133 compliance audit, the auditor should perform the following, as discussed in paragraphs 10.16–.69:
a. Identify the auditee’s major programs to be tested and reported on for compliance
b. Identify the compliance requirements applicable to each major program
c. Determine which of the compliance requirements identified in step (b) could have a direct and material effect on each major program (ASSESS RISK IR – Eliminate low IR areas)
d. Plan the engagement
e. Consider relevant portions of the entity’s internal control over compliance for each direct and material compliance requirement for each major program
f. Obtain sufficient appropriate audit evidence, which involves testing internal control over compliance and compliance with direct and material compliance requirements for each major program
g. Consider indications of abuse
h. Consider subsequent events
i. Form an opinion about whether the auditee complied with the direct and material compliance requirements
j. Perform follow-up procedures on previously identified findings
10.17 As discussed in this section, the auditor should determine, after identifying the compliance requirements applicable to each major program, the direct and material compliance requirements to be tested and reported on in a Circular A-133 compliance audit. As further described in paragraph 10.19, Part 2 of the Compliance Supplement provides a matrix that is useful to the auditor in identifying whether particular types of compliance requirements may apply to federal programs. The auditor then assesses, based on the nature of the program and the transactions for the period under audit, those types of compliance requirements that may have a direct and material effect on each major program. The auditor should use professional judgment in making this determination.
10.19 [...] In making a determination not to test a type of compliance requirement identified as applicable to a particular program, the auditor should conclude, and document such conclusion, either that the requirement does not apply to the particular auditee or that noncompliance with the requirements could not have a direct and material effect on a major program.
10.33 In planning the audit, the auditor should use knowledge gained in the inherent risk of noncompliance assessment process (as described in chapter 6 of this guide) to (a) identify types of potential noncompliance, (b) to consider other factors that affect the risks of material noncompliance, and (c) to design appropriate tests of compliance to reduce the risk of significant noncompliance to a sufficiently low level.
Thus, it appears that, although this is not the official “risk assessment,” a sifting of the compliance requirements that may have a direct and material effect should occur (your “high likely and magnitude”). By doing this, we eliminate any of the 14 compliance areas that do not have a direct and material effect (which to me, would include those that would be low risk) from even being considered in the overall risk assessment (since they would not be considered “applicable”). Any of these that are eliminated, we would need to document why (which could be accomplished in a similar manner as when we document a low inherent risk).
Thus, I think we are more/less accomplishing the same goal. We should “sift out” our low risk compliance areas and end up only with those high risk areas to further assess and perform substantive/control tests. So, maybe the intent is to only test controls on areas with high inherent risk and NOT test low risk areas (no controls or substantive testing).
What do you think?