Association of College and University Auditors – Compliance Track | Research Compliance and Audit Issues – Part 3 | April 11, 2006. Auditing Research Under OMB Circular A-133. Amy Barrett, CPA, Assistant Director, System Audit Office
Association of College and University Auditors – Compliance Track | Research Compliance and Audit Issues – Part 3 | April 11, 2006
Auditing Research Under OMB Circular A-133 Amy Barrett, CPA Assistant Director, System Audit Office The University of Texas System Administration 512/499-4535 abarrett@utsystem.edu
Agenda • Introduction: What is an A-133 audit? • Approach: How is one performed? • Planning: What is involved in planning? • Assessing controls: How are controls assessed? • Assessing compliance: How is compliance assessed? • Reporting: What is reported and how? • Conclusion: What are the takeaways?
Introduction • History and purpose of the single audit • Requirements of A-133
Introduction, continued - Scope of Audit • In general • Financial statements • Schedule of Federal Awards • Internal control • Compliance • Reporting • Corrective action plan and follow-up
Introduction, continued - Agencies and Resources • Government Accountability Office (GAO) • Office of Management and Budget (OMB) • Inspectors General (IG) • President’s Council on Integrity and Efficiency (PCIE) • Cognizant agencies • Oversight agencies • Federal awarding agencies • Pass-through entities • Code of Federal Regulations (CFR)
Introduction, continued - Applicable Standards • A-21 Cost Principles for Educational Institutions • A-110 Administrative Requirements for Educational Institutions • Cost Accounting Standards • A-133 Audits of State, Local Governments, and Non-Profit Organizations • Compliance Supplement • AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits • Yellow Book
Approach - Planning the Engagement • Planning steps that should be documented • Yellow Book requirements
Approach, continued - Testing Controls and Compliance • Document and test entity-level controls using the COSO • Select programs for testing • Document and test controls and compliance requirements for specific programs selected
Approach, continued - Report Findings • Submit information to management and to clearinghouse: • Opinions • SEFA • Data collection form • Findings • Corrective action plan
Planning • Update knowledge about changes in the past year • Audit risk alert (www.aicpa.org/belt/practalert1.htm) • Changes in policies and procedures • Correspondence from federal agencies • Other auditor workpapers • Financial statements • Management letters • Schedule of Federal Awards (See Handout A) • Disclosure statement • Conduct understanding meeting
Planning, continued • Document scope of work • Determine engagement team • Determine engagement budget • Document compliance with YB requirements
Planning, continued – Compliance with YB • Training: • CPE requirements (80-hour requirement every two years; 24 directly related to audit environment) • Quality control requirements (peer reviews) • Working paper requirements: • Objective, scope, and methodology, including sampling criteria used • Reperformance standard • Evidence of supervisory review • Independence • Fieldwork (abuse)
Planning, continued • Consider risk of fraud • SAS 99 • Fraud risk planning meeting • Consider inherent risk • Document materiality • Document and obtain signoff of audit program • Select programs for testing (see next slide) • Send engagement letter • Hold entrance conference
Planning, continued – Selecting Major Programs • Definition • Risk-based approach • Type A vs. Type B • Low risk vs. high risk • Percentage of coverage rule • Documentation requirements
Controls • Our responsibility • Obtain understanding of internal control over federal programs sufficient to plan the audit to support a low assessed level of control risk • Plan testing of internal control to support a low assessed level of control risk • Perform tests of internal control, unless control likely to be ineffective
Controls, continued - Compliance Supplement, Part 6 (See Handout B) • A-110 requirements: “Maintain internal control designed to reasonably ensure compliance with laws, regulations, and program compliance requirements.” • A-133 requirements • SAS 78, Consideration of Internal Control in a Financial Statement Audit • COSO Framework
Controls, continued - Compliance Supplement, Part 6 • COSO Framework • Control environment • Risk assessment • Control activities • Information and communication • Monitoring
Controls, continued - Compliance Supplement, Part 6 • COSO Framework • Control environment • A sense of conducting operations ethically, as evidenced by a code of conduct or other verbal or written directive • Conflict of interest • Misconduct • Intellectual property • Management’s positive responsiveness to prior questioned costs and control recommendations • Management’s respect for, and adherence to, program compliance requirements
Controls, continued - Compliance Supplement, Part 6 • COSO Framework • Risk assessment • Program managers and staff understand and have identified key compliance objectives • Organizational structure identifies the risk • Monitoring plans are in place • Specific risks have been addressed • Human subject and animal testing • Lab safety
Controls, continued - Compliance Supplement, Part 6 • COSO Framework • Control activities • Operating policies and procedures are clearly written • Procedures are in place to implement changes in laws, regulations, guidance, and funding agreements affecting federal awards • Management prohibition against intervention or overriding established controls
Controls, continued - Compliance Supplement, Part 6 • COSO Framework • Control activities, continued • Adequate segregation of duties • Computer controls that include edit checks, exception reporting, access controls, reviews of input and output data, and security controls • Data management • Privacy • Adequate supervision of employees • Personnel with adequate knowledge and experience • Assets physically safeguarded
Controls, continued - Compliance Supplement, Part 6 • COSO Framework: Information and communication • Reconciliation and reviews ensure accuracy of reports • Internal and external communication channels are established (meetings, memos, surveys) • Employee duties and responsibilities effectively communicated • Channels of communication for people to report improprieties are in place and actions taken when communication occurs • Channels of communication established between the pass-through entities and subrecipients
Controls, continued - Compliance Supplement, Part 6 • COSO Framework • Monitoring • Ongoing monitoring through independent reconciliations, staff meeting feedback, rotating staff, etc. • Periodic site visits performed at decentralized locations, including subrecipients • Follow-up on fraud and deficiencies • Internal quality review • Management meets with program monitors, auditors, and reviewers • Internal audit tests
Compliance - Compliance Supplement Areas • Activities allowed or unallowed • Allowable costs/cost principles • Cash management • Davis-Bacon Act • Eligibility • Equipment and real property • Matching, level of effort, earmarking • Period of availability of federal funds
Compliance, continued • Procurement, suspension, and debarment • Program income • Real property acquisition and relocation assistance • Reporting • Subrecipient monitoring • Special tests and provisions
A. Activities Allowed or Unallowed • Types of activities either specifically allowed or prohibited by laws, regulations, and the provisions of contract or grant agreements pertaining to the program. • The objectives of individual research projects are explained in the applicable award documents. Testing of compliance with this requirement should ensure that funds were used only for activities for the furtherance of such objectives.
B. Allowable Costs and Cost Principles • Describes the government’s overall requirement that recipients must follow specified cost principles in order for costs to be allowable (A-21) • Particular focus should be paid to time and effort reporting (see next slide) • Indirect costs will be tested through recalculation • Need to determine which administrative costs are charged directly and which are charged through overhead. Should not have duplication. • Supplies and equipment also represent significant costs
B. Time and Effort Procedures • External auditors typically look for signed time and effort reports • Auditors should go further • Inquire of staff • Question 100% time • Test salary caps • Look at total awards for researcher • Test cost-sharing • Be aware of cost transfers
C. Cash Management • Requires recipients to minimize the time lapse between receipt and disbursement. • Need to determine how cash is received. If cost recovery, then test to ensure expenditure was made prior to receipt of cash.
D. Davis-Bacon Act • Requires that laborers working on federally financed construction projects be paid a wage not less than the prevailing regional wage established by the Secretary of Labor.
E. Eligibility • Laws, regulations, and provisions of contract or grant agreements pertaining to the program should specify criteria for determining the individual, groups of individuals, or subrecipients that can participate in the program and the amount for which they qualify. • Consider export control regulations
F. Equipment and Real Property Management • Requires that the organization maintain proper records for equipment and adequately safeguard and maintain equipment; and in disposing of any equipment or real property acquired under federal awards, adhere to federal requirements.
G. Matching, Level of Effort, Earmarking • Specifies amounts entities are required to contribute from their own resources toward projects for which financial assistance is provided. • While matching requirements are less common, institutional “cost sharing” is very common, and cost sharing and matching are considered to be the same concept under A-110.
I. Period of Availability of Funds • When a funding period is specified, a non-federal entity may charge to the award only costs resulting from obligations incurred during the funding period and any pre-award costs authorized by the awarding agency. • Test cost transfers.
J. Procurement, Suspension, and Debarment • Requires the entity to ensure that procurements are not made to parties that are suspended or debarred. • Testing purchasing procedures.
K. Program Income • Income directly generated by the federal project during the grant period.
L. Real Property Acquisition and Relocation Assistance • Requires that property acquired must be appraised; moving expenses and re-establishment expenses incurred by displaced businesses and farm operations must be recovered.
L. Reporting • Specifies the reports that entities must file in addition to those required by the common requirements. • Consider technical reporting issues.
M. Subrecipient Monitoring • Requires the identification of award information and the monitoring of subrecipient activities to provide reasonable assurance of compliance with federal requirements. • Merely asking for an A-133 report from subrecipients is a start, but probably not enough.
N. Special Tests and Provisions • Other provisions for which federal agencies determined noncompliance could materially affect the program. • We should obtain the awards to ascertain the special terms and conditions. Typical special tests surround: • Human participants • Animal welfare • Biosafety • Chemical safety • Radiation safety
Compliance, continued - Develop Audit Approach – Handout C • Meet with Principal Investigator • Determine how compliance is met in each of 14 areas in order to develop tests • Questionnaire should be developed using Compliance Supplement (Part 3): • F. Equipment and Real Property Management • Compliance requirements • Audit objectives • Internal control tests • Compliance test
Compliance, continued - Determine Sample Size • Risk assessment • Controls • Compliance
Compliance, continued - Remember Working Paper Requirements • In addition to GAAS, GAGAS requires: • Objective, scope, and methodology, including sampling criteria used • Reperformance standard • Evidence of supervisory review