1 / 54

Internal Control Over Compliance: Getting it Right Using the GAQC Practice Aids

Internal Control Over Compliance: Getting it Right Using the GAQC Practice Aids. A Governmental Audit Quality Center Web Event December 1, 2010. Administrative Notes. If you encounter any technical difficulties (e.g., audio issues) during this event please take the following steps:

overton
Download Presentation

Internal Control Over Compliance: Getting it Right Using the GAQC Practice Aids

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Internal Control Over Compliance: Getting it Right Using the GAQC Practice Aids A Governmental Audit Quality Center Web Event December 1, 2010

  2. Administrative Notes • If you encounter any technical difficulties (e.g., audio issues) during this event please take the following steps: • Press the F5 key on your computer to refresh • Close and re-start your browser • Check your speakers, ensure they are not on mute • Turn off your pop-up blocker • Re-start you computer • Call InterCall Genesys Tech support 866.871.4318, Conf ID# 1497539 • If none of the above work, submit a request for help on the “Send a Question Box” located on the left hand side of your screen. • If are unable to get assistance from Genesys for some reason, e-mail gaqc@aicpa.org or call 202-434-9207 2

  3. Administrative Notes • We encourage you to submit your technical questions – please limit your questions to the content of today’s program • To submit a question, type it into the “Send a Question” box on left side of your screen; we will answer as many as possible • You can also submit questions to the GAQC member forum for consideration by other members • This event is being recorded and will be posted in an archive format to the GAQC Web site 3

  4. Continuing Professional Education • Must have registered for CPE credit prior to this event; a link to the CPE Credit Approval Form was e-mailed to you • Listen for announcement of 4 CPE codes (7 digit codes: ALL_ _ _ _ ) and 4 polling questions during the event • Record CPE Codes on CPE Credit Approval Form and return completed form (by fax or mail) to AICPA Service Center for record of attendance; keep a copy for your records • If you are not receiving CPE for this call, ignore the CPE codes that we announce, but please answer the polling questions 4

  5. PresentersJoel BlackMauldin & Jenkins CPAsJohn GoodErnst & Young LLP 5

  6. Background • Federal study on single audit quality showed numerous deficiencies in the auditor’s testing of compliance and understanding and testing of internal control over compliance • GAQC task force reviewed the study results for the purpose of determining needed actions to improve the quality of work relating to compliance and internal control over compliance • Actions taken: • Clarifications made in the 2008 AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits • Issuance of Practice Aids to assist auditors in ensuring that their audit documentation relating to compliance and internal control over compliance is responsive to underlying audit requirements 6

  7. GAQC Practice Aids for Documenting Internal Control Over Compliance and Compliance Testwork • Available Now! • GAQC members – free access to word and excel versions on GAQC Web site • GAQC members and non-members – small fee ($39.99) for purchase of electronic PDF product where responses can be input into form (order through CPA2BIZ at http://www.cpa2biz.com) Product # 006662PDF 7

  8. Purpose of Today • To help you understand what the Practice Aids are and how they are to be used • Even if you don’t wish to incorporate the Practice Aids directly, you should review them to determine if there are any weaknesses in your current audit documentation strategy that could be improved upon • But first….let’s be sure we are all are on the same page regarding the actual audit requirements 8

  9. What We Will Cover • Determining Direct & Material Compliance Requirements & Using the Matrix Practice Aid • Specific Requirements of the Circular Related to Internal Control • Using Part 6 of the OMB Compliance Supplement • Using the Controls Overview Documents • Common Deficiencies and Avoiding Them • Planning & Performing Dual Purpose Tests 9

  10. Determining Direct & Material Compliance Requirements 10

  11. Determining Direct & Material Compliance Requirements • Do auditors look at all applicable compliance requirements? • No • Direct and material compliance requirements • Should an auditee comply with all applicable compliance requirements? • Yes • Do not try to predict an auditor’s scope 11

  12. Determining Direct & Material Compliance Requirements • Obtain an understanding of Major Programs • Compliance Supplement – Parts 2, 3, 4, 5 and 7 • Review contracts and grant documents • Determine key elements • Amount • Timing • Applicable compliance requirements • Indirect cost considerations • Regulations • Expenditure Patterns • Wages, benefits, equipment, etc. 12

  13. Determining Direct & Material Compliance Requirements • What compliance requirements are applicable? • Part 2 – Matrix of Compliance Requirements • Part 7 – Guidance for Auditing Programs Not Included • Very subjective, meaning • Personal views / auditor judgment • Experience • Accepted risk • Industry expectation • Qualitative and quantitative factors 13

  14. Determining D & M Compliance Requirements: Part 2 – Matrix of Compliance Requirements 14

  15. Determining Direct & Material Compliance Requirements Qualitative Factors • Needs and expectations of federal or pass-through agencies • Noncompliance could cause federal agency to take action • Seeking reimbursement of program costs • Suspending participation in the program • Public or political sensitivity • Federal, state, local oversight • Internal or other external audits • Previous findings 15

  16. Determining Direct & Material Compliance Requirements Quantitative Factors • Noncompliance could likely result in questioned costs • Requirement affects large part of the program • Material amount of program dollars • For example: 5% of expenditures, +/- 1 day, etc. • Auditor’s tolerance, not an auditee concept 16

  17. Major Program Risk Matrix Applicable per Compliance Supplement (Yes or No) Direct & Material to Program (Yes or No) 17

  18. Major Program Risk Matrix • How to document which of the 14 types of compliance requirements ultimately will be subject to audit for each major program. • Lists 14 compliance requirements and denotes applicability of each or reason for consideration as not direct and material • For direct and material requirements - documents risk assessments (IR x CR = RoMN) • RoMN = Risk of Material Noncompliance 18

  19. Specific Requirements of the Circular Related to Internal Control 19

  20. Specific Requirements of the Circular Related to Internal Control • § 500 (c) (2) • Auditors should perform procedures to obtain an understanding of I/C over Federal programs sufficient to plan the audit to support a low assessed level of control risk for major programs. • Plan testing of IC over the relevant compliance requirements for each MP • Perform testing of internal control as planned

  21. Specific Requirements of the Circular Related to Internal Control • Each major program • Each direct & material compliance requirement • Each of the 5 elements of COSO • Control Environment • Risk assessment • Information and Communication • Control Activities • Monitoring • A-133 says to plan testing of internal control to support low level of control risk

  22. Specific Requirements of the Circular Related to Internal Control • Test of design and implementation • Walkthrough our understanding • Conclusion: Control has been properly designed and implemented • Test of effectiveness • Test key control attributes • Conclusion: Control is effective • Control must be effective or you should have a finding

  23. Specific Requirements: Design & Implementation AU 314 (SAS 109):Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement • Involves evaluating design and determining if control has been placed in service • Design: Is the control capable of functioning effectively • Preventing non-compliance • Detecting non-compliance • Correcting non-compliance • Placed in Service: Has the auditor reviewed documentation that the control is in place? • Document Understanding of the Control • Who, what and when

  24. Specific Requirements: Design & Implementation AU 314 (SAS 109):Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement • Procedures include • Inquiry of personnel • Observations of application • Inspecting document reports • Reperformance of controls • Inquiry alone is not sufficient

  25. Specific Requirements: Operating Effectiveness • Tests of operating effectiveness different than determining that control has been implemented (AU 318.26) • Evidence of who, when, what • Procedures include: • Inquiries • Inspection of documents indicating performance • Observation of application of specific controls • Reperformance of controls by auditor • Generally involves combination of procedures • Inquiry alone is not sufficient

  26. Control vs. Compliance Tests • CONTROL TEST: • What did they do to make sure the grant’s objective was attained? • COMPLIANCE TEST: • Was the grant’s objective attained?

  27. Specific Requirements: Operating Effectiveness • Test controls • Throughout the period under audit • Every period under audit • Internal controls that cross major programs • Are they really the same? • Representative sample

  28. Specific Requirements: Operating Effectiveness • Evaluating results of tests of controls • Deviations may occur • Understand deviation and consequences • Determine if the expansion of the sample would provide evidence of containment of the error • Assess the deviation and determine proper reporting • Control deficiency • Material weakness • Significant deficiency • Assess impact on tests of compliance

  29. Using Part 6 of the OMB Compliance Supplement 29

  30. Using Part 6 of the OMB Compliance Supplement • Internal control considerations for each compliance requirement for each major program • Guidance not a checklist • Facilitates discussions with management

  31. Using Part 6 of the OMB Compliance Supplement • Describes characteristics of IC relating to each of the five components of internal control that should reasonably assure compliance with the requirements of Federal laws, regulations, and program compliance requirements. • Describes the components of IC and examples of characteristics common to the 14 types of compliance requirements. • Provides objectives of IC and examples of characteristics specific to each of 13 of the 14 types of compliance requirements follow this introduction (Special Tests and Provisions excluded).

  32. Using Part 6 of the OMB Compliance Supplement – Excerpt CASH MANAGEMENT • Control Objectives: To provide reasonable assurance that the (1) drawdown of Federal cash is only for immediate needs, (2) reimbursement is requested only after costs have been incurred, (3) States comply with applicable Treasury agreements, and (4) recipients limit payments to subrecipients to immediate cash needs. 32

  33. Using Part 6 of the OMB Compliance Supplement – Excerpt from Cash Management • Control Environment • Appropriate assignment of responsibility for approval of cash drawdowns, requests for reimbursement, and payments to subrecipients. • Budgets for drawdowns are consistent with realistic cash needs. • Reimbursement is requested only have costs have been incurred. • Risk Assessment • Mechanisms exist to anticipate, identify, and react to routine events that affect cash needs. • Routine assessment of adequacy of subrecipient cash needs. • Management has identified programs that receive cash advances and/or reimbursements and is aware of cash management requirements. 33

  34. Using the Controls Overview Documents 34

  35. Using the Controls Overview Documents • Illustrates how an auditor might document the audit work associated with internal control over compliance for the types of compliance requirements selected for testing for each major program • Two versions • Narrative • Robust Checklist

  36. Narrative 36

  37. Template – Documenting Internal Control • Narrative • Section to document controls under each element of COSO • Space for documenting procedures to determine if control(s) are placed in operation for each element of COSO • Summary section to select key control(s) that will be tested for operating effectiveness • Standard conclusion space which references finding if less than low control risk

  38. Robust Checklist 38

  39. Template – Documenting Internal Control • Robust Checklist • Part 6 of the Compliance Supplement used for items down left side of the sheet – each element of COSO separated • Columns allow documentation of who, what, when the control is performed and how determined it was placed in operation • Column to denote if it is a key control and how tested for operating effectiveness • Standard conclusion space which references finding if less than low control risk

  40. Common Deficiencies & Avoiding Them 40

  41. Common Deficiencies • Compliance testing not documented as performed or not applicable. • This condition ranges from one of the 14 compliance requirements not being documented as covered to all compliance requirements not documented as covered. • Need to document rationale for “applicable” requirements being N/A.

  42. Common Deficiencies • Not documenting understanding of internal control over compliance in a manner that addresses the five elements of COSO. • Not documenting testing of internal controls over compliance. • OMB Circular A-133 §.500(c)(2) provides that, generally, the auditor shall plan the testing of internal control over major programs to support a low level of assessed control risk for the assertions relevant to the compliance requirements for each major program, and perform that testing as planned.

  43. Common Deficiencies • Indication that current compliance requirements or compliance supplements were not considered. • Using old Compliance Supplements / old compliance steps. • Compliance Supplement is updated and published every year – typically in the Spring. • Download the 2010 Compliance Supplement • http://www.whitehouse.gov/omb/grants_circulars/

  44. Avoiding Deficiencies • Preliminary assessment of control risk may be facilitated through a checklist or narrative • Evaluate ineffective control • SAS 115 criteria • Evaluation guidance • Internal controls must be continually reevaluated throughout the audit process

  45. Avoiding Deficiencies • Testing compliance gives indirect evidence on controls, but cannot serve as the basis for assessing controls as operating effectively • Controls: What did entity do to ensure compliance? • Compliance: Did entity comply? • Ensure dual purpose testing is properly documented • Properly identify compliance tests & controls tests • Utilize a template to write findings so that all elements are properly captured

  46. Avoiding Deficiencies • Understand the difference between process and control Process • Procedures that originate, transfer or change data • Can introduce errors • Example: Employees complete their timesheets Controls • Procedures designed to prevent, detect and correct errors resulting from processing of accounting information • Cannot generate errors • Example: Project manager approves timesheets

  47. Planning & Performing Dual Purpose Tests 47

  48. Planning & Performing Dual Purpose Tests • Common practice to utilize a single sample to achieve multiple audit objectives • Internal control over compliance testing • Compliance testing • Financial statement balance testing • Exercise caution: • Different characteristics are for different objectives • If there are errors in internal control, compliance sample may not be adequate 48

  49. Planning & Performing Dual Purpose Tests • Sample size designed for a dual purpose test should be the larger of the samples designed for the separate tests • Evaluate findings separately for compliance and controls • Separate documentation for I/C and Compliance tests • Objectives • Population considerations • Deviations/Exceptions • Conclusions 49

  50. Testing Compliance – Practice Aids & Tips Tickmark/Procedure Description for an Allowability Test Better √ = Cost met criteria for being allocable, allowable, reasonable, and net of applicable credits. Cost charge was in accordance with A-122 Insufficient √ = Allowable 50

More Related