Misconceptions in Single Audits

Click here to view original web page at www.cpajournal.com

Enacted in 1984, and subsequently amended, the Single Audit Act was established to provide assurance to the federal government that recipients of federal funds have internal controls in place and are in compliance with the federal requirements related to the programs for which the funds were granted. A single audit is an audit that nonfederal entities must undergo when they receive and expend more than $750,000 of federal financial assistance in their fiscal year, which represents the current threshold. Nonfederal entities include state governments and local governments, institutions of higher education, and not-for-profit organizations. At the act’s inception, this requirement was only applicable to states and local governments, but it was eventually expanded to include all nonfederal organizations as well.

Congress passed the Single Audit Act to provide a cost-effective audit for recipients of federal grants in that only one audit is conducted annually by an independent accounting firm or by a state’s internal audit department. Prior to the act, nonfederal entities were subject to audits performed by every federal agency that provided them with federal financial assistance—which was a time-consuming and costly process.

Each year, the federal government provides trillions of dollars in federal financial assistance to nonfederal entities. Single audits are now performed under the requirements of the Office of Management and Budget (OMB) to ensure that these funds are expended in compliance with the federal programs. Originally, the OMB issued these requirements in OMB Circulars and eventually in 2013 codified them into the Code of Federal Regulations (CFR) in Title 2 CFR 200, “Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards” (i.e., Uniform Guidance, https://www.ecfr.gov/current/title-2/subtitle-A/chapter-II/part-200).

The administrative requirements and cost principles that nonfederal entities are required to adhere to are included in Title 2 CFR 200.300 (subpart D) and .400 series (subpart E), respectively. The audit requirements that auditors must follow are included in Title 2 CFR 200.500 series (subpart F). To assist auditors in performing single audits, the OMB annually issues the Compliance Supplement. The supplement is a document that identifies existing compliance requirements that the federal government expects to be considered as part of an audit required by the act. The supplement provides information for auditors to understand the federal program’s objectives, procedures, and requirements subject to the audit.

These regulations and requirements are extensive, and there are many nuances that can easily be misunderstood by some nonfederal entities and auditors alike. The following are common examples of actual misconceptions that the authors have encountered while performing audit procedures and during quality reviews of single audit engagements.

General Single Audit Misconceptions

Misconception: The Compliance Supplement is exclusively for auditors to use in performing their audits.

Reality: The supplement can and should be used by auditees to determine what the auditors will be testing for their federal programs. Auditees can determine which of the 12 compliance requirements are subject to audit by searching their federal programs in “Part 2—Matrix of the Supplement” and then reviewing the audit procedures listed in both “Part 3—Compliance Requirements” and “Part 4—Agency Program Requirements.” The 2023 Compliance Supplement can be accessed online (2 CFR Part 200 Appendix XI, https://tinyurl.com/4jrb56hy).

Misconception: All federal noncash assistance is recorded on the Schedule of Expenditures of Federal Awards (SEFA) as an expenditure when used in the federal program.

Reality: This is incorrect, as only federal donated food items are considered as an expenditure when used or passed through to a subrecipient. All other noncash assistance (e.g., supplies) is considered expended and recorded on the SEFA when received.

Misconception: All compliance findings will result in the audit opinion being qualified for that particular major program.

Reality: This is untrue. There is no requirement to qualify the audit opinion on a major program due to compliance findings. If an auditor determines that the noncompliance is material to the major program as a whole, the auditor will express a qualified or adverse opinion on compliance with respect to that particular major program.

Misconception: The single audit reporting package is required to be submitted to the Federal Audit Clearinghouse within nine months after the organization’s fiscal year end.

Reality: The single audit submission is due by the earlier of 30 calendar days after the receipt of the auditor’s reports, or nine months from the auditee’s fiscal year-end.

Misconceptions Involving Certain Compliance Requirements

The compliance requirements for all single audits have been categorized into 12 general requirements. These 12 have not changed since the inception of the Single Audit Act; however, there have been many changes in the audit objectives and audit requirements in each category. These numerous changes over the years have contributed to some common misconceptions.

Misconception: The “activities allowed or unallowed” compliance requirement should only be tested by selecting costs charged to the program.

Reality: The most common procedure to test whether activities are allowed or unallowed is to sample the costs charged to the program. But auditors also need to determine and document how the nonfederal entity is using the funds, in order to determine whether the recipient is in compliance with what the federal program was designed for. In addition, auditors need to determine if the nonfederal entity is using these funds for any unallowed purposes. Testing the costs charged to the program basically satisfies the allowable costs compliance requirement.

Misconception: If the funding for a federal program is on a reimbursement basis, the costs must be paid in advance of requesting reimbursement.

Reality: This is no longer true. The cash management compliance requirement in the 2023 Compliance Supplement now states that entities can request reimbursement when the expenditures have been incurred and before being paid.

Misconception: With respect to the “Special Tests and Provisions” compliance requirement, auditors must determine which special tests need to be performed for programs not included in the Compliance Supplement.

Reality: This is not true. Auditors are not required to design a special test if the program requirement is not shown in the Supplement.

Misconceptions Involving Major Program Determinations

Auditors are required to use a risk-based approach to determine which federal programs are required to be audited at each nonfederal entity annually. These requirements are somewhat complicated because there are different requirements for Type A and Type B programs. Type A programs are those with a minimum of $750,000 of expenditures in the entity’s fiscal year when the nonfederal entity’s total federal expenditures are $25 million or less. Type B programs are those that are not Type A.

Type A programs, at a minimum, need to be audited at least once every three years; there is no such requirement for Type B programs. In addition, an auditor is only required to perform risk assessments on Type B programs if there is at least one low-risk Type A program. These specific complicated regulations have led to several misconceptions.

Misconception: Type B programs that were not previously audited must be considered high risk and audited.

Reality: This is false. In fact, only Type A programs that were not previously audited must be considered high risk and must be audited. Type B programs only need to be risk assessed if there is at least one low-risk Type A program. If the auditor assesses any of the Type B programs as high risk, then those Type B programs are required to be audited. Type B programs should be assessed sequentially, meaning that once the number of high-risk Type B programs that are required to be audited has been reached, the remaining Type B programs should not be risk assessed, so that the auditor does not need to treat as major any programs that it otherwise would not have been required to audit.

Misconception: When an auditor determines that an entity has low-risk Type A programs, the auditor is required to audit at least one-fourth of the Type B programs.

Reality: This is untrue. The auditor is required to perform risk assessments on the Type B programs except for the B programs that are under one-fourth of the A/B threshold. Only Type B programs that are deemed to be high risk by the auditor are required to be audited. A program that was not previously audited does not automatically make a Type B program high risk. Auditors should sequentially assess the risk of Type B programs and stop evaluating when they have identified at least one-fourth of the number of low-risk Type A programs, even if more of those are over one-fourth of the A/B threshold [see 2 CFR 200.518(d)(1)].

Misconception: Regarding the percentage of coverage rule: Once the coverage is met, no other programs need to be audited.

Reality: This is false. The percentage of coverage rule is to ensure that a minimum number of federal expenditures are audited. All type A programs deemed not to be low risk and all type B programs that were evaluated and deemed to be high risk must be audited, even though the auditor may already meet the percentage of coverage requirements without auditing all these programs determined to be major.

Misconception: All COVID programs are considered to be “higher” risk.

Reality: This is not the case. Only COVID programs deemed to be “higher” risk by the OMB as identified in the applicable year’s OMB Compliance Supplement need to be considered higher risk.

Misconception: All programs deemed to be “higher” risk by the OMB must be audited in the current year.

Reality: A higher risk program does not need to be audited in the current year if it meets both of the following criteria:

Misconceptions Involving Low-Risk Auditees

A nonfederal entity must meet very specific regulations to be considered a low-risk auditee. For the two preceding audit periods, single audits must have been performed annually (including submitting the data collection form and the reporting package timely); the opinion on whether the financial statements were prepared in accordance with generally accepted accounting principles (or basis of accounting required by state law) must have been unmodified; and

In addition, no federal program had audit findings from any of the following in either of the preceding two years in which they were classified as type A programs:

Misconception: A nonfederal entity cannot be considered a low-risk auditee when significant deficiencies were reported in the prior two years.

Reality: A previous significant deficiency finding does not have an automatic impact on the determination of whether an entity can be considered a low-risk entity. Only a material weakness reported for a type A program in the prior two years will result in the nonfederal entity not being considered a low-risk entity. A significant deficiency is a deficiency (or a combination of deficiencies) in internal control over compliance that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness in internal control over compliance is a deficiency (or a combination of deficiencies) in internal control over compliance such that there is a reasonable possibility that material noncompliance with a compliance requirement of a federal program will not be prevented, or detected and corrected, on a timely basis.

A nonfederal entity can still be determined to be a low-risk auditee even if a type B program had a material weakness or modified opinion on a particular program in the past year.

Misconception: All compliance findings will result in the auditee not being a low-risk auditee in the next year.

Reality: This is not true. Only findings of any of the following, in either of the preceding two audit periods in which they were classified as type A programs, will result in an entity not being considered a low-risk auditee:

Misconception: A nonfederal entity can use the modified cash basis of accounting and still be considered a low-risk auditee.

Reality: Only entities that follow the applicable Generally Accepted Accounting Principles (U.S. GAAP as issued by FASB or GASB, as applicable) can be considered a low-risk auditee unless using a different basis of accounting is required by state law and the audit opinion as to whether the financial statements are in accordance with that statutory basis of accounting is unmodified.

Misconceptions Involving Internal Controls over Compliance

The Uniform Guidance establishes requirements for additional audit procedures and reporting with respect to the auditor’s consideration of internal control over compliance for major programs. Auditors are required to perform procedures to obtain an understanding of internal control over federal programs sufficient to plan the audit and support a low assessed level of control risk of noncompliance for major programs.

Misconception: An auditor can assess control risk at high and perform substantive compliance tests and not report a deficiency.

Reality: Auditors should plan tests of controls over compliance to achieve a low control risk and perform tests of controls over compliance. If an auditor concludes that controls are either nonexistent or ineffective, then control risk should be set at high and either a significant deficiency or material weakness needs to be reported. The auditor is essentially stating that there are no controls properly designed and implemented that can be tested over compliance.

Misconception: Planning and performing tests of controls is required even when they are likely to be ineffective in preventing or detecting noncompliance.

Reality: This is not correct. If the auditor determines that the internal controls are likely to be ineffective in preventing or detecting noncompliance, then the auditor is not required to test controls, but a significant deficiency or material weakness must be reported.

Misconception: Testing of internal controls over compliance is not required if they were tested in the prior year and there were no deficiencies noted.

Reality: Testing internal controls over compliance is required every year for every compliance requirement that the auditor deems to be direct and material for each major program being tested.

Misconceptions Involving Pass-Through Entities and Subrecipients

A pass-through entity is an entity that receives federal financial assistance and takes all or part of that assistance and remits it to another nonfederal entity (a subrecipient) to run the program on its behalf. In such a scenario, the pass-through entity assumes the role of the federal agency to ensure that the federal funds are spent according to the regulations of that particular federal program.

Misconception: Amounts provided to subrecipients are considered expended when the subrecipient spends it.

Reality: When a nonfederal entity remits funds to a subrecipient, it is considered expended at that time. The nonfederal entity must include this amount on the SEFA when the cash is disbursed to a subrecipient, not when the subrecipient expends it.

Misconception: All federal funds paid to another organization are considered payments to subrecipients.

Reality: Not all amounts paid to another organization are subrecipient payments. A nonfederal entity can remit federal funds to a contractor for goods and services used in the federal program. Only payments made to other organizations that are running the federal program on behalf of the pass-through entity are considered subrecipient payments.

Misconception: The only monitoring requirement of pass-through entities is to obtain the subrecipients’ audit report.

Reality: Obtaining the subrecipient’s audit report to determine if there were any findings is only a part of the pass-through entity’s responsibilities. Pass-through entities must also evaluate the risk for each subrecipient, perform monitoring throughout the year, and make a management decision on the findings of the subrecipient.

Misconception: The auditor is not expected to determine whether the subrecipient and contractor determinations are correct.

Reality: When the subrecipient monitoring compliance requirement is applicable to the federal program being tested and it is deemed direct and material, auditors are expected to determine whether the nonfederal entity correctly determined the subrecipient and contractor findings.

Misconceptions Involving Government Auditing Standards (GAS and/or Yellow Book) CPEs

Government Auditing Standards are a set of auditing standards established by the U.S. Government Accountability Office (GAO) that are distinct from the AICPA’s auditing standards but incorporate them by reference.

Misconception: Auditors must have Government Auditing Standards (GAS or Yellow Book) CPE before starting an engagement that is performed under GAS.

Reality: There are no GAS CPE requirements that must be met before an auditor starts an engagement under GAS. Auditors need to be competent in their roles before performing work on a GAS engagement and must meet the CPE requirements at the end of the organization’s two-year period as defined by the Yellow Book.

Misconception: The GAS 24-hour CPE requirement can only be met by taking government accounting, single audit, or Government Auditing Standards courses.

Reality: This is not true. GAS encompasses the AICPA’s auditing standards; therefore, courses that cover a new auditing standard, such as the AICPA’s new risk assessment standards, count toward the 24-hour requirement. Courses where the subject matter includes accounting standards also qualify under the 24-hour requirement. [For complete GAS CPE requirements, see chapter 4 of the 2018 Yellow Book (GAO-21-368G, Government Auditing Standards: 2018 Revision Technical Update April 2021, https://tinyurl.com/349sx4re).]

Misconception: Only a self-interest threat and performing non-audit services can impair an auditor’s independence.

Reality: Independence can be impaired by any of these threats:

Understanding these misconceptions can help organizations better prepare for and navigate the single audit process. For auditors, misconceptions can lead to improper testing and major program determination, potentially resulting in inaccuracies in the single audit. Clearing up misconceptions early in the audit process provides accurate risk assessment on federal programs, thereby streamlining the audit process.

John D’Amico, CPA, is a managing director in the professional standards group, CBIZ Marks Paneth, and shareholder of Mayer Hoffman McCann.

Xixi Dong, CPA, is a director within the not-for-profit & government practice at CBIZ Marks Paneth.