SAS 117: The New Auditing Standard on Compliance May 11, 2010 Eric Formberg, Plante & Moran, PLLC Randy Roberts, AZ Auditor General Office 1

What This Session Will Cover What the new Compliance Audit SAS will require How a compliance audit differs from the financial statement portion of an audit Insight on how to implement the compliance audit requirements Questions 2

What the New Standard Will Do Supersedes AU section 801, Compliance Auditing Considerations... (SAS 74) Uses new clarity format Effective for audits of periods ending June 15, 2010 and later 3

What the New Standard Will Do Address some of the recommendations in the PCIEs study on single audit quality Clarify its applicability Update for changes in the compliance audit environment Clarify that, and which, generally accepted auditing standards apply to the compliance portion of an audit Identify auditor requirements and provide guidance that are unique to a compliance audit Update the elements to be included in an auditors report on compliance for current standards 4

New Compliance SAS – Content Intro and Applicability Objectives Definitions Requirements and Guidance 5

This new SAS applies when all of the following are required: Generally accepted auditing standards (GAAS) Financial audit standards for Government Auditing Standards A governmental audit requirement that requires the auditor to express an opinion on compliance Applicability 6

Applicability Examples Requirement Single Audit (A-133) HUD Guide audit State Grant State law to determine that gas tax monies spent for road purposes Bond monies spent per debt covenants Type of engagement Compliance audit (AU801) Compliance attestation (AT601) Agreed-upon procedure (AT101) In connection with (AU c) 7

Objectives Obtain sufficient appropriate audit evidence to form an opinion and report at the level specified by the government audit requirement on whether the entity complied in all material respects with the applicable compliance requirements Identify audit and reporting requirements specified in the governmental audit requirement that are supplementary to GAAS and GAGAS, if any, and perform procedures to address those requirements. 8

Definitions Terms Unique to Compliance Audit Environment Applicable Compliance Requirements Governmental Audit Requirement Compliance Audit Terms Adapted for Compliance Audit Environment from Financial Audit Standards Audit Risk of Noncompliance Risk of Material Noncompliance Significant Deficiency in Internal Control over Compliance Material Weakness in Internal Control over Compliance 9

Definitions – Examples Applicable compliance requirements Risk of material noncompliance All laws and regulations a govt. follows Laws and regulations related to a program to be audited Laws and regulations that could have a material effect on compliance with a program Compliance = F/S = materially accurate 10

Requirements Adapt and apply AU sections to compliance objectives Appendix has the laundry list, but whatre the key ones? Materiality Risk assessment process Gotta do the tests – internal controls, tests of compliance, analytical procedures – sufficient to give an opinion Reporting Documentation 11

Materiality Materiality set based on governmental audit requirement, GAAS and GAGAS supplement how Different levels of materiality Different nature Unique qualitative & quantitative factors Opinion on program Compliance Require- ments Findings 12

Risk Assessment Procedures Gaining an understanding First, which programs, which requirements? Inquiries, past experience, federal regulations What are the risk factors? Newness, complexity, knowledge, nature of services, level of oversight, past external and internal reports, management's corrective actions What are the internal controls? Five elements of COSO for compliance objectives 13

Risk of Material Noncompliance Factors relative to the applicable compliance requirements when assessing this risk: Complexity Susceptibility to noncompliance Length of time the entity has been following them The auditors observations about the entitys compliance in prior years The potential effect on the entity of noncompliance The degree of judgment involved to adhere to them The auditors assessment of the risks of material misstatement in the financial statement audit Design and implementation of relevant internal controls 14

Matching Controls with Related Risks Controls over compliance – Controls with a purpose! Value of control dependent on compliance risk it offsets Risk assessment process Identify compliance risk Identify control(s) that reduce risk Determine if risk is reduced sufficiently (a relatively low level) Do deficiencies exist? Impact on compliance tests? DOCUMENT YOUR THINKING! Are tests of control effectiveness necessary? Governmental audit requirement (A-133) Reduce overall audit effort to issue an opinion 15

Match Game ControlCompliance Susie approves the reimbursement request The grant department budget is approved annually by the Board Cash needs projections for grants are updated monthly by the business office Harry checks the suspended and debarred website for each contract The grants director obtains certified payrolls every 2 weeks from the contractor Fixed assets are tagged Pete keeps a calendar showing due dates for grant reports 16

Performing Further Procedures Pervasive risks – how its different than a F/S audit Compliance: Trip across what affects multiple programs/ requirements; Respond to overall risk F/S: Look at both overall and assertion level; Respond to risks at both Examples: Centralized recordkeeping with poor internal controls Tone at the Top suggests lack of concern for compliance Overall grants management centered on one individual Decentralized operation with no monitoring 17

Performing Further Procedures Tests of compliance Tests of details, tests of transactions Tests of internal control, if: Risk assessment is based on expectation that controls are operating effectively Substantive procedures alone wont provide sufficient appropriate audit evidence, or Required by governmental audit requirement Portions of AU 318 related to evidence of operating effectiveness obtained in prior audits are not applicable to compliance audits 18

Performing Further Procedures New chapter about sampling in Government Auditing Standards and A-133 Audit Guide Perform any supplementary audit requirements e.g., specific procedures to identify major programs e.g., assess reasonableness of summary schedule of prior audit findings Where analytical procedures fit in For planning As tests of compliance Other evidence 19

How Does Fraud Fit In? It does!.. Focus - Impact of Fraud Risks on noncompliance Fraud Triangle in a compliance environment Example Areas of Concern Funding pressure Maximizing reimbursement Job security Program or Participant Utilization Compliance world often a separate part of the entity Power of the journal entry! SAS 99 documentation requirements apply Hot Topic………ARRA concerns 20

Forming an Opinion Do you have enough relevant evidence to determine whether an entity materially complied? Consider: The frequency of the noncompliance The nature of the noncompliance The adequacy of the entitys system for monitoring compliance Whether any identified noncompliance resulted in likely questioned costs that are material to the government program 21

Forming an Opinion Making the decision about material noncompliance Is it big enough (per the governmental audit requirement [GAR]) to be: A finding? Material to the requirement? Material to the program? Look to the GAR – could be noncompliance, internal control deficiencies, questioned costs $ or % for monetary transactions (e.g., cost principles, cash management); # or % for nonmonetary (e.g., eligibility, reporting) Significance of requirement to program; degree to which requirement was not complied with 22

Subsequent events Financial statement audits versus compliance audit Financial statement audit Focus on event affecting F/S Procedures looking after period for signs of F/S misstatement or future events to disclose in current F/S Procedures applied to transactions of subsequent period Procedures include looking for significant events Compliance audit Focus on events affecting noncompliance Procedures looking after period for signs of noncompliance during the period No procedures applied to compliance in subsequent period Procedures focused on inquiries and info reported in subsequent period Explanatory paragraph in auditors report for subsequent period whoppers 23

Reporting and Reports Reporting Opinion on compliance Other required reporting per the governmental audit requirement (e.g., instances of noncompliance, internal control deficiencies, questioned costs) Reports Report on compliance Report on internal controls Can be combined 24

Documentation All of AU section 339 applies Key areas: Risk assessment procedures Response to risk of material noncompliance Materiality levels used and the basis on which they were determined Can there be more than one? How should it be applied to specific requirements? Compliance with supplemental audit requirements No expectation to document how the auditor adapted and applied every applicable AU section 25

Reissuing a Compliance Report Hopefully, this never happens to you! Explanatory paragraph describing reason for reissuance or report and changes made Dating Update if all programs affected Dual date if not all programs affected A need to reissue auditor-prepared documents referred to in the compliance report is considered to be a reissuance of the report itself 26

AICPA Audit Resources Auditing & Accounting Guides will continue to be important for meeting standards for Single Audits Government Auditing Standards and Circular A- 133 State & Local Governments 27

Questions ????? 28