Circular A-133 Audit Internal Control Refresher

Various organizations that monitor the quality of Office of Management and Budget (OMB) Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations (Circular A-133) audits are identifying problem areas that include the Circular's internal control requirements. As a result, we present this “refresher” on certain of the internal control requirements of Circular A-133. Auditors also should refer to Circular A-133, the Compliance Supplement, Government Auditing Standards, and the Audit Guide, Government Auditing Standards and Circular A-133 Audits, for the underlying requirements. (You also may want to consider referring to those sources to refresh yourself on the Circular A-133 requirements concerning applying materiality, selecting major programs, compliance testing, and reporting.)

Circular A-133 Internal Control Requirements

In addition to the consideration of internal control over financial reporting required by generally accepted auditing standards (GAAS) and the Yellow Book, Circular A-133 requires auditors to perform procedures to obtain an understanding of internal control pertaining to the compliance requirements for federal programs. That understanding has to be sufficient to plan the audit to support a low assessed level of control risk for major programs. There are fourteen types of compliance requirements provided in the OMB Circular A-133 Compliance Supplement. Procedures to obtain an understanding of these requirements have to be applied only to the applicable compliance requirements that could have a direct and material effect on the major programs. Further, Circular A-133 requires auditors to plan and perform tests of internal control over compliance to evaluate the effectiveness of controls unless the internal control is likely to be ineffective in preventing or detecting noncompliance with those requirements.

If the auditor determines that internal control is likely to be ineffective in preventing or detecting noncompliance, Circular A-133 requires the auditor to (1) assess control risk at maximum, (2) consider the effect of the ineffective control on the extent of substantive compliance testing, and (3) report a reportable condition or material weakness as an audit finding.¹

In performing tests of internal control over compliance, the evidential matter that would be sufficient to support a low assessed level of control risk is a matter of professional judgment. In evaluating the results of tests of controls, the auditor may find that the controls do not support a low assessed level of control risk. In this situation, the auditor is not required to expand testing of internal control over compliance; he or she may choose to assess control risk at other than low, design the extent of compliance testing accordingly, and consider the need to report an audit finding. On the other hand, the auditor may decide to expand the testing of internal control over compliance if he or she believes that expanded internal control testing would support a reduced assessed level of control risk and be more efficient than additional tests of compliance.

In applying the provisions of Circular A-133, ineffective internal control relates to individual compliance requirements for each major program. For example, controls over eligibility requirements may be ineffective because access to participant eligibility records is not limited to appropriate persons and there is no review or reperformance of eligibility determinations. The entity may, nonetheless, have sufficient controls over allowable costs. In this case, the auditor would be required to plan and perform tests of controls over allowable costs and to report a reportable condition for the lack of control related to eligibility (including whether such condition is a material weakness) as part of the audit findings and in the auditor's report on internal control over compliance. The auditor in this example would also be required to assess the extent of procedures designed to test compliance with eligibility requirements. In most cases, the extent of that testing would need to be expanded.

Because reportable conditions and material weaknesses for the purpose of reporting audit findings in accordance with Circular A-133 are in relation to a type of compliance requirement for a major program or an audit objective identified in the Supplement, the auditor may not be required to report an audit finding if a control that is likely to be ineffective is not material at either of those levels. For example, for the program income type of compliance requirement, auditees must comply with requirements that specify the use of income that is directly generated by a program during the grant period. The audit objective identified in the Supplement is to determine whether program income is correctly recorded and used in accordance with the program requirements, the Circular A-102 Common Rule, and Circular A-110, as applicable. Suppose that an auditor assesses the control risk for an auditee's internal control over program income at the auditee's headquarters location as low, but finds that the internal control over program income at a satellite location is likely to be ineffective. However, the extent of program activities conducted at the satellite location, including those that generate program income, are not material to the type of compliance requirement. In this situation, the auditor could conclude that the lack of control over program income requirements at the satellite location does not constitute a reportable condition for the purpose of reporting an audit finding.

The auditor has no responsibility under Circular A-133 to obtain an understanding of internal control or to plan or perform any tests of controls over federal programs that are not determined to be major, except as may be necessary to follow up on prior audit findings as required under Circular A-133, section 500(e).

The auditor should thoroughly document his or her work in assessing control risk and in testing internal control. Note that Government Auditing Standards requires the audit documentation to contain sufficient information to enable an experienced auditor who has had no previous connection with the audit to ascertain from the audit documentation the evidence that supports the auditors’ significant judgments and conclusions.

1. For the purpose of reporting internal control audit findings in accordance with Circular A-133, reportable conditions and material weaknesses are evaluated at a lower level than the major program level—they are evaluated in relation to a type of compliance requirement for a major program or an audit objective identified in the OMB Compliance Supplement. Also, reportable conditions may individually or cumulatively be material weaknesses, whether for purposes of reporting internal control over compliance or internal control over financial reporting.