Articles, Primers, Tools, and Research AidsMember Discussion Forum and GAQC Executive CommitteeAICPA Conferences and Training ProgramsMembership Requirements, Dues Information, and Membership ApplicationAICPA Publications, CPE, and Conferences
 
Search
 

Search Options
GAQC Home > Resources > OMB Circular A-133 > Common Engagement Deficiencies in Audits Performed Under OMB Circular A-133 Noted in Peer Reviews, Ethics Investigations, and Federal OIG Quality Control Reviews

Common Engagement Deficiencies in Audits Performed Under OMB Circular A-133 Noted in Peer Reviews, Ethics Investigations, and Federal OIG Quality Control Reviews

Both the AICPA peer review and disciplinary processes continue to indicate that that there are problems in the single audits they are reviewing. Federal Offices of Inspectors General (OIGs) have also found problems based on their quality control reviews of single audit work that are consistent with those found by the AICPA. The following discussion describes the most common deficiencies being found. You should consider reviewing your firm’s policies and procedures to see whether your single audits also might have these kinds of issues. The first several problems in this listing are the result of errors being made by auditors in applying the risk-based approach required by Office of Management and Budget (OMB) Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations (Circular A-133) for determining major programs. 


View the refresher on determining major programs.

 

·         Failure to audit as major programs type A programs not qualifying as low risk. Circular A-133 requires a type A program to be audited as a major program unless it qualifies as a low-risk program. For a program to be considered low risk, it must, among other criteria, have been audited as a major program in at least one of the two most recent audit periods. Auditors have made errors in applying this criterion. No auditor judgment is permitted in evaluating this historical two-year look-back criterion, and the reason a type A program was not audited in the prior two audit periods is irrelevant. Errors often occurred when a type A program was not audited in the first year it became a type A program (for example, a new program or a program that had previously been type B).

·         Failure to audit type A programs as major because of errors made in determining the type A/type B program dollar threshold. Circular A-133 includes criteria for determining the dollar threshold for type A programs. Any program that does not meet those criteria is considered a type B program. No rounding is permitted for that threshold. Some auditors made mathematical computation errors in determining the threshold and some erroneously based calculations on interim rather than final federal awards expended amounts. You should note that federal awards expended for purposes of determining type A and type B programs are the amount of cash and noncash awards, after all adjustments are made, in the final current-year schedule of expenditures of federal awards (SEFA), including the notes thereto. An auditor who uses the prior-year schedule or preliminary current-year estimates to plan the audit should recalculate the threshold for type A programs based on the final amounts to ensure that federal awards are properly classified as type A or B.

·         Failure to audit all programs included in a cluster of programs. Clusters are defined in Part 5 of the Supplement and should be considered as one program in determining major programs. Auditors made errors in identifying programs as part of a program cluster.

·         Failure to meet the percentage-of-coverage requirement in Circular A-133, section 520(f). The percentage-of-coverage requirement is applied as the last step in the risk-based approach and must always be met. At least one program must always be audited as a major program. In some cases, there were errors in the reviewed audits' compliance with the percentage-of-coverage requirement.

·         Inadequate  or outdated reference material. The auditor used inadequate or outdated reference material related to the engagement performed. Be sure to be familiar with new Statements on Auditing Standards (SASs) and accounting standards that are issued. Further, you should ensure that you are using the most up-to-date versions of the Compliance Supplement, Yellow Book, and the AICPA Audit Guide Government Auditing Standards and Circular A-133 Audits.

·         Documentation problems noted in various areas. Internal control and compliance tests were not always adequately documented to support the reports issued. In some cases the auditor did not document that an auditee was considered a low-risk auditee (to support the reduced testing that was performed). Further, in a few other cases items such as the subsequent events review and litigation follow-up were not documented. SAS No. 103, Audit Documentation (AICPA, Professional Standards, vol. 1, AU sec. 339), provides guidance on the content, retention, and confidentiality of audit documentation as required by generally accepted auditing standards (GAAS). Among other things, SAS No. 103 requires audit documentation to be sufficient to enable members of the engagement team with supervision and review responsibilities to understand the nature, timing, extent, and results of auditing procedures performed, and the evidence obtained. Government Auditing Standards includes an additional standard that requires audit documentation to contain sufficient information to enable an experienced auditor having no previous connection with the audit to ascertain the evidence that supports the auditor's significant conclusions and judgments. You should keep these SAS No. 103 and Government Auditing Standards requirements in mind when you are preparing your audit documentation. It is possible that problems with audit documentation could be the root of many of the other problems discussed in this section.

·         Problems with the GAAS audit of the financial statements. Generally accepted accounting principles (GAAP) requirements were not followed in all cases. Further, the auditor’s report was not always qualified for GAAP departures. While Circular A-133 does not require the financial statements to be prepared in conformity with GAAP, if the entity has chosen to follow GAAP, the financial statements should include all appropriate requirements. Further, the auditor’s report should be appropriately modified for any GAAP departures.

·         Engagement letter deficiencies. The engagement letter did not include proper references to Circular A-133 requirements or record retention policies, or include a copy of the latest peer review report. Refer to SAS No. 83, Establishing an Understanding With the Client, as amended by SAS No. 89, Audit Adjustments (AICPA, Professional Standards, vol. 1, AU sec. 310.06-.07), for a listing of the matters that should generally be included when the auditor establishes an understanding with the auditee. The AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits, also includes additional matters that the auditor might want to consider in the communication when engaged to perform a single audit.

·         Inadequate Government Auditing Standards reporting. The required Government Auditing Standards reporting for internal control or compliance were not prepared or were not referred to in the report on the financial statements. Remember to prepare a Yellow Book report when the audit is required to be performed in accordance with Government Auditing Standards (either by law, regulation, or contract). Remember, also, that there is a required linkage paragraph required in the report on the financial statements that informs the reader that the Yellow Book report has been issued and that it is an integral part of the audit and should be read in conjunction with the financial statement report.        

·         Inadequate Circular A-133 reporting. The appropriate Circular A-133 reporting was not included in some cases. In others, the appropriate report wording was not used. You are required to issue a Circular A-133 report in every single audit.

·         Inappropriate compliance opinion. Sometimes the Circular A-133 report was not modified when it appeared that it should be. In other words, an unqualified opinion was provided when there were material instances of noncompliance. When the audit of an auditee's compliance with requirements applicable to a major program detects material instances of noncompliance with those requirements, you should express a qualified or adverse opinion. You should also consider whether the noncompliance is the result of a related reportable condition or material weakness and, if so, report it in the Circular A-133 report. The AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits, discusses compliance auditing requirements and auditor reporting. Further, it discusses materiality differences between the single audit and the financial statement audit.

·         Problems with compliance and internal control work. In some cases, the required compliance testing was not performed, sometimes because the auditor did not follow the guidance in Part 7 of the Compliance Supplement for identifying the applicable compliance requirements to test and report on. In other cases, internal control and compliance tests were not adequately designed or documented to support the reports issued. In performing compliance tests, be sure that you have identified which of the applicable compliance requirements may have a direct and material effect on each major program. It is imperative that you use the most recent version of the Supplement to make this identification. If the program you are auditing is not included in the Supplement, you should follow the guidance in Part 7 of the Supplement for identifying the applicable compliance requirements. Further, in performing compliance tests, be sure to consider relevant portions of the entity's internal control over compliance. Remember that you must test controls (to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program) unless they are likely to be ineffective in preventing or detecting noncompliance.


View the refresher on internal control requirements

You should consult the AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits, for detailed guidance on both compliance and internal control testing.

·         Audit findings and supporting documentation lacking. Audit findings reported by auditors in the schedule of findings and questioned cost have been found to be lacking required information. Further, in some cases federal agencies have reviewed audit documentation supporting audit findings for purposes of assisting them in seeking recovery of questioned costs. In performing those reviews, they have found that the audit documentation lacked information on the specific items tested and the transactions for which exceptions were found. Circular A-133 requires that audit findings should be presented in sufficient detail for the auditee to prepare a corrective action plan and take corrective action and for federal agencies and pass-through entities to arrive at a management decision. You should refer to the AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits, for a discussion of the specific requirements of Circular A-133 as it relates to audit findings. Further, you should ensure that your audit documentation clearly identifies the work performed and conclusions reached. Remember that SAS No. 103, Audit Documentation (AICPA, Professional Standards, vol. 1, AU sec. 339) requires that audit documentation related to tests of operating effectiveness of controls and substantive test of details that involve inspection of documents or confirmation to include an identification of the items tested.

·         Inadequate management representation letter. The management representation letter did not follow the requirements of SAS No. 85, Management Representations (AICPA, Professional Standards, vol. 1, AU sec. 333), as amended, or include the additional representations required by the AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits, for a Circular A-133 audit. Refer to both SAS No. 85 and the Guide to ensure all required components of the management representation letter are included.

·         Issues with the schedule of expenditures of federal awards. In some instances, the SEFA was not presented or reported upon. In others, the schedule was presented but it did not accurately reflect the federal expenditures of the auditee and the auditor’s reporting on the schedule was not modified. Circular A-133 requires the auditor to determine whether the SEFA is presented fairly in all material respects in relation to the auditee's financial statements taken as a whole. The schedule, prepared by the auditee, reports the total expenditures for each federal program. Refer to the AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits, which cover the identification of federal awards, the general presentation requirements governing the schedule, pass-through awards, noncash awards, endowment funds, and the auditor's reporting on the schedule.

·         Noncompliance with Yellow Book continuing professional education (CPE) requirements. The engagement team did not meet the Government Auditing Standards or state licensing board CPE requirements. 

View the description of the Yellow Book’s CPE requirement.

·         Concurring review process failed. In several of the cases, engagements that were reviewed before completion by a concurring reviewer had a multitude of problems. If your firm uses concurring reviewers as part of your quality control system, you should consider ensuring that the reviewer has knowledge of Government Auditing Standards and Circular A-133 requirements.

 

View common engagement deficiencies noted in Government Auditing Standards audits.

Copyright © 2007 by the American Institute of Certified Public Accountants, Inc., New York, New York.