AICPA Compliance Audits

May 6, 2009
Auditing Standards Board
American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775
Audit – Tax – Advisory
Grant Thornton LLP
175 W Jackson Boulevard, 20th Floor
Chicago, IL 60604-2687
T 312.856.0200
F 312 565 4719
www.GrantThornton.com
Dear Board Members and Staff:
We appreciate the opportunity to comment on the proposed Statement on Auditing Standards
(SAS), Compliance Audits, approved for exposure by the Auditing Standards Board (Board) of
the American Institute of Certified Public Accountants (AICPA), and we respectfully submit
our comments and recommendations.
We understand the Board issued the proposed SAS in response to the Report on National Single
Audit Sampling Project issued in June 2007 by the President’s Council on Integrity and Efficiency
(PCIE) to the Office of Management and Budget, which recommended revising and improving
single audit criteria, standards, and guidance to address deficiencies in the performance of
compliance audits. Although we believe the proposed SAS is an improvement over the extant
standard and a step forward in the performance of more effective and efficient compliance
audits, we have significant concerns with the understandability and implementation of the
proposal. We recommend the Board continue its efforts to advance the standards in this area
by working collaboratively with the appropriate regulatory bodies.
Audit versus attest standard
To fully respond to the findings of the PCIE report, we believe the Board must eliminate the
compliance audit standard and strengthen the compliance attestation standard in AT section
601, Compliance Audits. The performance of compliance audits under two different sets of
standards that provide the same level of assurance is unnecessary and perplexing.
To achieve higher-quality compliance audits, we believe it is in the public’s best interest to
strengthen the attestation standards, in lieu of adapting the audit standards. In our view, the
audit standards were written specifically for a financial statement audit. To adapt those
standards to a compliance audit causes a lack of consistency in the performance of such
engagements, which is a likely cause of deficiencies in practice.
We understand that some put forth the argument that certain laws and regulations specifically
require a compliance audit in accordance with the Board’s audit standards and therefore,
compliance audits, as required by those laws and regulations, must be contained within
generally accepted auditing standards, as codified in the AU sections. We do not agree with the
premise that geography between the audit standards (AU sections) and the attestation standards
(AT sections) causes this requirement to not be met. AT section 601 provides the same level of
assurance as the extant standard at AU section 801, Compliance Auditing Considerations in Audits of
Governmental Entities and Recipients of Governmental Financial Assistance, and we consider both to be
auditing standards. In fact, Statement on Standards for Attestation Engagements 15, An
Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of
Its Financial Statements, recently stated that the examination may be referred to as an audit.
Accordingly, we do not see a need to maintain two different sets of standards that address the
same subject matter, and question whether this is more of an educational matter. Our
overriding concern is the quality and clarity of the Board’s standards, and the ability to apply
those standards consistently, which we believe has been compromised.
Management’s responsibilities
We note that AT section 601, in combination with AT section 101, Attest Engagements, requires a
written assertion from management about the entity’s compliance. It also requires management
to perform an evaluation of the entity’s compliance. Similar to an audit of internal control over
financial reporting, we believe these are essential elements in the performance of a compliance
audit that are lacking in the proposed SAS, which places a higher burden on the auditor with
respect to the determination of material noncompliance. Users of both reports should be able
to expect the same level of work effort on the part of the auditor, and the auditor should be
able to report in the same manner under both sets of standards.
Overall, we believe that “assertion-based” engagements provide a more appropriate reflection
of the accountability relationship between management and the auditor. Furthermore, such
reporting is consistent with the direction the Board’s other standards are taking, including
engagements to report on controls at a service organization.
Establishing materiality
In paragraph 13, the proposed SAS requires the auditor to establish materiality levels for the
audit based on the governmental audit requirement. We believe materiality is established in
consideration of the defined terms, specifically the terms compliance audit and material
noncompliance. Both of these terms run to the specific program and therefore, materiality would
be established at the government program level and findings of noncompliance would be
evaluated in relation to that materiality. As such, we suggest the term “compliance audit”
replace the term “audit” in this paragraph. However, paragraph A4 could cause confusion by
inferring that materiality may be established at a lower level. For example, in the second
sentence, we do not understand what “one or more of these purposes” refers to, other than to
establish materiality. The third sentence offers an example that infers reporting materiality may
differ from materiality for the government program taken as a whole and therefore, the auditor
would be required to establish materiality for specific compliance requirements. We do not
believe this is what was intended. If, however, we are mistaken, in our opinion, this guidance is
problematic and not operational.
We also believe the Board should reconsider the guidance in paragraph A5, which states that
the governmental audit requirement usually is established by the grantors, and the auditor’s
report on compliance is primarily for their use. The paragraph goes on to state that the
auditor’s judgment about materiality is also based on the consideration of the needs of users as
a group, including the grantors. Although this paragraph identifies the grantors as the primary
user of the report on compliance, it seems to us that it also suggests that there is a wider group
of users that includes the grantors. We believe this is confusing, particularly with respect to
which users the auditor should consider. We view the grantors as being the primary group of
users and would not object to mentioning these “other” additional users, provided such
reference is downplayed as being less of a factor in determining materiality.
Material noncompliance
In paragraph 11 of the proposed SAS, we believe the definition of material noncompliance should
be revised to include the concept of user expectations and eliminate the notion that the terms
material and significant are equivalent. We suggest the definition be aligned with how the Board
describes a material misstatement in paragraph 2 of proposed SAS, Materiality in Planning and
Performing an Audit (Redrafted). For example, the definition may be worded as follows: “A
failure to follow requirements or a violation of prohibitions included in an applicable
compliance requirement that results in noncompliance that, individually or when aggregated
with other noncompliance, could reasonably be expected to influence the decisions of users
taken on the basis of the affected government program. Noncompliance can be quantitatively
or qualitatively material. Governmental audit requirements may provide an alternative definition
of material noncompliance.”
In addition to modifying the definition, we believe the Board should provide more guidance on
determining what constitutes material noncompliance. Paragraphs .36, .37 and .53 of AT
section 601 provide some guidance on this matter, which not only acknowledges the needs and
expectations of users, but also the fact that noncompliance may not be quantifiable in monetary
terms. At a minimum, these paragraphs should be incorporated in the proposed SAS. Although
we believe additional guidance is necessary in consideration of audit findings and our previous
comments on materiality, we do acknowledge that guidance of such significance would need to
be the subject of future deliberations.
Further, we believe the primary responsibility for determining whether the entity is in
compliance with the applicable compliance requirements should rest with management.
Accordingly, we also suggest the proposed SAS include a requirement for the auditor to obtain
a written representation relating to noncompliance that management believes is not material to
the government program. We do not believe the auditor should bear the sole responsibility for
determining when noncompliance is material or immaterial.
Modifying the opinion
We bring to the Board’s attention that paragraph 30(l) simply refers to noncompliance that
results in an opinion modification. We believe the standard should be very clear that material
noncompliance should result in a qualified or adverse opinion on compliance with the
applicable compliance requirements, which would be consistent with AT section 601. In this
regard, paragraph 33 could be expanded to also include this opinion modification.
We note, however, that in an engagement to examine an entity’s internal control over financial
reporting, internal control is either effective or it is not. In this regard, the Board should
consider whether it is appropriate to qualify the opinion when material noncompliance exists.
Responding to pervasive risks
Paragraph 18 requires the auditor to develop an overall response for those assessed risks of
material noncompliance that are pervasive to the entity’s compliance. This requirement seems
to be in alignment with the requirement in a financial statement audit to develop an overall
response to pervasive risks at the financial statement level. However, the examples in paragraph
A15 of the proposed SAS are risks that can be effectively addressed at the compliance
requirement level, where an overall response does not seem necessary. We believe better
examples of pervasive risks that affect all of the applicable compliance requirements need to be
provided, including how the auditor should respond to such risks. We suspect the same
responses would apply as set forth in AU section 318, Performing Audit Procedures in Response to
Assessed Risks and Evaluating the Audit Evidence Obtained, in which case we would question
whether paragraph 18 is even necessary.
Effective date
We note the effective date of the proposed SAS is prior to the effective date of the Board’s
clarified standards. The proposed SAS is written in the clarified format, which we support.
However, the requirements and guidance related to the clarified format are located in the
proposed SAS, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
with Generally Accepted Auditing Standards, which will become effective at a later date. Although
we do not have significant concerns with the implementation of the proposed SAS prior to the
effective date of the clarified standards, we are concerned with the incremental changes that will
be made to the applicable AU sections, and those that are not applicable to a compliance audit
in Exhibit A, based on the Board’s convergence with International Standards on Auditing and
the clarity drafting conventions. The Board would need to issue a new SAS, within six months
of the effective date of the proposed SAS, that aligns with the final clarified standards. We
believe the Board should consider whether this is feasible, and if so, expose, finalize and
publish a new SAS with a new effective date, along with the Board’s other clarified standards.
Paragraph-level comments
The following offers specific paragraph-level comments for the Board’s consideration.
Paragraph
Comment
2
Although we understand the intent of the phrase “all AU sections are applicable to the audit of
financial statements performed in conjunction with a compliance audit,” we believe the phrase
should be deleted and the last sentence reworded to simply state that not all AU sections are
applicable (or relevant) to a compliance audit.
Our concern is with the fine line between applicability and relevance. Under the clarified
standards, we believe the proposed SAS, Overall Objectives of the Independent Auditor and the
Conduct of an Audit in Accordance with Generally Accepted Auditing Standards, clearly
describes, in paragraph 18, the auditor’s responsibility to comply with relevant AU sections in a
financial statement audit. Accordingly, the phrase indicated above is not necessary and could be
potentially confusing.
4, 5
We believe paragraphs 4 and 5 can be combined by deleting the last two sentences in
paragraph 4. To eliminate any potential for misunderstanding, our preference would be to state
that (a) the AU sections that are not applicable (or relevant) to a compliance audit are in exhibit
A, and (b) all other AU sections are applicable and generally can be adapted to the objectives of
a compliance audit. We also believe these paragraphs, along with paragraph 6, would fit better
as application guidance to paragraph 12.
12
In connection with a new SAS under the clarified standards, we propose this requirement
incorporate the concept of “relevant to the audit” to align with paragraph 18 of the proposed
SAS, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
with Generally Accepted Auditing Standards.
20
Paragraph 12 of the proposed SAS establishes the requirement to adapt and apply the
applicable AU sections. We believe it is not necessary to require the auditor to adapt and apply
the requirements in the specific paragraphs listed. Accordingly, we believe the first sentence of
this paragraph should be streamlined.
We also believe this requirement could be clearer with respect to using audit evidence about the
operating effectiveness of controls obtained in prior audits. Although the requirement currently
refers to “each compliance audit,” we believe this matter can be easily misunderstood.
23, A20
We agree with the requirement to obtain written representations and to tailor those
representations to the entity, the governmental audit requirement, and the applicable compliance
requirements. However, we believe the examples of representations in paragraph A20 are those
the auditor should be required to obtain, and would obtain in adapting AU section 333,
Management Representations, to a compliance audit. As such, we believe the minimum required
representations should be brought forward to the requirements section.
In addition, in connection with our previous comment relating to management’s evaluation and
assertion of compliance, we refer the Board to the representations in paragraph .68 of AT
section 601. Since both engagements provide the same level of assurance, the representations
to be obtained from management should be equivalent.
24, A21
We suggest referring to the report release date, in lieu of the issuance of the auditor’s report (or
the date the report is issued). We believe this would be more consistent with generally accepted
auditing standards (GAAS).
26, A21
Although we agree with the requirement in this paragraph, we note that it does not address the
auditor’s responsibility for identified noncompliance between the auditor’s report date and the
report release date. Paragraph A21, however, provides an example of noncompliance that might
occur subsequent to the period being reported on, but before the report is issued, that may
warrant disclosure in the auditor’s report. We believe this matter should be considered by the
Board and appropriately addressed in the proposed SAS.
It might also be helpful to state in the application and other explanatory material that AU section
561, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report, applies when
the auditor becomes aware of facts, subsequent to the date of the auditor’s report, that may
have existed at that date and might have affected the report.
30(n)
According to paragraph 1, the proposed SAS applies when the auditor is engaged to perform a
compliance audit in accordance with GAAS, the standards for financial audits under Government
Auditing Standards (GAGAS), and a governmental audit requirement. This paragraph discusses
report restrictions when the criteria are established or determined by contractual agreement or
regulatory provisions that are developed solely for the parties to the agreement or regulatory
agency, or the criteria are available only to the specified parties. We believe this is inconsistent
with paragraph 1, as it is inconceivable, due to the governmental audit requirement, that the
proposed SAS would apply under a contractual agreement or when the criteria are not available.
We would argue that AT section 601 would apply in those circumstances.
31, 32, 34
Paragraph 34 requires the auditor to communicate, in writing, to management and those
charged with governance identified significant deficiencies and material weaknesses in internal
control over compliance. Paragraphs 31 and 32 also address the communication of significant
deficiencies and material weaknesses. The Board should clarify that the report described in
paragraphs 31 and 32 would be sufficient to meet the written communication requirement in
paragraph 34.
32(b)
In referring to the auditor’s report on compliance, we believe the auditor should also be required
to include the nature of opinion that was expressed.
35
We believe this requirement should be deleted because (a) AU section 380, The Auditor’s
Communication With Those Charged With Governance, already applies to a compliance audit,
(b) the requirement is not specifically tailored to a compliance audit, and (c) the proposed SAS
does not include any application or other explanatory material on how to tailor the requirements
in AU section 380 to a compliance audit.
39
We prefer the auditor be required to document the “basis” for the materiality determination and
not “how” materiality was determined.
41, A27
It is unclear as to whether GAAS, GAGAS, or the governmental audit requirement would require
the auditor to “reissue” the auditor’s compliance report. We believe this is an area that requires
additional guidance, as the proposed SAS should be very clear on when the auditor is required
to reissue the report.
A11
We believe this paragraph is not necessary and can be deleted. AU section 314, Understanding
the Entity and Its Environment and Assessing the Risks of Material Misstatement, adequately
discusses the auditor’s responsibility for internal control.
A23
We believe this paragraph would be clearer by describing the fact that a compliance audit in
accordance with the proposed SAS covers a period and is not as of a point in time.
A25
A similar paragraph is included in AU section 325, Communicating Internal Control Related
Matters Identified in an Audit. We do not fully understand why the Board chose to include or
adapt certain paragraphs in the proposed SAS, while not including or adapting others. With
respect to this particular paragraph, we would assume that the same paragraph in AU section
325 could be adapted to a compliance audit and therefore, is not required in the proposed SAS.
Exhibit A
Because this exhibit identifies the AU sections that are not applicable to a compliance audit, we
believe it should be elevated to an appendix and be subject to the Board’s due process
procedures.
With respect to the reference to AU section 316, Consideration of Fraud in a Financial Statement
Audit, we do not believe it is necessary to list a single bullet point as not being applicable.
With respect to the reference to AU section 317, Illegal Acts by Clients, we believe certain
paragraphs would be applicable to a compliance audit; specifically, those paragraphs dealing
with the auditor’s response to possible or detected illegal acts and communications with those
charged with governance. Alternatively, the applicable requirements may be incorporated
directly in the proposed SAS.
We note that AU section 550, Other Information in Documents Containing Audited Financial
Statements, is not applicable to a compliance audit. We suggest, however, the Board consider
the requirements and guidance therein, and those in paragraphs .91-.94 of AT section 101,
Attest Engagements, and include specific responsibilities in this regard in the proposed SAS.
We would be pleased to discuss this letter with you. If you have any questions, please contact
Mr. John L. Archambault, Managing Partner of Professional Standards, at (312) 602-8701.
Sincerely,
Grant Thornton LLP
U.S. member firm of Grant Thornton International Ltd