Internal Control over Compliance Web Event

Internal Control Over Compliance:
Getting it Right Using the GAQC Practice Aids
A Governmental Audit Quality Center Web Event
December 1, 2010
Administrative Notes
If you encounter any technical difficulties (e.g., audio
issues) during this event please take the following
steps:
• Press the F5 key on your computer to refresh
• Close and re-start your browser
• Check your speakers, ensure they are not on mute
• Turn off your pop-up blocker
• Re-start your computer
• Call InterCall Genesys Tech support 866.871.4318, Conf ID# 1497539
• If none of the above work, submit a request for help on the “Send a
Question Box” located on the left hand side of your screen.
If you are unable to get assistance from Genesys for
some reason, e-mail gaqc@aicpa.org or call 202-4349207
Governmental Audit Quality Center
Administrative Notes
We encourage you to submit your technical
questions – please limit your questions to the
content of today’s program
To submit a question, type it into the “Send a
Question” box on left side of your screen; we will
answer as many as possible
You can also submit questions to the GAQC member
forum for consideration by other members
This event is being recorded and will be posted in an
archive format to the GAQC Web site
Continuing Professional Education
Must have registered for CPE credit prior to this
event; a link to the CPE Credit Approval Form was emailed to you
Listen for announcement of 4 CPE codes (7 digit
codes: ALL_ _ _ _ ) and 4 polling questions during
the event
Record CPE Codes on CPE Credit Approval Form
and return completed form (by fax or mail) to AICPA
Service Center for record of attendance; keep a copy
for your records
If you are not receiving CPE for this call, ignore the
CPE codes that we announce, but please answer the
polling questions
Presenters
Joel Black
Mauldin & Jenkins CPAs
John Good
Ernst & Young LLP
Background
Federal study on single audit quality showed numerous
deficiencies in the auditor’s testing of compliance and
understanding and testing of internal control over compliance
GAQC task force reviewed the study results for the purpose of
determining needed actions to improve the quality of work
relating to compliance and internal control over compliance
Actions taken:
• Clarifications made in the 2008 AICPA Audit Guide, Government
Auditing Standards and Circular A-133 Audits
• Issuance of Practice Aids to assist auditors in ensuring that their audit
documentation relating to compliance and internal control over
compliance is responsive to underlying audit requirements
GAQC Practice Aids for Documenting
Internal Control Over Compliance and
Compliance Testwork
Available Now!
• GAQC members – free access to Word and Excel versions on
GAQC Web site
• GAQC members and non-members – small fee ($39.99) for
purchase of electronic PDF product where responses can be
input into form (order through CPA2BIZ at
http://www.cpa2biz.com)
Product #
006662PDF
Purpose of Today
To help you understand what the Practice Aids are
and how they are to be used
• Even if you don’t wish to incorporate the Practice Aids directly,
you should review them to determine if there are any
weaknesses in your current audit documentation strategy that
could be improved upon
But first, let’s be sure we are all on the same
page regarding the actual audit requirements
What We Will Cover
Determining Direct & Material Compliance
Requirements & Using the Matrix Practice Aid
Specific Requirements of the Circular Related to
Internal Control
Using Part 6 of the OMB Compliance Supplement
Using the Controls Overview Documents
Common Deficiencies and Avoiding Them
Planning & Performing Dual Purpose Tests
Determining Direct &
Material Compliance
Requirements
Determining Direct & Material Compliance
Requirements
Do auditors look at all applicable compliance requirements?
• No
• Direct and material compliance requirements
Should an auditee comply with all applicable compliance
requirements?
• Yes
• Do not try to predict an auditor’s scope
Determining Direct & Material Compliance
Requirements
Obtain an understanding of Major Programs
• Compliance Supplement – Parts 2, 3, 4, 5 and 7
• Review contracts and grant documents
- Determine key elements
- Amount
- Timing
- Applicable compliance requirements
- Indirect cost considerations
- Regulations
• Expenditure Patterns
- Wages, benefits, equipment, etc.
Determining Direct & Material Compliance
Requirements
What compliance requirements are applicable?
• Part 2 – Matrix of Compliance Requirements
• Part 7 – Guidance for Auditing Programs Not Included
Very subjective, meaning
• Personal views / auditor judgment
• Experience
• Accepted risk
• Industry expectation
Qualitative and quantitative factors
Determining D & M Compliance Requirements:
Part 2 – Matrix of Compliance Requirements
Determining Direct & Material Compliance
Requirements
Qualitative Factors
Needs and expectations of federal or pass-through
agencies
Noncompliance could cause federal agency to take
action
Seeking reimbursement of program costs
Suspending participation in the program
Public or political sensitivity
Federal, state, local oversight
Internal or other external audits
Previous findings
Determining Direct & Material Compliance
Requirements
Quantitative Factors
Noncompliance could likely result in questioned
costs
Requirement affects large part of the program
Material amount of program dollars
• For example: 5% of expenditures, +/- 1 day, etc.
• Auditor’s tolerance, not an auditee concept
Major Program Risk Matrix
Matrix columns:
• Applicable per Compliance Supplement (Yes or No)
• Direct & Material to Program (Yes or No)
Major Program Risk Matrix
How to document which of the 14 types of compliance
requirements ultimately will be subject to audit for each
major program.
Lists 14 compliance requirements and denotes
applicability of each or reason for consideration as not
direct and material
For direct and material requirements - documents risk
assessments (IR x CR = RoMN)
• RoMN = Risk of Material Noncompliance
Specific Requirements of
the Circular Related to
Internal Control
Specific Requirements of the Circular
Related to Internal Control
§ 500 (c) (2)
- Auditors should perform procedures to obtain an
understanding of I/C over Federal programs sufficient to plan
the audit to support a low assessed level of control risk for
major programs.
- Plan testing of IC over the relevant compliance
requirements for each MP
- Perform testing of internal control as planned
Specific Requirements of the Circular
Related to Internal Control
Each major program
Each direct & material compliance requirement
Each of the 5 elements of COSO
• Control Environment
• Risk assessment
• Information and Communication
• Control Activities
• Monitoring
A-133 says to plan testing of internal control to
support low level of control risk
Specific Requirements of the Circular
Related to Internal Control
Test of design and implementation
• Walkthrough our understanding
• Conclusion: Control has been properly designed and
implemented
Test of effectiveness
• Test key control attributes
• Conclusion: Control is effective
Control must be effective or you should have a
finding
Specific Requirements: Design &
Implementation
AU 314 (SAS 109): Understanding the Entity and Its Environment
and Assessing the Risks of Material Misstatement
Involves evaluating design and determining if control has been
placed in service
• Design: Is the control capable of functioning effectively
- Preventing non-compliance
- Detecting non-compliance
- Correcting non-compliance
• Placed in Service: Has the auditor reviewed documentation
that the control is in place?
Document Understanding of the Control
• Who, what and when
Specific Requirements: Design &
Implementation
AU 314 (SAS 109): Understanding the Entity and Its Environment
and Assessing the Risks of Material Misstatement
Procedures include
- Inquiry of personnel
- Observations of application
- Inspecting document reports
- Reperformance of controls
Inquiry alone is not sufficient
Specific Requirements: Operating
Effectiveness
Tests of operating effectiveness are different from
determining that a control has been implemented (AU
318.26)
Evidence of who, when, what
Procedures include:
- Inquiries
- Inspection of documents indicating performance
- Observation of application of specific controls
- Reperformance of controls by auditor
Generally involves combination of procedures
- Inquiry alone is not sufficient
Control vs. Compliance Tests
CONTROL TEST:
• What did they do to make sure the grant’s objective was
attained?
COMPLIANCE TEST:
• Was the grant’s objective attained?
Specific Requirements: Operating Effectiveness
Test controls
• Throughout the period under audit
• Every period under audit
Internal controls that cross major programs
• Are they really the same?
• Representative sample
Specific Requirements: Operating
Effectiveness
Evaluating results of tests of controls
• Deviations may occur
- Understand deviation and consequences
- Determine if the expansion of the sample would provide
evidence of containment of the error
- Assess the deviation and determine proper reporting
- Control deficiency
- Material weakness
- Significant deficiency
- Assess impact on tests of compliance
Using Part 6 of the OMB
Compliance Supplement
Using Part 6 of the OMB Compliance
Supplement
Internal control considerations for each compliance
requirement for each major program
Guidance not a checklist
Facilitates discussions with management
Using Part 6 of the OMB Compliance
Supplement
Describes characteristics of IC relating to each of
the five components of internal control that should
reasonably assure compliance with the
requirements of Federal laws, regulations, and
program compliance requirements.
Describes the components of IC and examples of
characteristics common to the 14 types of
compliance requirements.
Provides objectives of IC and examples of
characteristics specific to each of 13 of the 14 types
of compliance requirements
(Special Tests and Provisions excluded).
Using Part 6 of the OMB Compliance
Supplement – Excerpt
CASH MANAGEMENT
Control Objectives: To provide reasonable assurance
that the (1) drawdown of Federal cash is only for
immediate needs, (2) reimbursement is requested only
after costs have been incurred, (3) States comply with
applicable Treasury agreements, and (4) recipients limit
payments to subrecipients to immediate cash needs.
Using Part 6 of the OMB Compliance
Supplement – Excerpt from Cash Management
Control Environment
• Appropriate assignment of responsibility for approval of cash
drawdowns, requests for reimbursement, and payments to
subrecipients.
• Budgets for drawdowns are consistent with realistic cash needs.
• Reimbursement is requested only after costs have been
incurred.
Risk Assessment
• Mechanisms exist to anticipate, identify, and react to routine
events that affect cash needs.
• Routine assessment of adequacy of subrecipient cash needs.
• Management has identified programs that receive cash
advances and/or reimbursements and is aware of cash
management requirements.
Using the Controls
Overview Documents
Using the Controls Overview Documents
Illustrates how an auditor might document the audit work
associated with internal control over compliance for the
types of compliance requirements selected for testing for
each major program
Two versions
• Narrative
• Robust Checklist
Narrative
Template – Documenting Internal Control
Narrative
• Section to document controls under each element of COSO
• Space for documenting procedures to determine if control(s) are
placed in operation for each element of COSO
• Summary section to select key control(s) that will be tested for
operating effectiveness
• Standard conclusion space which references finding if less than
low control risk
Robust Checklist
Template – Documenting Internal Control
Robust Checklist
• Part 6 of the Compliance Supplement used for items down left
side of the sheet – each element of COSO separated
• Columns allow documentation of who, what, when the control is
performed and how it was determined to be placed in operation
• Column to denote if it is a key control and how tested for
operating effectiveness
• Standard conclusion space which references finding if less than
low control risk
Common Deficiencies &
Avoiding Them
Common Deficiencies
Compliance testing not documented as performed
or not applicable.
• This condition ranges from one of the 14 compliance
requirements not being documented as covered to all
compliance requirements not documented as covered.
• Need to document rationale for “applicable” requirements being
N/A.
Common Deficiencies
Not documenting understanding of internal control
over compliance in a manner that addresses the five
elements of COSO.
Not documenting testing of internal controls over
compliance.
• OMB Circular A-133 §.500(c)(2) provides that, generally, the
auditor shall plan the testing of internal control over major
programs to support a low level of assessed control risk for the
assertions relevant to the compliance requirements for each
major program, and perform that testing as planned.
Common Deficiencies
Indication that current compliance requirements or
compliance supplements were not considered.
• Using old Compliance Supplements / old compliance steps.
• Compliance Supplement is updated and published every year –
typically in the Spring.
• Download the 2010 Compliance Supplement
- http://www.whitehouse.gov/omb/grants_circulars/
Avoiding Deficiencies
Preliminary assessment of control risk may be
facilitated through a checklist or narrative
Evaluate ineffective control
• SAS 115 criteria
• Evaluation guidance
Internal controls must be continually reevaluated
throughout the audit process
Avoiding Deficiencies
Testing compliance gives indirect evidence on
controls, but cannot serve as the basis for
assessing controls as operating effectively
• Controls: What did entity do to ensure compliance?
• Compliance: Did entity comply?
Ensure dual purpose testing is properly documented
• Properly identify compliance tests & controls tests
Utilize a template to write findings so that all
elements are properly captured
Avoiding Deficiencies
Understand the difference between process and
control
Process
• Procedures that originate, transfer or change data
• Can introduce errors
• Example: Employees complete their timesheets
Controls
• Procedures designed to prevent, detect and correct errors
resulting from processing of accounting information
• Cannot generate errors
• Example: Project manager approves timesheets
Planning & Performing
Dual Purpose Tests
Planning & Performing Dual Purpose Tests
Common practice to utilize a single sample to
achieve multiple audit objectives
• Internal control over compliance testing
• Compliance testing
• Financial statement balance testing
Exercise caution:
• Different characteristics are for different objectives
• If there are errors in internal control, compliance sample
may not be adequate
Planning & Performing Dual Purpose Tests
Sample size designed for a dual purpose test should
be the larger of the samples designed for the
separate tests
Evaluate findings separately for compliance and
controls
Separate documentation for I/C and Compliance
tests
- Objectives
- Population considerations
- Deviations/Exceptions
- Conclusions
Testing Compliance –
Practice Aids & Tips
Tickmark/Procedure Description for an Allowability Test
Insufficient
√ = Allowable
Better
√ = Cost met criteria for being
allocable, allowable, reasonable,
and net of applicable credits.
Cost charge was in accordance
with A-122
Dual Purpose Testwork Example
Dual Purpose Test
Shows a design for a workpaper with IC and
compliance tests included
Separate columns (for compliance & internal control
over compliance) to document results
Separate tests/tickmarks
Both compliance & internal control over compliance
concluded upon
Internal Control over Compliance
Practice Aids
Practice Aids
• Major Program Risk Matrix
• Controls Overview Document (Narrative & Checklist)
• Dual Purpose Testwork
GAQC members can access the Practice Aids for free through
www.aicpa.org/GAQC
GAQC members may also wish to purchase an electronic PDF
“form” version of the Practice Aids titled, Documenting and
Testing Compliance and Internal Control Over Compliance in a
Single Audit, that is also available to the general public
• Allows responses to be directly input
• Purchase through www.cpa2biz.com
Questions