CH 15- AUDITING GOVERNMENTS AND NOT-FOR-PROFIT ORGANIZATIONS

Analyzing Ethical Dilemmas

· A dilemma, by definition, is a situation that requires a choice between two equally balanced alternatives—a predicament that seemingly defies a satisfactory solution. Few ethical dilemmas can be resolved without an individual selecting among, or compromising between, competing ethical values. There is almost never a single "correct" course of action. Nevertheless, by identifying and analyzing the factors relevant to the issue at hand, the individual can better develop available options and understand their consequences. · The following questions are indicative of an approach (merely one of several possibilities) that can be taken to resolve ethical dilemmas: o (1) What are the relevant facts? (Although many situations are seemingly complex, there may be only a small number of facts that are genuinely germane.) o (2) Who are the major parties affected, and what are their interests in how the dilemma is resolved? o (3) What are the ethical values that are in question? How do they rank in importance? o Examples of these values include: § Honesty and integrity § Loyalty and obligations to colleagues § Responsibilities to family § Obligation to make full and fair disclosures to appropriate parties § Loyalty and other obligations to one's employer § Responsibilities as a citizen § Pursuit of excellence o (4) What are the alternative courses of action? o (5) What are the consequences of each course of action? Which values would have to be sacrificed or compromised?

What approach do auditors take in performing single audits?

· A single audit has two main components: o An audit of the financial statements conducted under GAGAS o An audit of federal financial awards · Per Circular A‐133, these two types of audits should culminate in at least four types of reports (which are commented on in greater detail in the following section): o Opinions on whether the financial statements are fairly presented in accord with GAAP and on whether a schedule of expenditures of federal awards is fairly presented o A report on compliance and on internal controls relating to the financial statements o An opinion on whether the organization complied with the requirements of major programs o A schedule of findings and questioned costs. Questioned costs are those that are not subject to federal reimbursement because they are in violation of laws or provisions pertaining to a grant, are not supported by adequate documentation, or appear to be unreasonable or imprudent · Although single audits incorporate a conventional financial audit, they are characterized by their focus on compliance with laws and requirements applicable to federally funded programs. Therefore, this section on single audits will focus mainly on the compliance component of single audits. · Identifying Major Programs: A Risk-Based Approach · Key Procedures

How do audits of governments and not-for-profits differ from those of businesses?

· An audit is defined in general‐purpose dictionaries as an examination of records or accounts to check their accuracy. Business‐sector financial audits are characterized by the attest function. Attest means "to affirm, to be correct, true, or genuine; corroborate." The attest function adds credibility to the assertions of others—in the case of an independent financial audit, to an entity's financial data as presented by management. · In the government and not‐for‐profit sectors, auditing extends beyond the attest function. Auditors not only attest to the data reported in financial statements. They also make, and report on, their own independent evaluations as to whether auditees have complied with appropriate laws, regulations, and terms of grants. Further, they assess whether the auditees have achieved their objectives and carried out their missions efficiently and effectively.

Public availability

· As a general rule, government documents, unless explicitly excluded by legislation, are in the public domain. Hence, auditors must assume that their audit reports will be available for public inspection. Nevertheless, the GAO standards make it clear that certain circumstances, such as those associated with public safety, privacy, or security, justify omitting from a report certain items that would otherwise be included. Thus, detailed information relating to computer systems could undermine data security. In such instances, the auditor might omit such information from reports that would be widely distributed and include it only in those of officials that need to know. However, when auditors exclude information that they deem to be confidential, they should so note that they have done so.

(4) Scheduling Disbursements or Other Populations

· As in a financial engagement, auditors will likely have to rely on sampling; they may not be able to review all activities within a program and seldom can test all transactions. · To determine which activities and transactions to test, the auditors must be aware of the nature and amount of disbursements. Therefore, they should schedule all outlays, summarizing them as appropriate. · However, depending on the objective of the audit, disbursements might not be the proper population from which to select a test sample. For example, to test whether participants in a job‐training program satisfied admissions criteria, the auditors would want to obtain a list of either program participants or program applicants.

What reports result from single audits?

· As noted in the previous section, auditors are expected to produce four types of reports as part of their single audit. · Opinion on the Financial Statements and on the Schedule of Expenditures of Federal Awards · Reporting on Compliance and on Internal Control Over Financial Reporting · Reporting on Compliance with Requirements of Major Programs · Schedule of Findings and Questioned Costs

Key differences between financial and performance audits

· Attest Function versus Independent Assessment · Focus: Organization at Large versus Specific Programs · Timing: Routine versus Occasional · Evidence: Well-Delineated versus Broad · Auditor Knowledge: Financial versus Programs · Manner of Conducting

(1) Selecting the Audit Target

· Audit organizations target for examination the programs for which the potential for cost savings or impact on citizens is the greatest—those in which expenditures or risk of inefficiencies, ineffectiveness, or noncompliance is substantial. Thus, large programs are more likely to be selected than small ones; risky programs more likely than safe ones. The extent to which risk is substantial is a matter of auditor judgment. However, the following are examples of factors that add to a program's exposure to risk: o Recently installed and untested computer systems o Past inefficiencies as revealed in previous audits o Ineffective administration or poor results as reflected in reports to supervisory agencies or higher levels of management o Opportunities or incentives for illegal activities o Adverse press reports or tips from employees or other knowledgeable parties o Known deficiencies in financial or performance management systems · Some audit organizations are required either by law or political necessity to perform audits at the request of members of legislative or other governing bodies to which they are responsible. The GAO, for example, reports to Congress and therefore responds to requests, if reasonable, from its members. The audit departments of municipalities may be similarly responsive to suggestions from members of city councils. · Perhaps most important, audit organizations may have to rely on intangible factors to detect programs of high risk. Experienced auditors tend to develop long‐term relations with personnel of the departments that they have examined in the past. Often, they become as knowledgeable of a department's operations as its most senior managers. Further, like streetwise detectives, they develop an intuitive sense as to where the entity hides its skeletons.

Attest Function versus Independent Assessment

· Performance audits differ conceptually from financial audits. In carrying out financial audits, the auditors attest to the fairness of the assertions of management. These assertions are incorporated in the entity's financial statements and for the most part relate to constructs, such as revenues, expenditures, assets, and liabilities, that are well defined and subject to accepted accounting standards of measurement. · In performance audits, the auditors make independent assessments on whether an entity is operating economically and efficiently and is achieving anticipated results. But the constructs to be measured and the standards of measurement, especially those relating to outcomes, are far less clear and precise than for financial audits.

Opinion on the Financial Statements and on the Schedule of Expenditures of Federal Awards

· Auditors may combine in a single report their opinions on the basic financial statements and the schedule of expenditures of federal awards. The section of the report pertaining to the financial statements is that required for any audit conducted in accord with Government Auditing Standards (i.e., one that is not necessarily a single audit). It includes a brief description of the audit work and the standard opinion as to whether the information in the statements is fairly presented. The Schedule of Expenditures of Federal Awards is a listing of total expenditures made by the organization under each federal program from which it received funding. Its main purpose is to enable the federal grantor agencies to coordinate their audit efforts and ensure adequate audit coverage. Per relevant OMB directives, the schedule must identify each program by its number as listed in the Catalog of Federal Domestic Assistance (CFDA). It must include expenditures to be reimbursed both directly from the federal government and indirectly through other governments (i.e., "pass‐through" awards). The schedule should indicate whether programs are major or nonmajor and may include optional information as to matching contributions, the total amount of the program awards, and the time periods that are covered by them. · The auditors' responsibility for this schedule is to ensure that the information presented is materially complete and accurate and that the expenditures are properly categorized. In their report, the auditors should express an opinion on whether the information in the schedule is fairly stated in relation to the basic statements taken as a whole.

(2) Establishing Scope and Purpose

· Auditors must begin their engagement by establishing the scope and purpose of the audit. Because an organization's programs and objectives may be ill defined and overlap, the auditors must delineate specifically the activities and outcomes to be addressed. · Auditors can best establish the scope and purpose of an engagement by taking a preliminary survey, the aim of which is to gain an understanding of the entity's mission, personnel, history, and operating procedures. The survey might include o Interviews with key executives on what they see as the mission of the program and its strengths and weaknesses o A review of the legislation that established the program o A review of other laws, governing board resolutions, contracts, and administrative regulations to which the organization is subject o An examination of reports from previous audits. These audits may have been performed by the same or a different audit organization. The importance of these reports as a source of information cannot be overemphasized. Often, they spell out deficiencies that existed in the past and provide a map that marks out the entity's problem areas o A review of the entity's financial statements, as well as related schedules that indicate the sources and uses of entity resources o A search for literature (such as the GASB studies on service efforts and accomplishments) that sets forth potentially applicable performance measures and standards of economy and efficiency o A review of management controls o A search for newspaper articles, press reports, transcripts of legislative hearings, and other literature that might provide insight into the organization's strengths and weaknesses o Explicit consideration of the organization's vulnerabilities to fraud and mismanagement and the "things that might go wrong"

Continuing Professional Education

· Both the AICPA standards and GAGAS require that auditors be professionally competent. Per GAGAS, this means that they must be knowledgeable of government auditing standards and accounting principles in addition to those of general auditing standards and accounting principles. Auditors who perform government audits must complete at least 80 hours of continuing professional education (CPE) every two years, of which 24 hours must be related directly to the government environment and to government auditing. The requirement for 24 hours of specialized government education goes beyond the CPE standards of both the AICPA and state CPA licensing boards, which make no demands as to specific industry content. The good news for college and university students is that the standard does not apply to interns or other students temporarily employed as part of a college‐or university‐sponsored program. Also exempt are nonsupervisory auditors who charge less than 40 hours of time per year to government engagements.

What levels of standards are applicable to all engagements?

· Chapters 3, 4, and 5 of the Yellow Book set forth standards that are applicable to all three types of engagements. · Ethics · Independence · Continuing Professional Education · Quality Control · Standards for Financial Audits

What unique ethical issues do governmental and not-for-profit accounting and auditing present?

· Determining Right from Wrong · Characteristics of Governments that Justify a Unique Perspective on Ethical Questions · Analyzing Ethical Dilemmas

Determining Right from Wrong

· Discussions of ethics as they apply to accountants are often made more complex—as well as more controversial—by the difficulties of establishing what is right and wrong, what is ethical and unethical. In fact, many issues faced by government accountants and other finance managers are less questions of "ethics" than they are of "values." Values are the principles, standards, and qualities considered desirable or worthwhile and as such are the foundation of ethics. Whereas ethics is concerned with doing the right thing, values define what is the right thing. Inasmuch as values are often established by religion or culture, we typically are reluctant to make judgments regarding the values of others. Accordingly, we often take a legalistic view as to what constitutes unethical behavior, restricting it to violations of laws, policies, or accepted organizational practices or standards rather than extending it to infringements of our own individual systems of values. Consider a wealthy family that spends its fortune exclusively on material possessions. It never donates to charity. Few would accuse the family of acting unethically by choosing to spend its wealth as it sees fit. Yet few would respect such a family or hold its values in high regard. Similarly, and of more relevance to accountants, some believe it is perfectly legitimate to structure a transaction so that it is in accordance with either the letter of the law or GAAP even though it may be in violation of its spirit. Thus, they would be completely comfortable with configuring a borrowing transaction as a lease agreement if doing so would be a legally acceptable means of avoiding debt limitations or voter approvals. Others, by contrast, see the law as the starting, not the ending, point of virtue. They would not countenance the lease transaction as long as it is intended to circumvent what would otherwise be illegal.

What are performance audits?

· Financial audits are intended to ensure that financial statements are fairly presented and that the organization has complied with applicable laws and regulations. Performance audits, by contrast, focus on organizational accomplishments. Inasmuch as the goals of a government or not‐for‐profit are seldom limited to profitability or other financial measures, the auditors may have to assess organizational performance on a wide range of nonfinancial dimensions, each of which relates to an entity's individual objectives. · Performance audits are most commonly carried out by "internal" audit departments—organizations that may be independent of the various agencies or departments that they examine, but not separate from the government or other entity at large. They are not typically required by creditors, regulatory agencies, or other outside parties. Therefore, the accounting profession, other than the GAO, has not developed a detailed set of standards for performance audits comparable to those for financial audits. However, the Yellow Book standards do provide auditors with fundamental guidance on how to carry out performance audits. They also clarify the auditors' responsibility for reporting the views of responsible officials, for reporting on confidential and sensitive information, and for issuing and distributing reports. · The GAO standards for performance audits have had a substantial influence on practice mainly because audit departments have elected voluntarily to adhere to them. These standards are divided into two sections: field work and reporting. In addition, the general standards that apply to financial audits and attestation engagements also apply to performance audits.

Auditor Knowledge: Financial versus Programs

· Financial audits are performed mainly by specialists in accounting—CPAs or others with similar educational and experiential backgrounds. For some engagements, nonaccountants with expertise in areas such as computers, statistical sampling, or specific industries (e.g., jewelry appraisers or geologists) may be brought in as consultants to address certain phases of the examination. They generally play only supporting roles. · Owing to the wider range of evidence that must be examined, performance audits may require more program‐specific knowledge and fewer traditional accounting skills. Thus, the GAO and many other government audit organizations have on their staff economists, engineers, health‐care specialists, and statisticians. At the same time, however, "generalists"—those with MBA degrees or master's degrees in public administration or policy—make valuable additions to an audit team. Often, in fact, the contributions of accountants are not so much their knowledge of accounting per se, but rather their ability to define a problem and resolve it in a logical and orderly manner. As the inspector general of one federal agency put it, "We need broad‐based skills, creative thinking, interpersonal skills, analytic ability, etc., if we're going to be effective in doing performance audits."

Timing: Routine versus Occasional

· Financial audits are typically conducted annually. They are routine elements of an organization's operating cycle. · Performance audits, however, are conducted irregularly. Unlike financial audits, they need not coincide with the issuance of the entity's annual financial statements. · Audit organizations have limited resources and generally cannot afford to expend them on audits of the same programs year after year. Instead, they target programs that will likely yield the greatest benefits (such as cost savings or improvements in results) per dollar of audit cost. Their prime selection criteria are the dollar magnitude of the program and the probability of significant audit findings. Therefore, they may examine large, high‐risk programs with some frequency (perhaps even annually) but small, low‐risk programs only occasionally.

Focus: Organization at Large versus Specific Programs

· Financial statement audits focus on the organization as a whole. An entity's statement of activities (or income statement) and balance sheet summarize virtually every transaction in which the entity has engaged. Auditors do not, of course, verify each of these transactions. Nevertheless, each is within the population from which they draw their samples. · Performance audits are almost always carried out on a specific program or activity, not on the organization in its entirety. Unless the entity is extremely limited in its aims, determining whether the organization as a whole is carrying out its mission is generally infeasible. Imagine attempting to assess the performance of a major university or metropolitan health‐care center. As long as their various programs have different objectives, are targeted toward different segments of the population, and are conducted by different employees, little is accomplished by performing a single, unified assessment of the complete entity. · This is not to say, however, that the particular program or activity cannot affect the entire organization. Thus, a performance audit can focus on organization‐wide safety or environmental programs or on various internal control systems that cut across departmental lines.

Quality Control

· GAGAS requires that audit organizations establish policies and procedures to ensure that they maintain control over quality. The Yellow Book includes standards, backed by specific guidance, to make certain that its personnel satisfy all independence, ethical, and legal requirements, that they are competent to perform government audits, and that there is ongoing monitoring of quality. · Notably, the standards require each audit organization to obtain an external peer review to determine whether its quality control system is suitably designed and is being complied with. Audit organizations affiliated with certain specified organizations, such as the AICPA or the National State Auditors Association, can satisfy this requirement by meeting the standards of that organization. Thus, CPA firms can satisfy this requirement by adhering to the peer review standards of the AICPA. Organizations not already subject to some other peer review requirement must obtain an external review at least once every three years.

Reporting on Compliance and on Internal Control Over Financial Reporting

· The report on compliance and on internal control over financial reporting, like the opinion on the financial statements, is directed toward the basic financial statements rather than the laws and provisions pertaining to federal awards. That is, it focuses on internal controls and on compliance with provisions of laws, regulations, contracts, or grant agreements that have a material effect on the financial statements. It is based on the audit requirements of Government Auditing Standards rather than those of Circular A‐133. · Per Government Auditing Standards, the auditors must issue this report, on internal control and compliance regardless of whether or not they identify internal control deficiencies or instances of noncompliance. They should describe (either in the same report that they express an opinion on the financial statements or in one or more separate reports) the scope of their testing and should indicate whether the tests performed were sufficient to support opinions on the effectiveness of internal control and on compliance.

Characteristics of Governments that Justify a Unique Perspective on Ethical Questions

· Governments (and to a lesser extent many not‐for‐profits) have characteristics that present their employees with ethical decisions different from those faced by employees of businesses. These include the following: o Public expectations. The public holds employees of governments to a higher standard of conduct than those of businesses. Whereas it may accept that private companies—and hence, their employees—act in their own self‐interest, it expects government employees to put the welfare of the public above that of themselves. o Stewards of public funds. Government accountants are guardians of public funds and are accountable to the public on how they use them. Although corporate managers are accountable to stockholders, the public has far more rigorous standards than investors of what constitutes proper use of resources and is far less tolerant of frivolous expenditures. For example, investors may tolerate lavish entertainment, personal use of company jets, and palatial offices as acceptable management perks. The public, however, permits few government officials the same luxuries. o Activities carried out in open view. Virtually all government activities are carried out in broad daylight. Public officials are answerable to the public for almost all their actions. Under federal and state "open records" and "freedom of information" statutes, relatively few types of documents, not even internal memos and correspondence, are immune from public scrutiny. "No comment—that's proprietary information," in response to a reporter's question may be acceptable from corporate executives, but it is seldom countenanced from government officials. o Special powers. Governments have powers that businesses do not. For example, they may compel citizens to reveal to them personal information, such as earnings and holdings of personal property. Moreover, many citizens see as legitimate requests for data from government officials that they would view with suspicion if they came from private businesses. Therefore, government officials have a particular obligation to maintain the confidentiality of information that is not in the public domain and not to exceed the limits of their authority in their dealings with the public. o Conflicting loyalties. Government workers are not only government employees but also citizens to whom the government is accountable. Government decisions may be made in a highly charged political atmosphere and may involve the most basic of human values. The government may be led by officials of a political party different from that of an individual employee. Hence, individual employees may be faced with a conflict between loyalty to their organization and their superiors and to their own political and moral values.

(3) Discerning the Objectives of the Programs

· If the objectives of a program are clearly spelled out, are outcome oriented, and are both quantifiable and measurable, then the program is readily auditable. The auditors have either to measure the outcomes themselves or to verify the measurements of management or others. · Well‐defined operational objectives are central to sound management. Yet auditors cannot always expect managers to have established a clear statement—written or even oral—as to the intended outcomes of their programs. The absence of clearly articulated objectives should itself be a reportable audit finding. Nevertheless, if a program is to be audited for performance, then the auditors may themselves have to discern its objectives. Auditors can take several steps to determine a program's objectives: o Examine the legislation that created the program or authorized funds for it; governing bodies can greatly facilitate audits by explicitly incorporating program objectives into their authorization or appropriation measures, but often they do not. o Study the "legislative history" of the program, including committee reports, various versions of the authorization bills as they passed through the legislative process, statements of the bills' sponsors, and transcripts of committee and floor debates. o Review budgets, especially if they are in a program format. o Read internal performance reports and memos. o Interview program managers and other key personnel.

How has the yellow book influenced governmental and not-for-profit auditing?

· In 1972, the GAO issued the first edition of Government Auditing Standards (Standards for Audit of Governmental Organizations, Programs, Activities, and Functions), commonly referred to (because of the color of its cover) as the Yellow Book. The GAO is headed by the Comptroller General of the United States, who is appointed by the president, with the advice and consent of the Senate, for a term of 15 years. The GAO audits many, but not all, of the federal government's departments and agencies. Other departments and agencies are audited by independent Certified Public Accountant (CPA) firms. · Government Auditing Standards was issued to elevate the practice of auditing by both federal agencies and state and local governments. The GAO has no direct authority over state and local governments, but by publishing—and publicizing—the standards, it exerts its influence through the force of persuasion and example. · Federal legislation now requires that the inspectors general (the chief auditors) of all federal agencies apply the Yellow Book to their own audits. In addition, they must also ensure that all audits for which they are responsible, mainly those of entities to which their agencies provide funds, satisfy the GAO standards. Thus, if a federal department were to make an award to a state or local government or to a not‐for‐profit organization, then that organization's auditors, even if an independent CPA firm, must adhere to the GAO standards. o inspectors general § The heads of the internal audit departments of federal agencies. The GAO standards constitute "generally accepted government auditing standards," commonly referred to as GAGAS. GAGAS—that is, the Yellow Book—incorporates, by reference, many of the auditing standards applicable to financial audits established by the American Institute of Certified Public Accountants (AICPA). The GAO revises the Yellow Book every several years. The most recent version was issued in July 2018. Whereas the original 1972 edition was a mere 54 pages, the current edition is 4½ times as long. · Until 2002, the AICPA had primary responsibility for promulgating the audit standards that had to be followed by all CPAs. However, owing to accounting scandals involving Enron and numerous other major corporations, Congress (through the Sarbanes-Oxley bill) created the Public Company Accounting Oversight Board (PCAOB) to which it assigned the authority to establish auditing standards for public corporations (i.e., those corporations the shares of which are publicly traded). · The International Auditing and Assurance Standards Board (IAASB) also establishes auditing standards that have been adopted by many countries (although not the United States). Per the most recent edition of the Yellow Book, the standards of both the PCAOB and the IAASB may now be used "in conjunction with GAGAS."

Manner of Conducting

· In light of the dissimilarities among programs, each performance audit is unique. Consequently, no generic audit program can readily be tailored to specific engagements. Therefore, the following discussion is necessarily general and may not be applicable to all types of performance audits · Selecting the Audit Target · Establishing Scope and Purpose · Discerning the Objectives of the Programs · Scheduling Disbursements or Other Populations · Assessing Management Controls · Preparing a Written Audit Plan · Gathering Evidence · Reporting the Results of the Audit

How have the Single Audit Act and other pronouncements influenced auditing?

· In the 1960s, the federal government greatly increased the number, funding, and complexity of its assistance programs. These programs, which were directed to a wide range of activities including education, health and welfare, job training, and transportation, were typically funded by the federal government but administered by the states. However, the federal agencies in charge of the programs were responsible for auditing them. · As a result of congressional disclosures of severe deficiencies in federal audit practices, the Office of Management and Budget (OMB) urged that federal agencies rely more on CPA firms and other independent auditors than on their own "in‐house" auditors. Nevertheless, federal agencies were interested mainly in whether grant recipients complied with the applicable laws, regulations, and grant provisions. Independent auditors, adhering to then‐current standards, focused on financial statements and thereby did not provide the compliance assurances needed by the agencies. Hence, the agencies continued to perform their own audits. · Further, many grant recipients, especially local governments, received funds from several federal agencies and were subject to audits from each. Although each audit team directed its attention primarily to the grants from its own agency, they all had to review common books and records, accounting systems, and internal controls. The result was both costly duplication of audit effort and inadequate audit coverage of the entity as a whole. · In 1979, the OMB issued a directive calling for organization‐wide single audits to be performed by CPAs or other independent auditors. The directive did not preclude federal agencies from conducting their own examinations but instructed them to build on the independent audits. o single audit § An audit by a single audit organization intended to meet the needs of more than one regulatory agency or funds provider; an audit performed in accordance with the Single Audit Act and supporting Office of Management and Budget (OMB) circulars. · To give legislative sanction to the directive, Congress enacted the Single Audit Act of 1984. Amended in 1996 to make it easier to administer and supplemented by periodic updates of OMB regulations, the act now applies to both direct and indirect recipients of federal assistance and requires that organizations expending more than $750,000 in federal assistance under more than one program be subject to a single audit. · The objectives of a single audit are to ensure that: o The financial statements of the entity as a whole can be relied on o The entity is adhering to the common set of federal laws and regulations that apply to all recipients of federal aid o The entity is satisfying the laws, regulations, and provisions that apply to each specific federal award · Whereas prior to the act a recipient of federal funds had to submit audit reports to each agency from which it received funds, now a recipient has to deal with only a single agency. That agency, referred to as the cognizant agency, is responsible for ensuring that all audit standards are met and for coordinating the special audit requirements of each of the individual agencies providing funds. The cognizant agency is typically the agency that provides the greatest portion of federal funds to the recipient. · The Single Audit Act specifies that single audits be conducted in accord with the GAO's Government Auditing Standards. However, it requires that federal recipients be subject only to financial audits, not to performance audits. Therefore, the sections of Government Auditing Standards on performance audits need not be applied. · To provide additional guidance on single and other government‐related audits, the AICPA issued Statement on Auditing Standards (SAS) No. 74, Compliance Auditing Considerations in Audits of Governmental Entities and Other Recipients of Governmental Financial Assistance. By issuing this statement, the AICPA established that CPAs who conduct audits of financial assistance but fail to meet the federal audit requirements also fail to adhere to AICPA standards. More recently (2009), it issued SAS 117, Compliance Audits, as well as numerous practice aids.

(5) Assessing Management Controls

· It is no less important for auditors to obtain an understanding of relevant internal controls as part of a performance audit than it is as part of a financial audit. Relevant controls are those that encompass the policies and procedures intended to ensure that: o Programs meet their objectives o The data regarding the programs are valid and reliable o The organization has complied with all laws, regulations, and contractual provisions o Resources are properly safeguarded · The specific controls to be assessed and the means of reviewing them will depend on the objectives of the audit and the nature of the program. Controls that ensure that a program meets its objectives may be of a different type from those intended to safeguard assets or ensure compliance. In general, however, the procedures that auditors follow to gain an understanding of financial controls are equally applicable to the other types of controls. They include: o Making inquiries of employees o Flowcharting appropriate systems o Reviewing and inspecting policy manuals and other documents o Preparing and administering questionnaires

Key Procedures

· Once the auditors have identified the major programs, their audit procedures follow a pattern similar in many respects to that of a financial engagement. Identify the applicable compliance requirements. Compliance requirements include those that are specific to the program itself and those that are applicable to all federal awards. The compliance supplement to OMB Circular A‐133 as revised in 2020 describes 12 types of requirements that apply to all federal awards. o Tests for compliance with these general requirements may seem far afield from conventional audit procedures. In practice, however, auditors are not expected to assume the role of detectives or law‐enforcement investigators, and their tests may be comparable to those used to assess internal and administrative controls. For example, with regard to a proscribed activity such as political lobbying, auditors might examine personnel and payroll records to identify employees whose responsibilities or activities include partisan political activity. They would then review the accounts to make certain that neither the salaries of these employees nor related costs were improperly charged to a federally assisted program. The specific compliance requirements are set forth in the rules and regulations of each federal program or contract. In general, they relate to matters such as: § The individuals or groups that are eligible to participate in the program or to receive financial assistance § The types of goods or services that may be acquired § The percentage of its own funds that an entity must contribute to a program § Any special reports that the organization must submit to the sponsoring agency § sponsoring agency o Plan the engagement. The auditors must develop a strategy to understand the events, transactions, and practices that will have a significant impact on compliance and to ensure that their tests of transactions and other procedures are sufficient to detect material noncompliance. In planning their engagement, auditors must give paramount consideration to the various risks associated with an audit. These include: § Inherent risk. The risk that material noncompliance could occur assuming that no internal controls have been established to prevent it § Control risk. The risk that material noncompliance that could occur would not be prevented by the entity's internal controls § Fraud risk. The risk that intentional material noncompliance could occur § Detection risk. The risk that the auditors will be unable to detect noncompliance that does occur o Assess the internal control structure related to compliance requirements. Circular A‐133 explicitly requires the auditor to assess, test, and report on the controls over compliance requirements. The auditor's tests of the controls should be adequate to ensure a low level of control risk (e.g., the risk that the internal controls fail to prevent noncompliance). o Obtain sufficient evidence. Auditors must test transactions and perform other audit procedures to determine whether the entity has complied with relevant requirements. The compliance supplement suggests several audit procedures that can form the basis of an audit program. However, every entity is unique, and, therefore, the tests must be custom‐tailored to the engagement at hand. Needless to say, auditors are not expected to test every transaction. They must rely on the same type of statistical sampling techniques that they do in conventional financial audits. o Consider subsequent events. Auditors must take into account relevant information that comes to their attention after the end of the audit period but before they issue their report. This information is typically contained in reports of regulatory agencies or other auditors that identify instances of noncompliance. o Evaluate and report on noncompliance. Having detected instances of noncompliance (referred to as "findings"), auditors must assess how (and to whom) they will report the violations and how the instances of noncompliance will influence the opinions that they must express. Compliance violations may require that the entity return funds to the granting agencies and may result in fines and other financial penalties. Hence, they are likely to have an impact on the auditors' opinion not only on compliance but also on the financial statements. o Perform follow‐up procedures. Circular A‐133 requires auditors to follow up on findings and recommendations from both their current audit and previous audits (even if by other auditors). Correspondingly, it requires the auditee to develop a plan for appropriate corrective actions. To follow up on audit findings and recommendations, auditors should discuss with management the measures they have taken, review decisions of the federal agencies with respect to actions they have taken, and test transactions of the type that previously resulted in noncompliance. · These procedures are by no means discrete; they are intertwined. The auditors' study of the entity's internal controls, for example, strongly influences their assessment of risks and thereby affects the extent of testing. At the same time, however, the results of transaction tests bear heavily on the auditors' evaluation of internal controls.

What types of audits do governments conduct?

· The 2018 edition of Government Auditing Standards divides government audits into three categories: financial audits; attestation engagements and reviews of financial statements; and performance audits. · Financial audits determine whether an entity's financial statements are presented fairly in accordance with generally accepted accounting principles (GAAP). They typically provide users with an opinion on whether the entity's financial statements are fairly presented. They may also have related objectives, such as ensuring that the entity has complied with laws and regulations that may have a material effect on the financial statements, providing special reports on selected accounts or items of a financial statement, issuing letters for underwriters or other parties, and reviewing internal control systems. · Attestation engagements cover a broad range of financial or nonfinancial objectives depending on the needs of the intended audience. Unlike financial statement audits which ensure that the statements are in accord with generally accepted accounting standards, attestation engagements measure or evaluate whether assertions adhere to suitable criteria. Attestation engagements include: "examinations"—engagements in which the level of assurance provided by the auditors is the same as that in a financial statement audit—as well as "reviews" and "agreed‐upon procedures" in which the auditors provide lesser degrees of assurance. The subject matter of these engagements may include the following: o Historical or projective financial information or specific performance measures o Physical characteristics, such as square footage of facilities o Analyses, such as break‐even analyses o Systems and processes, including internal controls o Compliance with laws, regulations, and policies · Performance audits, which in the private sector are often referred to as operational audits, may be intended to achieve a variety of different purposes. These include the following: o Measuring the extent to which a program is achieving its goals and objectives and determining whether the entity is using its resources in the most effective and economical manner o Determining whether an organization's internal controls are effective in relation to management's goals and objectives o Verifying that the organization is complying with the terms of laws, grants, and contracts in that its programs are serving the appropriate population and delivering the intended services o Analyzing assumptions about events that may occur in the future and identifying actions that may be taken in response to future events

Reporting the Results of the Audit

· The GAO reporting standards specify that auditors should prepare timely written reports of each engagement. Auditors' reports on financial statement engagements generally constitute several standardized paragraphs in which the auditors explain the scope and nature of their engagement and attest to information included in the statements. Those on performance audits, however, set forth data and findings as generated by the auditors, not merely the auditors' opinion on the assertions of others. Therefore, the auditors' reports are often 50-100 pages long. · Per the GAO standards, the reports should include: o An explanation of the audit's objectives and of its scope and methodology. o The significant auditing findings and the auditors' conclusions. The findings should relate to the objectives of the engagement. The report should indicate not only the quantitative measures of performance but also, if the program did not meet expectations, the reasons why. It should back any general assertions with specific examples. As noted by the GAO, -Report conclusions are logical inferences about the program based on the auditors' findings, not merely a summary of the findings. The strength of the auditors' conclusions depends on the persuasiveness of the evidence supporting the findings and the soundness of the logic used to formulate the conclusions. Conclusions are more compelling if they lead to recommendations and convince a knowledgeable user of the report that action is necessary. o Recommendations as to how to correct problems and improve operations. To be most useful, audits should be as much concerned with the future as with the past. They should be at least as constructive as they are critical. o An indication of all significant instances of illegal acts or noncompliance with regulations and contractual provisions. o A description of any significant deficiencies in management controls. · The GAO standards also require that the auditors include in the report the views of officials responsible for the program as to the auditors' conclusions and recommendations. To enable them to comment, the auditors should present the officials with a preliminary version of the report and solicit their written response as to why they agree or disagree with the report and what corrective measures, if any, they plan. · If the auditors agree that the objections of the officials are valid, then they can modify their report before issuing a final version. However, if the auditors do not believe that the officials' concerns are legitimate, they can include in their report their reasons why they believe they are invalid and, in effect, have the last word. · Per the GAO standards, reports on governmental performance audits, like those on governmental financial audits, should be made public, unless their distribution is limited by law or regulation. Some government agencies, such as the GAO, now promote wide distribution of their reports by making them available on the Internet. · Although it is difficult to predict the future of accounting and auditing, it is almost certain that performance auditing will play an increasingly prominent role. As both governments and not‐for‐profits place greater emphasis on achieving their objectives, it is inevitable that increasing attention will be paid to reports as to the extent that they accomplished what was expected of them.

Identifying Major Programs: A Risk-Based Approach

· The Single Audit Act distinguishes between major and nonmajor programs and requires a substantially higher level of auditing of major programs. Circular A‐133 directs that in distinguishing between major and nonmajor programs, auditors focus on potential losses owing to noncompliance. As a general rule, major programs are those that make up a relatively large proportion of the total federal awards received by an entity and for which there is a high risk of noncompliance. · To determine whether a program is relatively large, the auditor must apply a sliding scale based on the percentage that federal funds received by the program bears to total federal funds received by the entire entity. For example, if an entity receives $100 million in federal awards, then any program on which it expends more than $3 million (3 percent of the total) would be considered large. On the other hand, if it receives $20 billion in federal awards, then only programs on which it expends more than $30 million (0.15 percent of the total) would be considered large. · To determine whether a program is high risk, auditors must exercise professional judgment. Examples of factors that would point to a high risk of noncompliance include: o Weakness in internal controls over federal programs, taking into account competence and experience of personnel, systems for recording transactions, and effectiveness of management oversight o Significant portions of federal funds being passed through to subrecipients without effective systems of monitoring whether subrecipients comply with applicable laws and grant requirements o Newly installed computer systems that have not been adequately tested o Absence of recent audits o Complex compliance requirements o Relatively new program · OMB Circular A‐133 provides a detailed set of guidelines on how size and risk must be combined to establish whether a program is major and thereby subject to comprehensive auditing.

Independence

· The Yellow Book is especially concerned with issues of independence that are unique to governments. Consistent with the AICPA standards, it underscores that auditors must be independent of the audited entity in both mind and in appearance. Going beyond the AICPA standards, it also establishes a conceptual framework as to how auditors should identify, evaluate, and apply safeguards to address threats to independence. Per the framework, they should o identify threats to independence; o evaluate the significance of the threats identified, both individually and in the aggregate; o apply safeguards to eliminate the threats or reduce them to an acceptable level. · Threats to independence can take many forms. Like those facing auditors of businesses or not‐for‐profit organizations, they can be the result of the auditor having personal relationships with management, participating in managerial decisions, having financial interests in the outcome of the audit, or providing nonaudit services. But government auditors also face threats that are not typical of those facing business auditors. · In the private sector, auditors cannot be considered independent if employed by the entity they are to audit. However, most government audit agencies are part of the government that they have been established to audit. To ensure that a government audit agency is nevertheless viewed as being independent, the GAO requires it be from a different branch (e.g., legislative, executive) of the government than the particular units that it is to examine or from a different level of government (e.g., a federal auditor may audit a state program). Moreover, even when there are "structural" threats to independence, they may be mitigated by safeguards such as the auditor being directly elected by the jurisdiction's voters or by being elected or appointed by, and subject to removal by, a legislative body.

Evidence: Well-Delineated versus Broad

· The evidence examined in financial audits is relatively well delineated and limited to a few major categories. These include the following: o Books and records that are created by the organization itself, such as journals and ledgers, schedules, canceled checks, purchase orders, and receiving reports o Documents prepared by outside parties, such as invoices, contracts, and notes o Physical assets, such as inventories and capital assets o Letters of confirmation or assurance from creditors, debtors, banks, and attorneys · Performance audits are characterized by a broader range of evidence, much of which may be engagement specific. Depending on the objectives of a program, the auditors may have to review—in addition to financial data—economic and demographic statistics, engineering reports, and medical records.

(7) Gathering Evidence

· The overall objectives of performance audits are typically twofold: to provide information on the extent to which a program achieved its objectives and to explain the reasons for its successes or failures (in addition, of course, to making recommendations as to how the program can be improved). · In gathering evidence on program outcomes, auditors must either make their own observations and measurements or rely on those of others—that is, either the auditee or third parties. If they intend to rely on those of others, then they must either test the data or ensure their reliability by other means. · The specific evidence to be gathered stems directly from the program's objectives. For example, if the objective of a computer‐training program were to obtain employment for participants, then the auditors would need to obtain appropriate placement data. If it were to improve high school graduation rates, then they would require data on the percentage of students graduating. · The reasons why a program failed to achieve its objectives can generally be attributed to one of three fundamental causes. Taken together, the three imply the auditors' approach to identifying a program's shortcomings: o Shortcoming: The program's policies and procedures were poorly designed and, therefore, even if properly executed, would not lead to success. § Auditor approach: The auditors should examine the policies and procedures, including controls, noting any logical or conceptual flaws. o Shortcoming: The program's policies and procedures (including those for supervision and review), although properly designed, were not properly executed. § Auditor approach: The auditors should test the policies and procedures to gauge the extent to which they were being followed. o Shortcoming: The program was inherently flawed owing to incorrect assumptions or failure to take into account significant factors that would affect its success. For example, a computer‐training program may have been based on the assumption that if participants learned certain skills, they would be able to find employment. In fact, there may be no demand for those skills in the community served. Hence, even if the policies and procedures were properly executed, the program was destined to be unsuccessful. § Auditor approach: The auditors should identify the conditions that would have been necessary for its success and assess whether they were satisfied. · In obtaining and assessing evidence, auditors must document their procedures and findings. By the time the audit is completed, every assertion in the auditors' report should be backed by working papers setting forth the underlying evidence. Auditors should always assume that any unfavorable determinations will be challenged by the managers accountable for them. Therefore, they must be certain their working papers, when subjected to the most rigorous (and hostile) of analysis, can withstand assault.

Reporting on Compliance with Requirements of Major Programs

· The report on compliance with major program requirements, along with the schedule of findings and questioned costs, is the centerpiece of the Circular A‐133 provisions. In this report, the auditors should state that they have audited the entity's compliance with the requirements that are applicable to each of its major programs and explain briefly the nature of their examination. They should then express an opinion on whether the auditee complied "in all material respects" with those requirements. They should define what is meant by "significant deficiencies," and if the auditors detected any, they should indicate whether they were material. They should then refer the reader to the schedule of findings and questioned costs in which these deficiencies would be described.

Schedule of Findings and Questioned Costs

· The schedule of findings and questioned costs is perhaps the most distinctive—and often the most informative—of the auditors' reports. In the first section of this report, the auditors should first summarize the results of their audit. They should indicate, for example, the type of opinions (e.g., qualified, adverse) they expressed on the financial statements and on compliance with major programs and whether the audit disclosed material weaknesses in internal control. · In the second section, the auditors should describe in detail any significant deficiencies relating to the financial statements. These would include weaknesses in internal controls, material violations of the provisions of contract or grant agreements, and instances of fraud and illegal acts. In presenting this information, however, the auditors must put it into perspective, noting, for example, the number of questioned transactions and their dollar value in relation to the entire universe of transactions. · In the third section, the auditors should set forth their findings pertaining to the major programs. These include: o Significant deficiencies in internal control o Material noncompliance with provisions of laws, regulations, contracts, or grant agreements o Known questioned costs that are above a specified amount (currently $25,000) o The circumstances as to why the auditors' report on compliance is other than unqualified o Instances of known fraud · The report should be forward‐looking in that it should be in sufficient detail to allow the audited entity to prepare a plan of corrective action. It should also include the auditors' recommendations on how the violations could be prevented in the future.

Waste and abuse

· The standards for financial audits and attest engagements supplement those of the AICPA. They incorporate, by reference, the AICPA standards and make clear that government auditors must adhere to those standards. · At the same time, however, they recognize that, owing to the nature of the transactions in which governments engage and the interest of their constituents, government auditors must take a broader view of accountability than do their private sector counterparts. Thus, the Yellow Book encourages auditors to expand the traditional boundaries of their reviews of internal control to encompass deficiencies that result in waste or abuse. While the standards do not require that auditors perform specific procedures to detect waste or abuse, they say that they may do so and "may consider whether and how to communicate such matters if they become aware of them." · The Yellow book defines waste as "the act of using or expending resources carelessly, extravagantly, or to no purpose," even if they do not necessarily involve a violation of law. Thus, making unnecessarily expensive travel arrangements might be considered an example of waste. · Abuse, by contrast, is "behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practices." Abuse would include practices such as creating unneeded overtime, requesting staff to perform personal services, and misusing an official position for personal gain.

Compliance and internal controls

· The standards relating to financial audits are generally more rigorous with respect to both compliance and internal control than those of the AICPA. Both the AICPA and the GAO standards require auditors to design their financial engagements to provide "reasonable assurance" of detecting fraud and material misstatements resulting from illegal acts or similar irregularities, such as intentional omissions or fabrications. But because governments and not‐for‐profits are typically more directly accountable than businesses to the parties from which they receive grants or have contracts, the GAO standards also require auditors to design their audits to provide reasonable assurance of detecting noncompliance with the terms of both grants and contracts. · The AICPA standards of reporting require that auditors evaluate internal controls and communicate in writing to management significant deficiencies and material weaknesses. The GAO standards go further. In light of the importance governments place on both compliance and internal controls, the GAO stipulates that auditors must explicitly describe (either in their reports on the financial statements or in separate reports) the scope of their compliance and internal control testing. They must also indicate any irregularities, illegal acts, and other instances of material noncompliance that they found. To put the violations in perspective, the auditors should also indicate the number of infractions and their dollar amount. The GAO has issued Standards for Internal Control, better known as the Green Book, that provides a framework for establishing and maintaining an effective internal control system.

(6) Preparing a Written Audit Plan

· To satisfy the standard that work be adequately planned, auditors must prepare a written plan (i.e., an audit program) that sets forth audit goals, procedures, staff assignments, and anticipated reports. Based on the preliminary survey, review of controls, and other beginning steps, the plan should always be seen as tentative, subject to change as additional insights into the entity are obtained during the evidence‐gathering process.

Standards for Financial Audits

· Waste and abuse · Compliance and internal controls · Public availability

Introduction

· Whereas in the development of financial auditing standards and practices the independent public accounting profession has played the leadership role, in the areas of reporting on compliance and assessing performance, the government and not‐for‐profit sectors have been at the forefront of progress. The advances in compliance and performance auditing can be attributed mainly to the federal government, especially to the leadership of the Government Accountability Office (GAO) and the requirements of the Single Audit Act. The federal government provides financial assistance, either directly or indirectly through the states, to almost all general‐purpose local governments, most colleges and universities, and a substantial portion of not‐for‐profit entities. As a condition of awarding financial assistance, it requires that the entities submit financial statements that are audited in accord with federally specified standards. The federal government is thereby able to influence the auditing standards applicable to entities as disparate as major state governments and small‐town soup kitchens. In addition, inasmuch as the internal audit departments of more progressive corporations began to focus on performance audits as early as the 1960s, the Institute of Internal Auditors, the professional association of internal auditors, has also made substantial contributions to promoting performance auditing and to developing appropriate concepts and practices.

Ethics

· With respect to ethics, the Yellow Book standards are generally comparable to those of the AICPA. Like those of the AICPA, they emphasize that the work of auditors must be guided by principles of public interest, integrity, objectivity, and professional behavior. They add, however, that the government auditor must also be concerned with the proper use of government information, resources, and positions. This principle implies that government auditors must be mindful that many government programs are subject to laws and regulations that limit disclosure of sensitive, classified, or similar types of information.