OMB Circular A-133 Rules To The Game

1

• OMB Circular A-133Rules To The Game
• Audits of States, Local Governments
• and UniversitiesPresented by Alicia Foster,
  Graylin Smith and Donna Dancy for Governors
  Grants Office

Governors Grants Office
2
Presenters

• Alicia Foster, Audit Director
• Abrams, Foster, Noles Williams, PA
• 410-433-6830
• Graylin Smith, Managing Partner
• SB Company
• 410-584-1401

3
Presenters

• Donna Dancy
• Director, Internal Audit Services
• Maryland Department of the Environment
• 410-537-3429

4
Presentation Objectives

• Recap OMB A-133 Circular Overview - Donna Dancy
• Clarify why we care about OMB A-133 compliance
  Donna Dancy
• Define key terms and roles responsibilities
  Donna Dancy

5
Presentation Objectives

• Explain internal controls reviewed during the
• A-133 audit and the internal control
  questionnaire - Graylin Smith
• Purpose, Process, Outcomes An Auditors
  Prospective - Alicia Foster

6
LETS RECAP
7
Recap A-133 Overview

• Single Audit Act was enacted in 1984
• Annual audit required for Non-Federal Entities
  that receive Federal funds
• Shows the whole picture

8
Recap A-133 Overview

• Single Audit is two-fold - Financial and
  Compliance
• Uses a risk-based audit approach
• Cost effective way to obtain audits
• because one audit is conducted instead
• of multiple audits of individual programs

9
Recap A-133 Overview

• OMB Circular A-133 was issued in 1990
• Extended Single Audit process to universities and
  non-profits
• Set standards for consistency and uniformity for
  audits. Provided specific policy, procedures and
  criteria

10
Federal Circulars
Grantee Type Administrative Requirements Cost Principles Audit Requirements
State Local Governments A-102 A-87 A-133
Educational Institutions A-110 A-21 A-133
Non-Profit Organizations A-110 A-122 A-133
11
Where to Find the Rules

• OMB Circular A-133 - http//www.whitehouse.gov/omb
  /circulars/
• a133/a133.html
• Single Audit Act - http//thomas.loc.gov/cgi-bin/q
  uery/ z?c104S.1579.ENR
• CFR - http//gpoaccess.gov/cfr/index.html

12
A-133 COMPLIANCEWHYDO WE CARE?
13
A-133 Compliance WHY . . . Do We Care?

• Findings are reported to Federal government and
  become public
• record, distributed to all Federal
• Agencies through a clearing house.
• Federal and Non-Federal sponsors look at
• A-133 as a report card of how we spend their
  money.

14
A-133 Compliance WHY . . . Do We Care?

• It strengthens the relationship of trust
• that exists between the sponsor and recipient
• It suggests a presence of the stewardship
  necessary to properly safeguard the Federal
  Governments investment in programs

15
A-133 Compliance WHY . . . Do We Care?

• Negative publicity, may cause harm
• to reputation and prestige
• May cost millions in payback
• Loss of Federal expanded authorities, additional
  oversight burden

16
What Does Compliance Mean?

• Effective management of public funds to maximize
  outcomes
• The avoidance of fraud, mismanagement, and poor
  management of Federal funds
• Adherence to laws, rules and regulations
• Check and balances - internal controls
• Stewardship of Federal funds

17
Compliance Pitfalls

• Delinquent financial reporting
• Inaccurate effort reporting/improper allocation
  of staff time
• Inadequate subrecepient monitoring

• Misuse of funds
• Unallowable costs
• Misallocation of costs
• Excessive cost transfers

18
Why We Have Problems With Compliance

• Lack of understanding by staff of
• roles and responsibilities
• Inadequate resources
• Incomplete, outdated or nonexistent
• policies and procedures
• Inadequate staff training and education

19
Why We Have Problems With Compliance

• Inadequate systems
• Lack of documentation and audit
• trail to support claimed expenses
• Perception that internal control systems are not
  necessary

20
Compliance - Back to the Basics

• Do the right thingfrom the start!!!
• Keep policies current with Federal
• requirements
• Perform risk assessments and implement
• adequate internal controls

21
Compliance - Back to the Basics

• Develop a continuing training program
• Monitor first, audit second
• COMMUNICATE, COMMUNICATE, COMMUNICATE!!!
• with employees and Federal
  agency.
• DOCUMENT, DOCUMENT, DOCUMENT!!!
• Always remember, if you didnt write it down, it
  didnt happen.

22
KEY DEFINITIONS
23
Terms You Should Know

• Assistance
• Procurement
• Award
• Sub-Award
• Grant
• Cooperative Agreement
• Contract

• Pass-Through Entity
• Recipient
• Sub-recipient
• Vendor
• Direct Costs
• Indirect Costs
• Internal Control

24
Assistance vs. Procurement

• Financial Assistance Provides support or
  stimulation to accomplish a public purpose.
  Award can be a grant or cooperative agreement.
• Procurement Purchase of goods and services to
  accomplish a government purpose services can
  include research. Award is a contract.

25
Definition of Award

• Financial assistance that provides support to
  accomplish a public purpose.
• Includes grants and other agreements
• in the form of money or property in
• lieu of money by the Federal
• Government

26
Awards Do Not Include

• Technical assistance
• Loans, loan guarantees, interest subsidies,
  insurance
• Direct payments of any kind to individuals
• Contracts, which are required to be entered into
  and administered under procurement laws and
  regulations

27
Definition of Subaward

• Financial assistance made by a
• recipient to an eligible subrecipient
• Includes any financial assistance when provided
  by legal agreement, even if the agreement is
  called a contract
• Does not include the purchase of goods and
  services

28
Definition of Grant

• Purpose is to transfer money, property,
• services or anything of value to recipient in
• order to accomplish a public purpose.
• No substantial involvement is
• anticipated between government
• and recipient during performance
• of activity.

29
Definition of Cooperative Agreement

• Purpose is to transfer money, property, services
  or anything of value to recipient in order to
  accomplish a public purpose.
• Substantial involvement is anticipated
• between government and recipient
• during performance of activity.

30
Definition of Contract

• Primary purpose is to acquire property or
  services for direct benefit or use of the
• Federal Government.
• Government determines whether
• procurement contract is appropriate.
• Allowable activities based on terms and
  conditions of contract
• Governed by terms of the contract and State law

31
Definition of Pass-Through Entity

• A Non-Federal Entity that provides a Federal
  award to a subrecipient to carry out a Federal
  program

32
Definition of Recipient

• Organization receiving financial assistance from
  a Federal Agency to carry out a project or
  program
• Term may include commercial, foreign or
  international organizations which are recipients
  and subrecipients

33
Subrecipient Versus Vendor

• Subrecipent
• A Non-Federal Entity that expends Federal awards
  received from a pass-through entity to carry out
  a Federal program
• Has performance measured against whether the
  objectives of a Federal program are met

34
Subrecipient Versus Vendor

• Subrecipient
• Has responsibilities for programmatic decisions
• Is responsible for complying with Federal program
  requirements
• Uses Federal funds to carry out a program as
  compared to providing goods or services for a
  program

35
Subrecipient Versus Vendor

• Vendor
• Provides goods and services within normal
  business operations
• Operates in a competitive environment
• Provides similar goods or services to
• many different purchasers

36
Subrecipient Versus Vendor

• Vendor
• Retains no rights to intellectual property
• Provides the goods or services that are required
  for the conduct of a Federal program but are
  ancillary to the operation of the Federal program
• Is not subject to compliance requirements of the
  Federal program

37
Direct Versus Indirect Costs

• Direct Costs
• Can be identified with a specific project or
  activity relatively easily with a high degree of
  accuracy
• Direct Salaries Wages
• Materials Supplies
• Consultants Subcontractors

38
Direct Versus Indirect Cost

• Indirect Costs
• Referred to as Facilities Administrative costs
• Indirect costs are those that are incurred for
  common or joint objectives and therefore cannot
  be identified readily and specifically with a
  particular project or activity
• Fringe Benefits
• Overhead
• G A

39
Internal Control

• A process designed to provide reasonable
• assurance of achieving the following
• Effective and efficient operations
• Reliable financial reporting
• Compliance with laws, rules, regulations and
  guidelines

40
Roles and Responsibilities

• The Players
• Principal Investigator (PI)/Project Manager
• Department/Unit Administrator
• Department Chair/Program Manager
• Dean/Division Director
• Central/Grant Administration

41
Roles and Responsibilities

• PI/Project Manager
• Awareness of requirements
• Monitor and oversight of day-to-day
• aspects of the project
• Prepare required progress reports

42
Roles and Responsibilities

• PI/Project Manager
• Authorize all project expenditures and payments
  to consultants and subcontractors
• Adhere to terms and conditions of award
• Retain project data and materials as required

43
Roles and Responsibilities

• Department/Unit Administrator
• Provide administrative support to the
• project
• Assist in complying with award terms
• and conditions, regulations and policies
• Monitor expenditures of award funds, obtain
  necessary authorized signatures

44
Roles and Responsibilities

• Department/Unit Administrator
• Coordinate with Central/Grant Administration on
  reporting
• Assist Central/Grant Administration
• with closeout and audit activities

45
Roles and Responsibilities

• Department Head/Program Manager
• Overall administrative and financial operation of
  the department/program
• Oversight of all project activity and
• staff other resources

46
Roles and Responsibilities

• Dean/Division Director
• Management support, sets tone at top,
• broad oversight of projects/programs
• Provide divisional/unit concurrence in
  negotiation and acceptance of awards
• Provide divisional/unit oversight for compliance
  with regulatory requirements

47
Roles and Responsibilities

• Central/Grant Administration
• Management of all aspects of an
• award throughout its life cycle from
• pre-award through closeout activities.
• Liaison with Federal Agencies
• Assistance in locating funding opportunities
• Negotiation and acceptance of awards

48
Roles and Responsibilities

• Central/Grant Administration
• Prepare billings, financial reports
• and other electronic submittals
• Maintain time reporting and grant accounting
  system
• Provide advise on financial matters
• Coordinate A-133 and other audits

49
INTERNAL CONTROLS REVIEWED/INTERNAL CONTROL
QUESTIONNAIRE
50
Single Audit Test of Controls is Built On
Foundation of Government Audit
51
OMB Compliance Supplement (Part 6) Follows the
COSO Model of Internal

• Controls
• Control Environment
• Risk Assessment
• Control Activities
• Information and communications
• Monitoring

52
COSO Committee of Sponsoring Organizations of
the Treadway Commission

• Report on how to look at controls, assess risk
  and the limitations of controls
• Widely used as a framework to understand controls
  but is not the only one
• Framework
• - Definitions - Monitoring
• - Control environment - Limitation of
  internal controls
• - Risk assessment - Information and
  communications
• - Roles and responsibilities

53
Following COSO Model, OMB Selected Control
Activities for Each of the Compliance Requirements

• A. Activites allowed or unallowed
• B. Allowable costs/cost principles
• C. Cash management
• D. Davis-Bacon Act
• E. Eligibility
• F. Equipment real property mgmt
• G. Matching level of effort,
• earmarking
• H. Period of availability of Federal
• Funds
• Note Does not have to use those in the
• compliance supplement or

• I. Procurement and suspension
• and debarment
• J. Program Income
• K. Real property acquisition/
• relocation assistance
• L. Reporting
• M. Subrecipient monitoring
• N. Special test and provisions
• (control procedures not listed)
• all of them and should use
  
• others if more are appropriate.

54
Assessment of Risk

• General Risk Consideration
• - Experience
• - Length of time
• - Effect of non compliance
• - Routine/non-routine transaction
• - Estimate or judgment

55
Assessment of Risk

• Inherent Risk - risk that material noncompliance
  with a major programs compliance requirements
  could occur, assuming there are no related
  controls.
• - Factors to consider
• - Size of the program - Subrecipients
• - Program maturity - Level of oversight
• - Complexity - Prior audit findings
• - Extent of contracting - Identified as high
  risk
• - Other factors

56
Assessment of Risk

• Control Risk - risk that material noncompliance
  that could occur in a major program will not be
  prevented or detected on a timely basis by the
  programs internal control.
• - Preliminary control risk
• - Final control risk
• Fraud Risk - risk that intentional material
  noncompliance with a major programs compliance
  requirements could occur.

57
Assessment of Risk

• Detection Risk - risk that the audit procedures
  will lead to the conclusions that noncompliance
  that could be material to a program doesnt exist
  when in fact it does exist.
• - Factors to consider
• - Inherent risk
• - Control risk
• - Fraud risk

58
Assessment of Risk

• Risk of Material Misstatement - combination of
  inherent risk and control risk. Based on
  professional judgments.
• Audit Risk - risk that the auditor may
  unknowingly fail to appropriately modify his or
  her opinion on compliance. It is comprised of
  inherent risk, control risk, fraud risk and
  detection risk.

59
What Are We Looking for Controls to Do?

• Prevent or detect material noncompliance
• Initial assessment to be at low controlled risk
• Final analysis does not need to be at a low level
  of controlled risk

60
Types of Controls
Pervasive Controls - Controls around the process, i.e., separation of duties, supervision, hiring, training, skills
Specific Controls - Preventative - Detective - Stop error from occurring Identify and notify that an error has occurred
Monitoring Control - Identify when a preventative or detecting control is not working
61
Process to Test Single Audit Controls
62
Process to Test Single Audit Controls

• A. Identify the Control Objectives or What Can
  Go Wrong -
• Can use the compliance supplement
• Only need to access those requirements that are
  direct and material
• Can develop on your own control procedures

63
Process to Test Single Audit Controls

• B. Understand the Risk Prevention Process
• Using the COSO Model -
• Control Environment - sets the tone of an
  organization influencing the control
  consciousness of its people. It is the
  foundation for all other components of internal
  control, providing discipline and structure.

64
Process to Test Single Audit Controls

• B. Understand the Risk Prevention Process
• Using the COSO Model (contd) -
• Risk Assessment - is the entitys identification
  and analysis of risks relevant to achievement of
  its objectives, forming a basis for determining
  how the risks should be managed.

65
Process to Test Single Audit Controls

• B. Understand the Risk Prevention Process
• Using the COSO Model -
• Control Activities - are the policies and
  procedures that help ensure that managements
  directives are carried out.
• Information and Communication - are the
  identification, capture, and exchange of
  information in a form and time frame that enable
  people to carry out their responsibilities.

66
Process to Test Single Audit Controls

• B. Understand the Risk Prevention Process
• Using the COSO Model (contd) -
• Monitoring - is a process that assesses the
  quality of internal control performance over
  time.

67
Process to Test Single Audit Controls

• Control Environment
• Sense of conducting operations ethically, as
  evidenced by a code of conduct or other verbal or
  written directive.
• If there is a governing Board, the Board has
  established an Audit Committee or equivalent that
  is responsible for engaging the auditor,
  receiving all reports and communications from the
  auditor, and ensuring that audit findings and
  recommendations are adequately addressed.

68
Process to Test Single Audit Controls

• Control Environment (contd)
• Managements positive responsiveness to prior
  questioned costs and control recommendation.
• Managements respect for and adherence to program
  compliance requirements.
• Key managers responsibilities clearly defined.
• Key managers have adequate knowledge and
  experience to discharge their responsibilities.

69
Process to Test Single Audit Controls

• Control Environment (contd)
• Staff knowledgeable about compliance requirements
  and being given responsibility to communicate all
  instances of noncompliance to management.
• Managements commitment to competence ensures
  that staff receive adequate training to perform
  their duties.
• Managements support of adequate information and
  reporting system.

70
Process to Test Single Audit Controls

• Risk Assessment
• Program managers and staff understand and have
  identified key compliance objectives.
• Organizational structure provides identification
  of risks of noncompliance
• - Key managers given responsibility to identify
  and communicate changes.
• - Employees who require close supervision (e.g.
  inexperienced) are identified.

71
Process to Test Single Audit Controls

• Risk Assessment (contd)
• Organizational structure provides identification
  of risks of noncompliance (contd)
• - Management has identified and assessed
• complex operations, programs, or projects.
• - Management is aware of results of monitoring,
  audits, and reviews and considers related risk of
  noncompliance.
• - Process established to implement changes in
  program objectives and procedures.

72
Process to Test Single Audit Controls

• Control Activities
• Procedures in place to implement changes in laws,
  regulations, guidance, and funding agreements
  affecting Federal awards.
• Management prohibition against intervention or
  overriding established controls.
• Adequate segregation of duties provided between
  performance, review, and recordkeeping of a task.
  

73
Process to Test Single Audit Controls

• Control Activities (contd)
• Computer and program controls should include
• - Data entry controls, e.g., edit checks. -
  Exception reporting.
• - Computer general controls and security
  controls.
• - Reviews of input and output data.
• - Access controls.

74
Process to Test Single Audit Controls

• Control Activities (contd)
• Operating policies and procedures clearly written
  and communicated.
• Supervision of employees commensurate with their
  level of competence.
• Personnel with adequate knowledge and experience
  to discharge responsibilities.

75
Process to Test Single Audit Controls

• Control Activities (contd)
• Equipment, inventories, cash, and other assets
  secured physically and periodically counted and
  compared to recorded amounts.
• If there is a governing Board, the Board conducts
  regular meetings where financial information is
  reviewed and the results of program activities
  and accomplishments are discussed. Written
  documentation is maintained of the matters
  addressed at such meetings.

76
Process to Test Single Audit Controls

• Information and Communication
• Accounting system provides for separate
  identification of Federal and non-Federal
  transactions and allocation of transactions
  applicable to both.
• Adequate source documentation exists to support
  amounts and items reported.

77
Process to Test Single Audit Controls

• Information and Communication (contd)
• Recordkeeping system is established to ensure
  that accounting records and documentation
  retained for the time period required by
  applicable requirements such as the A-102 Common
  Rule, 0MB Circular A-133, and the provisions of
  laws, regulations, contracts or grant agreements
  applicable to the program.

78
Process to Test Single Audit Controls

• Information and Communication (contd)
• Reports provided timely to managers for review
  and appropriate action.
• Accurate information is accessible to those who
  need it.
• Reconciliations and reviews ensure accuracy of
  reports.

79
Process to Test Single Audit Controls

• Information and Communication (contd)
• Established internal and external communication
  channels.
• - Staff meetings. - Bulletin boards. -
  Memos, circulation files, e-mail. - Surveys,
  suggestion box.
• Employees duties and control responsibilities
  effectively communicated.

80
Process to Test Single Audit Controls

• Information and Communication (contd)
• Channels of communication for people to report
  suspected improprieties established.
• Actions taken as a result of communications
  received.
• Established channels of communication between the
  pass-through entity and subrecipients.

81
Process to Test Single Audit Controls

• Monitoring
• Ongoing monitoring built-in through independent
  reconciliations, staff meeting feedback, rotating
  staff, supervisory review, and management review
  of reports.
• Periodic site visits performed at decentralized
  locations (including subrecipients) and checks
  performed to determine whether procedures are
  being followed as intended.

82
Process to Test Single Audit Controls

• Monitoring (contd)
• Follow up on irregularities and deficiencies to
  determine the cause.
• Internal quality control reviews performed.
• Management meets with program monitors, auditors,
  and reviewers to evaluate the condition of the
  program and controls.

83
Process to Test Single Audit Controls

• Monitoring (contd)
• Internal audit routinely tests for compliance
  with Federal requirements.
• If there is a governing Board, the Board reviews
  the results of all monitoring or audit reports
  and periodically assesses the adequacy of
  corrective action.

84
Process to Test Single Audit Controls

• Walk Through the Control Process to Understand
  What It is and Whether It is Operational
• One transaction from start to finish
• Have the processors show what they do, what they
  review, exceptions uncovered and how exceptions
  are handled
• Observe and review documentation

85
Process to Test Single Audit Controls

• Assess if the Procedures in Place As Designed Are
  Effective at Reducing the Risk on Non Compliance
  to A Low Level
• Requires judgment
• Believe no material errors would occur undetected
• If the procedures are designed effectively, must
  test to ensure operating throughout the period
• If not designed effectively, no need to test as
  you can write your finding

86
Process to Test Single Audit Controls

• Test the Controls Throughout the Period to
  Determine if They Were Operating As Desired
• Perform test in compliance supplement or design a
  test to ensure controls were working throughout
  the period
• Sample size is a matter of judgment
• Suggested sample size of 40 or 60 because of low
  level of assessed risk while some firms use 25
  for moderate level risk

87
Types of Control Tests

• Inquiry
• Re-performance
• Corroborative inquiry
• Confirmation
• Computation
• Operating test

• Observation
• Inspection
• Knowledge assessment
• System query
• Reconciliation
• Physical examination
• Review

88
Process to Test Single Audit Controls
F. Assess the Operating Effectiveness
Number of Expected or Actual Deviations Number of Expected or Actual Deviations Number of Expected or Actual Deviations Number of Expected or Actual Deviations
Planned Assessed Level of Control Risk 0 1 2 3
Low 60
Moderate 25 40 60 60
Slightly Below Maximum 25 25 40
Maximum
Omit test because tests of controls would most
likely be inefficient or ineffective
89
Process to Test Single Audit Controls

• Reporting Findings
• Identify the following
• Finding or non compliance
• Compliance requirement
• Known dollars of non compliance
• Likely dollars of non compliance
• Cause
• Effect

90
Process to Test Single Audit Controls

• Reporting Findings
• Type of Finding
• -Control-
• Deficiency
• Significant deficiency
• Material weakness
• -Specific Test-
• Material non compliance
• Non compliance

• Type of Report
• Unqualified
• Qualified
• Adverse
• Disclaimer

91
Type of Control Weaknesses
Significant Deficiency Quantitative Deficiencies - Any internal control related findings quantitatively less than the Program Tolerable Noncompliance should be classified as a Significant Deficiency to the program. Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
Material Weakness Quantitative Considerations - Any internal control related findings quantitatively equal to or greater than the Program Tolerable Noncompliance should be classified as a Material Weakness in the program. Qualitative Considerations - There may be instances, based on auditor judgment, where internal control related findings that quantitatively would not be considered material, may be deemed material weaknesses by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
92
Type of Compliance Finding
Material Noncompliance Quantitative Considerations - Any noncompliance quantitatively equal to or greater than the Program Tolerable Noncompliance should be classified as Material Noncompliance to the program. Qualitative Considerations - There may be instances, based on auditor judgment, where noncompliance that quantitatively would not be considered material, may be deemed material noncompliance by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
Noncompliance Quantitative Considerations - Any internal control related findings quantitatively less than the Program Tolerable Noncompliance should be classified as Noncompliance to the program. Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
93
Examples of Strong Internal Controls

• Activities Allowed or Unallowed and
• B. Allowable Costs/Cost Principles
• Control Environment
• Management sets reasonable budgets for Federal
  and non-Federal programs so that no incentive
  exists to miscode expenditures.

94
Examples of Strong Internal Controls

• A. Activities Allowed or Unallowed and
• B. Allowable Costs/Cost Principles
• Risk Assessment
• Key manager has a sufficient understanding of
  staff, processes, and controls to identify where
  unallowable activities or costs could be charged
  to a Federal program and not be detected.

95
Examples of Strong Internal Controls

• Activities Allowed or Unallowed and
• B. Allowable Costs/Cost Principles
• Control Activities
• Supporting documentation compared to list of
  allowable and unallowable expenditures.
• Adequate segregation of duties in review and
  authorization of costs.

96
Examples of Strong Internal Controls

• A. Activities Allowed or Unallowed and
• B. Allowable Costs/Cost Principles
• Information and Communication
• Reports, such as a comparison of budget to
  actual
• provided to appropriate management for review
  on
• a timely basis.

97
Examples of Strong Internal Controls

• Cash Management
• Control Environment
• Budgets for drawdowns are consistent with
  realistic cash needs.

98
Examples of Strong Internal Controls

• C. Cash Management (contd)
• Control Activities
• Appropriate level of supervisory review of
• cash management activities.
• Written policy that provides
• - Procedures for requesting cash advances as
• close as is administratively possible to
  actual
• cash outlays

99
Examples of Strong Internal Controls

• C. Cash Management (contd)
• Information and Communication
• Variance reporting of expected versus actual cash
  disbursements of Federal awards and drawdowns of
  Federal funds.

100
Examples of Strong Internal Controls

• D. Davis-Bacon Act
• Control Activities
• Contractors informed in the procurement
  documents of
• the requirements for prevailing wage rates.
• Monitoring
• Management reviews to ensure that certified
  payrolls
• are properly received.

101
Examples of Strong Internal Controls

• E. Eligibility
• Control Environment
• Staff size and competence provides for proper
  making
• of eligibility determinations.
• Risk Assessment
• Conflict-of-interest statements are maintained
  for
• individuals who determine eligibility.

102
Examples of Strong Internal Controls

• E. Eligibility (contd)
• Control Activities
• Eligibility objectives and procedures clearly
• communicated to employees.
• Authorized signatures (manual or electronic)
• on eligibility documents periodically
  reviewed.
• Manual criteria checklists or automated process
• used in making eligibility determinations.

103
Examples of Strong Internal Controls

• E. Eligibility (contd)
• Monitoring
• Program quality control procedures performed

104
Examples of Strong Internal Controls

• F. Equipment and Real Property Management
• Control Activities
• Accurate records maintained on all acquisitions
  and dispositions of property acquired with
  Federal awards.
• A physical inventory of equipment is
  periodically taken and compared to property
  records.

105
Examples of Strong Internal Controls

• F. Equipment and Real Property Management
  (contd)
• Monitoring
• Management reviews the results of periodic
  inventories and follows up on inventory discrepa
  ncies.

106
Examples of Strong Internal Controls

• G. Matching, Level of Effort, Earmarking
• Control Environment
• Budgeting process addresses/provides adequate
• resources to meet matching, level of effort, or
• earmarking goals.
• Risk Assessment
• Identification of areas where estimated values
  will be
• used for matching, level of effort or earmarking.

107
Examples of Strong Internal Controls

• H. Period of Availability of Federal Funds
• Control Activities
• Accounting system prevents obligation or
  expenditure
• of Federal funds outside of the period of
  availability.
• Cancellation of unliquidated commitments at the
  end of
• the period of availability.

108
Examples of Strong Internal Controls

• H. Period of Availability of Federal Funds
  (Contd)
• Monitoring
• Periodic review of expenditures before and after
  cut-off date to ensure compliance with period of
  availability requirements.

109
Examples of Strong Internal Controls

• I. Procurement and Suspension and Debarment
• Risk Assessment
• Procedures to identify risks arising from
  vendor inadequacy, e.g., quality of goods and
  services, delivery schedules, warranty
  assurances, user support.
• Control Activities
• Contractors performance with the terms,
  conditions and specifications of the contract is
  monitored and documented.

110
Examples of Strong Internal Controls

• I. Procurement and Suspension and Debarment
  (contd)
• Monitoring
• Management periodically conducts independent
  reviews of procurements and contracting
  activities to determine whether policies and
  procedures are being followed as intended.

111
Examples of Strong Internal Controls

• J. Program Income
• Control Environment
• Realistic performance targets for the generation
  of program income.
• Risk Assessment
• Mechanisms in place to identify the risk of
  unrecorded or miscoded program income.

112
Examples of Strong Internal Controls

• J. Program Income (contd)
• Monitoring
• Internal audit of program income.

113
Examples of Strong Internal Controls

• L. Reporting
• Control Environment
• Managements attitude toward reporting promotes
• accurate and fair presentation.
• Control Activities
• Tracking system which reminds staff when reports
  
• are due.

114
Examples of Strong Internal Controls

• M. Subrecipient Monitoring
• Control Environment
• Sufficient resources dedicated to subrecipient
  monitoring.
• Appropriate sanctions taken for subrecipient
  noncompliance.

115
Examples of Strong Internal Controls

• M. Subrecipient Monitoring (contd)
• Risk Assessment
• Key managers understand the subrecipients
  environment, systems, and controls sufficient
  to identify the level and methods of monitoring
  required.

116
Examples of Strong Internal Controls

• M. Subrecipient Monitoring (contd)
• Monitoring
• Supervisory reviews performed to determine the
  adequacy of subrecipient monitoring.

117
Walk Through the Internal Controls Questionnaire
of Part 6 of the Compliance Supplement
118
PURPOSE, PROCESS, OUTCOMES AN AUDITORS
PROSPECTIVE
119
Purpose - As Described By Donnas
Presentation

• Single Audit enacted 1984 Circular A-133 1990
• Non-Federal Entities receiving Federal Funds
• Set standards for consistency and uniformity
• Provided specific policy, procedures and criteria

120
Process - An Auditors Prospective

• Understanding the entity and their internal
  controls over financial reporting and compliance
  by discussions, observations, and testing and
  assessing risk for audit planning
• Following GAAS, GAS, And OMB A-133 Standards

121
Process - An Auditors Prospective

• Providing clear guidance to auditees about audit
  requirements, testing criteria needs and
  documenting results of audit procedures
• Concluding and reporting results

122
Outcomes Auditors Findings Reports

• Controls in place, documented, and good
• audit trails exist
• Controls effective?
• Are you prepared?

123
Outcomes Auditors Findings Reports

• GAS Report on internal controls over
  financial
• reporting and on compliance other matters
• Control Objectives Environment, risk
  assessment, and control activities (attributes an
  auditee strives to achieve)
• Control Component Information, communication
  monitoring (attributes needed to achieve the
  objectives)
• Finding? Significant deficiency or material
  weakness

124
Outcomes Auditors Findings Reports

• Compliance and Other Matters GAS
• FINANCIAL STATEMENTS Reasonable assurance is
  obtained - they are free of material misstatement
  due to compliance with certain provisions of
  laws, regulations, contracts, and grant
  agreements AND free of fraud and abuse
  concerns?
• FINDINGS? Compliant or Non-compliant?

125
Outcomes Auditors Findings Reports

• OMB Circular A-133 Report on compliance with
  requirements applicable to major programs and on
  internal control over compliance in accordance
  with Circular A-133
• COMPLIANT with the 14 types of compliance
  requirements in the compliance supplement?
• INTERNAL CONTROL over compliance effective?
• FINDINGS? Significant Deficiency or Material
  Weakness?

126
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Understanding Applicable State and Local
  Compliance and Reporting Requirements Steps to
  be Considered for audit preparation
• Each Department Head should complete the internal
  control questionnaire for the CFDAs under their
  responsibility and fully understand control
  objectives as they relate to each specific grant.
  Review prior year submitted information and
  update the questionnaire. Conduct meetings with
  auditors for clarification.

127
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Have annual, or more frequent, meetings with all
  individuals who have a part in grant
  disbursements, reporting and other compliance
  requirements to discuss the relevant controls for
  better understanding of all parties. Monitor
  compliance by timely review of all relevant
  procedures and reports prior to audit.
• Read and understand the Compliance Supplement for
  the CFDA for advance awareness of what will be
  tested. Typically, this does not change
  annually, so being prepared is essential to the
  audit.

128
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Communicate with grantor agencies for better
  understanding of what is significant about the
  grant and determine if they are aware of any
  overall control deficiencies experienced with
  grant funds. This may assist in avoiding such
  experiences.

129
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Subscribe to Federal single audit references and
  circulate relevant information to the department
  this could have a significant impact on the
  identification of controls that are missing from
  your process. Meet and discuss how to address
  the requirements specified in the relevant
  literature.

130
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Monitor your compliance
• Supervision, reviews and approvals are essential
  to your success.

131
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Be aware of the applicable federal law and
• requirements using the Compliance Supplement
• and applicable references.
• Part 2 Matrix of Compliance Requirements (14
  types identified)
• Part 3 Compliance Requirements Applicable to
  the CFDA

132
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Compliance Supplement and applicable
• references (Contd)
• Part 4 Specific additional requirements of the
  federal program pertaining to provisions of
  contracts or grant agreements that are unique to
  a particular CFDA

133
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Compliance Supplement and applicable
• references (Contd)
• Part 5 Specific to Clusters of Programs
  (closely related programs with similar compliance
  requirements) - ( i.e) SFA
• Part 6 Internal control requirements and
  guide
• Part 7 Use of other specific industry or
  federal department guides to identify program
  objectives, procedures and compliance
  requirements

134
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Universities have significant references to Title
  IV Programs for SFA, and as such follow the
  guidance of 34 CFR section 691.

135
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• While Department of Educations (DOE) Audit Guide
  is not a requirement for the Single Audit,
  program objectives, procedures and compliance
  requirements provide additional understanding to
  the auditor for single audit compliance
  procedures
• RD Program requirements are very specific and
  monitoring is essential for success

136
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• The Federal Register (November 1, 2006) provided
  guidance in 34 CFR Parts 668, 682, and 685
  regarding SFA, Final Rule. This literature
  provides guidance to auditors as well as the
  auditee.
• Familiarity with such federal department
  literature is also noteworthy for SFA audits.

137
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• These items are just reminders of the need for
  timely meetings and communications to those
  individuals working with SFA to keep abreast of
  updates and to be prepared for the audit process.

138
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• II. Materiality Considerations Compliance
  Testing
• Auditors may use judgment in materiality
  considerations resulting from findings
  (or exceptions) noted during the audit.
  (Case-by-Case basis and is usually dependent on
  the impact on grant objectives).

139
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Materiality is Affected By
• The nature of the compliance requirements, which
  may or may not be quantifiable in monetary terms
• The nature and frequency of non-compliance
  identified with an appropriate consideration of
  sampling risk and

140
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Materiality is Affected By (Contd)
• Qualitative considerations, such as the needs and
  expectations of federal agencies and pass-through
  entities

141
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Qualitative Factors Include
• Low risk of public or political sensitivity
• A single exception that has a low risk of being
  pervasive

142
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Qualitative Factors (Contd)
• An indication, based on auditors judgment an
  experience, that the affected federal agency or
  pass-through entity normally would not need to
  resolve the finding or take follow-up action

143
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Recap A-133 Overview
• The single audit process is lengthy.
• The compliance requirements are to be
• tested as provided for in the Compliance
  Supplement.

144
Universities How to Manage Single Audit From A
Practical Viewpoint Your Internal
Controls

• Recap A-133 Overview (Contd)
• The auditees familiarity and understanding of
  Grants, is essentially the most important facet
  in achieving a smooth audit.
• The preparations undertaken to achieve your
  internal control objectives are important, and to
  a great extent, the means to reducing compliance
  findings.

145
Questions???