What Does an Auditor Do During an A-133 Audit?
When the leaders of any organization are first mandated to have an audit, whether by investors or the government, they often have the same question: what does an auditor do? The answer is relatively simple – an auditor must fulfill two responsibilities. The first is to determine whether the organization under audit has fairly represented its financial position in its financial statements. The second is to determine and report on the organization’s internal control system. Each of these elements also has within it other requirements which expand the complexity of “what” an auditor must do to fulfill his/her role in an audit.
Stepping on the GAAS
An auditor uses generally accepted auditing standards (GAAS) to conduct the audit. These standards are set by peers and experts as to how an audit shall be conducted. They are established to provide a mechanism for the auditor to meet expectations with regard to work product and procedures. GAAS enables a level of assurance that an auditor is following prescribed, proven techniques which other auditors also follow.
For government audits, the requirements specify that generally accepted government audit standards (GAGAS) are applicable. These standards are also known as the “Yellow Book”. These standards of audit are essential to the accountability of entities using government resources and provide guidance on what is to be audited and how.
Closing the GAAP
The auditor utilizes the GAAS methodologies to ensure that financial statements are prepared according to the accounting standards which have been established – generally accepted accounting principles (GAAP). These standards, like the auditing standards, are meant to facilitate the comparability of work and information. They also provide reasonable assurance that the information is useful, meaningful, and presented in a manner consistent with financial practices.
Through the application of GAAS and GAAP, the auditor focuses on determining key internal control components:
- The control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
These activities and how the organization executes these activities determine whether or not the auditor can provide assurance that the federal program objectives are being executed. Here are some of the primary objectives:
- Transactions are properly recorded and accounted for
- Assets are properly controlled
- There is demonstrable compliance with laws, regulations, terms and conditions
The auditor’s role is to determine if the entity is exercising due care in its role:
- Does the organization understand the requirements?
- Does the organization pay attention to the rules?
- Does the organization have an adequate control structure?
- Does the organization have have proper procedures in place?
- Does the organization follow the control structure it has?
The auditor must understand each organization’s specific structure, requirements, and programs. No two organizations will have the same programs, operations, or infrastructure, so the auditor is charged with developing an understanding of the unique combination of factors which exist in each one and auditing each organization based on those factors.
While the auditor is charged with the responsibility of auditing each unique entity, an audit is not expected to examine 100% of the transactions. The auditor relies on a sampling of transactions to identify potential weaknesses or problems. Where issues are identified, more extensive testing may be performed.
Compliance Audits the Steps
In conducting an audit, the auditor does not examine 100% of the programs. Instead, the auditor selects a representative sample of the programs and through that sample tests the compliance, controls, and activities of the recipient. These are generally the steps the auditor undertakes in the audit:
- Identify major programs
- Identify applicable compliance requirements.
- Plan the engagement
- Consider the internal control environment over major programs
- Test compliance with applicable requirements
- Evaluate subsequent events for the period between end of audit period and prior issuance of audit report
- Form and opinion on compliance
- Perform follow-up on identified findings
Defining a Major Program
The auditor begins the audit process by reviewing the recipient’s awards. The review is conducted to classify each award as to the size, nature, and risk of the program.
Risk Base Four Step Approach
The classification of each program determines how and if it will be reviewed during the current audit. The auditor examines each award to properly classify it based upon the characteristics of the programs – program type, size, previous findings, size, etc. The steps outlined below show the overall process the auditor uses in reviewing all programs:
- Identify the type A and B programs.
- Determine which Type A are low risk.
- Determine which Type B are high risk.
- Select which programs are to be audited as major programs.
Entity’s Expenditures | Type A/Type B Threshold |
At least $300K, $100 Million | $300 K or 3% of total federal awards expended, whichever is greater |
More than $100 Million < less than $10 billion | $3 million or .003% of total federal awards expended, whichever is greater |
More than $10 Billion | $30 million or .0015% of total federal awards expended, whichever is greater |
What Programs Must the Auditor Audit?
The objective for an A-133 audit is that the auditor must audit all high risk Type A programs. The auditor then has an option how to proceed for Type B programs. The auditor may choose to audit these programs:
- At least one-half of the high risk type B programs up to the number of low risk type A programs
- One high risk Type B program for every Type A low-risk program
In making the choice of what programs to audit, the auditor must keep in mind the following rule, known as the percentage of coverage rule:
The auditor must audit as major programs enough programs which account for at least 50% of total federal awards expended. The only exception is for a low-risk audittee. in this case the auditor must cover 25% of the federal awards expended.
Low Risk – What is it?
A program may be considered low risk if it has been audited as a major program in the two previous years and had no prior findings. The program cannot be low-risk if in prior years the findings were material, were specified in A-133 §_.510(a), the program has been designated as high-risk by the awarding agency, or in the auditor’s judgment prior findings are material in nature.
Auditors Judgment – Program Risk Assessments
A-133 audits require the auditor to determine the necessary level of compliance testing based upon the unique characteristics of the auditee. The auditor determines how much testing is required based upon the overall evaluation of the risk in areas where the organization is not complying and in which the effect could be material to the federal programs.
The non-compliance may relate to terms and conditions of agreement provisions, laws and regulations, tax codes, competence of personnel, expenditures within programs, consistency of cost treatment, or any number of other aspects of administration of the federal funds. The oversight extends to the management of the activities of subrecipients and monitoring of those relationships.
Key Compliance Areas
The testing of each area requires planning and analysis based upon the activities of the organization, the internal control structure, the systems, and the programs and awards. Again, the auditor must exercise due care and judgment in the development of samples, testing, and the extent to which each area of the organization will be examined. However, the areas to be examined are specified:
- Activities allowed and unallowed
- Allowable costs and cost principles
- Cash management
- Davis Bacon Act
- Eligibility
- Equipment and Real Property Management
- Matching, Level of Effort and Earmarking
- Period of Availability of Funds
- Procurement, Suspension and Debarment
- Program Income
- Real Property Acquisition and Relocation Assistance
- Reporting
- Subrecipient Monitoring
- Special Tests and Provisions
In order to fully execute his/her role and responsibility, the auditor must be cognizant of these compliance areas, the impact and implications of each as it applies to each program, the recipient, and the audit organization-wide
Copyright ©2007 F.O.C.U.S. Resource, Inc.
All Rights Reserved