AU 801: Compliance Auditing

AU-C 935: Compliance Audits

AU EFFECTIVE DATE AND APPLICABILITY

Original Pronouncements Statement on Auditing Standards (SAS) 117.
Effective Date This statement currently is effective.
Applicability Engagements to perform a compliance audit in accordance with generally accepted auditing standards (GAAS), the standards for financial audits under governmental auditing standards, or a governmental audit requirement that requires an auditor to express an opinion on compliance. Not applicable when government audit requirements call for an examination under the Statements on Standards for Attestation Engagements (SSAEs) of an entity’s internal controls over compliance.

AU-C EFFECTIVE DATE AND SUMMARY OF CHANGES

SAS No. 122, Codification of Auditing Standards and Procedures, is effective for audits of financial statements with periods ending on or after December 15, 2012.

To address practice issues, SAS No. 117, Compliance Audits, was one of the clarified standards issued before SAS No. 122. It was issued in December 2009 and is effective for compliance audits for fiscal periods ending on or after June 15, 2010.

SAS No. 117 was codified in AU 801 when issued, but was moved to AU-C 935 with the issuance of SAS No. 122. Some conforming changes were made in specific paragraphs and footnotes due to the issuance of SAS No. 122, but no substantive changes were made.

AU DEFINITIONS OF TERMS

Applicable risk of noncompliance. The risk that an auditor will express an inappropriate audit opinion on an entity’s compliance when there is a case of material noncompliance.

Compliance audit. An audit of an entity’s compliance with specific compliance requirements. These compliance requirements can include the laws, regulations, rules, and contract provisions applicable to government programs with which an entity is required to comply.

Detection risk of noncompliance. The risk that procedures performed by an auditor to reduce the risk of noncompliance will not detect material noncompliance, either individually or when aggregated with other cases of noncompliance.

Government program. The means by which a government entity achieves its objectives. Government programs relevant to this section include those in which the program provides an award to another entity, typically as a grant or contract.

Material noncompliance. If there is no definition of material noncompliance in a government audit requirement, material noncompliance is defined as the failure to follow compliance requirements or a violation of prohibitions included in applicable compliance requirements that result in material noncompliance, either individually or when aggregated.

Material weakness in internal control over compliance. A deficiency in internal control over compliance, such that there is a reasonable possibility that material noncompliance with a compliance requirement will not be prevented or detected and corrected on a timely basis. Reasonably possible is defined as a chance of a future event occurring that is more than remote but less than likely. Remote is defined as a slight chance that a future event will occur. Probable is defined as a future event being likely to occur.

Questioned costs. Those costs questioned by an auditor because of a possible violation of applicable compliance requirements, minimal supporting documentation, or the costs appearing unreasonable. Likely questioned costs are inferred by extrapolating from audit evidence obtained, while known questioned costs are those specifically identified by the auditor.

Significant deficiency in internal control over compliance. A deficiency in internal control over compliance that is less severe than a material weakness, yet which is important enough to merit attention by those in a position of governance.

AU-C 935 DEFINITIONS OF TERMS

Source: AU-C 935.11

Applicable compliance requirements. Compliance requirements that are subject to the compliance audit.

Audit findings. The matters that are required to be reported by the auditor in accordance with the governmental audit requirement.

Audit risk of noncompliance. The risk that the auditor expresses an inappropriate audit opinion on the entity’s compliance when material noncompliance exists. Audit risk of noncompliance is a function of the risks of material noncompliance and detection risk of noncompliance.

Compliance audit. A program-specific audit or an organization-wide audit of an entity’s compliance with applicable compliance requirements.

Compliance requirements. Laws, regulations, rules, and provisions of contracts or grant agreements applicable to government programs with which the entity is required to comply.

Deficiency in internal control over compliance. A deficiency in internal control over compliance exists when the design or operation of a control over compliance does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, noncompliance on a timely basis. A deficiency in design exists when (1) a control necessary to meet the control objective is missing, or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Detection risk of noncompliance. The risk that the procedures performed by the auditor to reduce audit risk of noncompliance to an acceptably low level will not detect noncompliance that exists and that could be material, either individually or when aggregated with other instances of noncompliance.

Government Auditing Standards. Standards and guidance issued by the Comptroller General of the United States, U.S. Government Accountability Office for financial audits, attestation engagements, and performance audits. Government Auditing Standards also is known as generally accepted government auditing standards (GAGAS) or the “Yellow Book.”

Government program. The means by which governmental entities achieve their objectives. For example, one of the objectives of the U.S. Department of Agriculture is to provide nutrition to individuals in need. Examples of government programs designed to achieve that objective are the Supplemental Nutrition Assistance Program and the National School Lunch Program. Government programs that are relevant to this section are those in which a grantor or pass-through entity provides an award to another entity, usually in the form of a grant, contract, or other agreement. Not all government programs provide cash assistance; sometimes noncash assistance is provided (for example, a loan guarantee, commodities, or property).

Governmental audit requirement. A government requirement established by law, regulation, rule, or provision of contracts or grant agreements requiring that an entity undergo an audit of its compliance with applicable compliance requirements related to one or more government programs that the entity administers.

Grantor. A government agency from which funding for the government program originates.

Known questioned costs. Questioned costs specifically identified by the auditor. Known questioned costs are a subset of likely questioned costs.

Likely questioned costs. The auditor’s best estimate of total questioned costs, not just the known questioned costs. Likely questioned costs are developed by extrapolating from audit evidence obtained, for example, by projecting known questioned costs identified in an audit sample to the entire population from which the sample was drawn.

Material noncompliance. In the absence of a definition of material noncompliance in the governmental audit requirement, a failure to follow compliance requirements or a violation of prohibitions included in the applicable compliance requirements that results in noncompliance that is quantitatively or qualitatively material, either individually or when aggregated with other noncompliance, to the affected government program.

Material weakness in internal control over compliance. A deficiency, or combination of deficiencies, in internal control over compliance, such that there is a reasonable possibility that material noncompliance with a compliance requirement will not be prevented, or detected and corrected, on a timely basis. In this section, a reasonable possibility exists when the likelihood of the event is either reasonably possible or probable as defined as follows:

  • Reasonably possible. The chance of the future event or events occurring is more than remote but less than likely.
  • Remote. The chance of the future event or events occurring is slight.
  • Probable. The future event or events are likely to occur.

Organization-wide audit. An audit of an entity’s financial statements and an audit of its compliance with the applicable compliance requirements as they relate to one or more government programs that the entity administers.

Pass-through entity. An entity that receives an award from a grantor or other entity and distributes all or part of it to another entity to administer a government program.

Program-specific audit. An audit of an entity’s compliance with applicable compliance requirements as they relate to one government program that the entity administers. The compliance audit portion of a program-specific audit is performed in conjunction with either an audit of the entity’s or the program’s financial statements.

Questioned costs. Costs that are questioned by the auditor because (1) of a violation or possible violation of the applicable compliance requirements, (2) the costs are not supported by adequate documentation, or (3) the incurred costs appear unreasonable and do not reflect the actions that a prudent person would take in the circumstances.

Risk of material noncompliance. The risk that material noncompliance exists prior to the audit. This consists of two components, described as follows:

  • Inherent risk of noncompliance. The susceptibility of a compliance requirement to noncompliance that could be material, either individually or when aggregated with other instances of noncompliance, before consideration of any related controls over compliance.
  • Control risk of noncompliance. The risk that noncompliance with a compliance requirement that could occur and that could be material, either individually or when aggregated with other instances of noncompliance, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control over compliance.

Significant deficiency in internal control over compliance. A deficiency, or a combination of deficiencies, in internal control over compliance that is less severe than a material weakness in internal control over compliance, yet important enough to merit attention by those charged with governance.

OBJECTIVES OF AU SECTION 801

Governments frequently require entities to undergo an audit of their compliance with various requirements. The auditor’s objectives in a compliance audit are to obtain sufficient audit evidence to form an opinion on whether an entity has complied in all material respects with the compliance requirements of a government entity, as well as to identify the audit and reporting requirements specified in governmental audit requirements that are in addition to GAAS and government auditing standards, and to perform procedures to address those additional requirements.

This section addresses the application of GAAS to a compliance audit, which is frequently performed in conjunction with a financial statements audit.

OBJECTIVES OF AU-C SECTION 935

AU-C 935 states that:

. . . the auditor’s objectives in a compliance audit are to

a. obtain sufficient appropriate audit evidence to form an opinion and report at the level specified in the governmental audit requirement on whether the entity complied in all material respects with the applicable compliance requirements; and
b. identify audit and reporting requirements specified in the governmental audit requirement that are supplementary to GAAS and Government Auditing Standards, if any, and perform procedures to address those requirements.

FUNDAMENTAL REQUIREMENTS

Application of AU Sections to a Compliance Audit

The auditor should adapt all other AU Sections to the objectives of a compliance audit, with limited exceptions as noted in Appendix A of SAS 117.

The Compliance Audit Process Flow

The auditor should follow these steps when conducting a compliance audit:

1. Materiality. Establish materiality levels and apply them to the compliance audit based on the governmental audit requirements.
2. Identify programs. Determine which government programs and compliance requirements to test.
3. Perform procedures. Perform risk assessment procedures to gain a sufficient understanding of the applicable compliance requirements and the entity’s internal control over compliance. Also see if there are findings from previous audits, attestation engagements, or other monitoring that relate to the compliance audit. Additionally, gain an understanding of management’s response to these findings that could have a material effect on the entity’s compliance with applicable compliance requirements. Use this information to assess risk, as well as to determine the audit procedures for the compliance audit.
4. Risk assessment. Assess the risks of material noncompliance, whether due to fraud or error, for each applicable compliance requirement.
5. Material noncompliance risk. Assess the risk of material noncompliance, whether due to fraud or error, for each compliance requirement.
6. Further audit procedures. If there are risks of material noncompliance that are pervasive, then develop an overall response to these risks. The response should include further audit procedures, including tests of details, to obtain sufficient audit evidence. Tests of controls, analytical procedures, and risk assessment procedures are not sufficient. Test controls over compliance if there is an expectation of the operating effectiveness of controls over compliance, or substantive procedures alone do not provide sufficient evidence, or if these tests are mandated by a government audit requirement.

NOTE: Sample tests of details can include the areas of grant disbursements or expenditures, eligibility files, cost allocation plans, and periodic reports filed with grantor agencies.

7. Supplementary audit steps. Determine if the government audit requirements include audit requirements that are in addition to GAAS and government auditing standards, and perform those procedures. If these requirements conflict with GAAS or government auditing standards, then use the GAAS or government auditing standards.
8. Written representations. Request from management written representations that align with the government audit requirement. Include the following items in the request:
a. Acknowledge management’s responsibility for understanding and complying with the pertinent compliance requirements.
b. Acknowledge management’s responsibility for a system of controls that provides reasonable assurance of administering government programs as per their compliance requirements.
c. State that management has identified and disclosed all of the programs related to the government audit requirement.
d. State that management has made available all contracts and related correspondence relevant to the programs subject to the government audit requirement.
e. State that management has disclosed all known noncompliance, or that there is no noncompliance.
f. State whether management believes the entity has complied with the compliance requirements.
g. State that management has made available all documentation related to compliance with the applicable compliance requirements.
h. State management’s interpretation of compliance requirements that are subject to interpretation.
i. State that management has disclosed any grantor communications concerning possible noncompliance, through the date of the auditor’s report.
j. State that management has disclosed the findings and related corrective actions taken for previous audits, attestation engagements, and monitoring related to the objectives of the compliance audit, through the date of the auditor’s report.
k. State that management has disclosed all noncompliance with the compliance requirements subsequent to the period covered by the auditor’s report, or that there were no such cases.
l. State that management is responsible for taking corrective action on audit findings arising from the compliance audit.
9. Subsequent events. Perform audit procedures through the date of the auditor’s report, to obtain evidence that subsequent events related to the entity’s compliance have been identified.

NOTE: If the auditor becomes aware of noncompliance in the period subsequent to the report date that is of such significance that report users would be misled without this information (such as the discovery of noncompliance of such size that the grantor halted funding), then the auditor should discuss the matter with management and those charged with governance, and explain the noncompliance in the report.

10. Evaluate evidence. Evaluate the sufficiency and appropriateness of audit evidence. Then form an opinion on whether the entity materially complied with the compliance requirements. As part of this evaluation, review likely questioned costs, as well as known questioned costs.

NOTE: When evaluating evidence, the auditor can consider the frequency of noncompliance identified during the audit, the nature of the noncompliance, the adequacy of the entity’s system for monitoring compliance, the effect of noncompliance on the entity, and whether any identified noncompliance with the applicable compliance requirements resulted in likely questioned costs that are material.

Reporting Requirements

There are three types of compliance reports, which are (1) the report on compliance only, (2) the combined report on compliance and internal control over compliance, and (3) the separate report on internal control over compliance. The contents of these reports follow.

Report on compliance only. If the auditor is only reporting on compliance, then the report must:

  • Have a title containing the word “independent.”
  • Identify the government programs covered by the compliance audit.
  • State the compliance requirements.
  • State the period covered by the report.
  • State that compliance with the compliance requirements is the responsibility of management.
  • State that the auditor’s responsibility is to express an opinion on the entity’s compliance with the applicable compliance requirements, which is based on the compliance audit.
  • State that the compliance audit was conducted in accordance with GAAS, the standards applicable to financial audits in government auditing standards, and the government audit requirements.
  • State that the compliance audit included an examination of evidence about the entity’s compliance with such requirements, as well as other procedures considered necessary by the auditor.
  • State that the auditor believes the compliance audit provides a reasonable basis for an opinion.
  • State that the compliance audit does not provide a legal determination of the entity’s compliance.
  • State an opinion, at the level required by the government audit requirement, regarding whether the entity materially complied with the compliance requirements.
  • If there is an opinion modification due to noncompliance, describe the noncompliance.
  • If there is noncompliance that does not result in an opinion modification, describe it.
  • If the report is developed solely for specific parties, state that the report is intended solely for the use of the specified parties, and that it is not intended for use by any other parties.
  • Include the signature of the auditor’s firm.
  • Include the date of the report.

Combined report on compliance and internal control over compliance. If the auditor combines the auditor’s report on compliance with a report on internal control over compliance, then add the following items to the report just described for a report on compliance only:

  • State that management is responsible for internal controls over compliance with the requirements of laws, regulations, rules, and contract provisions applicable to government programs.
  • State that the auditor considered the entity’s internal control over compliance with the applicable compliance requirements while planning and performing the audit, but only to determine procedures for expressing an opinion on compliance—not for expressing an opinion on the effectiveness of internal controls over compliance.
  • State that the auditor is not expressing an opinion on internal control over compliance.
  • State that the auditor’s considerations were not designed to identify all deficiencies in internal control that might be significant deficiencies or material weaknesses in internal control over compliance.
  • Define a “deficiency in internal control over compliance” and “material weakness in internal control over compliance.”
  • Describe identified material weaknesses in internal control over compliance.
  • If there were significant deficiencies in internal controls over compliance, define “significant deficiency in internal control over compliance” and describe the deficiencies.
  • If there were no material weaknesses in internal control over compliance, make a statement to that effect.

A combined report on compliance and internal control over compliance is noted later in the section “AU Illustration” at the end of this chapter.

Separate report on internal control over compliance. If the auditor is required by the government audit requirements to report on internal control over compliance, and the auditor elects to issue a separate report on this matter, then add the following items to the report just described for a combined report on compliance and internal control over compliance:

  • A title containing the word “independent”
  • A statement that the auditor audited the entity’s compliance with the applicable compliance requirements for the named government program and specified time period, and refer to the auditor’s report on compliance
  • A statement that the compliance audit was conducted in accordance with GAAS, those government auditing standards applicable to financial audits, and the government audit requirement
  • The signature of the auditor’s firm
  • The date of the report

The auditor should also report noncompliance in the manner specified by the government audit requirement. Further, if the auditor communicates significant deficiencies or material weaknesses in internal control over compliance, government auditing standards require the auditor to obtain a response from the responsible officials regarding their views on the findings, conclusions, and recommendations in the auditor’s report, and to include a copy of any written response in the auditor’s report.

The auditor should modify his or her opinion on compliance in accordance with Section 508, Reports on Audited Financial Statements, if the audit identifies material noncompliance, or a restriction on the compliance audit’s scope.


NOTE: If there is no government audit requirement to report on internal control over compliance, the auditor should still report significant deficiencies and material weaknesses in internal control over compliance to both management and those charged with governance.

In addition to the reporting noted above, the auditor should report to those charged with governance the auditor’s responsibilities as noted in GAAS, government auditing standards, and the government audit requirements. This report should also include an overview of the planned scope and timing of the compliance audit, as well as significant findings arising from it.

NOTE: If a government agency has provided a report format that requires the auditor to make a statement for which there is no basis, reword the report or attach a properly worded separate report.

If the auditor reissues the report, include in it a note that the report replaces an earlier report, and explain why the report is replacing the prior report, as well as the changes from the prior report. Update the date of the reissued report if additional procedures were performed.

Management’s Responsibilities

Management is responsible for an entity’s compliance with compliance requirements. This responsibility includes:

  • Compliance. Comply with the compliance requirements of government programs.
  • Controls. Maintain a control system that gives reasonable assurance that the entity administers government programs that are in compliance with compliance requirements.
  • Monitoring. Evaluate and monitor compliance with the compliance requirements.
  • Corrective action. Take corrective action in the event of noncompliance.

Documentation

The auditor should document all risk assessment procedures performed, as well as any responses to assessed risks of material noncompliance, any procedures performed to test compliance with the applicable compliance requirements, and the results of those procedures. Further, document materiality levels and the basis on which they were calculated.

INTERPRETATIONS

There are no interpretations for this section.

TECHNIQUES FOR APPLICATION

Sources of Information Regarding Compliance Requirements

To gain an understanding of applicable compliance requirements, consult The Compliance Supplement, which is issued by the Office of Management and Budget. It contains the compliance requirements applicable to many federal government programs. It also includes a number of sample audit procedures that are applicable to compliance requirements. The grantor agency may also have issued a program-specific audit guide that similarly contains compliance requirements and suggested audit procedures.

Suggested Audit Procedures

If The Compliance Supplement or a program-specific audit guide is not available, the auditor may use the following procedures to obtain an understanding of the applicable compliance requirements:

1. Read the laws, regulations, rules, and contract provisions pertaining to the government program.
2. Make inquiries of management and other knowledgeable entity personnel.
3. Make inquiries of individuals outside the entity, such as government auditors, regulators, third-party specialists, and attorneys, regarding the laws and regulations applicable to entities within their jurisdictions.
4. Read the meeting minutes of the entity’s governing body.
5. Read the audit documentation about applicable compliance requirements that were prepared during prior audits.
6. Discuss applicable compliance requirements with the auditors who performed prior audits.

Material Noncompliance Risks

The auditor may consider the following factors when assessing the risks of material noncompliance:

1. Complexity of the applicable compliance requirements
2. Susceptibility of the applicable compliance requirements to noncompliance
3. The time period during which the entity has been subjected to the applicable compliance requirements
4. Observations about how the entity has complied with the requirements in prior years
5. The potential effect on the entity of noncompliance with the requirements
6. The degree of judgment involved in adhering to the compliance requirements
7. The assessment of the risks of material misstatement in the financial statement audit

AU ILLUSTRATION

If an auditor’s report contains a response from responsible officials concerning their views on the findings, conclusions, and recommendations included in the report, the auditor may include a paragraph, such as the following example, disclaiming an opinion on such information:

ABC Company’s written response to the significant deficiencies and material weaknesses in internal control over compliance identified in our compliance audit was not subjected to the auditing procedures applied in the compliance audit of ABC Company’s compliance and, accordingly, we express no opinion on it.

The following is an example of a combined report on compliance with applicable requirements and internal control over compliance, containing an unqualified opinion on compliance with no material weaknesses or significant deficiencies in internal control over compliance identified.

Illustration 1. Combined Report on Compliance with Applicable Requirements and Internal Control Over Compliance

Compliance

We have audited ABC Company’s compliance with the [identify the applicable compliance requirements or refer to the document that describes the applicable compliance requirements] applicable to ABC Company’s [identify the government program(s) audited or refer to a separate schedule that identifies the program(s)] for the year ended June 30, 20X2. Compliance with the requirements referred to above is the responsibility of ABC Company’s management. Our responsibility is to express an opinion on ABC Company’s compliance based on our audit.

We conducted our audit of compliance in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States; and [insert the name of the governmental audit requirement or program-specific audit guide]. Those standards and [insert the name of the governmental audit requirement or program-specific audit guide] require that we plan and perform the audit to obtain reasonable assurance about whether noncompliance with the compliance requirements referred to above that could have a material effect on [identify the government program(s) audited or refer to a separate schedule that identifies the program(s)] occurred. An audit includes examining, on a test basis, evidence about ABC Company’s compliance with those requirements and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion. Our audit does not provide a legal determination of ABC Company’s compliance with those requirements.

In our opinion, ABC Company complied, in all material respects, with the compliance requirements referred to above that are applicable to [identify the government program(s) audited] for the year ended June 30, 20X2.

Internal Control over Compliance

Management of ABC Company is responsible for establishing and maintaining effective internal control over compliance with the compliance requirements referred to above. In planning and performing our audit, we considered ABC Company’s internal control over compliance to determine the auditing procedures for the purpose of expressing our opinion on compliance, but not for the purpose of expressing an opinion on the effectiveness of internal control over compliance. Accordingly, we do not express an opinion on the effectiveness of ABC Company’s internal control over compliance.

A deficiency in internal control over compliance exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, noncompliance on a timely basis. A material weakness in internal control over compliance is a deficiency, or combination of deficiencies in internal control over compliance, such that there is a reasonable possibility that material noncompliance with the compliance requirement will not be prevented, or detected and corrected, on a timely basis.

Our consideration of internal control over compliance was for the limited purpose described in the first paragraph of this section and was not designed to identify all deficiencies in internal control that might be deficiencies, significant deficiencies, or material weaknesses in internal control over compliance. We did not identify any deficiencies in internal control over compliance that we consider to be material weaknesses, as defined above.

This report is intended solely for the information and use of management, [identify the body or individuals charged with governance], others within the entity, [identify the legislative or regulatory body], and [identify the grantor agency(ies)], and is not intended to be and should not be used by anyone other than these specified parties.

Jones and Smith
June 30, 20X2
