TOP TEN Audit Issues

1
TOP TEN Audit Issues

• Quality Control Review Findings - Doing it Right
  the First Time
• NGMA 25th Annual Training ConferenceApril 28-29,
  2004
• John Fisher
• Department of Health and Human Services
• Daniel Murrin, Americas Director of Government
  Public Sector Services, Ernst Young LLP

2
Objectives

• This session is intended to enable us all to
  learn from the work done by peer reviewers, and
  OIG review teams to
• Increase awareness of the more common
  deficiencies noted in audits performed by the
  nonfederal audit community the Top Ten
• Review a leading practice framework to prevent
  deficiencies
• Review a framework to work together to
  continuously improve the audit process and work
  cooperatively with federal inspectors general to
  enhance the value of the audit process

3
Oversight activity provides invaluable input to
allow us to continue to enhance quality

• QCR and Peer Reviews are ongoing
• OIG and other governmental entity desk and
  quality control reviews are on the upswing
• Clearinghouse edits and reviews
• National statistical sample of A 133 reports is
  on the way

4
but the worst case scenario can be unpleasant

• Disclosures in proposals of allegations of
  substandard work, suspensions and debarments all
  possible
• Non-conforming audits can
  impact grant recipients
• Referrals to AICPA and State
  Boards of Accountancy
  (roughly 100 per year)

5
First Lesson Client Acceptance and Continuance
Critical

• Avoid one-of engagementsor at least rigorously
  network, including independent review.
• Does the team have appropriate training and skill
  sets?
• Regrettably, even entities with the best
  missions, if they are lacking in appropriate
  financial management, may not be acceptable
  clients
• Eg. no good deed goes unpunished

6
Second Lesson Getthe Reporting Right

• Best way to trigger a time consuming QCR review
  is to submit a report that is obviously deficient
• Picked up in clearinghouse edit process
• Desk reviews at the major agencies
• Properly prepared schedules and data collection
  forms do matter prepared by client-punishment to
  auditor

7
Common Reporting Deficiencies

• Type A programs not reported as being audited in
  one of the two prior yearsshould it have been?
• Clearinghouse report edit, about 1/3 of time data
  collection form is wrong
• Report says audited, form filled out wrong
• Forgot to v low risk auditeelooks like shb 50
  coverage, when 25 ok
• 2/3 time appears something is wrong with the
  report
• Appears not audited in one of two prior years
• Letter goes out-appears may have violated
  standards

8
Common Reporting Deficiencies

• Type A programs not reported as being audited
  in one of the two prior yearsshould it
  have been?
• In about half of the cases when a letter goes
  out, the Firm asserts it really audited the
  program, but didnt report that it audited the
  program
• Prove it, show workpapers
• Correct data collection form and report
  and
  resubmit
• In the other half, was missed, generally excuse
  is that major programs
  were identified in planning,
  but not challenged
  when final schedule prepared
• Yet no finding on ability of auditee to prepare
  schedule
• Next step can be referral, depending on the
  agency, but in any case, time consuming rework

9
Reporting Lesson Get the Schedule and Data
CollectionForm Right

• Looking at the Schedule, and the clients process
  to prepare the Schedule, is a critical success
  factor
• Identify the programs right, and consistently,
  with the correct CFDA so that the year to year
  comparisons are done properly at the
  Clearinghouse
• Do final evaluations for type A and
  coverage tests before submitting

10
Each Firm Can Replicate the Data Collection
Review Process

• Go to Census website
• Search for entities with your firm as auditor
• Download Data Collection forms for 3 years and
  lay side-by-side
• Do the edits to identify potential problems
• Inquire of the teams
• Remediate issues

11
One False Step

• Get the clusters right, and dont create
  clusters which dont exist in the compliance
  supplement
• Foster care doesnt go in the SFA cluster
• Are all the research programs in the research
  cluster
• If the programs belong together, and one is
  missed, if it is at all material to the total for
  the cluster it should have been subject to audit
• Instances in which 10-20 or more of a cluster
  was not included in the sampling plan or reported
  as part of the cluster

12
Get the issues surfaced and reported

• Ensure data collection form is correct regarding
  whether there are reportable conditions,
  compliance findings
• If the data collection form says no compliance or
  internal control findings, but the reports have
  them, or significant findings in the management
  letter-
• Government will not have distributed the reports
  to the related federal agencies
• Very likely to trigger a QCR, with a mark against
  auditor to start with

13
Clarity and consistency is important

• If a finding isnt clear enough to resolve it can
  trigger a request to see the working papers to
  try to figure out what we are saying
• Double check management letter, sometimes they
  refer to material weaknesses/reportable
  conditions that didnt make it to the IC Report
  or a Compliance finding
• At the margin we can expect to be challenged on
  why a finding is in the management letter but
  isnt a material weakness or reportable
  condition, or didnt lead to a questioned
  costsee earlier distribution rule

14
Ok, so you want to lookat the papers

• Stay off the radar screen with compliant reports
• Eventually, your work will be reviewed
• Partner and executive involvement is critical in
  managing QCR process and projecting that the
  team knows what it is doing-earn the benefit of
  the doubt
• Learn from the process

15
Manage the Process

• Executives ensure papers are
  complete, any clarifications should be dated
  contemporaneously
• Partners at entrance and exit conferences-availabl
  e and engaged
• Listen-dont just hear what you want to hear
• Consider a follow up note summarizing

16
Peer reviews and QCRs are a Fact of Life

• When documenting your work, assume it will be
  reviewed by a third party and critically assessed
• To some extent, while an A 133 engagement is an
  audit, the evaluation process for quality can be
  viewed as akin to review of an agreed upon
  procedures engagement-
• Did we do everything in the compliance supplement
• Is it documented
• How has it been reported

17
The Top Ten From HHS QCRs

• No good deed goes unpunished
• It was only a typo
• But I thought I could use my judgment to select
  programs
• Horseshoes and auditing (Close does not win the
  cigar)
• Oh, thats what you meant

18
The Top Ten From HHS QCRs cont.

• The nuclear test (because it is so powerful)
• Accounting controls versus program controls, viva
  la difference
• Gone with the wind documentation
• After all tomorrow is another day
• Do not make a Federal case of an omission

19
Common deficiencies across all agencies

• Documentation, documentation, documentation
• Cant tell which specific items or reports were
  tested
• Cant see how internal control over compliance
  for each compliance area was evaluated and tested
• Cant see a conscious decision to conclude (or
  basis for conclusion) that a particular
  compliance requirement is not significant for
  purposes of further work
• Cant tell which control being tested covers
  which compliance requirementholes in the coverage

20
Common deficiencies across all agencies

• Documentation, documentation,
  documentation
• Have to read too much in the a v -does it mean
  item was tested for all of
  the relevant attributes, ie. Limit on
  yearly salary for a payroll item, te
  certification?
• Tests of transactions appear to cover some
  attributes, but not clear how reporting, special
  tests were covered
• Rationale for sample size, sample approach
• Disposition of errors noted
• If found an error, why no finding?
• If reason is that there is some other control,
  why did you test this one?
• Was a statistical test done of the compensating
  control?

21
Common deficiencies across
all agencies

• Documentation, documentation, documentation
• Potential Reportable finding gets dropped at the
  11th hour, but work papers dont make the case
  for why that was appropriate
• Lots of work, but no conclusions
• Non tests of transactions dont make a clear case
  for how the detect control being tested covers
  the compliance attribute
• No clear link between financial audit internal
  control work and A 133 work, yet want credit for
  the testing over there

22
Common deficiencies across all agencies

• Expenses consistently greater than revenues, with
  negative fund balance, but no consideration in
  workpapers or report of going concern
• Large deferred revenue balances, gross
  or net, may indicate cash management
  issues
• Internal Service Funds with profits not
  passed back to federal share
• Pension and other benefit/insurance funds with
  over funding accessed to balance budget, but no
  share to federal government

23
Inspectors General are well positioned for QCRs

• Generally try to use the same people for similar
  entities and programs, build expertise in a
  program/quirks
• Most are still using PCIE checklist, but
  informally tailored for their programs
• Push is for more to be done, but emphasis can
  vary
• Matching
• Cost allocation plans
• Diversion of funds
• Financial capability

24
Agency Specific HHS

• Application of risk based approach
• Significant number of type A programs that did
  not qualify as low risk were not audited
• Cash management
• Controls over compliance
• Reporting inconsistencies

• Medicare and Medicaid grant programs-DSH, school
  nurses charged against Medicaid
• Ryan White HIV/AIDS program
• Cost allocation plans

25
Agency Specific Education

• Inadequate documentation
• Compliance requirement not tested, and not clear
  whyno documentation
• Electronic work paper files lost
• Proprietary schools90/10 ratio fed versus
  private methodology mistakes
• References to work papers that do not exist or
  dont contain the referenced work
• No or inadequate testing of internal controls
• Errors in application of risk based approach
• Data collection form discrepancies
• Lack or required representations or written
  assertions

• Incomplete engagement letters for engagements to
  report on assertions
• Missing Education programs in the Schedule of
  Expenditures of Federal Awards-FFELP, Direct
  Loan, Pell Grants, and questions as to whether
  they were audited in the cluster if not included
  in the schedule
• Inadequate evaluation of materiality for each
  compliance requirement
• Audit findings that dont contain all elements of
  a finding
• Elements of finding dont make the prime facie
  case that funds should be repaidand work papers
  dont support the case

26
Agency Specific HUD

• Wrong guidance material-old compliance
  supplement, or HUD audit guide
• Wrong guide-HUD audit guide used for A 133,
  should have used A 133 guidance for NPOs
• Inadequate planning for industry, contractual
  obligations, special requirements
• Disbursements of project funds not appropriately
  assessed for compliance with HUD
  agreements-diversion

• Reportable conditions identified in workpapers,
  not reported
• Insufficient documentation of understanding of
  internal control at entity and/or service
  organizations to plan audit
• No preliminary materiality judgments
• Submission of report before receipt of critical
  audit documentation
• No analytical procedures documented in planning
  phase

27
Other Agencies and
Emerging issues

• Go to the AICPA Risk Alert
• DOT-revenue diversion at airports,
  DOL-eligibility for training programs, cash mgmt,
  sampling plans
• Refreshers on Risk based approach, internal
  control and other requirements
• Future focus on Independencenot clear how to
  mitigate an independence issue if the
  documentation wasnt prepared contemporaneously
  and judgment made/safeguards followed at the time

28
Seek help and leverage the
resources. Plan for the review of
the papers.Ensure the team meets the
education requirements, but more importantly, has
the skill sets and experienceat client
continuance/acceptance.