TOP TEN Audit Issues - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

TOP TEN Audit Issues

Description:

NGMA 25th Annual Training Conference. April 28-29, 2004. John Fisher. Department of Health and Human Services ... and exit conferences-available and engaged ... – PowerPoint PPT presentation

Number of Views:73
Avg rating:3.0/5.0
Slides: 29
Provided by: Ern187
Category:
Tags: ten | top | audit | issues

less

Transcript and Presenter's Notes

Title: TOP TEN Audit Issues


1
TOP TEN Audit Issues
  • Quality Control Review Findings - Doing it Right
    the First Time
  • NGMA 25th Annual Training ConferenceApril 28-29,
    2004
  • John Fisher
  • Department of Health and Human Services
  • Daniel Murrin, Americas Director of Government
    Public Sector Services, Ernst Young LLP

2
Objectives
  • This session is intended to enable us all to
    learn from the work done by peer reviewers, and
    OIG review teams to
  • Increase awareness of the more common
    deficiencies noted in audits performed by the
    nonfederal audit community the Top Ten
  • Review a leading practice framework to prevent
    deficiencies
  • Review a framework to work together to
    continuously improve the audit process and work
    cooperatively with federal inspectors general to
    enhance the value of the audit process

3
Oversight activity provides invaluable input to
allow us to continue to enhance quality
  • QCR and Peer Reviews are ongoing
  • OIG and other governmental entity desk and
    quality control reviews are on the upswing
  • Clearinghouse edits and reviews
  • National statistical sample of A 133 reports is
    on the way

4
but the worst case scenario can be unpleasant
  • Disclosures in proposals of allegations of
    substandard work, suspensions and debarments all
    possible
  • Non-conforming audits can
    impact grant recipients
  • Referrals to AICPA and State
    Boards of Accountancy
    (roughly 100 per year)

5
First Lesson Client Acceptance and Continuance
Critical
  • Avoid one-of engagementsor at least rigorously
    network, including independent review.
  • Does the team have appropriate training and skill
    sets?
  • Regrettably, even entities with the best
    missions, if they are lacking in appropriate
    financial management, may not be acceptable
    clients
  • Eg. no good deed goes unpunished

6
Second Lesson Getthe Reporting Right
  • Best way to trigger a time consuming QCR review
    is to submit a report that is obviously deficient
  • Picked up in clearinghouse edit process
  • Desk reviews at the major agencies
  • Properly prepared schedules and data collection
    forms do matter prepared by client-punishment to
    auditor

7
Common Reporting Deficiencies
  • Type A programs not reported as being audited in
    one of the two prior yearsshould it have been?
  • Clearinghouse report edit, about 1/3 of time data
    collection form is wrong
  • Report says audited, form filled out wrong
  • Forgot to v low risk auditeelooks like shb 50
    coverage, when 25 ok
  • 2/3 time appears something is wrong with the
    report
  • Appears not audited in one of two prior years
  • Letter goes out-appears may have violated
    standards

8
Common Reporting Deficiencies
  • Type A programs not reported as being audited
    in one of the two prior yearsshould it
    have been?
  • In about half of the cases when a letter goes
    out, the Firm asserts it really audited the
    program, but didnt report that it audited the
    program
  • Prove it, show workpapers
  • Correct data collection form and report
    and
    resubmit
  • In the other half, was missed, generally excuse
    is that major programs
    were identified in planning,
    but not challenged
    when final schedule prepared
  • Yet no finding on ability of auditee to prepare
    schedule
  • Next step can be referral, depending on the
    agency, but in any case, time consuming rework

9
Reporting Lesson Get the Schedule and Data
CollectionForm Right
  • Looking at the Schedule, and the clients process
    to prepare the Schedule, is a critical success
    factor
  • Identify the programs right, and consistently,
    with the correct CFDA so that the year to year
    comparisons are done properly at the
    Clearinghouse
  • Do final evaluations for type A and
    coverage tests before submitting

10
Each Firm Can Replicate the Data Collection
Review Process
  • Go to Census website
  • Search for entities with your firm as auditor
  • Download Data Collection forms for 3 years and
    lay side-by-side
  • Do the edits to identify potential problems
  • Inquire of the teams
  • Remediate issues

11
One False Step
  • Get the clusters right, and dont create
    clusters which dont exist in the compliance
    supplement
  • Foster care doesnt go in the SFA cluster
  • Are all the research programs in the research
    cluster
  • If the programs belong together, and one is
    missed, if it is at all material to the total for
    the cluster it should have been subject to audit
  • Instances in which 10-20 or more of a cluster
    was not included in the sampling plan or reported
    as part of the cluster

12
Get the issues surfaced and reported
  • Ensure data collection form is correct regarding
    whether there are reportable conditions,
    compliance findings
  • If the data collection form says no compliance or
    internal control findings, but the reports have
    them, or significant findings in the management
    letter-
  • Government will not have distributed the reports
    to the related federal agencies
  • Very likely to trigger a QCR, with a mark against
    auditor to start with

13
Clarity and consistency is important
  • If a finding isnt clear enough to resolve it can
    trigger a request to see the working papers to
    try to figure out what we are saying
  • Double check management letter, sometimes they
    refer to material weaknesses/reportable
    conditions that didnt make it to the IC Report
    or a Compliance finding
  • At the margin we can expect to be challenged on
    why a finding is in the management letter but
    isnt a material weakness or reportable
    condition, or didnt lead to a questioned
    costsee earlier distribution rule

14
Ok, so you want to lookat the papers
  • Stay off the radar screen with compliant reports
  • Eventually, your work will be reviewed
  • Partner and executive involvement is critical in
    managing QCR process and projecting that the
    team knows what it is doing-earn the benefit of
    the doubt
  • Learn from the process

15
Manage the Process
  • Executives ensure papers are
    complete, any clarifications should be dated
    contemporaneously
  • Partners at entrance and exit conferences-availabl
    e and engaged
  • Listen-dont just hear what you want to hear
  • Consider a follow up note summarizing

16
Peer reviews and QCRs are a Fact of Life
  • When documenting your work, assume it will be
    reviewed by a third party and critically assessed
  • To some extent, while an A 133 engagement is an
    audit, the evaluation process for quality can be
    viewed as akin to review of an agreed upon
    procedures engagement-
  • Did we do everything in the compliance supplement
  • Is it documented
  • How has it been reported

17
The Top Ten From HHS QCRs
  • No good deed goes unpunished
  • It was only a typo
  • But I thought I could use my judgment to select
    programs
  • Horseshoes and auditing (Close does not win the
    cigar)
  • Oh, thats what you meant

18
The Top Ten From HHS QCRs cont.
  • The nuclear test (because it is so powerful)
  • Accounting controls versus program controls, viva
    la difference
  • Gone with the wind documentation
  • After all tomorrow is another day
  • Do not make a Federal case of an omission

19
Common deficiencies across all agencies
  • Documentation, documentation, documentation
  • Cant tell which specific items or reports were
    tested
  • Cant see how internal control over compliance
    for each compliance area was evaluated and tested
  • Cant see a conscious decision to conclude (or
    basis for conclusion) that a particular
    compliance requirement is not significant for
    purposes of further work
  • Cant tell which control being tested covers
    which compliance requirementholes in the coverage

20
Common deficiencies across all agencies
  • Documentation, documentation,
    documentation
  • Have to read too much in the a v -does it mean
    item was tested for all of
    the relevant attributes, ie. Limit on
    yearly salary for a payroll item, te
    certification?
  • Tests of transactions appear to cover some
    attributes, but not clear how reporting, special
    tests were covered
  • Rationale for sample size, sample approach
  • Disposition of errors noted
  • If found an error, why no finding?
  • If reason is that there is some other control,
    why did you test this one?
  • Was a statistical test done of the compensating
    control?

21
Common deficiencies across
all agencies
  • Documentation, documentation, documentation
  • Potential Reportable finding gets dropped at the
    11th hour, but work papers dont make the case
    for why that was appropriate
  • Lots of work, but no conclusions
  • Non tests of transactions dont make a clear case
    for how the detect control being tested covers
    the compliance attribute
  • No clear link between financial audit internal
    control work and A 133 work, yet want credit for
    the testing over there

22
Common deficiencies across all agencies
  • Expenses consistently greater than revenues, with
    negative fund balance, but no consideration in
    workpapers or report of going concern
  • Large deferred revenue balances, gross
    or net, may indicate cash management
    issues
  • Internal Service Funds with profits not
    passed back to federal share
  • Pension and other benefit/insurance funds with
    over funding accessed to balance budget, but no
    share to federal government

23
Inspectors General are well positioned for QCRs
  • Generally try to use the same people for similar
    entities and programs, build expertise in a
    program/quirks
  • Most are still using PCIE checklist, but
    informally tailored for their programs
  • Push is for more to be done, but emphasis can
    vary
  • Matching
  • Cost allocation plans
  • Diversion of funds
  • Financial capability

24
Agency Specific HHS
  • Application of risk based approach
  • Significant number of type A programs that did
    not qualify as low risk were not audited
  • Cash management
  • Controls over compliance
  • Reporting inconsistencies
  • Medicare and Medicaid grant programs-DSH, school
    nurses charged against Medicaid
  • Ryan White HIV/AIDS program
  • Cost allocation plans

25
Agency Specific Education
  • Inadequate documentation
  • Compliance requirement not tested, and not clear
    whyno documentation
  • Electronic work paper files lost
  • Proprietary schools90/10 ratio fed versus
    private methodology mistakes
  • References to work papers that do not exist or
    dont contain the referenced work
  • No or inadequate testing of internal controls
  • Errors in application of risk based approach
  • Data collection form discrepancies
  • Lack or required representations or written
    assertions
  • Incomplete engagement letters for engagements to
    report on assertions
  • Missing Education programs in the Schedule of
    Expenditures of Federal Awards-FFELP, Direct
    Loan, Pell Grants, and questions as to whether
    they were audited in the cluster if not included
    in the schedule
  • Inadequate evaluation of materiality for each
    compliance requirement
  • Audit findings that dont contain all elements of
    a finding
  • Elements of finding dont make the prime facie
    case that funds should be repaidand work papers
    dont support the case

26
Agency Specific HUD
  • Wrong guidance material-old compliance
    supplement, or HUD audit guide
  • Wrong guide-HUD audit guide used for A 133,
    should have used A 133 guidance for NPOs
  • Inadequate planning for industry, contractual
    obligations, special requirements
  • Disbursements of project funds not appropriately
    assessed for compliance with HUD
    agreements-diversion
  • Reportable conditions identified in workpapers,
    not reported
  • Insufficient documentation of understanding of
    internal control at entity and/or service
    organizations to plan audit
  • No preliminary materiality judgments
  • Submission of report before receipt of critical
    audit documentation
  • No analytical procedures documented in planning
    phase

27
Other Agencies and
Emerging issues
  • Go to the AICPA Risk Alert
  • DOT-revenue diversion at airports,
    DOL-eligibility for training programs, cash mgmt,
    sampling plans
  • Refreshers on Risk based approach, internal
    control and other requirements
  • Future focus on Independencenot clear how to
    mitigate an independence issue if the
    documentation wasnt prepared contemporaneously
    and judgment made/safeguards followed at the time

28
Seek help and leverage the
resources. Plan for the review of
the papers.Ensure the team meets the
education requirements, but more importantly, has
the skill sets and experienceat client
continuance/acceptance.
Write a Comment
User Comments (0)
About PowerShow.com