Title: TOP TEN Audit Issues
1TOP TEN Audit Issues
- Quality Control Review Findings - Doing it Right
the First Time - NGMA 25th Annual Training ConferenceApril 28-29,
2004 - John Fisher
- Department of Health and Human Services
- Daniel Murrin, Americas Director of Government
Public Sector Services, Ernst Young LLP
2Objectives
- This session is intended to enable us all to
learn from the work done by peer reviewers, and
OIG review teams to - Increase awareness of the more common
deficiencies noted in audits performed by the
nonfederal audit community the Top Ten - Review a leading practice framework to prevent
deficiencies - Review a framework to work together to
continuously improve the audit process and work
cooperatively with federal inspectors general to
enhance the value of the audit process
3Oversight activity provides invaluable input to
allow us to continue to enhance quality
- QCR and Peer Reviews are ongoing
- OIG and other governmental entity desk and
quality control reviews are on the upswing - Clearinghouse edits and reviews
- National statistical sample of A 133 reports is
on the way
4but the worst case scenario can be unpleasant
- Disclosures in proposals of allegations of
substandard work, suspensions and debarments all
possible - Non-conforming audits can
impact grant recipients - Referrals to AICPA and State
Boards of Accountancy
(roughly 100 per year)
5First Lesson Client Acceptance and Continuance
Critical
- Avoid one-of engagementsor at least rigorously
network, including independent review. - Does the team have appropriate training and skill
sets? - Regrettably, even entities with the best
missions, if they are lacking in appropriate
financial management, may not be acceptable
clients - Eg. no good deed goes unpunished
6Second Lesson Getthe Reporting Right
- Best way to trigger a time consuming QCR review
is to submit a report that is obviously deficient - Picked up in clearinghouse edit process
- Desk reviews at the major agencies
- Properly prepared schedules and data collection
forms do matter prepared by client-punishment to
auditor
7Common Reporting Deficiencies
- Type A programs not reported as being audited in
one of the two prior yearsshould it have been? - Clearinghouse report edit, about 1/3 of time data
collection form is wrong - Report says audited, form filled out wrong
- Forgot to v low risk auditeelooks like shb 50
coverage, when 25 ok - 2/3 time appears something is wrong with the
report - Appears not audited in one of two prior years
- Letter goes out-appears may have violated
standards
8Common Reporting Deficiencies
- Type A programs not reported as being audited
in one of the two prior yearsshould it
have been? - In about half of the cases when a letter goes
out, the Firm asserts it really audited the
program, but didnt report that it audited the
program - Prove it, show workpapers
- Correct data collection form and report
and
resubmit - In the other half, was missed, generally excuse
is that major programs
were identified in planning,
but not challenged
when final schedule prepared - Yet no finding on ability of auditee to prepare
schedule - Next step can be referral, depending on the
agency, but in any case, time consuming rework
9Reporting Lesson Get the Schedule and Data
CollectionForm Right
- Looking at the Schedule, and the clients process
to prepare the Schedule, is a critical success
factor - Identify the programs right, and consistently,
with the correct CFDA so that the year to year
comparisons are done properly at the
Clearinghouse - Do final evaluations for type A and
coverage tests before submitting
10Each Firm Can Replicate the Data Collection
Review Process
- Go to Census website
- Search for entities with your firm as auditor
- Download Data Collection forms for 3 years and
lay side-by-side - Do the edits to identify potential problems
- Inquire of the teams
- Remediate issues
11One False Step
- Get the clusters right, and dont create
clusters which dont exist in the compliance
supplement - Foster care doesnt go in the SFA cluster
- Are all the research programs in the research
cluster - If the programs belong together, and one is
missed, if it is at all material to the total for
the cluster it should have been subject to audit - Instances in which 10-20 or more of a cluster
was not included in the sampling plan or reported
as part of the cluster
12Get the issues surfaced and reported
- Ensure data collection form is correct regarding
whether there are reportable conditions,
compliance findings - If the data collection form says no compliance or
internal control findings, but the reports have
them, or significant findings in the management
letter- - Government will not have distributed the reports
to the related federal agencies - Very likely to trigger a QCR, with a mark against
auditor to start with
13Clarity and consistency is important
- If a finding isnt clear enough to resolve it can
trigger a request to see the working papers to
try to figure out what we are saying - Double check management letter, sometimes they
refer to material weaknesses/reportable
conditions that didnt make it to the IC Report
or a Compliance finding - At the margin we can expect to be challenged on
why a finding is in the management letter but
isnt a material weakness or reportable
condition, or didnt lead to a questioned
costsee earlier distribution rule
14Ok, so you want to lookat the papers
- Stay off the radar screen with compliant reports
- Eventually, your work will be reviewed
- Partner and executive involvement is critical in
managing QCR process and projecting that the
team knows what it is doing-earn the benefit of
the doubt - Learn from the process
15Manage the Process
- Executives ensure papers are
complete, any clarifications should be dated
contemporaneously - Partners at entrance and exit conferences-availabl
e and engaged - Listen-dont just hear what you want to hear
- Consider a follow up note summarizing
16Peer reviews and QCRs are a Fact of Life
- When documenting your work, assume it will be
reviewed by a third party and critically assessed - To some extent, while an A 133 engagement is an
audit, the evaluation process for quality can be
viewed as akin to review of an agreed upon
procedures engagement- - Did we do everything in the compliance supplement
- Is it documented
- How has it been reported
17The Top Ten From HHS QCRs
- No good deed goes unpunished
- It was only a typo
- But I thought I could use my judgment to select
programs - Horseshoes and auditing (Close does not win the
cigar) - Oh, thats what you meant
18The Top Ten From HHS QCRs cont.
- The nuclear test (because it is so powerful)
- Accounting controls versus program controls, viva
la difference - Gone with the wind documentation
- After all tomorrow is another day
- Do not make a Federal case of an omission
19Common deficiencies across all agencies
- Documentation, documentation, documentation
- Cant tell which specific items or reports were
tested - Cant see how internal control over compliance
for each compliance area was evaluated and tested - Cant see a conscious decision to conclude (or
basis for conclusion) that a particular
compliance requirement is not significant for
purposes of further work - Cant tell which control being tested covers
which compliance requirementholes in the coverage
20Common deficiencies across all agencies
- Documentation, documentation,
documentation - Have to read too much in the a v -does it mean
item was tested for all of
the relevant attributes, ie. Limit on
yearly salary for a payroll item, te
certification? - Tests of transactions appear to cover some
attributes, but not clear how reporting, special
tests were covered - Rationale for sample size, sample approach
- Disposition of errors noted
- If found an error, why no finding?
- If reason is that there is some other control,
why did you test this one? - Was a statistical test done of the compensating
control?
21Common deficiencies across
all agencies
- Documentation, documentation, documentation
- Potential Reportable finding gets dropped at the
11th hour, but work papers dont make the case
for why that was appropriate - Lots of work, but no conclusions
- Non tests of transactions dont make a clear case
for how the detect control being tested covers
the compliance attribute - No clear link between financial audit internal
control work and A 133 work, yet want credit for
the testing over there
22Common deficiencies across all agencies
- Expenses consistently greater than revenues, with
negative fund balance, but no consideration in
workpapers or report of going concern - Large deferred revenue balances, gross
or net, may indicate cash management
issues - Internal Service Funds with profits not
passed back to federal share - Pension and other benefit/insurance funds with
over funding accessed to balance budget, but no
share to federal government
23Inspectors General are well positioned for QCRs
- Generally try to use the same people for similar
entities and programs, build expertise in a
program/quirks - Most are still using PCIE checklist, but
informally tailored for their programs - Push is for more to be done, but emphasis can
vary - Matching
- Cost allocation plans
- Diversion of funds
- Financial capability
24Agency Specific HHS
- Application of risk based approach
- Significant number of type A programs that did
not qualify as low risk were not audited - Cash management
- Controls over compliance
- Reporting inconsistencies
- Medicare and Medicaid grant programs-DSH, school
nurses charged against Medicaid - Ryan White HIV/AIDS program
- Cost allocation plans
25Agency Specific Education
- Inadequate documentation
- Compliance requirement not tested, and not clear
whyno documentation - Electronic work paper files lost
- Proprietary schools90/10 ratio fed versus
private methodology mistakes - References to work papers that do not exist or
dont contain the referenced work - No or inadequate testing of internal controls
- Errors in application of risk based approach
- Data collection form discrepancies
- Lack or required representations or written
assertions
- Incomplete engagement letters for engagements to
report on assertions - Missing Education programs in the Schedule of
Expenditures of Federal Awards-FFELP, Direct
Loan, Pell Grants, and questions as to whether
they were audited in the cluster if not included
in the schedule - Inadequate evaluation of materiality for each
compliance requirement - Audit findings that dont contain all elements of
a finding - Elements of finding dont make the prime facie
case that funds should be repaidand work papers
dont support the case
26Agency Specific HUD
- Wrong guidance material-old compliance
supplement, or HUD audit guide - Wrong guide-HUD audit guide used for A 133,
should have used A 133 guidance for NPOs - Inadequate planning for industry, contractual
obligations, special requirements - Disbursements of project funds not appropriately
assessed for compliance with HUD
agreements-diversion
- Reportable conditions identified in workpapers,
not reported - Insufficient documentation of understanding of
internal control at entity and/or service
organizations to plan audit - No preliminary materiality judgments
- Submission of report before receipt of critical
audit documentation - No analytical procedures documented in planning
phase
27Other Agencies and
Emerging issues
- Go to the AICPA Risk Alert
- DOT-revenue diversion at airports,
DOL-eligibility for training programs, cash mgmt,
sampling plans - Refreshers on Risk based approach, internal
control and other requirements - Future focus on Independencenot clear how to
mitigate an independence issue if the
documentation wasnt prepared contemporaneously
and judgment made/safeguards followed at the time
28Seek help and leverage the
resources. Plan for the review of
the papers.Ensure the team meets the
education requirements, but more importantly, has
the skill sets and experienceat client
continuance/acceptance.