Single Audit Quality: Actions Needed to Address Persistent Audit 
Quality Problems (25-OCT-07, GAO-08-213T).			 
                                                                 
Federal government grants to state and local governments have	 
risen substantially, from $7 billion in 1960 to almost $450	 
billion budgeted in 2007. The single audit is an important	 
mechanism of accountability for the use of federal grants by	 
nonprofit organizations as well as state and local governments.  
However, the quality of single audits conducted under the Single 
Audit Act, as amended, has been a longstanding area of concern	 
since the passage of the act in 1984. The President's Council on 
Integrity and Efficiency (PCIE) recently issued its Report on	 
National Single Audit Sampling Project, which raises concerns	 
about the quality of single audits and makes recommendations	 
aimed at improving the effectiveness and efficiency of those	 
audits. This testimony provides (1) GAO's perspective on the	 
history and importance of the Single Audit Act and the principles
behind the act, (2) a preliminary analysis of the recommendations
made by the PCIE for improving audit quality, and (3) additional 
considerations for improving the quality of single audits.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-213T					        
    ACCNO:   A77689						        
  TITLE:     Single Audit Quality: Actions Needed to Address	      
Persistent Audit Quality Problems				 
     DATE:   10/25/2007 
  SUBJECT:   Accountability					 
	     Audit oversight					 
	     Audit reports					 
	     Auditing procedures				 
	     Auditing standards 				 
	     Federal grants					 
	     Financial management				 
	     Reporting requirements				 
	     Standards						 
	     Financial statement audits 			 
	     Internal controls					 
	     Fund audits					 
	     Federal funds					 
	     National Single Audit Sampling Project		 


                 United States Government Accountability Office

Testimony

GAO

Before the Senate Subcommittee on Federal Financial Management, Government
Information, Federal Services, and International Security, Committee on Homeland
Security and Governmental Affairs, U.S. Senate

SINGLE AUDIT QUALITY

Actions Needed to Address Persistent Audit Quality Problems

For Release on Delivery
Expected at 2:30 p.m. EDT
Thursday, October 25, 2007

Statement of Jeanette M. Franzel, Director,
Financial Management and Assurance

    What GAO Found

In the early 1980s, Congress had concerns about a lack of adequate
oversight and accountability for federal assistance provided to state and
local governments. In response to concerns that large amounts of federal
financial assistance were not subject to audit and that agencies sometimes
overlapped on oversight activities, Congress passed the Single Audit Act
of 1984. The act adopted the single audit concept to help meet the needs
of federal agencies for grantee oversight as well as grantees' needs for
single, uniformly structured audits. GAO supported the passage of the
Single Audit Act, and continues to support the single audit concept and
principles behind the act as a key accountability mechanism for federal
grant awards. However, the quality of single audits has been a
longstanding area of concern since the passage of the act in 1984.

In its June 2007 Report on National Single Audit Sampling Project, the
PCIE found that, overall, approximately 49 percent of single audits fell
into the acceptable group, with the remaining 51 percent having
deficiencies severe enough to classify the audits as limited in
reliability or unacceptable. PCIE found a significant difference in
results by audit size. Specifically, 63.5 percent of the large audits
(with $50 million or more in federal award expenditures) were deemed
acceptable compared with only 48.2 percent of the smaller audits (with at
least $500,000 but less than $50 million in federal award expenditures).
The PCIE report presents compelling evidence that a serious problem with
single audit quality continues to exist. GAO is concerned that audits are
not being conducted in accordance with professional standards and
requirements. These audits may provide a false sense of assurance and
could mislead users of the single audit reports.

The PCIE report recommended a three-pronged approach to reduce the types
of deficiencies found and to improve the quality of single audits: (1)
revise and improve single audit standards, criteria, and guidance; (2)
establish minimum continuing professional education (CPE) as a
prerequisite for auditors to be eligible to conduct and continue to
perform single audits; and (3) review and enhance the disciplinary
processes to address unacceptable audits and failures to meet training
and CPE requirements.

In this testimony, GAO supports PCIE's recommendations and points out
issues that need to be resolved regarding the proposed training and other
factors that merit consideration when determining actions to improve audit
quality. GAO believes that there may be opportunities for considering size
when implementing future actions to improve the effectiveness and quality
of single audits. In addition, a separate effort considering the overall
framework for single audits could answer such questions as whether
simplified alternatives can achieve cost-effective accountability in the
smallest audits; whether current federal oversight processes for single
audits are adequate; and what role the auditing profession can play in
increasing single audit quality.

Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss GAO's analysis of the results of
the Report on National Single Audit Sampling Project ^1 recently
issued by the President's Council on Integrity and Efficiency (PCIE) under
the direction of the Office of Management and Budget (OMB). First, I would
like to commend the PCIE for conducting this comprehensive and important
study dealing with the quality of single audits. The single audit is a key
accountability mechanism over the use of federal grants and other awards.
In fiscal year 2007, $449 billion in federal grants was budgeted to state
and local governments. The PCIE report raises significant concerns about
the quality of single audits, and makes recommendations aimed at improving
the effectiveness and efficiency of those audits.

Today, I will provide (1) GAO's perspective on the history and importance
of the Single Audit Act and the principles behind the act, (2) our
preliminary analysis of the recommendations made by the PCIE for improving
audit quality, and (3) additional factors for consideration for improving
the quality of single audits. My statement today is based on our
continuing work as the standards setter for generally accepted government
auditing standards (GAGAS) and our related work in the area of single
audits, including ongoing interaction with key stakeholders in the single
audit process and members of the auditing profession providing single
audit services to recipients of federal awards. In addition, this
statement is based on our analysis of the PCIE report, and our discussions
with the PCIE project team, the American Institute of Certified Public
Accountants (AICPA), and OMB.

^1President's Council on Integrity and Efficiency (PCIE)/Executive Council
on Integrity and Efficiency (ECIE), Report on National Single Audit
Sampling Project (June 2007). The project was conducted under the auspices
of the Audit Committee of the PCIE, as a collaborative effort involving
PCIE member organizations, as well as a member of the ECIE and three State
Auditors. The project was performed to determine the quality of single
audits using statistical methods and to make recommendations to address
noted audit quality issues.

Evolution of the Single Audit Act and Its Underlying Principles

In the early 1980s, Congress had concerns about a lack of adequate
oversight and accountability for federal assistance ^2 provided to state
and local governments. Before passage of the Single Audit Act in 1984 (the
act), the federal government relied on audits of individual grants to help
gain assurance that state and local governments were properly spending
federal assistance. Those audits focused on whether the transactions of
specific grants complied with program requirements. The audits usually
did not address financial controls and were, therefore, unlikely to find
systemic problems with an entity's fund management. Further, individual
grant audits were conducted on a haphazard schedule, which resulted in
large portions of federal funds being unaudited each year. In addition,
the auditors conducting the individual grant audits did not coordinate
their work with the auditors of other programs. As a result, some entities
were subject to numerous grant audits each year, while others were not
audited for long periods.

In response to concerns that large amounts of federal financial assistance
were not subject to audit and that agencies sometimes overlapped on
oversight activities, Congress passed the Single Audit Act of 1984. ^3
The act stipulated that state and local governments that received at least
$100,000 in federal financial assistance in a fiscal year have a single
audit conducted for that year. The concept of a single audit was created
to replace multiple grant audits with one audit of an entity as a whole.
State and local governments which received between $25,000 and $100,000 in
federal financial assistance had the option of complying with audit
requirements of the act or the audit requirements of the federal
program(s) that provided the assistance. The objectives of the Single
Audit Act, as amended, are to

     o promote sound financial management, including effective internal
       control, with respect to federal awards administered by nonfederal
       entities;
     o establish uniform requirements for audits of federal awards
       administered by nonfederal entities;
     o promote the efficient and effective use of audit resources;
     o reduce burdens on state and local governments, Indian tribes, and
       nonprofit organizations; and
     o ensure that federal departments and agencies, to the maximum extent
       practicable, rely upon and use audit work done pursuant to the act.

^2Federal assistance, also known as federal awards, includes grants, loans,
loan guarantees, property, cooperative agreements, interest subsidies,
insurance, food commodities, direct appropriations, and federal cost
reimbursement contracts.

^3Pub. L. No. 98-502, 98 Stat. 2327 (Oct. 19, 1984) (codified, as amended,
at 31 U.S.C. §§ 7501-7507).

The Single Audit Act adopted the single audit concept to help meet the
needs of federal agencies for grantee oversight as well as grantees' needs
for single, uniformly structured audits. Rather than being a detailed
review of individual grants or programs, the single audit is an
organizationwide financial statement audit that includes the audit of the
Schedule of Expenditures of Federal Awards (SEFA) ^4 and also focuses
on internal control and the recipient's compliance with laws and
regulations governing the federal financial assistance received. The act
also required that grantees address material noncompliance and internal
control weaknesses in a corrective action plan, which is to be submitted
to appropriate federal officials. The act further required that single
audits be performed in accordance with GAGAS issued by GAO. These
standards provide a framework for conducting high-quality financial audits
^5 with competence, integrity, objectivity, and independence.

The Single Audit Act Amendments of 1996 ^6 refined the Single Audit
Act of 1984 and established uniform requirements for all federal grant
recipients. The refinements cover a range of fundamental areas affecting
the single audit process and single audit reporting, including provisions
to

     o extend the law to cover all recipients of federal financial
       assistance, including, in particular, nonprofit organizations,
       hospitals, and universities;
     o ensure a more cost-beneficial threshold for requiring single audits;
     o more broadly focus audit work on the programs that present the
       greatest financial risk to the federal government;
     o provide for timely reporting of audit results;
     o provide for summary reporting of audit results;
     o promote better analyses of audit results through establishment of a
       federal clearinghouse and an automated database; and
     o authorize pilot projects to further streamline the audit process and
       make it more useful.

^4Grant recipients must prepare a SEFA for the period covered by their
audited financial statements, which identifies all federal awards received
and expended, and the federal programs under which they were received.
Federal program and award identification shall include, as applicable, the
Catalog of Federal Domestic Assistance (CFDA) title and number (assigned
to a federal program), award number and year, name of the federal agency,
and name of the pass-through entity.

^5GAGAS also provide standards for attestation engagements and performance
audits.

^6Pub. L. No. 104-156, 110 Stat. 1396 (July 5, 1996).

The 1996 amendments required the Director of OMB to designate a Federal
Audit Clearinghouse (FAC) as the single audit repository, ^7 required
the recipient entity to submit financial reports and related audit reports
to the clearinghouse no later than 9 months after the recipient's
year-end, and increased the audit threshold to $300,000. The criteria for
determining which entities are required to have a single audit are based
on the total amount of federal awards ^8 expended by the entity. The
initial dollar thresholds were designed to provide adequate audit coverage
of federal funds without placing an undue administrative burden on
entities receiving smaller amounts of federal assistance. When the act was
passed, the dollar threshold criteria for the audit requirement were
targeted toward achieving audit coverage for 95 percent of direct federal
assistance to local governments. As part of OMB's biennial threshold
review required by the 1996 amendments, OMB increased the dollar threshold
for requirement of a single audit to $500,000 in 2003 for fiscal years
ending after December 31, 2003.

Federal oversight responsibility for implementation of the Single Audit
Act is currently shared among various entities--OMB, federal agencies, and
their respective Offices of Inspector General (OIG). The Single Audit Act
assigned OMB the responsibility of prescribing policies, procedures, and
guidelines to implement the uniform audit requirements and required each
federal agency to amend its regulations to conform to the requirements of
the act and OMB's policies, procedures, and guidelines. OMB issued
Circular No. A-133, Audits of States, Local Governments, and Non-Profit
Organizations, which sets implementing guidelines for the audit
requirements and defines roles and responsibilities related to the
implementation of the Single Audit Act. ^9 The federal agency that
awards a grant to a recipient is responsible for ensuring recipient
compliance with federal laws, regulations, and the provisions of the grant
agreements. The awarding agency is also responsible for overseeing whether
the single audits are completed in a timely manner in accordance with OMB
Circular No. A-133 and for providing annual updates of the Compliance
Supplement ^10 to OMB. Some federal agencies rely on the OIG to perform
quality control reviews (QCR) to assess whether single audit work
performed complies with OMB Circular No. A-133 and auditing standards.

^7The Federal Audit Clearinghouse Single Audit Database is maintained by the
Bureau of Census in the Department of Commerce. It contains summary
information on the auditor, the recipient and its federal programs, and
the audit results.

^8The 1996 amendments changed the phrase "federal financial assistance" to
"federal awards."

^9See 68 Fed. Reg. 38401 (June 27, 2003).

The grant recipient (auditee) is responsible for ensuring that a single
audit is performed and submitted when due, and for following up and taking
corrective action on any audit findings. The auditor of the grant
recipient is required to perform the audit in accordance with GAGAS. A
single audit consists of (1) an audit and opinions on the fair
presentation of the financial statements and the SEFA; (2) gaining an
understanding of internal control over federal programs and testing
internal control over major programs; and (3) an audit and an opinion on
compliance with legal, regulatory, and contractual requirements for major
programs. The audit also includes the auditor's schedule of findings and
questioned costs, and the auditee's corrective action plans and a summary
of prior audit findings that includes planned and completed corrective
actions. Under GAGAS, auditors are required to report on significant
deficiencies in internal control and on compliance associated with the
audit of the financial statements.

Recipients expending more than $50 million in federal funding ($25 million
prior to December 31, 2003) are required to have a cognizant federal
agency for audit in accordance with OMB Circular No. A-133. The cognizant
agency for audit is the federal awarding agency that provides the
predominant amount of direct funding to a recipient unless OMB otherwise
makes a specific cognizant agency assignment. The cognizant agency for
audit provides technical audit advice, considers requests for extensions
to the submission due date for the recipient's reports, obtains or
conducts QCRs, coordinates management decisions for audit findings, and
conducts other activities required by OMB Circular No. A-133. According to
OMB officials, the FAC single audit database generates a listing of those
agencies that should be designated cognizant agencies for audit based on
information on recipients expending more than $50 million.

^10The Compliance Supplement is based on the requirements of the 1996
Amendments and 1997 revisions to OMB Circular No. A-133, which provide for
the issuance of a compliance supplement to assist auditors in performing
the required audits. It provides a source of information for auditors to
understand the federal program's objectives, procedures, and compliance
requirements relevant to the audit as well as audit objectives and
suggested audit procedures for determining compliance with these
requirements.

The officials also stated that OMB is responsible for notifying both the
recipient and cognizant agency for audit of the assignment. Federal award
recipients that do not have a cognizant agency for audit are assigned an
oversight agency for audit, which provides technical advice and may assume
some or all of the responsibilities normally performed by a cognizant
agency for audit.

Federal grant awards to state and local governments have increased
significantly since the Single Audit Act was passed in 1984. Because
single audits represent the federal government's primary accountability
tool over billions of dollars each year in federal funds provided to state
and local governments and nonprofit organizations, it is important that
these audits are carried out efficiently and effectively. As shown in
figure 1, the federal government's use of grants to state and local
governments has risen substantially, from $7 billion in 1960 to almost
$450 billion budgeted in 2007.

Figure 1: Increase in Federal Grant Awards to State and Local Governments
between 1960 and 2007

Notes: Data from the Budget for Fiscal Year 2008, Historical Tables. The
above figures do not include grants made directly by federal agencies to
nongovernmental organizations.

^aThe Single Audit Act was enacted in 1984.

GAO supported the passage of the Single Audit Act, and we continue to
support the single audit concept and principles behind the act as a key
accountability mechanism over federal grant awards. However, the quality
of single audits conducted under this legislation has been a longstanding
area of concern since the passage of the Single Audit Act in 1984. During
the 1980s, GAO issued reports ^11 that identified concerns with single
audit quality, including issues with insufficient evidence related to
audit planning, internal control and compliance testing, and the auditors'
adherence to GAGAS. The federal Inspectors General have also found
similar problems with single audit quality. The deficiencies we cited
during the 1980s were similar in nature to those identified in the recent
PCIE report.

Results of PCIE Report Identify Serious Single Audit Quality Issues

In June 2002, GAO and OMB testified at a House of Representatives hearing
about the importance of single audits and their quality. ^12 In its
testimony, ^13 OMB identified reviews of single audit quality
performed by several federal agencies that disclosed deficiencies.
However, OMB emphasized that an accurate statistically based measure of
audit quality was needed, and should include both a baseline of the
current status and the means to monitor quality in the future. We also
recognized in our testimony the need for a solution or approach to
evaluate the overall quality of single audits.

To gain a better understanding of the extent of single audit quality
deficiencies, OMB and several federal OIGs decided to work together to
develop a statistically based measure of audit quality, known as the
National Single Audit Sampling Project. The work was conducted by a
committee of representatives from the PCIE, the Executive Council on
Integrity and Efficiency (ECIE), and three State Auditors, with the work
effort coordinated by the U.S. Department of Education OIG. The Project
had two primary objectives:

     o to determine the quality of single audits by performing QCRs of a
       statistical sample of single audits, and
     o to make recommendations to address any audit quality issues noted.

The project conducted QCRs of a statistical sample of 208 audits randomly
selected from a universe of over 38,000 audits submitted and accepted for
the period April 1, 2003, through March 31, 2004. The sample was split
into two strata:

     o Stratum 1: entities with $50 million or more in federal award
       expenditures, and
     o Stratum 2: entities with less than $50 million in federal award
       expenditures (with at least $500,000).

^11GAO, CPA Audit Quality: Inspectors General Find Significant Problems,
GAO/AFMD-86-20 (Dec. 5, 1985); CPA Audit Quality: Many Governmental Audits
Do Not Comply With Professional Standards, GAO/AFMD-86-33 (March 19,1986);
Single Audit Act: Single Audit Quality Has Improved but Some
Implementation Problems Remain, GAO/AFMD-89-72 (July 27,1989).

^12GAO, Single Audit: Single Audit Act Effectiveness Issues, GAO-02-877T
(June 26, 2002).

^13Office of Management and Budget, Statement of the Honorable Mark W.
Everson, Controller, Office of Federal Financial Management, Office of
Management and Budget before the House Subcommittee on Government
Efficiency, Financial Management, and Intergovernmental Relations (June
26, 2002).

The above split in the sample strata corresponds with the current
threshold for designating a cognizant agency, which is for entities that
expend more than $50 million in a year in federal awards. Table 1 shows
the universe and strata used in the analysis and the reviews completed in
the National Single Audit Sampling Project.

Table 1: Sample Universe for National Single Audit Sampling Project

               Sample size   Universe   Total federal awards for audits
                                        in universe (dollars in billions)

Stratum 1^a             96        852

Stratum 2^b            112     37,671

Total                  208     38,523

Source: President's Council on Integrity and Efficiency and Executive
Council on Integrity and Efficiency.

Notes: Data from Report on National Single Audit Sampling Project (June
21, 2007). The $880.2 billion differs from the federal grant funding for
the audit period covered in the PCIE report due to the double counting
associated with pass-through entities that provide federal awards to a
subrecipient to carry out a federal program.

^aEntities with >=$50 million in federal award expenditures.

^bEntities with <$50 million in federal award expenditures (with at least
$500,000).

The project covered portions of the single audit relating to the planning,
conducting, and reporting of audit work related to (1) the review and
testing of internal control and (2) compliance testing pertaining to
compliance requirements for selected major federal programs. The scope of
the project included review of audit work related to the SEFA and the
content of all of the auditors' reports on the federal programs. The
project did not review the audit work and reporting related to the general
purpose financial statements.

The PCIE project team categorized the audits based on the results of the
QCRs into the following three groups:

     o Acceptable--No deficiencies were noted or one or two insignificant
       deficiencies were noted. This group also includes the subgroup,
       Accepted with Deficiencies, which is defined as one or more
       deficiencies with applicable auditing criteria noted that do not
       require corrective action for the engagement, but should be corrected
       on future engagements. Audits categorized into this subgroup have
       limited effect on reported results and do not call into question the
       auditor's report. Examples of deficiencies that fall into this
       subgroup are (1) not including all required information in the audit
       findings; (2) not documenting the auditor's understanding of internal
       control, but testing was documented for most applicable compliance
       requirements; and (3) not documenting internal control or compliance
       testing for a few applicable compliance requirements.

     o Limited Reliability--Contains significant deficiencies related to
       applicable auditing criteria and requires corrective action to
       afford reliance upon the audit. Deficiencies for audits categorized
       into this group have a substantial effect on some of the reported
       results and raise questions about whether the auditors' reports are
       correct. Examples of deficiencies that fall into this category are
       (1) documentation did not contain adequate evidence of the auditors'
       understanding of internal control or testing of internal control for
       many or all compliance requirements; however, there was evidence
       that most compliance testing was performed; (2) lack of evidence
       that work related to the SEFA was adequately performed; and (3) lack
       of evidence that audit programs were used for auditing internal
       control, compliance, and/or the SEFA.

     o Unacceptable--Substandard audits with deficiencies so serious that the
       auditors' opinion on at least one major program cannot be relied upon.
       Examples of deficiencies that fall into this group are (1) no evidence
       of internal control testing and compliance testing for all or most
       compliance requirements for one or more major programs, (2) unreported
       audit findings, and (3) at least one incorrectly identified major
       program.

As shown in table 2, the PCIE study estimated that, overall, approximately
49 percent of the universe of single audits fell into the acceptable
group. This percentage also includes "accepted with deficiencies." The
remaining 51 percent had deficiencies that were severe enough to cause the
audits to be classified as having limited reliability or being
unacceptable. Specifically, for the 208 audits drawn from the universe,
the statistical sample showed the following about the single audits
reviewed in the PCIE study: ^14

     o 115 were acceptable and thus could be relied upon. This includes the
       category of "accepted with deficiencies." Based on this result, the
       PCIE study estimated that 48.6 percent of the entire universe of
       single audits were acceptable.
     o 30 had significant deficiencies and thus were of limited reliability.
       Based on this result, the PCIE study estimated that 16.0 percent of
       the entire universe of single audits was of limited reliability.
     o 63 were unacceptable and could not be relied upon. ^15 Based on
       this result, the PCIE study estimated that 35.5 percent of the entire
       universe of single audits was unacceptable.

Table 2: Audit Quality by Groupings with Statistical Estimates of Audit
Quality Based on Numbers of Audits

               Acceptable   Limited       Unacceptable   In sample   In universe
                            reliability

Stratum 1^a            61            12             23          96           852
                    63.5%         12.5%          24.0%

Stratum 2^b            54            18             40         112        37,671
                    48.2%         16.1%          35.7%

Total                 115            30             63         208        38,523
                    48.6%         16.0%          35.5%

Source: President's Council on Integrity and Efficiency and Executive
Council on Integrity and Efficiency.

Notes: Data from Report on National Single Audit Sampling Project (June
21, 2007).

^aEntities with >=$50 million in federal award expenditures.

^bEntities with <$50 million in federal award expenditures (with at least
$500,000).

It is important to note the significant difference in results in the two
strata. Specifically, 63.5 percent of the audits of entities in stratum 1
(those expending $50 million or more in federal awards) were deemed
acceptable, while 48.2 percent of audits in stratum 2 (those expending at
least $500,000 but less than $50 million) were deemed acceptable.

^14The percentages indicated as estimates in this paragraph are point
estimates of the quality of single audits based on the stratified sample
results for the universe of all 38,523 single audits from which the
stratified sample was drawn. At the 90 percent confidence level, the
margins of error range between ±5.3 and ±7.8 percentage points. Also,
due to rounding, these percentages do not add to exactly 100 percent.

^15Of these 63 audits, 9 had material reporting errors that resulted in the
audits being considered unacceptable. The remaining 54 of the 63
unacceptable audits were substandard.

Because of these differences, it is also important to analyze the results
in terms of federal dollars. For the 208 audits drawn from the entire
universe, the statistical sample showed the following about the single
audits reviewed in the PCIE study:

     o The 115 acceptable audits represented 92.9 percent of the value of
       federal award amounts reported in all 208 audits the PCIE study
       reviewed.
     o The 30 audits of limited reliability represented 2.3 percent of the
       value of federal award amounts reported in all 208 audits the PCIE
       study reviewed.
     o The 63 unacceptable audits represented 4.8 percent of the value of
       federal award amounts reported in all 208 audits the PCIE study
       reviewed.

The dollar distributions for the 208 audits reviewed in the study are
shown in table 3.

Table 3: Results--Distribution of Dollars of Federal Awards Reported in
the 208 Audits

               Acceptable        Limited reliability   Unacceptable      Total

Stratum 1^a    $52.9 billion     $1.3 billion          $2.6 billion      $56.8 billion
               93.2%             2.2%                  4.6%              100%

Stratum 2^b    $232.0 million    $39.7 million         $140.5 million    $412.2 million
               56.3%             9.6%                  34.1%             100%

Total          $53.1 billion     $1.3 billion          $2.7 billion      $57.2 million
               92.9%             2.3%                  4.8%              100%

Source: President's Council on Integrity and Efficiency and Executive
Council on Integrity and Efficiency. Notes: Data from Report on National
Single Audit Sampling Project (June 21, 2007).

^aEntities with >=$50 million in federal award expenditures.

^bEntities with <$50 million in federal award expenditures (with at least
$500,000).

The most prevalent deficiencies related to the auditors' lack of
documenting

     o an understanding of internal control over compliance requirements,
     o testing of internal control of at least some compliance requirements,
       and
     o compliance testing of at least some compliance requirements.

The PCIE report states that for those audits not in the acceptable group,
the project team believes that lack of due professional care was a factor
for most deficiencies to some degree. The term due professional care
refers to the responsibility of independent auditors to observe
professional standards of auditing. GAGAS further elaborate on this
concept in the standard on Professional Judgment. Under this standard,
auditors must use professional judgment in planning and performing audits
and in reporting the results, which includes exercising reasonable care
and professional skepticism. Reasonable care concerns acting diligently in
accordance with applicable professional standards and ethical principles.
Using professional judgment in all aspects of carrying out their
professional responsibilities--including following the independence
standards, maintaining objectivity and credibility, assigning competent
audit staff to the assignment, defining the scope of work, evaluating and
reporting the results of the work, and maintaining appropriate quality
control over the assignment process--is essential to performing a high
quality audit.

We previously noted similar audit quality problems in prior reports. In
December 1985, we reported ^16 that problems found by OIGs in the
course of QCRs mostly related to lack of documentation showing whether and
to what extent auditors performed testing of compliance with laws and
regulations. In March 1986, we reported ^17 that our own review of
single audits showed that auditors performing single audits frequently did
not satisfactorily comply with professional auditing standards. The
predominant issues that we found in our previous reviews were insufficient
audit work in testing compliance with governmental laws and regulations
and evaluating internal controls. We also observed, through discussions
with the auditors and reviews of their work, that many did not understand
the nature and importance of testing and reporting on compliance with laws
and regulations, or the importance of reporting on internal control and
the relationship between reporting and the extent to which auditors
evaluated controls. As a result, in 1986, we reported that the public
accounting profession needed to (1) improve its education efforts to
ensure that auditors performing single audits better understand the
auditing procedures required, and (2) strengthen its enforcement efforts
in the area of governmental auditing to help ensure that auditors perform
those audits in a quality manner.

^16GAO/AFMD-86-20.

^17GAO/AFMD-86-33.

Similar to our prior work, the PCIE report presents compelling evidence
that a serious problem with single audit quality continues to exist. The
PCIE study also reveals that the rate of acceptable audits for
organizations with $50 million or more in federal expenditures was
significantly higher than for audits for organizations with smaller
amounts of federal expenditures. The results also showed that overall, a
significant number of audits fell into the groups of limited reliability
with significant deficiencies and unacceptable.

In our view, the current status of single audit quality is unacceptable.
We are concerned that audits are not being conducted in accordance with
professional standards and requirements. These audits may provide a false
sense of assurance and could mislead users of audit reports regarding
issues of compliance and internal control over federal programs.

PCIE Recommendations to Improve Single Audit Quality Are Based on Three-Pronged
Approach

The PCIE report recommended a three-pronged approach to reduce the types
of deficiencies noted and improve the quality of single audits:

    1. revise and improve single audit standards, criteria, and guidance;
    2. establish minimum continuing professional education (CPE) as a
       prerequisite for auditors to be eligible to conduct and continue to
       perform single audits; and
    3. review and enhance the disciplinary processes to address unacceptable
       audits and for not meeting training and CPE requirements.

Revise and Improve Standards, Criteria and Guidance

More specifically, to improve standards, criteria, and guidance, the PCIE
report recommended revisions to (1) OMB Circular No. A-133, (2) the AICPA
Statement on Auditing Standards (SAS) No. 74, Compliance Auditing
Considerations in Audits of Governmental Entities and Recipients of
Governmental Financial Assistance, and (3) the AICPA Audit Guide, Current
AICPA Audit Guide, collectively to

     o emphasize correctly identifying major programs for which opinions on
       compliance are rendered;
     o make it clear when audit findings should be reported;
     o include more detailed requirements and guidance for compliance
       testing;
     o emphasize the minimal amount of documentation needed to document the
       auditor's understanding of, and testing of, internal control related
       to compliance;
     o provide specific examples of the kind of documentation needed for risk
       assessment of individual federal programs;
     o present illustrative examples of properly presented findings;
     o specify content and examples of SEFA and any effect on financial
       reporting;
     o emphasize requirements for management representations related to
       federal awards, similar to those for financial statement audits;
     o provide additional guidance about documenting materiality; and
     o require compliance testing to be performed using sampling in a manner
       prescribed by the AICPA SAS No. 39, Audit Sampling, as amended, to
       provide for some consistency in sample sizes.

Minimum CPE Requirements for Conducting Single Audits

The PCIE report recommendation called on OMB to amend its Circular No.
A-133 to require that (1) as a prerequisite to performing a single audit,
staff performing and supervising the single audit must have completed a
comprehensive training program of a minimum specified duration (e.g., at
least 16-24 hours); (2) every 2 years after completing the comprehensive
training, auditors performing single audits complete a minimum specified
amount of CPE; and (3) single audits may only be procured from auditors
who meet the above training requirements. The PCIE report also recommends
that OMB develop, or arrange for the development of, minimum content
requirements for the required training, in consultation with the National
State Auditors Association (NSAA), the AICPA and its Governmental Audit
Quality Center (GAQC), and the cognizant and oversight agencies for audit.
The report states that the minimum content should cover the essential
components of single audits and emphasize aspects of single audits for
which deficiencies were noted in this project. In addition, the report
recommends that OMB develop, or arrange for the development of, minimum
content requirements for the ongoing CPE and develop a process for
modifying future content.

The report further recommends that OMB encourage professional
organizations, including the AICPA, the NSAA, and qualified training
providers, to offer training that covers the required content. It also
recommends that OMB encourage these groups to deliver the training in ways
that enable auditors throughout the United States to take the training at
locations near or at their places of business, including via technologies
such as Webcasts, and that the training should be available at an
affordable cost. The PCIE project report emphasizes that the training
should be "hands on" and should cover areas where the project team
specifically found weaknesses in the work or documentation in its
statistical study of single audits. The report specifically stated that
the training should cover requirements for properly documenting audit work
in accordance with GAGAS and other topics related to the many deficiencies
disclosed by the project, including critical and unique parts of a single
audit, such as

     o the auditors' determination of major programs for testing,
     o review and testing of internal controls over compliance,
     o compliance testing,
     o auditing procedures applicable to the SEFA,
     o how to use the OMB Compliance Supplement, and
     o how to audit major programs not included in the Compliance Supplement.

The PCIE report concludes that such training would require a minimum of 16
to 24 hours, and that a few hours or an "overview" session will not
suffice. We believe that the proposed training requirements would likely
satisfy the criteria for meeting a portion of the CPE hours already
required by GAGAS.

Enhance Disciplinary Processes

This recommendation focuses on developing processes to address
unacceptable audits and auditors not meeting the required training
requirements. OMB Circular No. A-133 currently has sanctions that apply to
an auditee (i.e., the entity being audited) for not having a properly
conducted audit and requires cognizant agencies to refer auditors to
licensing agencies and professional bodies in the case of major
inadequacies and repetitive substandard work. The report noted that other
federal laws and regulations do currently provide for suspension and
debarment processes that can be applied to auditors of single audits. Some
cognizant and oversight agency participants in the project team indicated
that these processes are rarely initiated due to the perception that it is
a large and costly effort. As a result, the report specifically recommends
that OMB, with federal cognizant and oversight agencies, should (1) review
the process of suspension and debarment to identify whether (and if so,
how) it can be more efficiently and effectively applied to address
unacceptable audits, and based on that review, pursue appropriate changes
to the process; and (2) enter into a dialogue with the AICPA and State
Boards of Accountancy to identify ways the AICPA and State Boards can
further the quality of single audits and address the due professional care
issues noted in the PCIE report. The report further recommends that OMB,
with federal cognizant agencies, should also identify, review, and
evaluate the potential effectiveness of other ways (both existing and new)
to address unacceptable audits, including (but not limited to) (1)
revising Circular No. A-133 to include sanctions to be applied to auditors
for unacceptable work or for not meeting training and CPE requirements,
and (2) considering potential legislation that would provide to federal
cognizant and oversight agencies the authority to issue a fine as an
option to address unacceptable audit work.

GAO Analysis of PCIE Recommendations

While we support the recommendations made in the PCIE report, it will be
important to resolve a number of issues regarding the proposed training
requirement. Some of the unresolved questions involve the following:

     o What are the efficiency and cost-benefit considerations for providing
       the required training to the universe of auditors performing the
       approximately 38,500 single audits?
     o How can current mechanisms already in place, such as the AICPA's
       Government Audit Quality Center (GAQC), be leveraged for efficiency
       and effectiveness purposes in implementing new training?
     o Which levels of staff from each firm would be required to take
       training?
     o What mechanisms will be put in place to ensure compliance with the
       training requirement?
     o How will the training requirement impact the availability of
       sufficient, qualified audit firms to perform single audits?

The effective implementation of the third prong, developing processes to
address unacceptable audits and for auditors who do not meet professional
requirements, is essential as the quality issues have been long-standing.
We support the PCIE recommended actions to make the process more effective
and efficient and to help ensure a consistent approach among federal
agencies and their respective OIGs overseeing the single audit process.

Additional Factors for Consideration When Determining Actions to Improve Audit
Quality

In addition to the findings and recommendations of the PCIE report, we
believe there are two other critical factors that need to be considered in
determining actions that should be taken to improve audit quality: (1)
the distribution of unacceptable audits and audits of limited reliability
across the different dollar amounts of federal expenditures by grantee, as
found in the PCIE study; and (2) the distribution of single audits by size
in the universe of single audits. These factors are critical in
effectively evaluating the potential dollar implications and efficiency
and effectiveness of proposed actions. The PCIE study found that rates of
unacceptable audits and audits of limited reliability were much higher for
audits of entities in stratum 2 (those expending less than $50 million in
federal awards) than those in stratum 1 (those expending $50 million or
more).

Table 1 presented earlier in this testimony shows the data from the sample
universe of single audits used by the PCIE. Analysis of the data shows
that 97.8 percent of the total number of audits (37,671 of the 38,523 total)
covered approximately 16 percent ($143.1 billion of the $880.2 billion) of
the total reported value of federal award expenditures, indicating
significant differences in distributions of audits by dollar amount of
federal expenditures. At the same time, the rates of unacceptable audits
and audits of limited reliability were relatively higher in these smaller
audits.

We believe that there may be opportunities for considering size
characteristics when implementing future actions to improve the
effectiveness and quality of single audits. For instance, there may be
merit to conducting a more refined analysis of the distribution of audits
to determine whether less-complex approaches could be used for achieving
accountability through the single audit process for a category of the
smallest single audits. Such an approach may provide sufficient
accountability for these smaller programs.

An example of a less-complex approach consists of requirements for a
financial audit in accordance with GAGAS, that includes the higher level
reports on internal control and compliance along with an opinion on the
SEFA and additional, limited or specified testing of compliance.
Currently, the compliance testing in a single audit is driven by
compliance requirements under OMB Circular No. A-133 as well as
program-specific requirements detailed in the compliance supplement. A
less-complicated approach could be used for a category of the smallest
audits to replace the current approach to compliance testing, while still
providing a level of assurance on the total amount of federal grant awards
provided to the recipient.

Another consideration for future actions is strengthening the oversight of
the cognizant agency for audit with respect to auditees expending $50
million or more in federal awards. As shown in the data from the sample
universe of single audits used by the PCIE, 852 audits (or 2.2 percent) of
the total 38,523 audits covered $737.2 billion (or 84 percent) of the
reported federal award expenditures. This distribution suggests that
targeted and effective efforts on the part of cognizant agencies aimed at
improving audit quality for those auditees that expend greater than $50
million could achieve a significant effect in terms of dollars of federal
expenditures.

                                  Conclusions

We continue to support the single audit concept and principles behind the
act as a key accountability mechanism over federal awards. It is essential
that the audits are done properly in accordance with GAGAS and OMB
requirements. The PCIE report presents compelling evidence that a serious
shortfall in the quality of single audits continues to exist. Many of
these quality issues are similar in nature to those reported by GAO and
the Inspectors General since the 1980s. We believe that actions must be
taken to improve audit quality and the overall accountability provided
through single audits for federal awards. Without such action, we believe
that substandard audits may provide a false sense of assurance and could
mislead users of audit reports. While we support the recommendations made
in the PCIE report, we believe that a number of issues regarding the
proposed training requirements need to be resolved.

The PCIE report results also showed a higher rate of acceptable audits for
organizations with larger amounts of federal expenditures and showed that
the vast majority of federal dollars are being covered by a small
percentage of total audits. We believe that there may be opportunities for
considering size characteristics when implementing future actions to
improve the effectiveness and quality of single audits as an
accountability mechanism. Considering the recommendations of the PCIE
within this larger context will also be important to achieve the proper
balance between risk and cost-effective accountability.

In addition to the considerations surrounding the specific recommendations
for improving audit quality, a separate effort taking into account the
overall framework for single audits may be warranted. This effort could
include answering questions such as the following:

     o What types of simplified alternatives exist for meeting the
       accountability objectives of the Single Audit Act for the smallest
       audits and what would the appropriate cutoff be for a less-complex
       audit requirement?
     o Is the current federal oversight structure for single audits adequate
       and consistent across federal agencies?
     o What alternative federal oversight structures could improve overall
       accountability and oversight in the single audit process?
     o Are federal oversight processes adequate and are sufficient resources
       being dedicated to oversight of single audits?
     o What role can the auditing profession play in increasing single audit
       quality?
     o Do the specific requirements in OMB Circular No. A-133 and the Single
       Audit Act need updating?

Mr. Chairman, we would be pleased to work with the subcommittee as it
considers additional steps to improve the single audit process and federal
oversight and accountability over federal grant funds. Mr. Chairman and
members of this subcommittee, this concludes my statement. I would be
happy to answer any questions that you or members may have at this time.

Contacts and Acknowledgments

For information about this statement, please contact Jeanette Franzel,
Director, Financial Management and Assurance, at (202) 512-9471 or
[email protected]. Individuals who made key contributions to this
testimony include Marcia Buchanan (Assistant Director), Robert Dacey, Abe
Dymond, Heather Keister, Jason Kirwan, David Merrill, and Sabrina
Springfield (Assistant Director).


This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
