5
GSA (7/16)
Index [WPRef]
GSA-AP-6: Audit Program for Federal Award Programs—
Compliance Requirements
(For Audits of Federal Awards Made on or after December 26, 2014, and
Incremental Funding with Changed Terms and Conditions)
Federal Program(s):
Introduction
This audit program should be used for audits of federal awards made on or after December 26, 2014, and for funding increments (additional funding on existing awards) with modified terms and conditions that are awarded on or after that date. This audit program is based on Part 3.2 of 2 CFR part 200, Appendix XI, Compliance Supplement (the 2016 Compliance Supplement) (Gov. Doc. No. 9 contains a link to the Compliance Supplement). This audit program should not be used for audits of awards made before December 26, 2014, or for funding increments that did not have modified terms and conditions. SA-AP-5 , which is based on Part 3.1 of the 2016 Compliance Supplement, should be used for those awards. This program is also available at Gov. Doc. No. 9b in PPC’s Government Documents Library.
Uniform Guidance and 2016 Compliance Supplement. OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) is located in 2 CFR part 200. Its audit requirements are located in 2 CFR part 200, subpart F (2 CFR sections 200.500–.521). The Compliance Supplement is located in 2 CFR part 200, appendix XI. The most current version of 2 CFR part 200 is in the Electronic Code of Federal Regulations (eCFR) at www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title02/2cfr200_main_02.tpl. Section 11 provides an in-depth discussion of the Uniform Guidance.
The auditor may need to test awards that are subject to two different sets of administrative requirements and cost principles. Award recipients have to implement new administrative requirements and cost principles for all new federal awards made on or after December 26, 2014, and for funding increments (additional funding on existing awards) with modified terms and conditions that are awarded on or after that date. Previous awards, including funding increments without modified terms and conditions are subject to the previous administrative requirements and cost principles.
The 2016 Compliance Supplement, which is effective for audits of fiscal years beginning after June 30, 2015, provides guidance on awards that are subject to the administrative requirements and cost principles in the Uniform Guidance and those that are subject to the previous administrative requirements and cost principles.
Part 7 of the 2016 Compliance Supplement states, “the auditor must determine whether the Federal award (or, as applicable, incremental funding provided under the Federal award) includes terms and conditions based on 2 CFR part 200, or the A-102 common rule or OMB Circular A-110, and the OMB cost principles circulars.” Part 3 further explains that during the period covered by the 2016 Compliance Supplement most recipients will have some federal awards that are subject to the administrative requirements and cost principles in the previous OMB circulars and some that are subject to those in the Uniform Guidance. Part 3 of the Compliance Supplement is divided into two separate sections that apply depending on which requirements are applicable to the award:
· Part 3.1 applies to awards made before December 26, 2014, including funding increments without modified terms and conditions awarded on or after that date.
· Part 3.2 applies to new awards made on or after December 26, 2014, and funding increments with modified terms and conditions awarded on or after that date.
In addition, Part 4 of the 2016 Compliance Supplement provides dual references to the administrative requirements and cost principles in the previous OMB circulars and those that are in the Uniform Guidance.
Important Information about the American Recovery and Reinvestment Act of 2009. Although expenditures of American Recovery and Reinvestment Act of 2009 (Recovery Act) programs are winding down, the Recovery Act may still affect some single audits. Important considerations related to the 2016 Compliance Supplement include the following:
· Appendix VII of the 2016 Compliance Supplement provides important information about the removal of Recovery Act programs from the Compliance Supplement. It notes that many Recovery Act programs have been deleted from Parts 4 and 5 of the Compliance Supplement based on their completion or limited amount of funds still subject to audit. However, if an entity has federal awards expended from these programs, they would be treated consistent with any other programs not included in the 2016 Compliance Supplement or not part of a cluster of programs. For example, if programs were deleted from a cluster, (1) the program would not be considered as part of a cluster for periods covered by the 2016 Compliance Supplement, as the 2016 Compliance Supplement does not include the program in a cluster; and (2) if the program was part of a cluster which was audited as a major program in a prior year, the normal 2 CFR part 200, subpart F, major program selection criteria and risk-based approach would apply and the program would be considered as audited in that prior year for purposes of major program determination, including consideration of any audit findings. See Appendix VII and the discussion about identifying major programs in section 04 .
· Appendix VII of the 2016 Compliance Supplement identifies four Recovery Act-funded programs that are not covered by the single audit requirements and are not to be included in the determination of major programs.
· Appendix VII of the 2016 Compliance Supplement reminds auditors that auditing findings must explicitly identify Recovery Act programs.
Using This Audit Program
This audit program is based on Part 3.2 of the 2016 Compliance Supplement. The procedures in Part 3.2 of the Compliance Supplement and this audit program are labeled as suggested audit procedures and should be tailored to the needs of the auditor and the circumstances. However, the authors suggest that, for procedures not performed, an explanation be provided. This will be helpful in the event of a federal or pass-through entity quality control review. The program is divided into parts representing the 12 types of compliance requirements listed in Part 3.2 of the 2016 Compliance Supplement. A summary of each of the compliance requirements follows. For additional information see the reference included at each compliance type.
One program may be used for all or selected major programs or a separate program may be used for each major program. The auditor should be familiar with Chapters and of PPC’s Guide to Single Audits, Chapter 13 of PPC’s Guide to Audits of Local Governments (ink ), or Chapter 14 of PPC’s Guide to Audits of Nonprofit Organizations (ink ) before using this program.
Documenting Applicable Compliance Requirements
The auditor should document in the workpapers the types of compliance requirements that the matrix in Part 2 of the Compliance Supplement indicates are applicable to the major program. This may be accomplished by including a copy of the relevant page of the matrix (from Part 2 or the applicable row of the matrix presented in Parts 4 and 5 for each program/cluster) in the workpapers, developing a matrix that reflects only the auditee’s major programs, or preparing a memorandum. In addition, the auditor should document his or her consideration supporting the decision as to which compliance requirements could have a direct and material effect on the major program and therefore should be tested. Part 3.2, L—Reporting of the Compliance Supplement, provides guidance that explains how the designations Not Applicable and Applicable specifically relate to the Reporting type compliance requirement. Auditors should consider that guidance when determining and documenting applicable compliance requirements for Reporting.
Internal Control
Consistent with Part 3.2 of the Compliance Supplement and the requirements of 2 CFR part 200, subpart F, the accompanying audit programs include generic audit objectives and suggested audit procedures to test internal control. However, the auditor must determine the specific procedures to test internal control on a case by case basis considering factors such as the nonfederal entity’s internal control, the compliance requirements, the audit objectives for compliance, the auditor’s assessment of control risk, and the audit requirement to test internal control as prescribed in 2 CFR part 200, subpart F.
SMART Practice Aids®—Single Audit Suite
PPC’s SMART Practice Aids®—Single Audit Suite allows you to plan and execute your entire single audit engagement from beginning to end—including preparation and electronic signoff of your practice aids, federal award audit programs, and compliance audit programs. It turns hundreds of tedious pages of the Compliance Supplement into a concise easy-to-use audit program tailored to your specific federal award programs. It also automates the processes of determining major programs; low-risk auditee status and appropriate compliance requirements, objectives, and audit procedures; and preparing the compliance audit program and schedule of expenditures of federal awards. PPC’s SMART Practice Aids®—Single Audit Suite can be obtained by calling Thomson Reuters at (800) 431-9025.
“Safe Harbor” Status of the Compliance Supplement
Part 1 of the Compliance Supplement notes that use of the Supplement is “mandatory,” and that auditors must adhere to the Supplement to satisfy 2 CFR part 200, subpart F, requirements. Part 1 also addresses the “safe harbor” status of the Compliance Supplement. Specifically, it states that due to the diversity of programs and administering entities, the suggested audit procedures are general in nature. Because the Compliance Supplement only provides “suggested” audit procedures, it cannot be used as a safe harbor for determining the specific audit procedures to apply in a particular situation. Thus, auditor judgment is necessary in determining whether such procedures are sufficient to achieve the stated audit objectives, or whether alternative audit procedures are necessary. While OMB states that the Compliance Supplement is not a “safe harbor” for identifying the audit procedures to apply in a particular single audit engagement, it clarifies that the Compliance Supplement can be considered a “safe harbor” for identification of compliance requirements to be tested for programs included in the Compliance Supplement if the auditor both:
· Performs reasonable procedures to ensure that the requirements in the Compliance Supplement are current and determine whether there are any additional provisions of federal awards that should be covered by the audit.
· Updates or augments the requirements contained in the Compliance Supplement as appropriate.
Sample Size
For certain of its suggested audit procedures, the Compliance Supplement says to “select a sample.” However, minimum “sample” sizes and acceptable selection methods are not specified. The Uniform Guidance permits these matters to be determined based on the auditor’s professional judgment. The authors believe that a “sample” as used here does not necessarily mean use of sampling. In many instances because of other procedures performed, low inherent and control risk of noncompliance, and/or small population sizes, sampling may not be necessary. The authors have developed the worksheet, “Planning Worksheet to Determine Extent of Substantive Procedures,” (SA-CX-8.1 , ALG-CX-8.1 in PPC’s Guide to Audits of Local Governments (ink ), and NPO-CX-8.1 in PPC’s Guide to Audits of Nonprofit Organizations (ink )) to aid the auditor in determining whether sampling is necessary. Planning the extent of substantive tests of compliance is discussed in Chapter 5 (section 503) of PPC’s Guide to Single Audits (ink ), Chapter 13 in PPC’s Guide to Audits of Local Governments (ink ), and Chapter 14 of PPC’s Guide to Audits of Nonprofit Organizations (ink ).
The AICPA provides guidance on sampling in an audit of compliance that provides suggested minimum sample sizes as well as methods for determining sample size, including different tables and methods for tests of controls than for tests of compliance. This guidance is provided in Chapter 11, “Audit Sampling Considerations of Uniform Guidance Compliance Audits,” of the GAS/SA Audit Guide link) . This sampling guidance is reflected in Chapter and the sampling-related practice aids in this Guide.
Practical Consideration:· The representation letters illustrated in the PPC Guides include these representations.
M.SUBRECIPIENT MONITORING (See Gov. Doc. No. 9, Part 3.2, Section M.) This Section is N/A—
Compliance Requirements
A subrecipient is a nonfederal entity that expends federal awards received from a pass-through entity to carry out a federal program. (Part 3, Section M, of the Compliance Supplement notes that transfers of federal awards to another component of the same auditee under 2 CFR part 200, subpart F, do not constitute a subrecipient or contractor relationship.) Subrecipients are discussed in Chapter of this Guide, in Chapter 13 of PPC’s Guide to Audits of Local Governments (ink ), and in Chapter 14 of PPC’s Guide to Audits of Nonprofit Organizations (ink ).
A pass-through entity (PTE) must—
· Identify the Award and Applicable Requirements—Clearly identify to the subrecipient (1) the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.331(a)(1); (2) all requirements imposed by the PTE on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the award [2 CFR section 200.331(a)(2)]; (3) any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the federal award (e.g., financial, performance, and special reports) [2 CFR section 200.331(a)(3)]; (4) an approved federally recognized indirect cost rate negotiated between the subrecipient and the federal government or, if no such rate exists, either a rate negotiated between the PTE and the subrecipient, or a de minimis indirect cost rate [2 CFR section 200.331(a)(4)]; (5) a requirement that the subrecipient permit the PTE and auditors to have access to the subrecipient’s records and financial statements as necessary for the PTE to meet the requirements of this part [2 CFR section 200.331(a)(5)]; and (6) appropriate terms and conditions concerning closeout of the subaward [2 CFR section 200.331(a)(6)]. [Although the Compliance Supplement lists only Items (1)–(3) as information that must be provided, 2 CFR section 200.331 also identifies Items (4)–(6) as required information.]
· Evaluate Risk—Evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward [2 CFR section 200.331(b)]. This evaluation of risk may include consideration of such factors as the following: