The document summarizes SAS 117 on compliance audits. Key points include:
- SAS 117 establishes requirements and guidance for compliance audits when governmental agencies establish compliance requirements.
- It addresses the auditor's responsibilities in planning and performing the audit to obtain reasonable assurance about whether noncompliance occurred.
- Management is responsible for compliance with requirements and internal controls, while the auditor is responsible for obtaining sufficient evidence to form an opinion on compliance.
SAS 117 Presentation
1. SAS 117 Compliance Audits
A&A UPDATES
H. Kyle Anderson, CGMA, CMA, CPA
Bill Ellis, CPA
John Kunst, CPA
2. A & A Update and Review, Inc
6514 Dobbins Bridge Road
Anderson, SC 29626
(864) 933-3815 Fax: (888) 411-7668
Website: www.aandaupdate.com
E-mail: kyle@aandaupdate.com
Skype: hkacpa
3. SAS 117 Compliance Audits
Compliance Audits
Supersedes SAS No. 74
Effective for periods ending on or
after June 15, 2010
A&A UPDATES H. Kyle Anderson, CMA, CPA
4. Objectives
What are the audit requirements when governmental agencies
establish compliance requirements?
Authoritative guidance:
Governmental Auditing Standards (GAGAS)
Circular A-133, Audits of States, Local Governments & Non-
Profit Entities
Generally Accepted Auditing Standards (GAAS)
Auditor’s professional responsibilities
Required procedures
Reporting requirements
5. Objectives
What are Management’s Responsibilities for:
Compliance requirements
Internal controls
Identifying & disclosing noncompliance
Providing written representations to
auditors
6. Objectives
Review of Resources and updates available for:
Governmental Auditing Standards (GAGAS)
Circular A-133, Audits of States, Local
Governments & Non-Profit Entities
Generally Accepted Auditing Standards
(GAAS)
7. Update from Clarity Project released October 2011
SAS 117 was issued using Clarity project
standards and is currently effective.
SAS 122, Statements on Auditing Standards:
Clarification and Recodification,
SAS 123, Omnibus Statement on Auditing
Standards – 2011, Released October 2011
amends SAS 118.
The effective date for SAS 123 is for
audits of financial statements for periods
ending after 12/15/2012.
8. Update from Clarity Project released October 2011
SAS No. 117, Compliance Audits
Issued December 2009
Effective June 15, 2010.
Early Application permitted.
Currently AU 801 / New AU-C 935.
9. Reference Material to download for webinar
Today, we will cover material available on the AICPA website at:
http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SAS.aspx
Please download AU 801 prior to the start of the webinar.
The material covered will be referenced to the current AU
section and the new Clarity Project section AU-C.
Office of Management and Budget at:
http://www.whitehouse.gov/omb/circulars_default/
Please download OMB Circular A-133, Compliance Supplement
2011 (see bottom of page for complete download)
Government Accountability Office at: http://www.gao.gov/yellowbook
Please download Government Auditing Standards, December
2011 Revision (GAO-12-331G)
Summary of Major changes
Listing of Technical Changes
10. SAS 117
Compliance Audits
Introduction and Applicability
Auditors engaged or required by law to perform compliance
audits in accordance with:
GAAS Generally Accepted Auditing Standards
GAGAS Governmental Auditing Standards
A governmental audit requirement that requires an auditor to express an opinion on compliance
While all AU sections are applicable to financial statement
audits, not all AU sections are applicable to Compliance
Audits
Effective Date
Effective for fiscal periods ending on or before June 15, 2010 with
early application permitted.
AU 801.01 - .09 / AU-C 935.01 - .09
11. SAS 117
Compliance Audits
Management’s Responsibilities
Management should:
Identify and comply with compliance requirements
Establish and maintain internal controls
Evaluate and monitor compliance requirements
Take corrective actions for non-compliance
Auditor’s Objectives
Obtain sufficient evidence to form an opinion on compliance
with applicable compliance requirements
Identify required supplementary audit, reporting and
performance procedures
AU 801.01 - .09 / AU-C 935.01 - .09
12. SAS 117
Definitions
Applicable compliance requirements. Requirements
subject to a compliance audit.
Compliance audit. Program-specific or organization-wide
audit of compliance with compliance requirements.
Compliance requirements. Applicable laws, regulations,
rules, contracts or grant agreements required for
government programs.
Deficiency in internal control over compliance. Internal
control design, operation or control deficiency that does not
prevent, detect or correct noncompliance on a timely basis.
AU 801.11 / AU-C 935.11
13. SAS 117
Definitions
Government Auditing Standards. Issued by Comptroller General of
United States, U.S. Government Accountability Office. Known as
Generally Accepted Government Auditing Standards (GAGAS) or the
Yellow Book.
Material noncompliance. A failure to follow compliance requirements
that results in material impact, individually or in the aggregate, to the
government program.
Material weakness in internal control over compliance. A deficiency
where there is a reasonable possibility that material noncompliance will not be
prevented, detected and corrected on a timely basis.
Reasonably possible: The chance is more than remote but less than likely.
Remote: The chance is slight.
Probable: The event or events are likely to occur.
AU 801.11 / AU-C 935.11
14. SAS 117
Definitions
Program-specific audit. A compliance audit performed in
conjunction with an audit of the entity’s or program’s financial
statements.
Risk of material noncompliance. Two components of
noncompliance existing prior to the audit:
Inherent risk of noncompliance. Susceptibility of
noncompliance before considering related controls
Control risk of noncompliance. Risk noncompliance will not
be prevented, detected, or corrected on a timely basis by
internal controls
A significant deficiency in internal control over compliance is
less severe but still warrants attention.
AU 801.11 / AU-C 935.11
15. SAS 117
Auditor’s use of Professional Judgment
Auditors should exercise professional judgment
adapting AU sections for compliance audits:
Specific excluded sections are listed in AU
801.A41 / AU-C 935.A41
OMB and GAGAS contain additional guidance
AU 801.12 / AU-C 935.12
16. SAS 117
Establishing Materiality Levels
Materiality levels are based on Governmental Audit requirements.
Auditor should establish materiality levels to:
Determine risk assessment procedures
Assess risk of noncompliance
Determine further audit procedures
Evaluate compliance with requirements
Report noncompliance and other matters
Management is responsible for identifying and complying with
compliance requirements.
AU 801.13 / AU-C 935.13
AU 801.A6-A8 / AU-C 935.A6-A8
17. SAS 117
Identifying Government Programs and Applicable
Compliance Requirements
Management is responsible for identifying and
complying with compliance requirements.
Auditor is responsible for determining programs and
compliance requirements to test
Part 3, Circular A-133 Compliance Dated 12/2011
identifies 14 compliance requirements that should be
considered in every Cir. A-133 Compliance audit:
A—Activities allowed or not allowed
B—Allowable costs/cost principles
C—Cash management
D—Davis-Bacon Act
E—Eligibility
AU 801.14 / AU-C 935.14
AU 801.A10-A10 / AU-C 935.A10- A10
Circular A-133 Compliance Supplement, Part 3
18. SAS 117
Identifying Government Programs and Applicable
Compliance Requirements
Cir. A-133 14 compliance requirements continued:
F—Equipment and real property management
G—Matching, level of effort, earmarking
H—Period of availability of federal funds
I—Procurement and suspension and debarment
J—Program income
K—Real property acquisition and relocation
assistance
L—Reporting
M—Subrecipient monitoring
N—Special tests and provisions
AU 801.14 / AU-C 935.14
AU 801.A10 - A11 / AU-C 935.A10 -A11
Circular A-133 Compliance Supplement, Part 3
19. SAS 117
Identifying Government Programs and Applicable
Compliance Requirements
Additional procedures to assess requirements
where guidance is not available:
Read laws, regulations, rules, contracts or grant
agreements
Inquiry within entity
Inquiry outside the entity
Minutes of governing boards
Prior auditors
AU 801.15-.17 / AU-C 935.15-.17
AU 801.A12 - A18 / AU-C 935.A.12 –A18
20. SAS 117
Performing Risk Assessment Procedures
The Auditor should:
Gain understanding of internal controls
Assess risk
Determine
Nature,
Timing, and
Extent of audit procedures
Inquire of prior findings, recommendations or
reports and management’s response
The auditor should assess risk of pervasive fraud or
error in assessing risk of material noncompliance
AU 801.15-.17 / AU-C 935.15-.17
AU 801.A12 - A18 / AU-C 935.A.12 –A18
21. SAS 117
Risk Assessment factors
Compliance Requirements
Newness, length of applicability and/or
complexity
Judgment required for compliance
Nature
Entity’s services provided
Internal controls
Auditor’s knowledge
Control environment and activities
Design and implementation
Monitoring
AU 801.15-.17 / AU-C 935.15-.17
AU 801.A12 - A18 / AU-C 935.A.12 –A18
22. SAS 117
Risk Assessment factors
Prior years findings
Oversight by grantor or pass-through entities
Management’s response
Risk related to noncompliance
Potential impact of noncompliance
Impact in financial statement audits
Entity’s financial condition
Entity’s recordkeeping
Risk evaluation can be individual areas or in
combination with other areas.
AU 801.15-.17 / AU-C 935.15-.17
AU 801.A12 - A18 / AU-C 935.A.12 –A18
23. SAS 117
Further Audit Procedures in Response to Assessed
Risk
Pervasive Risk of Noncompliance
Tests of details
Tests of transactions
Tests of controls if:
Risk assessment includes expectation
of effectiveness of controls
Substantive procedures insufficient
Governmental requirement
AU 801.18-.22 / AU-C 935.18-.22
AU 801.A19 – A27 / AU-C 935.A.19 –A27
24. SAS 117
Further Audit Procedures in Response to Assessed
Risk
Relevant Guidance:
AU 318, Performing Audit Procedures in Response to Assessed
Risks and Evaluating the Audit Evidence Obtained in:
Response to risk of noncompliance
AU 350 Audit Sampling, AICPA Audit Guide Government
Auditing Standards, and OMB Circular A-133 for:
Planning, designing and evaluating audit samples
Identifying major programs
Additional audit requirements supplementary to:
GAAS
GAGAS
AU 801.18-.22 / AU-C 935.18-.22
AU 801.A19 – A27 / AU-C 935.A.19 –A27
25. SAS 117
Further Audit Procedures in Response to Assessed
Risk
Compliance testing can utilize tests of details and transactions for:
Grants disbursements & expenditures
Eligibility files
Cost allocation plans
Reports filed with grantor agencies
Substantive Analytical procedures can be used in combination with
tests of transactions and other audit procedures.
AU 801.18-.22 / AU-C 935.18-.22
AU 801.A19 – A27 / AU-C 935.A.19 –A27
26. SAS 117
Written Management Representations:
Written management representations should
acknowledge responsibility for:
Compliance requirements
Compliance related internal controls
Identifying programs and activities subject to
requirements
Providing all contracts and grant agreements and
compliance documents for auditor
Disclosing all noncompliance issues, including
grantors and pass-through entities
AU 801.23 - .24 / AU-C 935.23 - .24
27. SAS 117
Written Management Representations:
Written management representations should
acknowledge responsibility for:
Belief of compliance with requirements
Interpretations of compliance requirements
Disclosure of corrective actions from prior
engagements of compliance activities.
Disclosure of all known noncompliance issues
subsequent to the audit report
Responsibility for corrective actions for
noncompliance
Additional guidance can be found at AU 333,
Management Representations.
AU 801.23 - .24 / AU-C 935.23 - .24
28. SAS 117
Subsequent Events:
Subsequent events procedures should be performed up to the
date of the report
Subsequent event inquiry of management should include:
Internal Auditor’s reports
Other auditors’, grantors and pass-through entities
noncompliance issues
Other professional engagements noncompliance issues
Auditors have no responsibility to perform audit procedures during
subsequent events other than discussion with management or those in
charge of governance.
AU 801.25 - .27 / AU-C 935.25 - .27
29. SAS 117
Sufficiency and Appropriateness of Audit Evidence
and Forming an Opinion
Sufficiency and appropriateness is determined at the
governmental level and should include:
Likely questioned costs
Material noncompliance issues
Frequency of noncompliance
Nature
Adequacy of monitoring system
Likelihood of noncompliance of a material likely
questioned cost
AU 801.28 - .29 / AU-C 935.28 - .29
AU 801.A31 – A32 / AU-C 935.A31 – A32
30. SAS 117
Reporting: Additional GAGAS Standards
GAGAS contains eight additional reporting standards different from
GAAS as follows:
1. Reports should state the audit was performed in accordance
with Generally Accepted Governmental Audit Standards
2. Auditors must report on internal control over financial reporting
and compliance with laws, regulations, and provisions of
contracts or grants when providing an opinion on financial
statements.
3. In financial audits, auditors must report significant deficiencies and
material weaknesses in internal controls, fraud and illegal acts,
violations of provisions of contracts or grant agreements having
a material impact on financial statements
AU 801.30 - .38 / AU-C 935.30 - .38
31. SAS 117
Reporting: Additional GAGAS Standards
Additional GAGAS reporting standards different from GAAS:
4. An auditor may emphasize the following matters under GAGAS:
1) Significant concerns or uncertainties about fiscal
sustainability that may have a material financial impact
2) Unusual or catastrophic events that will likely have a
significant future financial impact
3) Significant uncertainties regarding projections or estimates
in the financial statements
4) Other matters deemed significant to users and oversight
bodies
5. Auditors are required to advise management to make appropriate
disclosures and perform additional procedures for new
information that materially impacts previously issued financial
statements
AU 801.30 - .38 / AU-C 935.30 - .38
32. SAS 117
Reporting: Additional GAGAS Standards
Additional GAGAS reporting standards different from GAAS:
6. Auditor must obtain a response from responsible officials
regarding disclosures of deficiencies in internal control, fraud,
illegal acts or contract and grant agreement violations
7. Information omitted from public disclosure must be noted with
the reasons for omission in the auditor’s report
8. Report distribution is required to those charged with governance,
officials, oversight bodies and organizations requiring or ordering
the audit. Public accounting firms must clarify specific
arrangements for distribution.
AU 801.30 - .38 / AU-C 935.30 - .38
33. SAS 117
Reporting Examples: coverage in webinar
Please go to Exhibits in AU 801.A42 / AU-C 935.A42
We will cover the Combined Report on Compliance and
Internal Control Over Compliance because it contains all
the provisions of section .30 for Compliance Only
requirements as well as additional Internal Control Over
Compliance requirements.
I have separated those reporting requirements in the next
slides for your reference.
AU 801.30 / AU-C 935.30
AU 801.A42 / AU-C 935.A42
34. SAS 117
Reporting Requirements: Compliance only report
Auditor's report should include:
Title with the word independent
Government programs covered by the compliance audit
Applicable compliance requirements
Period covered by the report
Management’s responsibility for compliance
requirements
Auditor's responsibility for opinion on the entity's
compliance with the compliance requirements
Audit conducted in accordance with GAAS and GAGAS
Audit examined evidence on a test basis and other
procedures the auditor considered necessary
AU 801.30 / AU-C 935.30
35. SAS 117
Reporting Requirements: Compliance only report
Auditor's report should include:
Auditor believes the audit provided a reasonable
basis for opinion
Compliance audits do not provide a legal
determination of the entity's compliance
Auditor's opinion whether the entity materially
complied with the compliance requirements
Description of noncompliance or a reference to a
description of such noncompliance if:
Results in opinion modification
Required to be reported by the
governmental audit requirements and does not
result in opinion modification
AU 801.30 / AU-C 935.30
36. SAS 117
Reporting Requirements: Compliance only report
Auditor's report should include:
If Compliance evaluation criteria are established by
contractual agreement or regulatory provisions solely for
the parties to the agreement or regulatory agency or
available only to specified parties.
Statement report intended solely for the information
and use of specified parties, identification of specified
parties, and report not intended to be used by anyone
else
Auditor’s firm signature
Auditor's report date
AU 801.30 / AU-C 935.30
37. SAS 117
Reporting Requirements: Combined Report on
Compliance and Internal Control Over Compliance
Additional requirements for combined reports:
Management’s responsibility for internal control over
compliance with applicable laws, regulations, rules, contracts
or grant agreements.
Auditor’s consideration of entity’s internal control in
planning and performance of the audit to express an opinion
on compliance but not to express an opinion on the
effectiveness of internal control over compliance.
Auditor is not expressing an opinion on internal control
over compliance.
Auditor's consideration of the entity's internal control not
designed to identify all deficiencies that might constitute
significant or material weaknesses.
AU 801.31 / AU-C 935.31
AU 801.A42 / AU-C 935.A42
38. SAS 117
Reporting Requirements: Combined Report on
Compliance and Internal Control Over Compliance
Additional requirements for combined reports:
Definition of deficiency and material weakness in internal
control over compliance.
A description or reference to schedule of any identified
material weaknesses in internal control over compliance.
A description or reference to schedule of any significant
deficiencies in internal control over compliance.
Statement that no material weaknesses in internal control
were identified if none found.
Statement report intended solely for the information and
use of specified parties, identification of specified parties,
and report not intended to be used by anyone else
AU 801.31 / AU-C 935.31
AU 801.A42 / AU-C 935.A42
39. SAS 117
Reporting Requirements: Separate Report on Internal
Control Over Compliance
Requirements in addition to AU 801.31 / AU-C 935.31 for Separate
Report:
Title with the word independent
Governmental program and period audited
Signature
Date
Material noncompliance issues or scope limitations require
report modifications
AU 508 Reports on Audited Financial Statements / AU-C 705,
Modifications to the Opinion in the Independent Auditor’s Report
Scope limitations require
Qualification or disclaimer of opinion
AU 801.32 - .38 / AU-C 935.32 - .38
40. SAS 117
Reporting Requirements: Separate Report on Internal
Control Over Compliance
Requirements in addition to AU 801.31 / AU-C 935.31 for Separate
Report:
Significant or material weaknesses in internal controls over compliance
require written notification by auditor regardless of governmental
requirements
GAGAS requires response from responsible officials
AU 801.32 - .38 / AU-C 935.32 - .38
AU 801.A35 / AU-C 935.A35
41. SAS 117
Documentation Requirements
Internal Control Over Compliance documents include:
Risk assessment procedures
Response to assessed risks
Testing procedures
Results
Materiality levels
How the auditor complied with governmental
requirements supplemental to
GAAS
GAGAS
AU 801.39 - .42 / AU-C 935.39 - .42
42. SAS 117
Reissuance of Compliance Reports
An explanatory paragraph should include:
Reasons for reissuance
Changes
Additional procedures, if any
Updated report date
Examples where report might be reissued
Quality review found applicable compliance
requirement not tested
Subsequent discovery that another program was
required to be tested
AU 801.432 / AU-C 935.43
AU 801.A39 / AU-C 935.A39
43. SAS 117
Adapting and Applying the AU Sections to a Compliance
Audit
Auditors should use professional judgment in determining
necessary and relevant audit procedures:
Appendix A41 lists the AU sections and paragraphs that are
not applicable to compliance audits
AU 801.A41 / AU-C 935.A41
44. SAS 117
2011 Government Auditing Standards Summary of
Major Changes
Conceptual framework for independence added for auditors to
assess independence
Specific references to personal, external, and organizational
impairments and overarching independence principles
removed and replaced with conceptual framework
New documentation requirements for auditor independence
added
Nonaudit services that always impair independence but may
be permitted under appropriate conditions revised
Auditors performing nonaudit services for entities they audit must
assess & document management’s possession of suitable skill,
knowledge, and experience to oversee services
2011 Government Auditing Standards
Summary of Major Changes
45. SAS 117
2011 Government Auditing Standards Summary of
Major Changes
Examinations, reviews and agreed-upon procedure engagements
now separately discussed.
SAS and SSAE requirements repeated in GAGAS removed
Fraud reporting only required if significant within the context of
the audit objectives for performance audits.
2011 Government Auditing Standards
Summary of Major Changes
46. Reference Materials for webinar
Today, we will cover material available on the AICPA website at:
http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SAS.aspx
AU Section 801 / AU-C 935
The material covered was referenced to the current AU section
and the new Clarity Project section AU-C.
Office of Management and Budget at:
http://www.whitehouse.gov/omb/circulars_default/
OMB Circular A-133, Compliance Supplement 2011 (see bottom of
page for complete download)
Government Accountability Office at: http://www.gao.gov/yellowbook
Government Auditing Standards, December 2011 Revision (GAO-
12-331G)
Summary of Major changes
Listing of Technical Changes