1. Presented by: Jean Young, Partner, CPA and Amanda L. Ward, Associate, CPAJean.Young@plantemoran.com Amanda.Ward@plantemoran.com FEDERAL AUDIT REQUIREMENTS AND FRAUD PREVENTION 1
2. AGENDA By the end of the session, we will: Provide an overview of changes to the single audit requirements and the impact of ARRA Provide an update on new auditing standards and accounting pronouncements Provide guidance on how to protect against fraud and other internal control related matters 2
7. DATA COLLECTION REVISIONS Revised on-line submission procedures Ensure proper identification of agencies to receive reports Expenditures need to agree with the SEFA, with clusters properly identified Findings must be properly identified and agree with the single audit report 5
8. CONSOLIDATE HEALTH CENTERS – 93.224 The objectives is to provide populations that would ordinarily not have access to health care: Primary and preventive health services Referrals to other service Case management and other services 6
65. ARRA WEBSITE RESOURCES State Website – www.michigan.gov/recovery GAO Website - www.gao.gov/recovery Federal Website - www.recovery.gov OMB-www.whitehouse.gov/omb/circulars_a133_compliance_09toc 18
66.
67.
68. DEFINITION – CONTROL DEFICIENCY A control deficiency exists when the design or operation of a controls does not allow management or employees , in the normal course of performing their assigned functions, to prevent or detect on a timely basis noncompliance with a type of compliance requirement of a federal program. 20
69. DEFINITION – SIGNIFICANT DEFICIENCY A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to administer a federal program such that there is more than a remote likelihood that noncompliance with a type of compliance requirement of a federal program, that is more than inconsequential, will not be prevented or detected. 21
70. EXAMPLES OF SIGNIFICANT DEFICIENCIES IN INTERNAL CONTROL OVER COMPLIANCE Policies and procedures which are incomplete, inadequate, or outdated for activities subject to a type of compliance requirement Inadequate segregation of duties over a type of compliance requirement Controls over complex types of compliance requirements IT controls relating to activity subject to the type of compliance 22
71. DEFINITION – MATERIAL WEAKNESS A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that material noncompliance with a type of compliance requirement of a federal program will not be prevented or detected. 23
72. EXAMPLES OF SIGNIFICANT DEFICIENCY, may be a MATERIAL WEAKNESS Lack of operating policies and procedures for a material noncompliance category Ineffective oversight by those charged with governance over compliance with those program requirements Identification by the auditor of material noncompliance for the period under audit that was not initially identified by the entity’s internal control Identification of fraud in the major program of any magnitude. 24
73.
74. REQUIRED FINDING REPORTING A significant deficiency/material weakness/noncompliance on the financial statements is required to be disclosed as a finding in the A-133 report A significant deficiency/material weakness/noncompliance in major federal program is required to be disclosed as a finding in the A-133 report Fraud/questioned costs must be disclosed as a finding if the amount is over $10,000 26
75.
76. Changes are primarily limited to the definitions of deficiency in internal control, significant deficiency, and material weakness
77. Material weakness – is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s F/S will not be prevented, or detected and corrected on a timely basis. In this SAS, a reasonable possibility exists when the likelihood of the event is either reasonably possible or probable as those terms are used in FAS 5, Accounting for Contingencies.
78. Significant deficiency – is a deficiency, or combination of deficiencies, in internal control that is less than a material weakness, yet important enough to merit attention by those charged with governance.
83. Accounting and Auditing Update SFAS 157, Fair Value Measurements FSP FAS 117-a, Endowments of NPOs: Net Asset Classification of Funds Subject to an Enacted Version of the UPMIFA, and Enhanced Disclosures SFAS 161, Disclosures about Derivative Instruments and Hedging Activities SFAS 164, Not-for-Profit Entities: Mergers and Acquisitions SFAS 165, Subsequent Events 29
91. Level 2 – Inputs other than quoted prices included in Level 1 that are observable for the asset or liability through corroboration with observable market data
92. Example – Municipal bonds that are rated by a bonding agency; auction rated securities; receive-fixed, pay-variable interest rate swap based on LIBOR swap rate; 3 year option on exchange traded shares31
93.
94.
95. Applies to donor-restricted endowment funds (funds that cannot be wholly expended on a current basis under terms of gift instrument)
120. Measure goodwill as the amount by which the value of the consideration transferred exceeds the net of the amounts assigned to identifiable assets acquired and liabilities assumed
121. Measure the contribution inherent in the transaction as the amount by which the values assigned to the identifiable assets acquired exceeds the consideration transferred and the liabilities assumed37
122.
123. Amend the effective date and transition provisions of Statement 142, making them effective for a NFP organization
124. Statement 142 requires an organization to make certain assessments about the nature of intangible assets acquired in a merger or acquisition as of the acquisition date, such as whether an intangible asset has an indefinite life. Goodwill, therefore, would be tested for impairment periodically, rather than amortized.
125. Effective for mergers occurring on or after December 15, 2009, and for acquisitions occurring in fiscal years beginning on or after December 15, 200938
138. INTERNAL CONTROL - DEFINITION Internal control is a process - effected by an entity’s board, council, management, and other personnel - designed to provide reasonable assurance regarding the achievement of the internal control objectives. 44
139. INTERNAL CONTROL OBJECTIVES Reliability of financial reporting Effectiveness and efficiency of operations Compliance with applicable laws and regulations Reduce risk that errors would not be detected in a timely period 45
146. Internal Controls over cash Collection of cash receipts Cash disbursements Bank reconciliations 48
147. Collection of cash receipts Prompt deposits Segregation of duties Controlled by a register Use of lock box system Bonding the cash custodian Restrictive endorsements Limited remote site collections of cash 49
148. Cash disbursements Segregation of duties Checks never signed in blank Control over blank checks Controls over mechanical check signing processes Petty cash controls Purchase requisitions Pre-numbered purchase orders Recording of payable and approval for payment Budget system 50
149. Bank Reconciliations Receipt of unopened bank statements Performed timely Reconciliation between the bank statement and the general ledger Reviewed by independent party 51
150. Internal controls over investments Prompt deposits Substantiation of all purchases Maintenance of a detailed listing of all investments and reconciliation to the general ledger Established investment policies Independent review of the investment portfolio 52
Federal funding in excess of $500K or more. Financial assistance includes loans, insurance, loan guarantees, and other non-cash assistance (property, commodities, etc.) but does not include direct assistance to individualsExpended, generally means, performing the activity of the grantEntities with funding less than $500K have no single audit or program audit requirement. Funding of subrecipients uses the same rules as the federal requirementsSingle audit are usually annually, but two-year audits are allowable when there is no annual financial audit and with grantor/cognizant agent permission (generally rare)
New data collection form and electronic filing is….Intended to be used for audit period ending in 2008, 2009, and 2010Includes internal control terminology updates for SAS 112 Reporting package can only be submitted electronically via internet data entry system, no more paper submissions will be accepted.Reporting package submission must be in one pdf
Referrals to other services, such as hospital and substance abuse services Case management and other services are designed to assist health center patients in establishing eligibility and gaining access to Federal, State and local programs that provide additional medical, social, or educational support or enabling services such as transportation, translation and outreach services, and patient education services.
Activities allowed or unallowed… there are three types of grantsOperational grants for other than managed care and practice management network plansPlanning grant for health centersPlanning grants for managed care or practice management networks or plansAllowable costs/cost principles..Program income, including but not limited to, fees, premiums, and 3rd party reimbursements may be used for allowable activities and for such other purposes as not specifically prohibited if such uses furthers the objectives of the project.Eligibility for individualsUnder health care for the homeless, if a grantee has provided services to a previously homeless individual and the individual is no longer homeless as a result of becoming a resident in permanent housing, the grantee may continue to provide services for NOT more than 12 months.Program IncomeHealth centers must have a schedule of fees or payments for the provision of their health services consistent with locally prevailing rates and charges and designed to cover their reasonable costs of operation. Centers are also required to have a corresponding schedule of discounts applied and adjusted on the basis of the patient’s ability to pay; determined on the basis of the official poverty guidelines as revised annually by HHSCenters are required to collect appropriate reimbursement for costs in providing health servicesProgram income, including but not limited to, fees, premiums, and 3rd party reimbursements may be used for allowable activities Financial reportingSF-269 financial status reportSF-270 – request for advance or reimbursement ONLY if specified in the terms and conditions of the awardSF-272 Federal cash transaction reportsSpecial reportingUniform Data System is comprised of 2 separate set of reports … the Universal Report and Grant Reports. Grantees that receive a single grant under the consolidated health centers program or receive CHC and or MHC only are required to complete the Universal Report only.Grantees that receive multiple awards must complete a Universal Report for the combined grants and individual grant reports for the their HCH and PHPC funding if applicable.Unless the requirement is waived, grantees are required to have a governing board that is composed of individuals, a majority of whom are being served by the center, and who as a group, represent the individuals being served by the center.The board shall meet at least once a month and approve the annual budgetsSelects services to be provided by the center and schedules the hours during which services will be providedApproves the selection of the director for the centerAnd except for the case of a public center, establishes general policies for the center
Please keep in mind that the topics related to ARRA are based on current guidance. The final role of each state and federal agency and the grant compliance requirements are still in process as we meet today. Based on the changes in those aspects of this initiative, the implications on the single audit and grants management may change.Specific fundingobjectives of the grants revolve around:Job creation and retentionRelief to the working and lower class populationEnergy conservationPromotion of renewable energy sourcesHealth care & educationLocal unit infrastructure, including roads and bridgesOf the $787 Billion in grants, $280 billion will be administered through states and local municipalities.Funds must be obligated and spent by 9-30-2012 – As of June 5, 2009 $141 billion has been made available in stimulus grants and $46.4 billion has been paid out. Per the Act, recipients shall use grant funds in a manner “that maximizes job creation and economic benefit”
For example: Genesee County - $30 million in grants in local units with an additional $42 million in monies to local and intermediate school districts and $48 in MDOT and transit grants in the county. Wayne County - $128 million in grants with an additional $298 million schools and $165 million in MDOT roadinfrastructure and transit grants That is a total of $591 million to Wayne County alone and that amount is still only .07% of the total $787 billion dollars in funding.Coordination of all these grants, all these recipients, all these projects and all the required reporting indicates a significant administrative burden and responsibility on all the participants in this process.
In summary, we are bolding going where federal grants have never gone before, we have never seen a grant program with this level of state and federal agency involvement and oversight, this level of transparency and reporting (including deliverables never measured before – such as employment impact) this level of public and political scrutiny as (like it or not) the ability of this program to meet its objectives will be the first major success or potential of the Obama administration. It is a big deal for the Whitehouse and as a result, a big deal for the federal agencies involved. And that importance will also fall onto the local governments administering these grants at the local level.All Federal departments and agencies receiving Recovery Act stimulus funding must submit weekly Financial and Activity Reports detailing distribution of Recovery funds, major actions taken so far, and actions planned for the near term. The Governor and local officials of each state must certify that infrastructure projects have been reviewed and are an appropriate use of tax dollars. Public Access to grants and contract information, including RFP’s for competitive grant programsSignificant federal scrutiny via Quality Control Reviews (QCRs) of single audits performed on entities receiving Recovery Act money (primarily in 2010 – 2011 timeframe) – results to be placed on Recovery.gov. Plan to use current single audit testing and reporting process to play a large role in monitoring the grant.
OMB issued interim guidance to the federal agencies in April of 2009. While the guidance if for federal agencies, it does include information on the compliance requirements that might be useful for recipients and their auditors. I did not include in your handouts as it is 172 pages long. can give you a link for the guidance but since it is 172 pages, I did not include in my sources. OMB issued a new Compliance Supplement was issued 3-2009, but did not include specific guidance for testing the specific compliance requirements of the ARRA grants. Appendix Seven of the 2009 compliance supplement DOES provide some guidance on testing grants funded under the ARRA. A copy has been provided in your handouts as the end of this section. Would suggest that you read the materials as it will outline federal agency requirements, discuss the impact on clusters, and what some of your responsibilities as a sub recipient will be. It also discusses the presentation of the ARRA grants on the Data Collection Form Schedule of Federal Awards. Appendix VII is only the first step and we expect OMB to develop additional guidance to this supplement as time progress. Such additions will include effective dates
Timely reporting – reports due with ten days of the end of the quarter – meaning information must flow back up the grant chain (local recipient, local municipality, state, federal) in order to report results on a quarterly basis to the federal government so that the public can be.
No change here as we have always had these compliance requirements. Requirements specific to award document are going to be important because, as noted before, the 2009 compliance supplement does not include any specific guidance on ARRA grants. KEEP IN MIND THAT AGENCIES MAY WAIVE CERTAIN COMPLIANCE REQUIREMENTS ON EXISTING SPECIFIC PROGRAM COMPLIANCE IN ORDER TO SPEND MONEY QUICKLY OR TO DIRECT EXISTING ALLOCATIONS TO PROJECTS THAT PROMOTE JOB CREATION AND ECONOMIC DEVELOPMENT (IE CDBG). NEED TO KEEP IN TOUCH WITH YOUR FEDERAL AGENCIES TO DETERMINE WHAT REQUIREMENTS THEY MAY BE WAIVING.
Most of the impact on A-133 reporting and testing will happened in the 2010 and 2011 years as little monies have been distributed as of June 30, 2009. But Sept and Dec 2009 year ends may see some specific ARRA single audit implications due to the desire to implement these projects, spend the monies, and impact the economy as soon as possible.
Note, most of the federal agencies (HUD, HHS) have their own specific page for ARRA activities and information. Look for the recover act icon (circle with green plant, red gears, and stars from the flag)To get to the ARRA section of the MDOT page, you need to click on the symbol for the michigan.gov
ecovery in the lower right hand corner of the MDOT home page.The OMB link is directly to the compliance supplement where you can scroll down to get to Appendix VII (where information is placed to date on ARRA). GFOA NEWSLETTER HAS A MONTHLY UPDATE ON THE STIMULUS PROGRAMHUD website has archived web casts regarding specific aspects of HUD’s programs under the ARRA State website should be most helpful as several communities will be getting their grants as a first tier recipient from the State of Michigan. Screen shots follow:State site:Grant opportunitiesFAQMichigan programs Interactive county map
SAS 115 …..GAO issued interim guidance making it permissible for auditors to implement SAS 115 on their FS audit performed under government auditing standardsHowever OMB has not provided guidance to date regarding use of the new guidance ad definitions in SAS 115 for reporting on internal control over compliance in single audits.
Lack of an internal control to identify a noncompliance issue TIMELY related to a federal grant compliance categoryLOWEST LEVEL of deficiencyNOT required to be disclosedREQUIRED to be communicated (NOT in writing, but can be…) and documented how it was communicated
A control deficiency that is consequentialRequired to be disclosed in writing
Lack of significant policy – e.g. a grant with significant construction and the organization doesn’t have a procurement policyNo separate expense approval over grant expenditures by someone involved in the grantLack of controls over complicated level of effort calculationsIssues with IT system that impacts a significant compliance category, such as, accumulation of information for reporting where anyone could go into the IT system and adjust the report rules and there is no verification of changes
A significant deficiency that could be material, even if know amount is not materialRequired to be disclosed in writing
Lack of policy – e.g. a grant with material or all construction and the organization does not have a procurement policyLack of adequate review of federal financial reports prior to submission to the grantorThis is a strong indicator of a material weakness even if management subsequently corrects the noncomplianceFor which such functions are important to the monitoring or risk assessment component of internal control for a type of compliance requirement
Beginning with the 2009 plan year end (years beginning on or after January 1, 2009), organizations subject to the Employee Retirement Income Security Act of 1974 (ERISA) will generally be required to have their 403(b) plan’s financial statements audited, if they have more than 100 eligible participants as of the beginning of the plan year. These audited financial statements will be a required attachment to the plan’s Form 5500.Although the first audit is not required until the 2009 plan year, Form 5500 requires the statement of net assets be fully comparative. Thus the 2008 financial information will need to be included in the plan’s 2009 audited financial statements.