This is the accessible text file for GAO report number GAO-08-213T entitled 'Single Audit Quality: Actions Needed to Address Persistent Audit Quality Problems' which was released on October 26, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, Committee on Homeland Security and Governmental Affairs, U.S. Senate: United States Government Accountability Office: GAO: For Release on Delivery Expected at 2:30 p.m. EDT: Thursday, October 25, 2007: Single Audit Quality: Actions Needed to Address Persistent Audit Quality Problems: Statement of Jeanette M. Franzel Director, Financial Management and Assurance: GAO-08-213T: GAO Highlights: Highlights of GAO-08-213T, a testimony before the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, Committee on Homeland Security and Governmental Affairs, U.S. Senate. Why GAO Did This Study: Federal government grants to state and local governments have risen substantially, from $7 billion in 1960 to almost $450 billion budgeted in 2007. The single audit is an important mechanism of accountability for the use of federal grants by nonprofit organizations as well as state and local governments. However, the quality of single audits conducted under the Single Audit Act, as amended, has been a longstanding area of concern since the passage of the act in 1984. The President’s Council on Integrity and Efficiency (PCIE) recently issued its Report on National Single Audit Sampling Project, which raises concerns about the quality of single audits and makes recommendations aimed at improving the effectiveness and efficiency of those audits. This testimony provides (1) GAO’s perspective on the history and importance of the Single Audit Act and the principles behind the act, (2) a preliminary analysis of the recommendations made by the PCIE for improving audit quality, and (3) additional considerations for improving the quality of single audits. What GAO Found: In the early 1980s, Congress had concerns about a lack of adequate oversight and accountability for federal assistance provided to state and local governments. In response to concerns that large amounts of federal financial assistance were not subject to audit and that agencies sometimes overlapped on oversight activities, Congress passed the Single Audit Act of 1984. The act adopted the single audit concept to help meet the needs of federal agencies for grantee oversight as well as grantees’ needs for single, uniformly structured audits. GAO supported the passage of the Single Audit Act, and continues to support the single audit concept and principles behind the act as a key accountability mechanism for federal grant awards. However, the quality of single audits has been a longstanding area of concern since the passage of the act in 1984. In its June 2007 Report on National Single Audit Sampling Project, the PCIE found that, overall, approximately 49 percent of single audits fell into the acceptable group, with the remaining 51 percent having deficiencies severe enough to classify the audits as limited in reliability or unacceptable. PCIE found a significant difference in results by audit size. Specifically, 63.5 percent of the large audits (with $50 million or more in federal award expenditures) were deemed acceptable compared with only 48.2 percent of the smaller audits (with at least $500,000 but less than $50 million in federal award expenditures). The PCIE report presents compelling evidence that a serious problem with single audit quality continues to exist. GAO is concerned that audits are not being conducted in accordance with professional standards and requirements. These audits may provide a false sense of assurance and could mislead users of the single audit reports. The PCIE report recommended a three-pronged approach to reduce the types of deficiencies found and to improve the quality of single audits: (1) revise and improve single audit standards, criteria, and guidance; (2) establish minimum continuing professional education (CPE) as a prerequisite for auditors to be eligible to be able to conduct and continue to perform single audits; and (3) review and enhance the disciplinary processes to address unacceptable audits and for not meeting training and CPE requirements. In this testimony, GAO supports PCIE’s recommendations and points out issues that need to be resolved regarding the proposed training and other factors that merit consideration when determining actions to improve audit quality. GAO believes that there may be opportunities for considering size when implementing future actions to improve the effectiveness and quality of single audits. In addition, a separate effort considering the overall framework for single audits could answer such questions as whether simplified alternatives can achieve cost- effective accountability in the smallest audits; whether current federal oversight processes for single audits are adequate; and what role the auditing profession can play in increasing single audit quality. What GAO Recommends: GAO supports PCIE’s recommendations and points out factors for consideration in determining actions, including (1) audit quality problems by size of audit and (2) the distribution of audits by size. GAO also suggests a separate effort to evaluate the framework for single audits. To view the full product, including the scope and methodology, click on GAO-08-213T. For more information, contact Jeanette Franzel at (202) 512-9471 or franzelj@gao.gov. [End of section] Mr. Chairman and Members of the Subcommittee: I am pleased to be here today to discuss GAO's analysis of the results of the Report on National Single Audit Sampling Project[Footnote 1] recently issued by the President's Council on Integrity and Efficiency (PCIE) under the direction of the Office of Management and Budget (OMB). First, I would like to commend the PCIE for conducting this comprehensive and important study dealing with the quality of single audits. The single audit is a key accountability mechanism over the use of federal grants and other awards. In fiscal year 2007, $449 billion in federal grants was budgeted to state and local governments. The PCIE report raises significant concerns about the quality of single audits, and makes recommendations aimed at improving the effectiveness and efficiency of those audits. Today, I will provide (1) GAO's perspective on the history and importance of the Single Audit Act and the principles behind the act, (2) our preliminary analysis of the recommendations made by the PCIE for improving audit quality, and (3) additional factors for consideration for improving the quality of single audits. My statement today is based on our continuing work as the standards setter for generally accepted government auditing standards (GAGAS) and our related work in the area of single audits, including ongoing interaction with key stakeholders in the single audit process and members of the auditing profession providing single audit services to recipients of federal awards. In addition, this statement is based on our analysis of the PCIE report, and our discussions with the PCIE project team, the American Institute of Certified Public Accountants (AICPA), and OMB. Evolution of the Single Audit Act and Its Underlying Principles: In the early 1980s, Congress had concerns about a lack of adequate oversight and accountability for federal assistance[Footnote 2] provided to state and local governments. Before passage of the Single Audit Act in 1984 (the act), the federal government relied on audits of individual grants to help gain assurance that state and local governments were properly spending federal assistance. Those audits focused on whether the transactions of specific grants complied with program requirements. The audits usually did not address financial controls and were, therefore, unlikely to find systemic problems with an entity's fund management. Further, individual grant audits were conducted on a haphazard schedule, which resulted in large portions of federal funds being unaudited each year. In addition, the auditors conducting the individual grant audits did not coordinate their work with the auditors of other programs. As a result, some entities were subject to numerous grant audits each year, while others were not audited for long periods. In response to concerns that large amounts of federal financial assistance were not subject to audit and that agencies sometimes overlapped on oversight activities, Congress passed the Single Audit Act of 1984.[Footnote 3] The act stipulated that state and local governments that received at least $100,000 in federal financial assistance in a fiscal year have a single audit conducted for that year. The concept of a single audit was created to replace multiple grant audits with one audit of an entity as a whole. State and local governments which received between $25,000 and $100,000 in federal financial assistance had the option of complying with audit requirements of the act or the audit requirements of the federal program(s) that provided the assistance. The objectives of the Single Audit Act, as amended, are to: * promote sound financial management, including effective internal control, with respect to federal awards administered by nonfederal entities; * establish uniform requirements for audits of federal awards administered by nonfederal entities; * promote the efficient and effective use of audit resources; * reduce burdens on state and local governments, Indian tribes, and nonprofit organizations; and: * ensure that federal departments and agencies, to the maximum extent practicable, rely upon and use audit work done pursuant to the act. The Single Audit Act adopted the single audit concept to help meet the needs of federal agencies for grantee oversight as well as grantees' needs for single, uniformly structured audits. Rather than being a detailed review of individual grants or programs, the single audit is an organizationwide financial statement audit that includes the audit of the Schedule of Expenditures of Federal Awards (SEFA)[Footnote 4] and also focuses on internal control and the recipient's compliance with laws and regulations governing the federal financial assistance received. The act also required that grantees address material noncompliance and internal control weaknesses in a corrective action plan, which is to be submitted to appropriate federal officials. The act further required that single audits be performed in accordance with GAGAS issued by GAO. These standards provide a framework for conducting high-quality financial audits[Footnote 5] with competence, integrity, objectivity, and independence. The Single Audit Act Amendments of 1996[Footnote 6] refined the Single Audit Act of 1984 and established uniform requirements for all federal grant recipients. The refinements cover a range of fundamental areas affecting the single audit process and single audit reporting, including provisions to: * extend the law to cover all recipients of federal financial assistance, including, in particular, nonprofit organizations, hospitals, and universities; * ensure a more cost-beneficial threshold for requiring single audits; * more broadly focus audit work on the programs that present the greatest financial risk to the federal government; * provide for timely reporting of audit results; * provide for summary reporting of audit results; * promote better analyses of audit results through establishment of a federal clearinghouse and an automated database; and: * authorize pilot projects to further streamline the audit process and make it more useful. The 1996 amendments required the Director of OMB to designate a Federal Audit Clearinghouse (FAC) as the single audit repository,[Footnote 7] required the recipient entity to submit financial reports and related audit reports to the clearinghouse no later than 9 months after the recipient's year-end, and increased the audit threshold to $300,000. The criteria for determining which entities are required to have a single audit are based on the total amount of federal awards[Footnote 8] expended by the entity. The initial dollar thresholds were designed to provide adequate audit coverage of federal funds without placing an undue administrative burden on entities receiving smaller amounts of federal assistance. When the act was passed, the dollar threshold criteria for the audit requirement were targeted toward achieving audit coverage for 95 percent of direct federal assistance to local governments. As part of OMB's biennial threshold review required by the 1996 amendments, OMB increased the dollar threshold for requirement of a single audit to $500,000 in 2003 for fiscal years ending after December 31, 2003. Federal oversight responsibility for implementation of the Single Audit Act is currently shared among various entities--OMB, federal agencies, and their respective Offices of Inspector General (OIG). The Single Audit Act assigned OMB the responsibility of prescribing policies, procedures, and guidelines to implement the uniform audit requirements and required each federal agency to amend its regulations to conform to the requirements of the act and OMB's policies, procedures, and guidelines. OMB issued Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations, which sets implementing guidelines for the audit requirements and defines roles and responsibilities related to the implementation of the Single Audit Act.[Footnote 9] The federal agency that awards a grant to a recipient is responsible for ensuring recipient compliance with federal laws, regulations, and the provisions of the grant agreements. The awarding agency is also responsible for overseeing whether the single audits are completed in a timely manner in accordance with OMB Circular No. A-133 and for providing annual updates of the Compliance Supplement[Footnote 10] to OMB. Some federal agencies rely on the OIG to perform quality control reviews (QCR) to assess whether single audit work performed complies with OMB Circular No. A-133 and auditing standards. The grant recipient (auditee) is responsible for ensuring that a single audit is performed and submitted when due, and for following up and taking corrective action on any audit findings. The auditor of the grant recipient is required to perform the audit in accordance with GAGAS. A single audit consists of (1) an audit and opinions on the fair presentation of the financial statements and the SEFA; (2) gaining an understanding of internal control over federal programs and testing internal control over major programs; and (3) an audit and an opinion on compliance with legal, regulatory, and contractual requirements for major programs. The audit also includes the auditor's schedule of findings and questioned costs, and the auditee's corrective action plans and a summary of prior audit findings that includes planned and completed corrective actions. Under GAGAS, auditors are required to report on significant deficiencies in internal control and on compliance associated with the audit of the financial statements. Recipients expending more than $50 million in federal funding ($25 million prior to December 31, 2003) are required to have a cognizant federal agency for audit in accordance with OMB Circular No. A-133. The cognizant agency for audit is the federal awarding agency that provides the predominant amount of direct funding to a recipient unless OMB otherwise makes a specific cognizant agency assignment. The cognizant agency for audit provides technical audit advice, considers requests for extensions to the submission due date for the recipient's reports, obtains or conducts QCRs, coordinates management decisions for audit findings, and conducts other activities required by OMB Circular No. A- 133. According to OMB officials, the FAC single audit database generates a listing of those agencies that should be designated cognizant agencies for audit based on information on recipients expending more than $50 million. The officials also stated that OMB is responsible for notifying both the recipient and cognizant agency for audit of the assignment. Federal award recipients that do not have a cognizant agency for audit are assigned an oversight agency for audit, which provides technical advice and may assume some or all of the responsibilities normally performed by a cognizant agency for audit. Federal grant awards to state and local governments have increased significantly since the Single Audit Act was passed in 1984. Because single audits represent the federal government's primary accountability tool over billions of dollars each year in federal funds provided to state and local governments and nonprofit organizations, it is important that these audits are carried out efficiently and effectively. As shown in figure 1, the federal government's use of grants to state and local governments has risen substantially, from $7 billion in 1960 to almost $450 billion budgeted in 2007. Figure 1: Increase in Federal Grant Awards to State and Local Governments between 1960 and 2007: This figure is a bar chart showing the increase in federal grant awards to state and local governments between 1960 and 2007. [See PDF for image] Source: OMB. Notes: Data from the Budget for Fiscal Year 2008, Historical Tables. The above figures do not include grants made directly by federal agencies to nongovernmental organizations. [A] The Single Audit Act was enacted in 1984. [End of figure] GAO supported the passage of the Single Audit Act, and we continue to support the single audit concept and principles behind the act as a key accountability mechanism over federal grant awards. However, the quality of single audits conducted under this legislation has been a longstanding area of concern since the passage of the Single Audit Act in 1984. During the 1980s, GAO issued reports[Footnote 11] that identified concerns with single audit quality, including issues with insufficient evidence related to audit planning, internal control and compliance testing, and the auditors' adherence to GAGAS. The federal Inspectors General as well have found similar problems with single audit quality. The deficiencies we cited during the 1980s were similar in nature to those identified in the recent PCIE report. Results of PCIE Report Identify Serious Single Audit Quality Issues: In June 2002, GAO and OMB testified at a House of Representatives hearing about the importance of single audits and their quality.[Footnote 12] In its testimony,[Footnote 13] OMB identified reviews of single audit quality performed by several federal agencies that disclosed deficiencies. However, OMB emphasized that an accurate statistically based measure of audit quality was needed, and should include both a baseline of the current status and the means to monitor quality in the future. We also recognized in our testimony the need for a solution or approach to evaluate the overall quality of single audits. To gain a better understanding of the extent of single audit quality deficiencies, OMB and several federal OIGs decided to work together to develop a statistically based measure of audit quality, known as the National Single Audit Sampling Project. The work was conducted by a committee of representatives from the PCIE, the Executive Council on Integrity and Efficiency (ECIE), and three State Auditors, with the work effort coordinated by the U.S. Department of Education OIG. The Project had two primary objectives: * to determine the quality of single audits by performing QCRs of a statistical sample of single audits, and: * to make recommendations to address any audit quality issues noted. The project conducted QCRs of a statistical sample of 208 audits randomly selected from a universe of over 38,000 audits submitted and accepted for the period April 1, 2003, through March 31, 2004. The sample was split into two strata: * Stratum 1: entities with $50 million or more in federal award expenditures, and: * Stratum 2: entities with less than $50 million in federal award expenditures (with at least $500,000). The above split in the sample strata corresponds with the current threshold for designating a cognizant agency, which is for entities that expend more than $50 million in a year in federal awards. Table 1 shows the universe and strata used in the analysis and the reviews completed in the National Single Audit Sampling Project. Table 1: Sample Universe for National Single Audit Sampling Project: Stratum 1[A]; Sample size: 96; Universe: 852; Total federal awards for audits in universe (dollars in billions): 737.2. Stratum 2[B]; Sample size: 112; Universe: 37,671; Total federal awards for audits in universe (dollars in billions): 143.1. Total; Sample size: 208; Universe: 38,523; Total federal awards for audits in universe (dollars in billions): 880.2. Source: President's Council on Integrity and Efficiency and Executive Council on Integrity and Efficiency. Notes: Data from Report on National Single Audit Sampling Project (June 21, 2007). The $880.2 billion differs from the federal grant funding for the audit period covered in the PCIE report due to the double counting associated with pass-through entities that provide federal awards to a subrecipient to carry out a federal program. [A] Entities with $50 million in federal award expenditures. [B] Entities with <$50 million in federal award expenditures (with at least $500,000). [End of table] The project covered portions of the single audit relating to the planning, conducting, and reporting of audit work related to (1) the review and testing of internal control and (2) compliance testing pertaining to compliance requirements for selected major federal programs. The scope of the project included review of audit work related to the SEFA and the content of all of the auditors' reports on the federal programs. The project did not review the audit work and reporting related to the general purpose financial statements. The PCIE project team categorized the audits based on the results of the QCRs into the following three groups: * Acceptable--No deficiencies were noted or one or two insignificant deficiencies were noted. This group also includes the subgroup, Accepted with Deficiencies, which is defined as one or more deficiencies with applicable auditing criteria noted that do not require corrective action for the engagement, but should be corrected on future engagements. Audits categorized into this subgroup have limited effect on reported results and do not call into question the auditor's report. Examples of deficiencies that fall into this subgroup are (1) not including all required information in the audit findings; (2) not documenting the auditor's understanding of internal control, but testing was documented for most applicable compliance requirements; and (3) not documenting internal control or compliance testing for a few applicable compliance requirements. * Limited Reliability--Contains significant deficiencies related to applicable auditing criteria and requires corrective action to afford reliance upon the audit. Deficiencies for audits categorized into this group have a substantial effect on some of the reported results and raise questions about whether the auditors' reports are correct. Examples of deficiencies that fall into this category are (1) documentation did not contain adequate evidence of the auditors' understanding of internal control or testing of internal control for many or all compliance requirements; however, there was evidence that most compliance testing was performed; (2) lack of evidence that work related to the SEFA was adequately performed; and (3) lack of evidence that audit programs were used for auditing internal control, compliance, and/or the SEFA. * Unacceptable--Substandard audits with deficiencies so serious that the auditors' opinion on at least one major program cannot be relied upon. Examples of deficiencies that fall into this group are (1) no evidence of internal control testing and compliance testing for all or most compliance requirements for one or more major programs, (2) unreported audit findings, and (3) at least one incorrectly identified major program. As shown in table 2, the PCIE study estimated that, overall, approximately 49 percent of the universe of single audits fell into the acceptable group. This percentage also includes "accepted with deficiencies." The remaining 51 percent had deficiencies that were severe enough to cause the audits to be classified as having limited reliability or being unacceptable. Specifically, for the 208 audits drawn from the universe, the statistical sample showed the following about the single audits reviewed in the PCIE study:[Footnote 14] * 115 were acceptable and thus could be relied upon. This includes the category of "accepted with deficiencies." Based on this result, the PCIE study estimated that 48.6 percent of the entire universe of single audits were acceptable. * 30 had significant deficiencies and thus were of limited reliability. Based on this result, the PCIE study estimated that 16.0 percent of the entire universe of single audits was of limited reliability. * 63 were unacceptable and could not be relied upon.[Footnote 15] Based on this result, the PCIE study estimated that 35.5 percent of the entire universe of single audits was unacceptable. Table 2: Audit Quality by Groupings with Statistical Estimates of Audit Quality Based on Numbers of Audits: Stratum 1[A]; Acceptable: 61 63.5%; Limited reliability: 12 12.5%; Unacceptable: 23 24.0%; In sample: 96; In universe: 852. Stratum 2[B]; Acceptable: 54 48.2%; Limited reliability: 18 16.1%; Unacceptable: 40 35.7%; In sample: 112; In universe: 37,671. Total; Acceptable: 115 48.6%; Limited reliability: 30 16.0%; Unacceptable: 63 35.5%; In sample: 208; In universe: 38,523. Source: President's Council on Integrity and Efficiency and Executive Council on Integrity and Efficiency. Notes: Data from Report on National Single Audit Sampling Project (June 21, 2007). [A] Entities with $50 million in federal award expenditures. [B] Entities with <$50 million in federal award expenditures (with at least $500,000). [End of table] It is important to note the significant difference in results in the two strata. Specifically, 63.5 percent of the audits of entities in stratum 1 (those expending $50 million or more in federals awards) were deemed acceptable, while 48.2 percent of audits in stratum 2 (those expending at least $500,000 but less than $50 million) were deemed acceptable. Because of these differences, it is also important to analyze the results in terms of federal dollars. For the 208 audits drawn from the entire universe, the statistical sample showed the following about the single audits reviewed in the PCIE study: * The 115 acceptable audits represented 92.9 percent of the value of federal award amounts reported in all 208 audits the PCIE study reviewed. * The 30 audits of limited reliability represented 2.3 percent of the value of federal award amounts reported in all 208 audits the PCIE study reviewed. * The 63 unacceptable audits represented 4.8 percent of the value of federal award amounts reported in all 208 audits the PCIE study reviewed. The dollar distributions for the 208 audits reviewed in the study are shown in table 3. Table 3: Results--Distribution of Dollars of Federal Awards Reported in the 208 Audits: Stratum 1[A]; Acceptable: $52.9 billion 93.2%; Limited reliability: $1.3 billion 2.2%; Unacceptable: $2.6 billion 4.6%; Total: $56.8 billion 100%. Stratum 2[B]; Acceptable: $232.0 million 56.3%; Limited reliability: $39.7 million 9.6%; Unacceptable: $140.5 million 34.1%; Total: $412.2 million 100%. Total; Acceptable: $53.1 billion 92.9%; Limited reliability: $1.3 billion 2.3%; Unacceptable: $2.7 billion 4.8%; Total: $57.2 million 100%. Source: President's Council on Integrity and Efficiency and Executive Council on Integrity and Efficiency. Notes: Data from Report on National Single Audit Sampling Project (June 21, 2007). [A] Entities with $50 million in federal award expenditures. [B] Entities with <$50 million in federal award expenditures (with at least $500,000). [End of table] The most prevalent deficiencies related to the auditors' lack of documenting: * an understanding of internal control over compliance requirements, * testing of internal control of at least some compliance requirements, and: * compliance testing of at least some compliance requirements. The PCIE report states that for those audits not in the acceptable group, the project team believes that lack of due professional care was a factor for most deficiencies to some degree. The term due professional care refers to the responsibility of independent auditors to observe professional standards of auditing. GAGAS further elaborate on this concept in the standard on Professional Judgment. Under this standard, auditors must use professional judgment in planning and performing audits and in reporting the results, which includes exercising reasonable care and professional skepticism. Reasonable care concerns acting diligently in accordance with applicable professional standards and ethical principles. Using professional judgment in all aspects of carrying out their professional responsibilities--including following the independence standards, maintaining objectivity and credibility, assigning competent audit staff to the assignment, defining the scope of work, evaluating and reporting the results of the work, and maintaining appropriate quality control over the assignment process--is essential to performing a high quality audit. We previously noted similar audit quality problems in prior reports. In December 1985, we reported[Footnote 16] that problems found by OIGs in the course of QCRs mostly related to lack of documentation showing whether and to what extent auditors performed testing of compliance with laws and regulations. In March 1986, we reported[Footnote 17] that our own review of single audits showed that auditors performing single audits frequently did not satisfactorily comply with professional auditing standards. The predominant issues that we found in our previous reviews were insufficient audit work in testing compliance with governmental laws and regulations and evaluating internal controls. We also observed, through discussions with the auditors and reviews of their work, that many did not understand the nature and importance of testing and reporting on compliance with laws and regulations, or the importance of reporting on internal control and the relationship between reporting and the extent to which auditors evaluated controls. As a result, in 1986, we reported that the public accounting profession needed to (1) improve its education efforts to ensure that auditors performing single audits better understand the auditing procedures required, and (2) strengthen its enforcement efforts in the area of governmental auditing to help ensure that auditors perform those audits in a quality manner. Similar to our prior work, the PCIE report presents compelling evidence that a serious problem with single audit quality continues to exist. The PCIE study also reveals that the rate of acceptable audits for organizations with $50 million or more in federal expenditures was significantly higher than for audits for organizations with smaller amounts of federal expenditures. The results also showed that overall, a significant number of audits fell into the groups of limited reliability with significant deficiencies and unacceptable. In our view, the current status of single audit quality is unacceptable. We are concerned that audits are not being conducted in accordance with professional standards and requirements. These audits may provide a false sense of assurance and could mislead users of audit reports regarding issues of compliance and internal control over federal programs. PCIE Recommendations to Improve Single Audit Quality Are Based on Three- Pronged Approach: The PCIE report recommended a three-pronged approach to reduce the types of deficiencies noted and improve the quality of single audits: 1. revise and improve single audit standards, criteria, and guidance; 2. establish minimum continuing professional education (CPE) as a prerequisite for auditors to be eligible to conduct and continue to perform single audits; and: 3. review and enhance the disciplinary processes to address unacceptable audits and for not meeting training and CPE requirements. Revise and Improve Standards, Criteria and Guidance: More specifically, to improve standards, criteria, and guidance, the PCIE report recommended revisions to (1) OMB Circular No. A-133, (2) the AICPA Statement on Auditing Standards (SAS) No. 74, Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance, and (3) the AICPA Audit Guide, Current AICPA Audit Guide, collectively to: * emphasize correctly identifying major programs for which opinions are compliance are rendered; * make it clear when audit findings should be reported; * include more detailed requirements and guidance for compliance testing; * emphasize the minimal amount of documentation needed to document the auditor's understanding of, and testing of, internal control related to compliance; * provide specific examples of the kind of documentation needed for risk assessment of individual federal programs; * present illustrative examples of properly presented findings; * specify content and examples of SEFA and any effect on financial reporting; * emphasize requirements for management representations related to federal awards, similar to those for financial statement audits; * provide additional guidance about documenting materiality; and: * require compliance testing to be performed using sampling in a manner prescribed by the AICPA SAS No. 39, Audit Sampling, as amended, to provide for some consistency in sample sizes. Minimum CPE Requirements for Conducting Single Audits: The PCIE report recommendation called on OMB to amend its Circular No. A-133 to require that (1) as a prerequisite to performing a single audit, staff performing and supervising the single audit must have completed a comprehensive training program of a minimum specified duration (e.g., at least 16-24 hours); (2) every 2 years after completing the comprehensive training, auditors performing single audits complete a minimum specified amount of CPE; and (3) single audits may only be procured from auditors who meet the above training requirements. The PCIE report also recommends that OMB develop, or arrange for the development of, minimum content requirements for the required training, in consultation with the National State Auditors Association (NSAA), the AICPA and its Governmental Audit Quality Center (GAQC), and the cognizant and oversight agencies for audit. The report states that the minimum content should cover the essential components of single audits and emphasize aspects of single audits for which deficiencies were noted in this project. In addition, the report recommends that OMB develop, or arrange for the development of, minimum content requirements for the ongoing CPE and develop a process for modifying future content. The report further recommends that OMB encourage professional organizations, including the AICPA, the NSAA, and qualified training providers, to offer training that covers the required content. It also recommends that OMB encourage these groups to deliver the training in ways that enable auditors throughout the United States to take the training at locations near or at their places of business, including via technologies such as Webcasts, and that the training should be available at an affordable cost. The PCIE project report emphasizes that the training should be "hands on" and should cover areas where the project team specifically found weaknesses in the work or documentation in its statistical study of single audits. The report specifically stated that the training should cover requirements for properly documenting audit work in accordance with GAGAS and other topics related to the many deficiencies disclosed by the project, including critical and unique parts of a single audit, such as: * the auditors' determination of major programs for testing, * review and testing of internal controls over compliance, * compliance testing, * auditing procedures applicable to the SEFA, * how to use the OMB Compliance Supplement, and: * how to audit major programs not included in the Compliance Supplement. The PCIE report concludes that such training would require a minimum of 16 to 24 hours, and that a few hours or an "overview" session will not suffice. We believe that the proposed training requirements would likely satisfy the criteria for meeting a portion of the CPE hours already required by GAGAS. Enhance Disciplinary Processes: This recommendation focuses on developing processes to address unacceptable audits and auditors not meeting the required training requirements. OMB Circular No. A-133 currently has sanctions that apply to an auditee (i.e., the entity being audited) for not having a properly conducted audit and requires cognizant agencies to refer auditors to licensing agencies and professional bodies in the case of major inadequacies and repetitive substandard work. The report noted that other federal laws and regulations do currently provide for suspension and debarment processes that can be applied to auditors of single audits. Some cognizant and oversight agency participants in the project team indicated that these processes are rarely initiated due to the perception that it is a large and costly effort. As a result, the report specifically recommends that OMB, with federal cognizant and oversight agencies, should (1) review the process of suspension and debarment to identify whether (and if so, how) it can be more efficiently and effectively applied to address unacceptable audits, and based on that review, pursue appropriate changes to the process; and (2) enter into a dialogue with the AICPA and State Boards of Accountancy to identify ways the AICPA and State Boards can further the quality of single audits and address the due professional care issues noted in the PCIE report. The report further recommends that OMB, with federal cognizant agencies, should also identify, review, and evaluate the potential effectiveness of other ways (both existing and new) to address unacceptable audits, including (but not limited to) (1) revising Circular No. A-133 to include sanctions to be applied to auditors for unacceptable work or for not meeting training and CPE requirements, and (2) considering potential legislation that would provide to federal cognizant and oversight agencies the authority to issue a fine as an option to address unacceptable audit work. GAO Analysis of PCIE Recommendations: While we support the recommendations made in the PCIE report, it will be important to resolve a number of issues regarding the proposed training requirement. Some of the unresolved questions involve the following: * What are the efficiency and cost-benefit considerations for providing the required training to the universe of auditors performing the approximately 38,500 single audits? * How can current mechanisms already in place, such as the AICPA's Government Audit Quality Center (GAQC), be leveraged for efficiency and effectiveness purposes in implementing new training? * Which levels of staff from each firm would be required to take training? * What mechanisms will be put in place to ensure compliance with the training requirement? * How will the training requirement impact the availability of sufficient, qualified audit firms to perform single audits? The effective implementation of the third prong, developing processes to address unacceptable audits and for auditors who do not meet professional requirements, is essential as the quality issues have been long-standing. We support the PCIE recommended actions to make the process more effective and efficient and to help ensure a consistent approach among federal agencies and their respective OIGs overseeing the single audit process. Additional Factors for Consideration When Determining Actions to Improve Audit Quality: In addition to the findings and recommendations of the PCIE report, we believe there are two other critical factors that need to be considered in determining actions that should be taken to improving audit quality: (1) the distribution of unacceptable audits and audits of limited reliability across the different dollar amounts of federal expenditures by grantee, as found in the PCIE study; and (2) the distribution of single audits by size in the universe of single audits. These factors are critical in effectively evaluating the potential dollar implications and efficiency and effectiveness of proposed actions. The PCIE study found that rates of unacceptable audits and audits of limited reliability were much higher for audits of entities in stratum 2 (those expending less than $50 million in federal awards) than those in stratum 1 (those expending $50 million or more). Table 1 presented earlier in this testimony shows the data from the sample universe of single audits used by the PCIE. Analysis of the data shows that 97.8 percent of the total number of audits (37,671 of the 38,523 total) covered approximately 16 percent ($143.1 billion of the $880.2 billion) of the total reported value of federal award expenditures, indicating significant differences in distributions of audits by dollar amount of federal expenditures. At the same time, the rates of unacceptable audits and audits of limited reliability were relatively higher in these smaller audits. We believe that there may be opportunities for considering size characteristics when implementing future actions to improve the effectiveness and quality of single audits. For instance, there may be merit to conducting a more refined analysis of the distribution of audits to determine whether less-complex approaches could be used for achieving accountability through the single audit process for a category of the smallest single audits. Such an approach may provide sufficient accountability for these smaller programs. An example of a less-complex approach consists of requirements for a financial audit in accordance with GAGAS, that includes the higher level reports on internal control and compliance along with an opinion on the SEFA and additional, limited or specified testing of compliance. Currently, the compliance testing in a single audit is driven by compliance requirements under OMB Circular No. A-133 as well as program- specific requirements detailed in the compliance supplement. A less- complicated approach could be used for a category of the smallest audits to replace the current approach to compliance testing, while still providing a level of assurance on the total amount of federal grant awards provided to the recipient. Another consideration for future actions is strengthening the oversight of the cognizant agency for audit with respect to auditees expending $50 million or more in federal awards. As shown in the data from the sample universe of single audits used by the PCIE, 852 audits (or 2.2 percent) of the total 38,523 audits covered $737.2 billion (or 84 percent) of the reported federal award expenditures. This distribution suggests that targeted and effective efforts on the part of cognizant agencies aimed at improving audit quality for those auditees that expend greater than $50 million could achieve a significant effect in terms of dollars of federal expenditures. Conclusions: We continue to support the single audit concept and principles behind the act as a key accountability mechanism over federal awards. It is essential that the audits are done properly in accordance with GAGAS and OMB requirements. The PCIE report presents compelling evidence that a serious shortfall in the quality of single audits continues to exist. Many of these quality issues are similar in nature to those reported by GAO and the Inspectors General since the 1980s. We believe that actions must be taken to improve audit quality and the overall accountability provided through single audits for federal awards. Without such action, we believe that substandard audits may provide a false sense of assurance and could mislead users of audit reports. While we support the recommendations made in the PCIE report, we believe that a number of issues regarding the proposed training requirements need to be resolved. The PCIE report results also showed a higher rate of acceptable audits for organizations with larger amounts of federal expenditures and showed that the vast majority of federal dollars are being covered by a small percentage of total audits. We believe that there may be opportunities for considering size characteristics when implementing future actions to improve the effectiveness and quality of single audits as an accountability mechanism. Considering the recommendations of the PCIE within this larger context will also be important to achieve the proper balance between risk and cost-effective accountability. In addition to the considerations surrounding the specific recommendations for improving audit quality, a separate effort taking into account the overall framework for single audits may be warranted. This effort could include answering questions such as the following: * What types of simplified alternatives exist for meeting the accountability objectives of the Single Audit Act for the smallest audits and what would the appropriate cutoff be for a less-complex audit requirement? * Is the current federal oversight structure for single audits adequate and consistent across federal agencies? * What alternative federal oversight structures could improve overall accountability and oversight in the single audit process? * Are federal oversight processes adequate and are sufficient resources being dedicated to oversight of single audits? * What role can the auditing profession play in increasing single audit quality? * Do the specific requirements in OMB Circular No. A-133 and the Single Audit Act need updating? Mr. Chairman, we would be pleased to work with the subcommittee as it considers additional steps to improve the single audit process and federal oversight and accountability over federal grant funds. Mr. Chairman and members of this subcommittee, this concludes my statement. I would be happy to answer any questions that you or members may have at this time. Contacts and Acknowledgments: For information about this statement, please contact Jeanette Franzel, Director, Financial Management and Assurance, at (202) 512-9471 or franzelj@gao.gov. Individuals who made key contributions to this testimony include Marcia Buchanan (Assistant Director), Robert Dacey, Abe Dymond, Heather Keister, Jason Kirwan, David Merrill, and Sabrina Springfield (Assistant Director). [End of section] Footnotes: [1] President's Council on Integrity and Efficiency (PCIE)/Executive Council on Integrity and Efficiency (ECIE), Report on National Single Audit Sampling Project (June 2007). The project was conducted under the auspices of the Audit Committee of the PCIE, as a collaborative effort involving PCIE member organizations, as well as a member of the ECIE and three State Auditors. The project was performed to determine the quality of single audits using statistical methods and to make recommendations to address noted audit quality issues. [2] Federal assistance, also known as federal awards, includes grants, loans, loan guarantees, property, cooperative agreements, interest subsidies, insurance, food commodities, direct appropriations, and federal cost reimbursement contracts. [3] Pub. L. No. 98-502, 98 Stat. 2327 (Oct. 19, 1984) (codified, as amended, at 31 U.S.C. §§ 7501-7507). [4] Grant recipients must prepare a SEFA for the period covered by their audited financial statements, which identifies all federal awards received and expended, and the federal programs under which they were received. Federal program and award identification shall include, as applicable, the Catalog of Federal Domestic Assistance (CFDA) title and number (assigned to a federal program), award number and year, name of the federal agency, and name of the pass-through entity. [5] GAGAS also provide standards for attestation engagements and performance audits. [6] Pub. L. No. 104-156, 110 Stat. 1396 (July 5, 1996). [7] The Federal Audit Clearinghouse Single Audit Database is maintained by the Bureau of Census in the Department of Commerce. It contains summary information on the auditor, the recipient and its federal programs, and the audit results. [8] The 1996 amendments changed the phrase "federal financial assistance" to "federal awards." [9] See 68 Fed. Reg. 38401 (June 27, 2003). [10] The Compliance Supplement is based on the requirements of the 1996 Amendments and 1997 revisions to OMB Circular No. A-133, which provide for the issuance of a compliance supplement to assist auditors in performing the required audits. It provides a source of information for auditors to understand the federal program's objectives, procedures, and compliance requirements relevant to the audit as well as audit objectives and suggested audit procedures for determining compliance with these requirements. [11] GAO, CPA Audit Quality: Inspectors General Find Significant Problems, GAO/AFMD-86-20 (Dec. 5, 1985); CPA Audit Quality: Many Governmental Audits Do Not Comply With Professional Standards, GAO/ AFMD-86-33 (March 19,1986); Single Audit Act: Single Audit Quality Has Improved but Some Implementation Problems Remain, GAO/AFMD-89-72 (July 27,1989). [12] GAO, Single Audit: Single Audit Act Effectiveness Issues, GAO-02- 877T (June 26, 2002). [13] Office of Management and Budget, Statement of the Honorable Mark W. Everson, Controller, Office of Federal Financial Management, Office of Management and Budget before the House Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations (June 26, 2002). [14] The percentages indicated as estimates in this paragraph are point estimates of the quality of single audits based on the stratified sample results for the universe of all 38,523 single audits from which the stratified sample was drawn. At the 90 percent confidence level, the margins of error range between ±5.3 and ±7.8 percentage points. Also, due to rounding, these percentages do not add to exactly 100 percent. [15] Of these 63 audits, 9 had material reporting errors that resulted in the audits being considered unacceptable. The remaining 54 of the 63 unacceptable audits were substandard. [16] GAO/AFMD-86-20. [17] GAO/AFMD-86-33. GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, DC 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, jarmong@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548: