This is the accessible text file for GAO report number GAO-08-318R entitled 'Responses to Posthearing Questions Related to Improving Single Audit Quality' which was released on December 10, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. December 7, 2007: The Honorable Tom Carper: Chairman: Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security: Committee on Homeland Security and Governmental Affairs: United States Senate: Subject: Responses to Posthearing Questions Related to Improving Single Audit Quality: Dear Mr. Chairman: On October 25, 2007, GAO testified[Footnote 1] before your subcommittee at a hearing entitled, "Single Audits: Are They Helping to Safeguard Federal Funds?" At the hearing, we provided (1) GAO's perspective on the history and importance of the Single Audit Act, as amended (Single Audit Act), and the principles behind the act, (2) our preliminary analysis of the recommendations made by the President's Council on Integrity and Efficiency (PCIE) for improving audit quality, and (3) additional factors to consider for improving the quality of single audits. This letter responds to your November 5, 2007, request for responses to follow-up questions for the record related to our October 25, 2007, testimony. Your questions, along with our responses, follow. Question 1. Ms. Franzel mentioned in her statement that a separate effort considering the overall framework for single audits is warranted, including analyzing whether the current federal oversight structure for single audits is adequate. Please elaborate on the type of analysis suggested to be done. Given the increase in federal grant awards in recent years and the many different federal entities involved in overseeing the single audit process, two aspects of the single audit framework warrant further analysis to determine whether changes are needed to improve single audit quality and overall accountability for the use of federal grant funds: (1) the roles and responsibilities of the various parties in the federal oversight structure for single audits, and (2) the current risk- based approach to conducting single audits. Roles and Responsibilities within the Federal Oversight Structure: Federal oversight responsibility for implementation of the Single Audit Act is currently shared among various entities--the Office of Management and Budget (OMB), federal agencies, and their respective Offices of Inspector General (OIG). The Single Audit Act assigned to OMB the responsibility of prescribing guidance to implement the uniform audit requirements and required each federal agency to amend its regulations to conform to the requirements of the act and OMB's guidance. OMB issued Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations, which sets implementing guidelines for the audit requirements and defines roles and responsibilities related to the implementation of the Single Audit Act. The federal agency that awards a grant to a recipient is responsible for ensuring recipient compliance with federal laws, regulations, and the provisions of the grant agreements. The awarding agency is also responsible for overseeing whether the single audits are completed in a timely manner in accordance with OMB Circular No. A-133 and for providing annual updates of the Compliance Supplement[Footnote 2] to OMB. Some federal agencies rely on the OIG to perform quality control reviews (QCR) to assess whether single audit work performed complies with OMB Circular No. A-133 and auditing standards. Many grantees receive federal funding from several federal agencies and programs. Therefore, a specific federal agency is generally given oversight responsibilities for a particular grantee, either as a cognizant or oversight agency for audit. Recipients expending more than $50 million in federal funding are required to have a cognizant agency for audit. Recipients that do not have a cognizant agency are assigned a specific oversight agency to provide technical audit advice. If necessary, this agency may perform the full duties of a cognizant agency. An analysis of the roles and responsibilities within the federal oversight structure for single audits to identify possible improvements should consider the following questions: Is single audit oversight consistent and effective across federal agencies (Are there any particularly effective models that are currently employed by specific agencies)? What alternative federal oversight structures could improve overall accountability and oversight of the single audit process? Are sufficient federal resources being dedicated to oversight of single audits, in relation to the current dollar amounts of grants and the nature of current grant programs? Should the oversight role of the cognizant agency for audit of larger grantees--those expending $50 million or more in federal awards--be strengthened? Is the current overall federal oversight structure adequate to achieve useful and effective accountability over federal grant funds? If not, where are improvements needed? Current Risk-Based Approach to Single Audits: The current risk-based approach to conducting single audits considers both dollar amounts and other aspects of risk to identify which "major" programs to include in the scope of compliance testing in a single audit. The Single Audit Act of 1984 focused attention on dollar coverage of federal financial assistance to achieve approximately 95 percent audit coverage. The 1996 amendments to the act expanded the criteria to include risk-based criteria for the compliance testing component of the audit in addition to dollar amounts. This gave auditors greater freedom in targeting risky programs by, for example, allowing them to eliminate low-risk large dollar programs from testing and include high-risk small dollar programs in their place. OMB Circular No. A-133's current methodology for selecting major programs for compliance testing is based on a combination of dollar amounts, past audit findings, length of time since the program was last audited, and total coverage of federal dollars. This methodology, however, continues to rely heavily on the relative size of the grant expenditures for programs within a grantee to determine which programs are audited for compliance. An analysis of the current risk-based approach to conducting single audit compliance testing could be focused on determining whether there are other risk-based factors that may be cost-beneficial to consider in approaching single audits in today's environment. This analysis could also determine whether the current single audit approach adequately targets areas of risk and contributes to improvements where needed. Other types of risk-based factors that could be considered include organizational governance, internal control environment, risks associated with internal controls and financial systems, and risk of improper payments and noncompliance with federal programs. The single audit scope and specific audit procedures could then be adjusted by incorporating these types of factors. Question 2. OMB pointed out in its statement and during the hearing that it plans to consider how to leverage single audits to improve improper payment estimates. Is GAO concerned that the audit quality problems cited in the PCIE study might be either masking or leading to improper payments in some of these programs? Does GAO believe that OMB's plan has merit? The current design of the single audit is not intended to provide sufficient information for assessing and reporting on improper payments. There is currently no direct link between the assessment of susceptibility to improper payments and the level and scope of work performed in a single audit. For instance, the current risk-based approach for determining major programs to audit for compliance under the single audit focuses heavily on programs with the largest dollar amounts in a grantee's portfolio. Thus, programs identified as susceptible to improper payments at the federal level may not be audited for compliance under a single audit, depending on the portfolio of a grantee's federal grants. Consequently, the current design of the single audit process and the related results are generally insufficient to identify improper payments and systematically estimate the extent of improper payments for susceptible programs. Many grant programs could be susceptible to improper payments by their very nature. Improper payments are payments that should not have been made or that were made in an incorrect amount under applicable requirements. Improper payments also include payments to ineligible recipients, payments for ineligible service, duplicate payments, and payments for services not received. Federal agencies are required to follow four basic steps under the Improper Payments Information Act (IPIA)[Footnote 3] and related OMB guidance: (1) assess risk of improper payments in all programs, (2) estimate improper payments for programs susceptible to significant improper payments (defined by OMB as exceeding both 2.5 percent of program payments and $10 million annually), (3) annually report on estimates of improper payments, and: (4) for programs with over $10 million in improper payments, implement a plan to reduce improper payments and report on actions to reduce them. To the extent that single audits are not providing reliable information about internal control and compliance with program requirements, agencies may not be receiving the information needed to fulfill their responsibilities under IPIA. In its statement,[Footnote 4] OMB pointed out that it is exploring longer-term reforms to the single audit process that will help achieve successful results in the implementation of IPIA. OMB plans to evaluate how single audits can be expanded beyond federal program compliance to assess the risk of improper payments and the extent to which improper payments are systemic throughout a program. OMB's plan to evaluate how the single audit can be expanded for this purpose has merit, and we support this initiative. Question 3. During the hearing, Ms. Franzel mentioned several issues that need to be resolved before implementing the proposed training recommendations in the PCIE study. Who should resolve these issues and what is the need to deal with these issues considering the impact on the timing of correcting the current audit quality problems? Since OMB would ultimately be responsible for putting a training requirement in place, it should also be responsible for resolving any related implementation issues involved, with input from key stakeholders. However, there are several interrelated factors at play here that would impact the timing of implementing proposed training requirements. The universe of completed single audits in the Federal Audit Clearinghouse database for a given year is over 35,000. According to AICPA, approximately 7,000 firms perform governmental audits which include single audits. Those firms are located across the U.S., in large cities, small towns, and rural areas. Because of the large number of auditors to be trained and their dispersion across the county, there are clearly efficiency and cost-benefit aspects that need to be considered. In addition, effective and efficient training delivery mechanisms would need to be identified and put in place. Resolving these substantial implementation issues could take some time. Further, cost-benefit considerations may be significantly affected if the current single audit approach and universe of audits were to change significantly in the near-term. If an effort is undertaken in the near- term to revisit the approach to single audits, it may be advantageous to wait until any new approaches resulting from this effort are established to implement training requirements. Question 4. What type of accountability mechanisms and oversight would be helpful to oversee the various parties' implementation of the PCIE recommendations? Is there anything the Congress can do to address these problems? Because of OMB's statutory responsibilities related to single audits, we believe that OMB should be the party responsible for tracking the status of implementing the PCIE recommendations. However, OMB could delegate that responsibility to another federal agency or to the PCIE. As mentioned in our testimony, we believe that a number of issues need to be resolved before specific actions are taken to implement some of the recommendations. Also, as discussed in our response to question 1, a separate effort taking into account the overall framework for single audits may be warranted. In our testimony, we also highlighted two other critical factors that need to be considered when determining actions to improve audit quality: (1) audit quality problems associated with the size of audit, and (2) the distribution of size in the universe of single audits. GAO could monitor the results of any changes in this area as part of our expanded review of the single audit process. The hearing also brought to light other key issues that affect the usefulness of single audits and the effectiveness of federal oversight over grant funds that require immediate attention. We would be pleased to continue to keep the Congress informed on the extent of any progress made in evaluating issues surrounding single audits, implementing the PCIE recommendations, and improving the accountability and oversight structure for federal grant funds. In addition, GAO currently has a request from this subcommittee to identify further actions to improve federal oversight and accountability for grant funds. We will continue to keep the subcommittee informed about our progress and any suggested actions for improving the single audit process developed as a result of this work. Question 5. In your role as the standards-setting organization for Government Auditing Standards, what part does GAO plan to play in helping to improve single audit quality? The Single Audit Act requires that audits be done in accordance with generally accepted government auditing standards (GAGAS). In our role as standards setter, we will continue our regular activities to promote high-quality auditing under GAGAS. GAO recently issued a modernized version of GAGAS.[Footnote 5] Also, GAO's Comptroller General chairs the National Intergovernmental Audit Forum that monitors the standards setting bodies, and advances the audit standards within the government and the audit profession. Through these processes, we have had, and continue to have, extensive interaction with the audit community, including state and local government auditors, and CPA firms of all sizes across the country. GAO provides technical assistance to auditors from public accounting firms and government audit organizations to assist them in conducting quality audits. Each year, GAO receives thousands of telephone and e- mail inquiries, and we generally respond to most inquiries within 24 hours. This interaction also alerts GAO to emerging issues and problem areas for auditors. In addition, GAO maintains a Yellow Book web page which provides various technical resources for auditors conducting government audits. We are sending a copy of our responses to the posthearing questions to Senators Coburn and McCaskill who also attended the hearing. Should you have any questions on matters discussed in this response or need additional information, please contact me at (202) 512-9471 or at franzelj@gao.gov or Sabrina Springfield at (202) 512-9328 or at springfields@gao.gov. Contact points for our Office of Congressional Relations and Public Affairs may be found on the last page of this report. Major contributors to this report include Emily Clancy and David Merrill. Sincerely yours, Signed by: Jeanette Franzel: Director: Financial Management and Assurance: [End of section] Footnotes: [1] GAO, Single Audit Quality: Actions Needed to Address Persistent Audit Quality Problems, GAO-08-213T (October 25, 2007). [2] The Compliance Supplement is based on the requirements of the 1997 revisions to OMB Circular No. A-133, which provide for the issuance of a compliance supplement to assist auditors in performing the required audits. It provides a source of information for auditors to understand the federal program's objectives, procedures, and compliance requirements relevant to the audit as well as audit objectives and suggested audit procedures for determining compliance with these requirements. [3] Pub L. No. 107-300, 116 Stat. 2350 (November 26, 2002). [4] Office of Management and Budget, Statement of the Honorable Daniel I. Werfel, Acting Controller, Office of Federal Financial Management, Office of Management and Budget before the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security (October 25, 2007). [5] GAO, Government Auditing Standards: July 2007 Revision, GAO-07-731G (July 2007). GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, DC 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, jarmong@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548: