Compliance Audits Flashcards
Objective
(1) obtain sufficient appropriate audit evidence to form an opinion and report whether the entity complied in all material respects with applicable compliance requirements (at the level specified in the governmental audit requirement), and (2) identify audit and reporting requirements specified in the governmental audit requirements that are supplementary to GAAS and Government Auditing Standards and perform procedures to address those requirements.
Applicable for
compliance audit in accordance with (1) generally accepted auditing standards (GAAS), (2) Government Auditing Standards (also called “Generally Accepted Government Auditing Standards” (GAGAS) from GAO’s “Yellow Book” issued under the authority of the Comptroller General of the United States), and (3) a governmental audit requirement requiring an expression of opinion on compliance with applicable compliance requirements.
Risk Assessment Procedures
- The auditor should perform risk assessment procedures to obtain an understanding of the applicable compliance requirements and internal controls over compliance - the nature and extent of the risk assessment procedures may vary with the circumstances (such as the complexity of the compliance requirements and the depth of the auditor’s knowledge of internal control over compliance).
- The auditor should assess the risks of material noncompliance (whether due to fraud or error) for each applicable compliance requirement and consider whether any of those are pervasive to compliance.
- The auditor should perform further audit procedures in response to the assessed risks, such as develop an overall response to any risks that are pervasive to the entity’s compliance; perform appropriate tests of details; and perform tests of controls when there is an expectation of operating effectiveness or when required to do so. (Note that an example of a pervasive risk of noncompliance would be financial difficulty that increases the risk that grant funds will be used for unauthorized purposes.)
Supplementary Audit Requirements
The auditor should identify supplementary audit requirements (beyond GAAS and GAGAS) specified in the governmental audit requirement.
- Some governmental audit requirements specifically identify the applicable compliance requirements, whereas others provide a framework for the auditor to determine the applicable compliance requirements.
- OMB Circular A-133, “Audits of States, Local Governments and Non-Profit Organizations,” provides a framework (“Compliance Supplement”) to determine the compliance requirements.
Reporting Issues
The opinion is usually directed at compliance at the program level (materiality is usually determined for the program as a whole)
The auditor may issue (1) a separate report on compliance only; (2) a combined report on compliance and on internal control over compliance; or (3) a separate report on internal control over compliance.