As most recipients of significant federal funding are aware, the Office of Management and Budget (OMB) issues a new edition of the Compliance Supplement around June of each year. However, 2019 was a unique year. After the AICPA and others detected several errors in the June 2019 edition, the OMB issued a second, “correction,” edition in August.
Not-for-profit organizations should take care that they (and their auditors) are using the updated edition. For audit reports that were issued on or before October 31, 2019, it was permissible to use the June 2019 edition. Reports that were (or will be) issued after October 31, 2019, must follow the August 2019 edition. If substantial audit work was completed prior to the release of the August edition, but the audit report was not yet finalized by October 31, 2019, it is important to review and compare the Supplements, specifically related to the organization’s major program(s), to determine whether additional testing procedures may be necessary to address any changes.
There have been significant changes since the 2018 Compliance Supplement, and not-for-profit organizations should be aware of what’s new.
Previously, there were 12 requirements subject to compliance for each program or cluster. With the issuance of the 2019 Compliance Supplement, the OMB has now required federal agencies to limit the number of compliance requirements to a maximum of six (with the exception of the R&D cluster, which is permitted to identify seven). Some agencies have elected to choose less than six. The Supplement made changes to 200-plus programs.
Typically, the matrix in Part 2 of the Compliance Supplement is the first place to look when considering the applicability of certain compliance requirements for any given program. However, be aware that the meaning of the “yes” and “no” designations have changed in the 2019 Supplement. Previously, a “yes” indicated the requirement applies to the program and a “no” indicated it does not apply. Now, the designations indicate whether the requirement is or is not subject to audit for that program. Note that this “yes” or “no” decision still precedes the auditor’s judgment as to whether a requirement is actually direct and material to the individual not-for-profit organization.
The six-requirement mandate also has additional effects as it relates to risk assessment. Due to changes in the Part 2 matrix, some requirements auditors have historically tested may no longer be required to be tested. Also, with the reduced requirement mandate from 12 to six, the auditors will be spending additional time in their assessment of the direct and material compliance requirements subject to audit and the overall audit approach in the single audit engagement. Also, auditors will need to pay additional attention to whether some compliance requirements that were changed to “N” in the matrix were transferred over to Special Tests and Provisions. And, even if in a prior year audit, if a material weakness was identified for a Type A program for a compliance area that is no longer subject to audit in the 2019 Supplement, this program would still have to be audited as major.
It is important to note there are also still a number of programs not included in the 2019 Compliance Supplement, and, for those programs, the six-requirement mandate does not apply. As a result an auditor may test more than six requirements for these programs.
The Uniform Guidance (UG) sections 200.317 – 200.326 had established new rules over procurement, with a grace period for the implementation of these new rules. The grace period has now ended, so many organizations are subject to audit testing over procurement under the new rules for the first time this year.
Matrices in program/clusters have been modified due to the six-requirement mandate and more programs than usual have significant changes; examples include USDA programs and Medicaid. Many programs also added new sections to Reporting to add performance reports and special reports.
Part 6 of the 2019 Compliance Supplement has been significantly updated to more closely align with how auditors consider the internal control environment. This includes providing illustrative examples of both “entity-wide” controls, i.e., control environment, risk assessment, information and communication, and monitoring), as well as specific control activities that apply to each compliance requirement. Part 6 of the Supplement can be a helpful tool for organizations to prepare for an upcoming audit, to review and consider whether they have established effective controls. As auditors will be testing internal controls that relate to major program compliance, a proactive review of Part 6 of the Supplement can help avoid potential findings of non-compliance. Also based on the illustrative examples and guidance provided in Part 6, auditors have responded by updating their tools and improving and expanding their documentation over an organization’s internal controls over compliance.
If you receive significant federal funding, you know that single audits are complex. Unfortunately, the significant changes in the 2019 Compliance Supplement have only added to the complexity. Adding to the mix, there has been a recent uptick in federal quality control reviews, and single audits continue to be a focus area of peer reviews. As single audit engagements continue to be part of a very regulated environment, organizations must be ready for new and additional requests as they relate to their single audit engagements each and every year.
Contact Kaitlin Mansfield at kmansfield@cohencpa.com, Tina Dzik at tdzik@cohencpa.com or a member of your service team to discuss this topic further.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.