Governmental Auditing
Government entities and organizations that receive federal funding are subject to additional auditing requirements beyond those applicable to private-sector entities. The Government Auditing Standards (commonly known as the Yellow Book or GAGAS), issued by the Government Accountability Office (GAO), establish the framework for audits of government organizations, programs, and funds. Additionally, the Single Audit Act and Uniform Guidance impose specific requirements on entities that expend significant amounts of federal awards. These topics are tested on the AUD section of the CPA exam.
GAGAS stands for Generally Accepted Government Auditing Standards. The Yellow Book is issued by the Comptroller General of the United States through the GAO, not by the AICPA or PCAOB.
Government Auditing Standards (Yellow Book)
The Yellow Book establishes standards for auditing government entities and organizations receiving government funds. It builds upon AICPA standards (GAAS) and adds additional requirements related to:
- Ethical principles and independence
- Professional competence (including continuing professional education requirements)
- Quality control and peer review
- Reporting on internal control and compliance
Key Yellow Book Principles
| Area | Yellow Book Requirement |
|---|---|
| Independence | More restrictive than AICPA standards—includes nonaudit services restrictions and specific threat/safeguard considerations |
| CPE | Auditors must complete at least 24 hours of CPE in government auditing every 2 years (80 hours total CPE) |
| Peer review | Audit organizations must have a peer review at least every 3 years |
| Reporting | Additional reports on internal control and compliance are required beyond the standard audit report |
Types of Government Audits
The Yellow Book identifies three types of engagements:
1. Financial Audits
- Include audits of financial statements in accordance with GAAS (or PCAOB standards for listed government entities)
- Follow all applicable AICPA or PCAOB standards, plus Yellow Book requirements
- Result in an opinion on the financial statements and additional reports on internal control and compliance
2. Attestation Engagements
- Include examinations, reviews, and agreed-upon procedures on subject matter other than financial statements
- Conducted in accordance with AICPA attestation standards plus Yellow Book requirements
- May cover topics such as internal controls, compliance, or performance measures
3. Performance Audits
- Evaluate the effectiveness, economy, and efficiency of government programs
- May also assess compliance with laws and regulations applicable to the program
- These are unique to governmental auditing—there is no private-sector equivalent
- Performance audit reports describe the objectives, scope, methodology, findings, and recommendations
The CPA exam primarily tests financial audits under GAGAS. Performance audits are less frequently tested but you should know the basic concept: they evaluate whether government programs achieve their objectives efficiently and effectively.
Additional Reporting Requirements Under GAGAS
When conducting a financial audit under GAGAS, the auditor must issue additional reports beyond the standard audit opinion on the financial statements:
Report on Internal Control Over Financial Reporting
- Describes the scope of testing of internal control
- Reports any deficiencies in internal control identified during the audit
- Distinguishes between material weaknesses and significant deficiencies
- This report is required even if no deficiencies are found (the auditor reports that no deficiencies were identified)
Report on Compliance
- Reports on the auditor's tests of the entity's compliance with laws, regulations, contracts, and grant agreements that could have a direct and material effect on the financial statements
- Reports any instances of noncompliance identified
- Also required even if no noncompliance is found
Example: Gies Co. is a nonprofit that receives substantial state and federal funding. Its auditor conducts a GAGAS audit and issues three reports: (1) an opinion on the financial statements, (2) a report on internal control over financial reporting (identifying one significant deficiency in grant tracking), and (3) a report on compliance (noting no instances of noncompliance).
Under GAGAS, the internal control and compliance reports are required in addition to the standard financial statement opinion. These reports are issued even when no deficiencies or noncompliance are found—the auditor states that none were identified.
Single Audit Act and Uniform Guidance
The Single Audit Act (as amended) requires entities that expend $750,000 or more in federal awards during a fiscal year to have a single audit performed in accordance with the Uniform Guidance (2 CFR Part 200, Subpart F). The single audit combines the financial statement audit with an audit of the entity's federal award programs.
Purpose of the Single Audit
- Provide assurance that the entity is managing federal funds in compliance with applicable requirements
- Reduce the burden on entities by requiring one comprehensive audit rather than separate audits for each federal award
Key Threshold
| Expenditure Level | Audit Requirement |
|---|---|
| Less than $750,000 in federal awards | No single audit required |
| $750,000 or more in federal awards | Single audit required under Uniform Guidance |
Major Program Determination
A critical step in a single audit is determining which federal programs are major programs that must be tested for compliance. This determination follows a risk-based approach.
Type A vs. Type B Programs
| Category | Definition | Testing |
|---|---|---|
| Type A | Larger programs exceeding a specified dollar threshold (generally $750,000 or a percentage of total federal expenditures, whichever is larger). The threshold increases as total federal expenditures increase. | Generally considered higher risk and tested as major programs unless assessed as low risk |
| Type B | All other (smaller) federal programs below the Type A threshold | Generally not tested as major programs, but the auditor must assess risk and may designate a high-risk Type B program as a major program |
Risk Assessment for Major Programs
The auditor assesses whether each Type A program is low risk or high risk:
- Low-risk Type A programs may be excluded from major program testing (but at least some Type A programs must be tested)
- High-risk Type B programs must be designated as major programs and tested
- The auditor must test enough major programs to cover a specified percentage of total federal expenditures (at least 20% for low-risk auditees, 40% for high-risk auditees)
Example: MAS Inc. expends $5 million in federal awards across eight different programs. Three programs exceed the Type A threshold. The auditor assesses two of the three Type A programs as high risk and designates them as major programs. The auditor also identifies one Type B program with recent findings as high risk and includes it as a major program. Together, these three programs cover 45% of total federal expenditures.
For the CPA exam, remember the key percentages: the auditor must cover at least 20% of total federal expenditures for a low-risk auditee and 40% for others. The distinction between Type A and Type B is based on a dollar threshold, not program importance.
Federal Award Compliance Requirements
For each major program, the auditor tests compliance with requirements that could have a direct and material effect on the program. The types of compliance requirements include:
- Activities allowed or unallowed — Were funds used for their intended purposes?
- Cash management — Were drawdowns of federal funds properly timed?
- Eligibility — Were program participants properly eligible?
- Matching, level of effort, earmarking — Did the entity meet cost-sharing requirements?
- Procurement — Were procurement processes compliant with federal requirements?
- Reporting — Were required reports filed accurately and on time?
- Period of performance — Were costs incurred within the applicable period?
These requirements are described in the Compliance Supplement issued by the Office of Management and Budget (OMB), which provides guidance specific to each federal program.
The Reporting Package
The single audit results in a comprehensive reporting package that the entity must submit to the Federal Audit Clearinghouse. The package includes:
| Component | Description |
|---|---|
| Financial statements | The entity's audited financial statements |
| Schedule of expenditures of federal awards (SEFA) | Lists all federal awards expended during the period, by program and federal agency |
| Auditor's report on the financial statements | Standard audit opinion |
| Report on internal control over financial reporting and compliance (GAGAS) | Required Yellow Book report |
| Report on compliance for each major program | Opinion on whether the entity complied, in all material respects, with requirements applicable to each major program |
| Report on internal control over compliance | Describes the scope of testing and any deficiencies identified |
| Schedule of findings and questioned costs | Lists audit findings, including material weaknesses, significant deficiencies, and questioned costs by program |
| Summary schedule of prior audit findings | Tracks the status of findings from the prior year |
| Corrective action plan | Management's plan to address current-year findings |
| Data collection form | Standard form summarizing the audit results for submission to the Federal Audit Clearinghouse |
Example: Kingfisher Industries, a nonprofit that expended $2.3 million in federal awards, submits its single audit reporting package. The package includes the audited financial statements, the SEFA, four auditor reports (financial statement opinion, GAGAS internal control and compliance, major program compliance, and internal control over compliance), the schedule of findings and questioned costs, and the corrective action plan.
The reporting package must be submitted to the Federal Audit Clearinghouse within 30 days after receiving the auditor's report or 9 months after the end of the audit period, whichever is earlier. Late submission can affect the entity's eligibility for future federal funding.
Summary
| Topic | Key Point |
|---|---|
| Yellow Book | Government Auditing Standards issued by the GAO |
| Types of audits | Financial audits, attestation engagements, performance audits |
| Additional GAGAS reports | Internal control and compliance reports (required even if no findings) |
| Single audit threshold | $750,000 or more in federal award expenditures |
| Type A vs. Type B | Dollar threshold determines classification; risk assessment determines testing |
| Coverage | 20% (low-risk auditee) or 40% of total federal expenditures |
| Reporting package | Financial statements, SEFA, multiple auditor reports, findings, corrective action plan |
| Submission | Federal Audit Clearinghouse within 30 days / 9 months |