  • Chapter 19


    Compliance and Internal Auditing

    Major topics discussed in this chapter are:

    Compliance auditing:
        Distinguishing among financial statement, compliance, and internal auditing.
        Auditing compliance with laws and regulations under generally accepted auditing standards.
        Auditing under the GAO's government auditing standards.
        Auditing under the Single Audit Act and OMB Circular A-133, Audits of State, Local Governments, and Non-profit Organizations.

    Internal auditing:
        The role of independence in internal auditing.
        The nature and types of internal operational audits.
        How internal auditors perform operational audits.
        The relationship between internal and independent financial statement


    Financial statement, compliance, and internal audits are distinctly different and, for that matter, each provides unique professional responsibilities, opportunities, and challenges to its practitioners. Figure 19-1 distinguishes these three types of audits and indicates the professional standards governing each. This chapter, devoted exclusively to compliance auditing and internal auditing, serves as a basis for comparing financial statement auditing with two other dominant audit activities practiced in the United States. Governmental compliance auditing is discussed first, followed thereafter by internal auditing.

    Compliance Auditing

    Annually, the U.S. government grants over $100 billion in federal financial assistance to the states and to over 80,000 local governmental units for transportation, welfare, education, health services, and job-training programs, among others. However, responding to a 1984 letter from a subcommittee of the U.S. House of Representatives Committee on Government Operations, the U.S. General Accounting Office (GAO) conducted two studies on the quality of governmental audits. In much-publicized reports,¹ the GAO revealed that certified public accountants repeatedly failed to comply with applicable laws and regulations, failed to consider internal control, and failed to follow generally accepted auditing standards. In response, an AICPA Task Force² recommended that the Auditing Standards Board provide guidance to practitioners about testing and reporting on the laws and regulations that govern a governmental entity. In 1991, the board issued a statement on auditing standards, which, owing to changes in federal law, was superseded in 1995 by today's SAS No. 74, Compliance Auditing Applicable to Governmental Entities and to Other Recipients of Governmental Financial Assistance. SAS No. 74 documents an auditor's responsibilities for complying with:

    Laws and regulations under generally accepted auditing standards.
    The GAO's government auditing standards.
    The Single Audit Act.

    Other types of compliance audits are performed in the United States. For example, public accounting firms offer audits of a company's compliance with minimum wage laws, employee benefits programs, and commercial bank lending agreements. And, state governmental auditors perform a number of special engagements assigned by elected state legislatures. For example, a Georgia state audit of Georgia's Hazardous Waste Trust Fund detected a $214 million shortfall,³ and a Tennessee state audit of TennCare, Tennessee's state-sponsored health insurance program for the otherwise uninsured, found that the agency spent $6 million to cover 14,000 residents who had died.⁴ However, the discussion here focuses on governmental compliance audits because they are so topical, having captured the attention of Congress, the financial press, the GAO, and the Auditing Standards Board. The next three sections of the chapter discuss each of an auditor's threefold responsibilities under SAS No. 74.

                                    Type of Audits                    Standards

    Financial statement auditing    Financial statement audit         AICPA: Generally accepted auditing standards

    Compliance auditing             Financial audit,                  GAO: Government auditing standards
                                    attestation engagement,
                                    performance audit

    Internal auditing               Operational audit                 IIA: Standards for the professional practice of internal auditing

    FIGURE 19-1: Distinguishing Financial Statement, Compliance, and Internal Auditing

    1 U.S. General Accounting Office, CPA Audit Quality: Inspectors General Find Significant Problems. Washington, D.C.: U.S. GAO, 1985; U.S. General Accounting Office, CPA Audit Quality: Many Governmental Audits Do Not Comply with Professional Standards. Washington, D.C.: U.S. GAO, 1986.

    2 AICPA, Report of the Task Force on the Quality of Audits of Governmental Units. New York: AICPA, 1987.

    3 W. Pinkston, "Waste-Site Cleanup Fund Falls Short of Georgia's Needs," The Wall Street Journal (Southeast Journal) (March 29, 1999), p. S1.

    4 K. Greene, "Groups Suggest Treatment for Languishing TennCare," The Wall Street Journal (Southeast Journal) (October 6, 1999), p. S1.

    Responsibilities Under Generally Accepted Auditing Standards

    Governmental entities are subject to a variety of laws and regulations not generally applicable to private-sector, profit-making entities. For example, local laws may restrict the authority of a municipality to assess taxes or issue debt, state law may require that proceeds received from a tax assessment be accounted for in a special revenue fund, and federal law may restrict the disbursement of social service payments to eligible applicants. Violations of any of these, among other laws and regulations, could have a direct and material effect on a reporting entity's financial statements. For example, if a state receives a federal allocation for state welfare payments, disbursements to ineligible recipients may require that the state's department of health and human services disclose a contingent liability for potential fines and penalties payable to the federal government.

    Under SAS No. 74, an auditor's responsibility for detecting violations of laws and regulations is identical to the auditor's responsibility for client errors, for fraud, and for illegal acts, all of which are discussed in Chapters 5 and 7. That is, the auditor should assess the risk that violations of laws and regulations may cause the financial statements to contain a direct and material misstatement and should consider the assessment in designing the audit procedures to be performed. In practice, this responsibility imposes two specific requirements on the auditor: to understand the effects of laws and regulations on a governmental entity's financial statements and to assess risk, both of which are discussed next.

    The Effects of Laws and Regulations and the Assessment of Risk

    In planning a compliance audit, an auditor assesses whether management has identified laws and regulations that have a direct and material effect on the financial statements. The auditor also performs the procedures in Figure 19-2 to assess whether management overlooked relevant laws or regulations and to develop an understanding of potential effects on the financial statements.

    Having identified relevant laws and regulations, the auditor next assesses the risk of material misstatement arising from violations, based on two issues: First, the auditor considers the nature, cause, and amount of known and likely misstatements detected in prior audits. Second, the auditor considers the competence of client personnel responsible for complying with applicable laws and regulations, and the organizational structure of management. For example, an auditor is likely to assess risk at the maximum for a governmental entity that is decentralized and does not monitor employees adequately.

    Internal Control

    As explained in Chapter 8, the second standard of field work requires that an auditor obtain an understanding of an entity's internal controls sufficient to plan the audit and to assess control risk. Obtaining an understanding in a compliance audit also requires that the auditor obtain knowledge about the design and performance of internal control policies and procedures relevant to assertions affected by compliance with laws and regulations. For example, in obtaining an understanding of the components of internal control (the control environment, risk assessment, control activities, information and communication, and monitoring; Chapter 8), the auditor may learn that the control environment is affected significantly by management's lack of awareness about applicable laws and regulations. Deficiencies like these should affect the auditor's assessment of control risk and should be reported to the governmental entity's oversight authority (for example, the city council) under SAS No. 60, Communication of Internal Control Related Matters Noted in an Audit (Chapter 8).

    Government Auditing Standards

    Headed by the Comptroller General of the United States, the U.S. GAO is a nonpolitical federal agency responsible for conducting audits on behalf of Congress. The GAO publishes Government Auditing Standards⁵ (often called the "Yellow Book"), an authoritative document that defines generally accepted government auditing standards (sometimes referred to by the acronym "GAGAS"). GAGAS (or as some auditors say for short, "GAS") includes all ten of the AICPA's generally accepted auditing standards (Chapter 2) plus additional standards related, for example, to independence, quality control, audit documentation, and legal and regulatory requirements. The Yellow Book, revised and reissued in 2003, identifies three types of generally accepted governmental engagements:

    Financial audits,
    Attestation engagements, and
    Performance audits.

    Like financial statement audits for nongovernmental entities, governmental financial audits for govern