Uniform Guidance/Single Audit Compliance Yellow Book

Yellow Book and Single Audit Updates

Diane E. Edelstein, CPA

With billions of dollars in COVID funding provided to non-profits, local governments, and for-profit organizations, more organizations than ever are required to comply with Yellow Book. What is a Yellow Book audit?  The Yellow Book is a nickname for Government Auditing Standards that auditors are required to follow. These standards were finalized in 2018 and can be viewed online here. A proposed revision to the Yellow Book (published in January 2023) can be viewed here. This revision proposes changes in standards for quality management and communication components for organizations performing Yellow Books Audits.

For non-federal entities (governments, Indian tribes, not-for-profit organizations, and higher education) receiving more than $750,000 in federal funding, these entities are required to have a Single Audit. Many non-profits and governments (that never previously had a Single Audit done) now meet the threshold of $750,000 due to COVID relief funding. Having to comply with a first time Single Audit requirement poses additional challenges for many organizations. Additionally, for-profit entities are now required to have Yellow Book (and in some cases compliance audits that are similar to Single Audits) done due to their receiving COVID funds.

Audit Findings and COVID Funding Challenges

An audit finding is a comment on either the design and/or the effectiveness of the system of internal control over compliance; and/or noncompliance with provisions of laws, regulations, contract or grant agreements. An audit finding may involve financial reporting, compliance, and/or the design or effectiveness of internal controls. Specifically, auditors are required to report as findings significant deficiencies or material weaknesses in internal control, non-compliance with provisions of laws, regulations, contracts, or grant agreements that have a material effect on the financial statements, or fraud that is material, either quantitatively or qualitatively.

Findings written by the auditors must include:

  • criteria (i.e. the requirement that must be followed
  • condition (what issue did the auditor find)
  • cause
  • effect, or potential effect
  • and recommendation to correct the issue

With the influx of COVID funding and the myriad of organizations receiving such funds, some entities may not have previous experience handling federal grant money, and some departments may struggle with the scale of funding. Additionally, organizations were under pressure to spend the money in a matter of months and arguably with vague guidance to rely upon. Listed below are some examples of potential findings an organization may be cited for with respect to their COVID funding:

  • Inadequate monitoring of organizations paid to administer COVID funding relief programs such as the Emergency Rental Assistance Program (organizations may not be used to monitoring other non-profits to see how funds are being spent).
  • Lack of documentation in how sub-recipients have spent their money
  • Missed risk assessments on service providers, specifically a failure to check on whether contractors have not been previously disqualified from receiving federal funds
  • We recommend that you develop a strong system of internal controls to help mitigate the risk of audit findings. When you have your audit planning meeting that is the best time to speak up with questions you may have regarding new or complex financial and compliance areas and how to best put proper controls in place. Refer to our previous blog on internal controls for additional guidance.

What to Expect for 2023 Single Audits

For 2023 Single Audits, there are still COVID-19 programs that need to be audited. Many waivers are expiring/have expired and will increase requirements entities must follow. Adding to this challenge is the fact that the Infrastructure and Investment and Jobs Act (IIJA) funding is starting to flow, the new 2023 Compliance Supplement (see below) has been issued with more changes than usual, and there is an increased federal focus on oversight.

An Overview of the 2023 Compliance Supplement

The 2023 Compliance Supplement was issued May 22, 2023 and was effective for audits of fiscal years beginning after June 30, 2022.  There are many small changes throughout the 2023 Compliance Supplement, but listed below are the key updates from the Supplement you should be aware of:

  • There is additional guidance to implement the Build America, Buy America Act provisions of the IIJA. The proposed guidance seeks to implement consistent government-wide Buy America requirements for infrastructure projects and includes guidance to determine the cost of manufactured products and when a variety of types of construction materials can be treated as U.S.-made.
  • The Highway Planning and Construction Cluster has been decoupled. Formerly CFDA numbers 20.205/20.219/20.224/23.003 were identified as a cluster to be considered as one program for major program evaluation and testing under the Uniform Guidance. Now each program will stand on its own, to be evaluated and tested separately under the criteria of the Uniform Guidance.
  • The following programs have been identified as higher risk:
  1. Education Stabilization Fund 84.425
  2. Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution 93.498
  3. Medicaid Cluster 93.778/93.777/93.775
  4. Emergency Rental Assistance 21.023
  5. Homeowner Assistance Fund 21.026
  6. Coronavirus State and Local Fiscal Recovery Funds 21.029
  7. Coronavirus Capital Projects Fund 21.029
  8. Abandoned Mine Land Reclamation 15.252
  9. Disability Insurance/Supplemental Security Income 96.001/96.006
  • The following programs have been added to the Supplement:
  1. 15.252 – Abandoned Mine Land Reclamation (AMLR) Grants
  2. 20.327 – Railroad Crossing Elimination
  3. 20.532 – Passenger Ferry Grant Program, Electric or Low-Emitting Ferry Pilot Program, and Ferry Services for Rural Communities Program
  4. 20.533 – All Stations Accessibility Program
  5. 20.534 – Community Project Funding Congressionally Directed Spending
  6. 20.708 – Natural Gas Distribution Infrastructure Safety and Modernization Program
  7. 21.011 – Community Development Financial Institutions Capital Magnet Fund
  8. 21.012 – Natives Initiatives Program
  9. 21.024 – Community Development Financial Institutions Rapid Response Program
  10. 21.025 – Community Development Financial Institutions Small Dollar Loan Program
  11. 21.032 – Local Assistance and Tribal Consistency Fund
  • The provider of the Federal Audit Clearinghouse FAC will change from the Census Bureau to the General Service Administration (GSA) by October 1, 2023. Single Audits with a fiscal period ending in 2023 will be submitted to the new GSA FAC beginning on October 1, 2023. Any draft of a 2022 year end audit that is not fully submitted to the prior FAC by October 1, 2023 may need to be completely re-started at the new GSA FAC (details to come). Any 2023 year-end audits finished before the site is available will need to have their Data Collection Forms completed later, so leave yourself a remember to go back and finish the Data Collection Form.
  • Alternative Compliance Examination Engagement – Coronavirus State & Local Fiscal Recovery Fund (ALN #21.027): Many recipients of Coronavirus State & Local Fiscal Recovery Fund monies are now required to have a Single Audit for the first time. To address this additional compliance challenge, OMB has allowed for an alternative approach for eligible recipients of these funds with the goal being to reduce the burden of a full Single Audit on both recipients and practitioners. Certain criterium have to be met to qualify for this option. These criterium are identified in the agency program requirements within the Supplement, under the Other Information section, and in Part 8, Appendix VII – Other Audit Advisories.

OMB Request For Information (RFI) Notice for the Uniform Guidance

The Office of Management and Budget (OMB) is planning a complete update to the Uniform Guidance during 2023 with a full public exposure document expected later this summer. The goals of the forthcoming revision are to revise guidance to incorporate statutory requirements and administrative priorities, revise guidance to reduce agency and recipient burden, clarify guidance by addressing sections that recipients or agencies have interpreted in different ways, and clarify guidance by rewriting applicable sections in plain English, improving flow, and addressing inconsistent use of terms. The OMB issued a Request for Information regarding the Update in which the Government Audit Quality Center issued their response. Key suggestions in their response include the following recommendations:

  • Subpart E and Related Appendices: A thorough overhaul of the cost principles is needed to better align the requirements with how they are implemented.
  • 200.507 Program-Specific Audits: To alleviate the need for recipients with one program to prepare a SEFA, OMB should consider revising the type of engagement for program-specific audits to a compliance examination engagement.
  • 200.519 (c)(2), Criteria for Federal Program Risk. There was an increase in identified high-risk programs due to increased federal funds because of COVID-19. Therefore, OMB should establish specific criteria in the Uniform Guidance for agencies to use when determining a program is high-risk to improve consistency.
  • Uniform Guidance Frequently Asked Questions. To reduce the risk of the guidance in the 2 CFR Frequently Asked Questions being overlooked, OMB should consider incorporating it directly into the Uniform Guidance to make it more user-friendly by eliminating the need for auditors and recipients to go to a separate location for guidance.
  • 200.516 Audit Findings. To reduce the amount of judgment auditors use when deciding whether specific instances of noncompliance result in questioned costs, OMB should consider defining whether certain common noncompliance instances should result in questioned costs. For example, if there are instances of noncompliance related to subrecipient monitoring, are entire subrecipient payments questioned?
  • 200.511 Summary Schedule of Prior Audit Findings and Corrective Action Plan. Requiring both the SSPAF (Summary Schedule of Prior Audit Findings) and CAP (Corrective Action Plan) to be placed on recipient letterhead to reinforce the fact that they are recipient responsibilities.
  • 200.516(a)(1) Audit Findings. OMB should eliminate the requirement to report a federal award finding for significant instances of abuse.
  • 200.509 Auditor Selection. OMB should clarify that the UG procurement rules are only required to select auditors when audit costs are being charged to a federal program.
  • 200.317-200.327 Procurement Standards. OMB should clarify the methods of procurement and when they apply. Based on total purchase order amount or individual transactions? What if multiple time periods?
  • 200.504 Frequency of Audits. OMB should provide guidance for auditing stub periods that result from a change in year-end due to mergers, acquisitions, and creation of new entities.

If you have any questions on how these changes will impact your organization’s audit requirements, please contact a member of your audit team.

Other News

The Who, What, and Why of Internal Controls

Diane E. Edelstein, CPA

Internal controls are the mechanisms, rules, and procedures implemented by your organization to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. The requirements of the Uniform Guidance (which many non-profits and governments fall under) further define internal control as a process to provide reasonable assurance regarding an organization’s effectiveness and efficiency of operations, reliability of reporting for internal and external users, and compliance with applicable laws and regulations. The status of your internal controls provides an effective benchmark of your organization’s strengths and weaknesses. An effective internal control structure also provides a crucial safeguard against fraud.

What is Not an Internal Control

A trusted employee is not an internal control (You want trusted employees, but you also need checks and balances.  Remember – you are trying to prevent or detect errors and fraud.) Believing your organization would notice errors and fraud doesn’t work and is not an internal control. The annual audit is also not a part of your internal control; it serves to confirm that your financial statements are materially accurate. Listed below are some key things to keep in mind when assessing and improving your organization’s internal controls.

What Could Go Wrong

It is imperative that your organization’s internal controls be designed in such a way to not only hope they prevent and detect a ‘What Could Go Wrong’ scenario but actually prevent or detect and correct a ‘What Could Go Wrong’ scenario. So what are some things that could go wrong for your organization?

  • Can someone steal? (common stolen items are cash and computer equipment; a building can’t be stolen)
  • Can legitimate costs be charged to the wrong department? Are costs actually necessary? Are any legitimate costs missing from the accounts payable records?
  • Are any services being provided to ineligible people?
  • Are services not being performed correctly or not being delivered?
  • Is the financial record keeping of your organization inaccurate? Is it behind?

Segregation of Duties

The most effective way to mitigate a ‘What Would Go Wrong’ scenario from happening is implementing an effective segregation of duties process at your organization.  When it comes to handling revenues, specifically recording of revenues, receipt of funds, maintenance of accounts receivable, and bank reconciliations, you will want to separate the duties associated with handling of receipts, making deposits with recording revenue and maintaining accounts receivable records. With regards to expenditures such as purchase requests, purchase authorizations, recording of expenses, and bank reconciliations you will want to separate the duties associated with approving expenses with recording expenditures and maintaining the records. For typical payroll processes such as hiring and authorizing pay rates, authorization of time sheets, payroll processing, and bank reconciliation, you will want to separate the duties associated with human resources from time approval and the accounting function.

Implement an Actual Control Based System of Internal Compliance

While it’s useful to review and modify your organization’s processes as part of your internal control system, note that processes are merely procedures that originate, transfer, or change data and subsequently can also introduce errors. Controls conversely are procedures that are designed to prevent, detect and correct errors resulting from processing of accounting information. Controls cannot generate errors and are activities performed to prevent or detect errors or fraud.

Internal Controls Your Auditors Will Be Looking For

Listed below are some examples of internal controls your auditor will assess during the audit:

  • Are time sheets approved by a supervisor?
  • Does your software system reject duplicate invoice numbers and reject vendors not already in the system?
  • Are old vendors removed from your system and vendors still in the system compared to an approved vendor list?
  • Are invoices approved by a Manager?
  • Does the individual who signs checks at your organization compare invoices to checks and review approval documentation?
  • Are bank statements reconciled to the accounting records by someone independent of the processes for revenue and expenses?
  • Does a supervisor review completed documentation and support and sign off on eligibility?
  • Does an internal auditor randomly pull eligibility files to review for documentation?

With respect to the tools mentioned above, remember to document, document, document. If it is not documented, your auditor will consider it ‘not done’. If you think it, ink it.  If you have any questions regarding your organization’s internal controls reach out to your audit manager.