Many of us are either starting or are about to start the process of the Single Audit, also known as the A-133 Audit. This is now what I refer to as the UGF audit (for Uniform Guidance, Subpart F), since A-133 is no more. To refresh our memories, per the Uniform Guidance §200.110, Subpart F applies to audits of fiscal years beginning on or after December 26, 2014, so if your fiscal year runs on a July-June schedule then your first auditable year under Subpart F is July 1, 2015 – June 30, 2016. Unfortunately, as of right now we do not have a finalized Compliance Supplement to guide auditors and auditees through the 12 compliance areas (see Part 2 of the Compliance Supplement from 2015 for more information on these areas).
While some of us, myself included, have had an opportunity to review the 2016 draft Compliance Supplement, we all noticed that one of the most important parts of it is missing, or rather not yet drafted, which was Part 6 - Internal Control. This part details the “objectives of internal control, and certain characteristics of internal control that, when present and operating effectively, may ensure compliance with program requirements.” In the 2015 Compliance Supplement, this section merely contained a paragraph basically stating that this section would be updated in 2016 to reflect the recent updates in COSO’s “Internal Control Integrated Framework” and the Government Accountability Office’s “Standard’s for Internal Control in the Federal Government,” which is also referred to as the Greenbook. In 2015, auditors were instructed by this paragraph that they should refer to these documents for guidance on internal controls until Part 6 is updated, as the Part 6 from 2014 was out of date (however in my opinion still a good reference).
Make note that while in the Uniform Guidance §200.303(a), it states that institutions “should” comply with COSO and the Greenbook, the fact that the new Part 6 will be modeled after the guidance provided in these documents (per last year’s note for Part 6) leads one to interpret the “should” as a “must,” since auditors must use the Compliance Supplement. This has been a heavily discussed issue at various conferences since the Uniform Guidance was introduced, so this is only my humble interpretation.
So what can you expect in your 2016 Single Audits/UGF Audits? With internal controls being such a hot topic in the Uniform Guidance we can certainly expect some changes in how our auditors conduct the Audit. Our university recently had our kick-off meeting with our auditing firm and, as I expected, there are some new documentation requirements regarding internal controls. Several other institutions that I keep in touch with have also been asked by their auditing firms for similar new documentation, so in the spirit of sharing information amongst our SRA community, take this as a heads up if you have yet to start this process. Unlike previous years, during which many of us documented internal controls based on the compliance requirements outlined in the Compliance Supplement, under the new guidance we are now being asked to detail some of our entity level controls. These apply to the research enterprise as a whole and are thus not limited to the controls over the 12 compliance requirements.
So why are we being asked to provide documentation on entity level internal controls when it is not a specific requirement? Documenting internal controls at an entity (even a sub-entity such as your institution’s research enterprise) is in line with COSO and the Greenbook’s documentation requirements, which are discussed at the entity level in these books. Keep in mind that COSO and the Greenbook are not specific to UGF or the corresponding Compliance Supplement, and are considered for use by all entities, regardless of their line of business, as a best practice.
To help paint a picture of what entity level controls might look like, below are some examples by each of the 5 Internal Control Components. If you’re unfamiliar with this topic, I have provided a link to the Greenbook at the end of this article.
Control Environment – Responsibilities of key personnel are clearly defined, there is a sense of conducting operations ethically, staff has knowledge of compliance requirements, management has a commitment to competence by ensuring staff are properly trained, and staff have reasonable workloads.
Risk Assessment – Organizational structure provides identification of risks of noncompliance, managers and staff understand and have identified key compliance objectives, and personnel are provided appropriate guidance on compliance requirements.
Control Activities – Since this component is heavily focused on procedures, this is where most of your controls that have previously been documented for the 12 compliance requirements will likely fall. For entity level controls for this component, these may include segregation of duties (who authorizes, processes, records, and reports transactions) and having staff that are knowledgeable in carrying out procedures.
Information and Communication – Accounting system provides for separate identification of Federal and non-Federal transactions, recordkeeping system/procedures ensure records are properly retained, established internal and external communication channels, staff duties and responsibilities are effectively communicated, and channels of communication for people to report suspected improprieties established.
Monitoring – Internal quality control reviews performed, ongoing monitoring of reports, policies, and procedures, and following up on deficiencies.
These are just some of the entity level internal control items that our university has finished documenting for our auditors. The key to providing documentation for any internal control is through evidence that the controls are in place, which (you guessed it) we also had to describe in our narratives and explanations. Some of the explanations we provided included: Describing our university’s mandatory annual compliance and ethics training, stating that we hold weekly team meetings to discuss compliance matters, and stating that we provide training to our staff and send them to conferences. As we continue in our UGF Audit, we will likely be asked to provide documentation to back up our narratives and explanations.
What you should all take away from this article is that many of our predictions regarding the impact of internal controls in the Uniform Guidance are coming to fruition. Many of us have already started preparing for this day, and for those of you who have not, it is never too late to start evaluating the internal controls in your organization. For starters, all of your policies and procedures should be updated to remove the old A-21, A-87, A-122, A-110, and other OMB circular references and replace them with Uniform Guidance references. Even though you may have a few grants that still fall under these old regulations, updating these documents will demonstrate that you have reviewed your policies and procedures. In general, this is a good monitoring practice (the fifth component of internal controls) and should be done regularly and should include proper documentation of the updating process. Also, make a list of all of your policies, procedures, processes/tasks that aren’t incorporated into an official policy (such as reports that your office sends entity-wide), and forms, and evaluate if they are operationally effective and necessary by evaluating how they fit into your compliance infrastructure. You may find that you have some duplicative processes, or that you’re focusing too much time and energy on low-risk areas and not enough on some high-risk areas.
I hope everyone finds this article to be useful and informative. As mentioned previously, the link to the Greenbook is below. I have also provided a link to some free COSO Internal Control Evaluation Tools (an Excel file should download when you visit the link). Should you have further questions, feel free to send me an email at email@example.com.
A very special thanks to Dorian Capers at SRA and Susanne Van Weelden at Texas Tech University Health Sciences Center, El Paso, who coordinate articles for the Catalyst. I look forward to seeing everybody in San Antonio in October.