[Anonymous]

Hello everyone,

I am having difficulties understanding the differences (& additional requirements) for these different standards mentioned in the Becker textbook.

For GAAS, there are two types of compliance reports? Compliance Audits and Compliance w/ Aspects of Contractual Agreements or Regulator Requirements Related to Audited Financial Statements.

When would each of those be used (or be required to be used)?

From what I understand, compliance audits are required for government entities, while compliance related to audited F/S is an optional report that provides negative assurance for non-government entities?

Then for GAGAS, it mentions that they have additional requirements -> more specifically the report on internal control & compliance w/ provisions of law/regulations/contracts/grant agreements.

But for this report, they don’t offer an opinion right? They only describe the scope of the testing of internal controls and findings.

Finally, for Circular A-133 -> this is for government entities that expends $500k or more a year, and that is when they have to report on internal controls & compliance for EACH major program.

So is this basically just the same thing as the requirement for GAGAS, except expanded more specifically? (Also no opinion -> only findings and scope of testing).

I am not sure if I am understanding this correctly if anyone could help clarify, that would be great.

Thanks!

[jackaroe]

Good question! Here's the first part (from the Wiley book) of the answer to your question.

A. AU-C806 – Reporting on Compliance with Aspects of Contractual Agreements or Regulatory Requirements in Connection with Audited Financial Statements. mouthful. negative assurance w/r/t audited FS. For example, an auditor who performed the audit on the F/S may provide negative assurance (nothing came to our attention) to a bank on whether a client is in conformity with restrictions contained in a debt covenant provided the following:

1. the covenant relates to the F/S

2. the covenants have been subjected to audit procedures, and

3. audit report on the F/S resulted in other than an Adverse or Disclaimer of opinion.

The auditor's report on compliance MUST state that that F/S were audited – refer to the specific covenant – describe ‘significant' interpretations made by mgt.

B. Compliance Attestation Engagements (AT 601). Only Agreed-Upon-Procedures or Examinations can be performed. Compliance is concerned with more general laws, regulations, rules than one specific document like a debt covenant mentioned in ‘A.' However, the text then goes on to directly contradict this ‘general and plural' assumption (such a theme throughout this AUD portion) by mentioning that AUP can be performed on a portion of Internal Control that is designed to provide reasonable assurance of compliance with specified requirementS. One important item is that these compliance attestation engagements usually involve a written management assertion concerning compliance (either one contained in mgt.'s representation letter or a separate letter). Stick in your head to remember – no compliance ‘review' engagements.

From Roger – for the AUP on compliance re AU C806 – the report is limited distribution, has a disclaimer, and reports on the findings (no assurance or opinion). The report must also indicate that the procedures may not be sufficient for the purpose intended.

[jackaroe]

Good question! Here's the first part (from the Wiley book) of the answer to your question.

A. AU-C806 – Reporting on Compliance with Aspects of Contractual Agreements or Regulatory Requirements in Connection with Audited Financial Statements. mouthful. negative assurance w/r/t audited FS. For example, an auditor who performed the audit on the F/S may provide negative assurance (nothing came to our attention) to a bank on whether a client is in conformity with restrictions contained in a debt covenant provided the following:

1. the covenant relates to the F/S

2. the covenants have been subjected to audit procedures, and

3. audit report on the F/S resulted in other than an Adverse or Disclaimer of opinion.

The auditor's report on compliance MUST state that that F/S were audited – refer to the specific covenant – describe ‘significant' interpretations made by mgt.

B. Compliance Attestation Engagements (AT 601). Only Agreed-Upon-Procedures or Examinations can be performed. Compliance is concerned with more general laws, regulations, rules than one specific document like a debt covenant mentioned in ‘A.' However, the text then goes on to directly contradict this ‘general and plural' assumption (such a theme throughout this AUD portion) by mentioning that AUP can be performed on a portion of Internal Control that is designed to provide reasonable assurance of compliance with specified requirementS. One important item is that these compliance attestation engagements usually involve a written management assertion concerning compliance (either one contained in mgt.'s representation letter or a separate letter). Stick in your head to remember – no compliance ‘review' engagements.

From Roger – for the AUP on compliance re AU C806 – the report is limited distribution, has a disclaimer, and reports on the findings (no assurance or opinion). The report must also indicate that the procedures may not be sufficient for the purpose intended.

[jackaroe]

Here's a more direct answer to your question.

1. GAAS – performed for gov't entities that have no requirements to use either GAS or Single Audit. Concern with financial aid and the ‘direct effect' on the F/S. risk assessment necessary as is a supervisory review and more documentation to be found in working papers. If material noncompliance is found, then it's a departure from GAAP – qualified or adverse. No compliance report is issued. A report on IC is only issued when significant deficiencies have been identified.

2. GAGAS – AU-C935 – required for certain organizations that receive federal financial assistance and whether it is required to have a Single Audit. See standard for additional auditor responsibilities (which just states that the auditor is required to check on supplemental gov't audit requirements – real helpful). GAGAS does require reporting on F/S, IC and on compliance with laws and regulations – other government audits might not require a report on IC.

3. Single Audit Act of 1984 – passed by Congress and implemented by OMB through circular A-133 and its related Compliance Supplement (provides guidance to compliance auditors). SAA includes requirements that supplement the GAS audit procedures. The report contains an opinion on schedule of expenditures of federal awards. The understanding requirement for the auditor includes the IC and over federal programs sufficient to plan the audit to support a LOW assessed level of Control Risk and the materialilty threshold is set for each individual program.

Roger adds that

When the SAA applies, the auditor must conform to GAAS and GAS

An Opinion on the IC of each major program, an opinion on the compliance with laws and regulations for each major program and an opinion on the schedule of expenditures of the federal awards. These opinions may be qualified or adverse. All reports issued in connection with GAS and SAS are directed to specific agencies but available for public inspection.

[jackaroe]

Here's a more direct answer to your question.

1. GAAS – performed for gov't entities that have no requirements to use either GAS or Single Audit. Concern with financial aid and the ‘direct effect' on the F/S. risk assessment necessary as is a supervisory review and more documentation to be found in working papers. If material noncompliance is found, then it's a departure from GAAP – qualified or adverse. No compliance report is issued. A report on IC is only issued when significant deficiencies have been identified.

2. GAGAS – AU-C935 – required for certain organizations that receive federal financial assistance and whether it is required to have a Single Audit. See standard for additional auditor responsibilities (which just states that the auditor is required to check on supplemental gov't audit requirements – real helpful). GAGAS does require reporting on F/S, IC and on compliance with laws and regulations – other government audits might not require a report on IC.

3. Single Audit Act of 1984 – passed by Congress and implemented by OMB through circular A-133 and its related Compliance Supplement (provides guidance to compliance auditors). SAA includes requirements that supplement the GAS audit procedures. The report contains an opinion on schedule of expenditures of federal awards. The understanding requirement for the auditor includes the IC and over federal programs sufficient to plan the audit to support a LOW assessed level of Control Risk and the materialilty threshold is set for each individual program.

Roger adds that

When the SAA applies, the auditor must conform to GAAS and GAS

An Opinion on the IC of each major program, an opinion on the compliance with laws and regulations for each major program and an opinion on the schedule of expenditures of the federal awards. These opinions may be qualified or adverse. All reports issued in connection with GAS and SAS are directed to specific agencies but available for public inspection.

[Anonymous]

Thanks! I think the main confusion for me was the compliance audit vs. the financial audit under GAGAS (since the financial audit also mentions compliance).

[Anonymous]

Thanks! I think the main confusion for me was the compliance audit vs. the financial audit under GAGAS (since the financial audit also mentions compliance).

[saucesah]

I don't want to confuse you if you've already got it straight in your head… but just for further clarification purposes:

The reports can be thought of as levels…

Level 1) GAAS – This is generally accepted auditing standards. Pretty much any audit that is conducted is conducted under GAAS. Includes Auditor's Opinion. If there is a single audit or compliance reqs., add another level of reporting…

Level 2) GAGAS – This is the Government auditing standards which pretty much comes into play when 1) the entity being audited is a govt 2) the entity is required to have a Single Audit performed or 3) Compliance audit, all in addition to the basic financial audit. Includes negative assurance on internal control over FS reporting and Compliance and other matters (other matters = fraud or abuse). If subject to Single Audit… add another level of reporting.

Note here that if the auditors are required to report on compliance, in addition to the basic financial statement – then an opinion over compliance will be issued.

Level 3) A-133 – Report for each major program identified and tested under a Single Audit. This is IC over Compliance and Compliance for each major program tested. Negative assurance over IC over Compliance, however, OPINION on compliance for each major program tested (Note, this reporting is only specific over the major programs tested).

If you're still struggling over this matter (hopefully I didn't make it worse) – google GAAS and GAGAS. Any links to AICPA's website will direct you to links to report examples which normally have background information of ‘when to report' and ‘what to report' which is very helpful in seeing the difference. The other recommendation I have is to review a financial statement of a government (CAFR) which all is open to the public and can be found via on the web. Reviewing the reports (Auditor's report over FS, Report over IC over FS reporting and Compliance, Report on IC over Compliance and Compliance on each major program) will give you the whole picture.

Hope this helps… GL

Today, I became a cool kid.

AUD - Passed
REG - Passed
BEC - Passed
FAR - Passed

[saucesah]

I don't want to confuse you if you've already got it straight in your head… but just for further clarification purposes:

The reports can be thought of as levels…

Level 1) GAAS – This is generally accepted auditing standards. Pretty much any audit that is conducted is conducted under GAAS. Includes Auditor's Opinion. If there is a single audit or compliance reqs., add another level of reporting…

Level 2) GAGAS – This is the Government auditing standards which pretty much comes into play when 1) the entity being audited is a govt 2) the entity is required to have a Single Audit performed or 3) Compliance audit, all in addition to the basic financial audit. Includes negative assurance on internal control over FS reporting and Compliance and other matters (other matters = fraud or abuse). If subject to Single Audit… add another level of reporting.

Note here that if the auditors are required to report on compliance, in addition to the basic financial statement – then an opinion over compliance will be issued.

Level 3) A-133 – Report for each major program identified and tested under a Single Audit. This is IC over Compliance and Compliance for each major program tested. Negative assurance over IC over Compliance, however, OPINION on compliance for each major program tested (Note, this reporting is only specific over the major programs tested).

If you're still struggling over this matter (hopefully I didn't make it worse) – google GAAS and GAGAS. Any links to AICPA's website will direct you to links to report examples which normally have background information of ‘when to report' and ‘what to report' which is very helpful in seeing the difference. The other recommendation I have is to review a financial statement of a government (CAFR) which all is open to the public and can be found via on the web. Reviewing the reports (Auditor's report over FS, Report over IC over FS reporting and Compliance, Report on IC over Compliance and Compliance on each major program) will give you the whole picture.

Hope this helps… GL

Today, I became a cool kid.

AUD - Passed
REG - Passed
BEC - Passed
FAR - Passed

[Anonymous]

Thanks, that helps!

The way the Becker material organized parts of this section confused me a bit on the compliance.

Since they first mentioned no opinion is offered on internal controls over compliance and compliance with laws and regulations (for GAGAS) but instead, only the scope of procedures performed and findings are described in the auditor's report.

I got that confused with the actual compliance audit, which does give an opinion on compliance.

But it makes more sense now, thanks again for both of your help.

[Anonymous]

Thanks, that helps!

The way the Becker material organized parts of this section confused me a bit on the compliance.

Since they first mentioned no opinion is offered on internal controls over compliance and compliance with laws and regulations (for GAGAS) but instead, only the scope of procedures performed and findings are described in the auditor's report.

I got that confused with the actual compliance audit, which does give an opinion on compliance.

But it makes more sense now, thanks again for both of your help.

[Author]

Replies