Overview of Recent Auditing Standards and Guidance

Frank Crawford, CPA

Chris Pembrook, CPA, CGAP, CRFAC

Crawford & Associates, P.C.

www.crawfordcpas.com

frank@crawfordcpas.com

chris@crawfordcpas.com

1



1

st

 set of auditing standards that typically apply

to state and local governmental audits



Not much is happening here



Last most 

significant

 auditing standard issued by

the AICPA was SAS 145, 

Understanding the Entity

and Its Environment and Assessing the Risks of

Material Misstatement

 (wait, didn’t we already

have those?)



The AICPA recently released an 89 page Audit

Guide entitled “

Risk Assessment in a Financial

Statement Audit

”, so there must be something

new, huh?

2

3

4



While risk assessment may seem boring, an

inappropriate risk assessment will most likely

lead to a substandard audit



A substandard audit will most likely lead to

trouble



We hate trouble



The risk assessment standards have been

given a renewed focus through the AICPA’s

Enhanced Audit Quality Initiative, as well as

through Peer Review

5



You can’t properly apply the risk assessment

standards if you don’t understand the audit risk

model



While many think they understand the model, the

results of Peer Review, IG desk reviews, and other

audit quality sampling projects say otherwise



Now is the time to reinforce your understanding

of each element of the model, and how the

model is used in determining the nature, timing

and extent of both the risk assessment auditing

procedures and the further auditing procedures

6



Many firms still simply select auditing

procedures from standardized audit

programs with little or no thought of whether

the procedures selected are responsive to the

risks of material misstatement



Other firms will have a basic or core set of

procedures that they perform for each area,

and additional procedures to choose from for

additional assurance if needed, and then

finally more procedures to choose from if

there are additional risks

7



While the previous slide’s second bullet

methodology isn’t necessarily a bad thing,

those illustrative audit procedures are no

substitute for truly understanding the risks of

material misstatement and using professional

judgment to select and tailor procedures that

are responsive to the risks AND which reduce

audit risk to an acceptably low level

8

Audit Risk Model

9



We care because of the “reasonable assurance”

concept



Reasonable assurance is considered a high level

of assurance that the financial statements are

free of material misstatement



Reasonable assurance = sufficient appropriate

audit evidence obtained has reduced the audit

risk to an acceptably low level



If you have no idea if audit risk has been reduced

to an acceptably low level, then you can’t know

that reasonable assurance has been obtained

10



I know in practice, we don’t use numbers or

percentages for completing the model, but

humor me for a bit

◦

Let’s assume that the auditor is willing to live with a 3%

AR, which means that we’re okay with a 3% risk that the

financial statements are materially misstated

◦

Let’s further assume we will not rely on controls and that

we assess control risk at 100% (some really small

governments don’t have very good controls, right?) and

let’s assume inherent risk is 50%

◦

So, what’s the result if you perform all the 

basic audit

procedures

 from the basket of illustrative audit

procedures in your methodology and those procedures

would detect 85% of all material misstatements (leaving

a15% DR)?

11

?  = (50% x100%) x 15%

 7.5%  = (50% x 100%) x 15%

          or, in other words

          Audit Risk is 7.5%

What was the target? (we wanted 3%)

Are we close?

No, we are not close, and we are in big trouble

because we have severely under-audited, and we

haven’t reached reasonable assurance yet

12



We immediately go and perform several

additional procedures from your illustrative

list of 

additional

 procedures and we get DR

(which was at 15%) down to 10%? You’re good

now, right?

13

?  = (50% x100%) x 10%

     5%  = (50% x 100%) x 10%

          or, in other words

          Audit Risk is now 5%

What was the target? (we wanted 3%)

Are we close enough yet?

No, and we are still in trouble because we have

under-audited, and we haven’t reached

reasonable assurance yet

14



We immediately go and perform several

additional procedures from your illustrative

list of 

additional

 procedures and we get DR

(which was at 15%) down to 10%? You’re good

now, right?



Not until you’ve reduced DR to around 6% in

this scenario will you have reduced audit risk

to the acceptably low level that we set of 3%

in order to have obtained reasonable

assurance

15



We go back to our bag of tricks and pull out a

few more procedures in response to our risk

of material misstatement and attempt to get

the DR down to 6% (which in our risk scenario

is the only way to get AR down to 3%)

16

?  = (50% x100%) x 6%

     3%  = (50% x 100%) x 6%

          or, in other words

          Audit Risk is now 3%

What was the target? (we wanted 3%)

Are we close enough yet? YES

We have finally reached our target?  YES, but in

order to get here I had to really work not only my

basic procedures, but several other additional

procedures in response to the risk.

17



You better have some sense of audit risk (AR) you’re

willing to accept or the target that you’re shooting for



The auditor’s assessment of CR and IR is pretty darn

important in planning the nature, timing, and extent of

further audit procedures, which is a direct derivative of the

auditor understanding the entity and the environment that

the entity operates in, and gaining an understanding of the

entity’s internal controls



Thinking about the mix of auditing procedures that are

contained in audit methodology and understanding how

each group or level of procedures reduces detection risk is

essential



Near the end of any audit engagement we should step

back and ask the important question - do the procedures

performed and the evidence obtained reduce audit risk to

an acceptably low level or is more work needed?

18

        AR = (IR x CR) x DR

             Can the following equation work?

L = (L x H) x H

        Yes, but how does it work?

       It works because the font sizes are different!

L = (

L 

x

H

) 

x H

L

 =     

L  

x H

19



Understanding how the audit risk model works

and how to use that theory when designing and

selecting auditing procedures that are responsive

to the risks of material misstatement trumps

merely filling out a checklist



As we plan upcoming audits, we need to ensure

that every member of the engagement team

understands the importance of RMM (or what can

go wrong) and that professional judgment and

professional skepticism is used to challenge

whether sufficient appropriate audit evidence is

being obtained to reduce audit risk to an

acceptably low level

20



Technically titled “Understanding the Entity

and Its Environment and Assessing the Risks

of Material Misstatement”

21



This SAS’s goal was to enhance the auditing

standards relating to the auditor’s risk

assessment and intends to enable auditors to

appropriately address the following:

◦

a. Understanding the entity’s system of internal control,

in particular, relating to the auditor’s work effort to

obtain the necessary understanding

◦

b. Modernizing the standard in relation to IT

considerations, including addressing risks arising from

entity’s use of IT

◦

c. Determining risks of material misstatements,

including 

significant risks 

(new definition)



SAS will be effective for audits of financial

statements for periods ending on or after

December 15, 2023.

22



The ASB did not seek to fundamentally

change the key concepts underpinning audit

risk as the ASB continues to have the view

that the audit risk model is fundamentally

sound.



Rather, the ASB focused on how certain

aspects of the identification and assessment

of the risks of material misstatement can be

clarified and improved in order to drive better

risk assessments and, therefore, enhance

audit quality.

23



Scalability



Modernizing and Updating AU-C Section 315

for an Evolving Business Environment



Automated Tools and Techniques



Information Technology



Fostering Independence of Mind and

Professional Skepticism



The Auditor’s Considerations Relating to

Fraud

24



Focusing on the Applicable Financial

Reporting Framework in Identifying Risks of

Material Misstatement

25



Terms Used to Describe Aspects of the Entity’s

System of Internal Control



Understanding Internal Control Through

Understanding the Five Components of Internal

Control



Work Effort for Understanding Each of the

Components of Internal Control



Controls That Address the Risks of Material

Misstatement



Enhanced Guidance Related to IT



Other Matters Relevant to Understanding the

Entity’s System of Internal Control

26



Identifying and Assessing the Risks of Material

Misstatement

◦

Spectrum of Inherent Risk (fancy name for our font size

example); the word “spectrum” is used 38 times in this

SAS, so they must think it’s a big deal



Relationship of Concepts With AU-C Section 540



Significant Risks



Identified and Assessed Risks of Material

Misstatement at the Financial Statement Level



Stand-Back and Paragraph .18 of AU-C section

330

27



 A new "stand-back" requirement intended to

drive an evaluation of the completeness of

the auditor's identification of significant

classes of transactions, account balances, and

disclosures (see paragraph 5.41)

28



A class of transactions, account balance, or

disclosure for which there is one or more

relevant

 assertions.

◦

What does relevant mean?



An assertion about a class of transactions, account

balance, or disclosure is relevant when it has an

identified risk of 

material

 misstatement.



A risk of material misstatement exists when (a) there is

a reasonable possibility of a misstatement occurring

(that is, its likelihood), and (b) if it were to occur, there

is a reasonable possibility of the misstatement being

material (that is, its magnitude).

29



 A conforming amendment to perform

substantive procedures for each relevant

assertion of each significant class of

transactions, account balance, and disclosure,

regardless of the assessed level of control

risk (rather than for all relevant assertions

related to each material class of transactions,

account balance, and disclosure, irrespective

of the assessed risks of material

misstatement, as previously required)

30

An identified risk of material misstatement

for which the assessment of inherent risk is

close to the upper end of the spectrum of

inherent risk due to the degree to which

inherent risk factors affect the combination of

the likelihood of a misstatement occurring and

the magnitude of the potential misstatement

should that misstatement occur, or that is to

be treated as a significant risk in accordance

with the requirements of other AU-C sections

31



Documentation of key matters



Rationale for the significant judgments made

in identifying and assessing the risks of

material misstatement



Requires

 that the auditor assess inherent risk

and control risk separately

32



Another convergence standard



Special Considerations — Audits of Group

Financial Statements (Including the Work of

Component Auditors and Audits of Referred-

to Auditors)



Supersedes SAS No. 122, as amended,

Section 600, 

Special Considerations — Audits

of Group Financial Statements (Including the

Work of Component Auditors)

, and makes

conforming amendments to other impacted

SASs.

33



SAS No. 149, in superseding Section 600 of SAS

No. 122, shifts the auditor's approach in

determining the components at which to perform

audit work from identifying "significant

components" to using professional judgment

based on assessed risk



SAS No. 149 retains the two reporting options

available to the group auditor

◦

making reference to the audit of a component auditor

◦

assuming responsibility for the work of component

auditors

34



Introduces the term "referred-to auditor," and

defines it as an auditor "who performs an

audit of the financial statements of a

component to which the group engagement

partner determines to make reference in the

auditor's report on the group financial

statements." It also indicates that a referred-

to auditor is not part of the engagement team



Revises the definition of component auditor

to indicate that a component auditor is part

of the engagement team

35



The ASB also issued Statement on Quality

Management Standards (SQMS) No.

3, 

Amendments to QM Sections 10, 

A Firm's

System of Quality Management

,

and

20, 

Engagement Quality Reviews, to conform

certain terms used in the quality management

standards to language used in SAS No. 149 and

provide guidance on differentiating between a

resource and an information source



Effective for audits of group financial statements

for periods ending on or after Dec. 15, 2026, but

now is the time for auditors to prepare. SQMS No.

3 is effective concurrently with the effective dates

provided in QM Sections 10 and 20

36



Also known as the “Yellow Book”



2

nd

 set of auditing standards that typically

apply to a government audit (the 1

st

 set being

the AICPA GAAS that we just talked about)



Last full revision was the 2018



However, the 2018 revision received a

technical update in April 2021

37



1.02 The concept of accountability for use of

public resources and government authority is

key to our nation’s governing processes.

Management and officials entrusted with

public resources are responsible for carrying

out public functions and providing service to

the public effectively, efficiently,

economically, ethically, 

and equitably

 within

the context of the statutory boundaries of the

specific government program.

38



1.03 “….and (3) government services are

provided effectively, efficiently, economically,

ethically, 

and equitably

39



1.23 Examples of program effectiveness and

results audit objectives include f. determining

whether a program provides 

equitable

 access

to or distribution of public resources within

the context of statutory parameters

40



3.83 If auditors provided a nonaudit service in

the period to be covered by the engagement,

they should (1) determine if GAGAS expressly

prohibits the nonaudit service; (2) if audited

entity management requested the nonaudit

service, determine whether the 

skill

, knowledge,

or experience of the individual responsible for

overseeing the nonaudit service 

was

 sufficient;

and (3) determine whether a threat to

independence exists and address any threats

noted in accordance with the conceptual

framework.

41



8.42 

If internal control is significant to the audit

objectives, auditors determine which of the five

components of internal control are significant to

the audit objectives, as all components of

internal control are generally relevant, but not all

components may be significant to the audit

objectives. This determination can also identify

the underlying principles, control objectives, or

specific controls that are significant to the audit

objectives. Determining which internal control

components, principles, control objectives,

and/or specific controls are significant to the

audit objectives is a matter of professional

judgment.

42



8.49 

If internal control is determined to be

significant to the audit objectives, auditors

should plan and perform audit procedures to

assess internal control to the extent

necessary to address the audit objectives.

43



9.30 

When reporting on the scope of their

work on internal control, auditors should

identify the scope of internal control assessed

to the extent necessary for report users to

reasonably interpret the findings,

conclusions, and recommendations in the

audit report.

44



9.32 

Auditors may identify the control components,

underlying principles, control objectives, or specific

controls assessed in describing the scope of their work on

internal control. Auditors may also identify the level of

internal control assessment performed, as discussed in

paragraph 8.50. Control components and underlying

principles that are not considered significant to the audit

objectives may be identified in the scope if, in the

auditors’ professional judgment, doing so is necessary to

preclude a misunderstanding of the breadth of the

conclusions of the audit report and to clarify that control

effectiveness has not been evaluated as a whole. Auditors

may also identify and describe the five components of

internal control so that report users understand the scope

of the work within the context of the entity’s internal

control system

45



Updates to enhance how audit organizations

manage audit quality. Effective quality

management can reasonably assure an audit

organization that its people, audits, and

reports adhere to professional standards and

applicable laws.



Another updated area adds guidance for

financial audits.

46



The proposed Yellow Book revision would

replace extant chapter 5, "Quality Control and

Peer Review," paragraphs 5.01 through 5.59,

and add additional application guidance to

chapter 6, "Standards for Financial Audits."

47



Directs audit organizations that are subject to

selected standard setters' quality

management standards to comply with those

requirements and specific additional Yellow

Book requirements to avoid the potential

burden of audit organizations designing and

maintaining separate systems of quality

management.

48



Emphasizes the responsibility of leadership

for quality management within an audit

organization and requires senior leadership

to take an active role in the system of quality

management



Adds a quality management risk assessment

process and an information and

communication component to the framework

for the system of quality management

49



Emphasizes monitoring of the entire system

of quality management and includes a new

requirement to investigate the underlying

causes of identified quality management

deficiencies



Promotes scalability of the standard for use

by audit organizations differing in size and

complexity

50



Provides for the use of engagement quality

reviews, if the audit organization determines

that engagement quality review is an

appropriate response to address one or more

quality risks



Proposes application guidance for key audit

matters to provide clarity for financial audits

of government entities and entities that

receive government financial assistance

51



3

rd

 set of standards that may typically apply

to your audits of state and local governments



Dictated by the expenditure of a certain level

of federal financial awards in any one fiscal

year



These also don’t change significantly from

year to year



However, how you audit federal financial

awards does change via the compliance

supplement issued each year

52

Historic federal funding (COVID-19 and IIJA funding)

◦

New IIJA programs and continued impact on

existing programs receiving additional funding

◦

“Higher risk” classification by OMB will continue

which impacts major program determination

New recipients/increase in first-time single audits

COVID-19 waiver expiration

Continued workload compression

Federal focus on oversight, accountability, and

transparency

Quality should always be a focus!

53

*

Above numbers do not include

for-profit audits of federal funding

(e.g., healthcare entities and

shuttered venues) which likely

would add another 10,000+ audits

for 2021 and likely 2022

54



Winding down, but still in play for many recipients



Of the pandemic funding programs still in play, the

largest and most pervasive are:

•

CSLFRF

•

PRF

•

ESF



Auditors still need to focus on pandemic funding

nuances and keep a focus on quality



Audits of for-profit recipients of this funding

continue

55



National Emergency has ended and the Public Health

Emergency ends on May 11

•

Many federal COVID-19 waivers were tied to these

emergencies



The result?  Previous waivers provided to recipients for

certain compliance requirements have expired or will

expire soon

•

For example, HHS healthcare-related, USDA nutrition-

related, HUD housing related, ED SFA



Be alert to guidance issued by agencies on expiring

waivers since will impact single audit testing

56

Authorized $1.2

trillion for spending

Signed into law by

President Biden on

November 15, 2021

Over $550 billion

designated for ‘new’

federal programs for

transportation,

infrastructure, and

broadband

Probable that significant amounts of this federal funding will either be passed through States or received

directly by both non-federal entities and for-profit entities

Each of the federal

programs resulting

from the IIJA have

unique aspects

57

Expected by mid-May 2023

Several new programs and changes to many more

programs than usual

•

Performance reporting updates

•

Changes due to law or regulation changes

•

Changes to introduce IIJA provisions

Part 3 will have minimal changes

•

Build America Buy America Act guidance added to

Procurement and Cash Management guidance

tweaked

Highway Planning and Construction Cluster

58

Continues to include listing of higher risk programs in

Appendix IV; programs expected

59

Out-of-Period issues

•

PRF amounts reported on the SEFA align with

report submissions to the PRF Reporting Portal

•

ESF/HEERF allowed institutions to go back to

prior periods for expenditures/lost revenue

•

SVOG allowed pre-award costs back to March

2020

Determining completeness - certain COVID funding

may be handled by departments unaccustomed to

federal funding (e.g., 32.009)

Identification of COVID-19 funding on face of SEFA

Determining when awards exist

Use this GAQC

nonauthoritative

tool as a

resource:

Guidance on the

Reporting of

Certain COVID-

19 Awards on an

Accrual Basis

SEFA

60

Pandemic funding has significantly increased

usage of AU-C 805

, 

Audits of Single Financial

Statements and Specific Elements, Accounts, or

Items of a Financial Statement

; 

for example

:

•

More program-specific audits being

performed

•

GAGAS financial audit option for for-profit

PRF recipients

Remember that the auditor is required to comply

with all AU-C sections relevant to the audit

Access a

related new

GAQC article,

Governmental

Audits of

Single

Financial

Statements or

Elements

61

Have seen an increase in auditor receiving letters and other

requests from federal agencies

•

Letters from Education on the SFA program

•

Letters from HHS regarding the PRF program

When requests involve access to audit documentation, refer

to Interpretation No. 1, 

Providing Access to or Copies of

Audit Documentation to a Regulator 

(AU-C sec. 9230 par.

.01-.15),

Consult within firm/organization to determine protocols for

such requests

62

The provider of the FAC will change from Census to GSA by

October 1, 2023.  Web address will be:  

https://www.fac.gov/

Single audits with a fiscal period ending in 2022 (or earlier)

should be submitted to Census FAC (

https://facweb.census.gov/

)

•

Any draft not fully submitted to the Census FAC by October

1, 2023, may need to be completely re-started at the new

GSA FAC

Single audits with a fiscal period ending in 2023 will be

submitted to the new GSA FAC beginning on October 1, 2023.

GAQC is monitoring this timeline and will request that OMB issue

guidance on late 2023 submissions that may result from the

October launch date of the new FAC

•

Relates to the 30-day part of submission requirement

Auditors and

auditees with

earlier 2023

fiscal year end

single audits

should develop

policies to

ensure

submission

occurs once the

new FAC opens

63

Key resource for auditors; you should be

using this Guide!

2023 update expected in eBook and

paperback this summer

Key changes:

An appendix introducing SAS 145

Issuance of SAS 148

Updates to certain pandemic funding

information

Order when published

at:  

https://www.aicpa-

cima.com/cpe-learning

64

OMB is expected to issue a 

Federal Register 

notice

proposing changes to the UG this summer

•

Stated area of focus are changes that would reduce

administrative burden, areas having inconstant

interpretation, areas needing improved clarity, and

consistency updates

All parts of the UG have the potential for change

In advance, OMB issued a Request for Information,

asking respondents for recommended changes

•

See 

GAQC response

65



So what did $5.4 trillion of pandemic relief

funding mean for auditors last year in the

compliance supplement?



Hint: here is where your risk is

66



29 new programs by AL number have been

added



1,968 total pages in the 2022 Compliance

Supplement



The word “pandemic” appears 134 times



The word “Coronavirus” appears 409 times



The words “Cares Act” appear 424 times



The word “Covid” appears 741 times



I can only guess how many times these will

be mentioned in the 2023 supplement

67



Failure to report findings in the appropriate

form in the Schedule of Findings and

Questioned Costs



Failure to identify and test sufficient and

appropriate major programs, failure to

cluster, failure to properly perform Type A

and Type B program risk assessments, failure

to group programs with the same CFDA/AL

number, and incorrect determination of the

auditee as low-risk resulting in insufficient

coverage

68



Failure to properly conclude and document

either that an applicable compliance

requirement does not apply to the particular

auditee or that noncompliance with the

requirements could not have a direct and

material effect on a major program

69



Failure to document an understanding of

internal control over compliance of federal

awards sufficient to plan the audit to support

low assessed level of control risk for major

programs, including consideration of risk of

material noncompliance (materiality) related

to each applicable compliance requirement

and major program

70



Failure to document the adequacy of the

planned sample size for test of controls over

compliance to achieve a low level of control

risk



Failure to document the testing of controls

and compliance for the relevant assertions

related to each applicable compliance

requirement with a direct and material effect

for the major program

71



Lack of documentation of risk of material

noncompliance for the major program’s

compliance requirements occurring due to

fraud



Lack of documentation related to the SEFA

◦

Internal controls over the preparation of the SEFA

◦

Procedures to determine whether the SEFA is fairly

presented in all material respects

◦

Reconciliation of the SEFA to amounts in the

financial statements

72



Lack of documentation of consideration of

subsequent events related to the major

program and its compliance requirements

73



Remember the old Single Audit Sampling

Project from 2007?



It covered single audits issued from March

2003 to April 2004

◦

55.3% Acceptable

◦

14.4% Limited Reliability

◦

30.3% Unacceptable



A follow up review is being planned…

74



Guess how many pages the 2003 compliance

supplement was?  150 total pages



How many pages did I say the 2022

supplement had in it?  1,968 total pages



What do you think the new stats will show?

75

76