Preparing for a Single Audit

A single audit is an examination of an organization's compliance with federal requirements applicable to each of its major programs.

For a single audit, an organization must be able to demonstrate that it is in compliance with contract provisions as well as with laws and regulations, which could have a direct and material effect on the determination of financial statement balances. In addition, the organization must also be able to demonstrate that it has effective internal controls over compliance with direct and material federal compliance requirements applicable to each major program and financial reporting. 

To prepare for a single audit it is helpful to: (1) Prepare a complete and accurate schedule of expenditures of federal awards; (2) Review applicable requirements to determine compliance objectives; and (3) Ensure that internal controls are appropriate to meet those objectives.

1. Prepare a complete and accurate schedule of expenditures of federal awards
   The first step in preparing for a single audit is to determine the federal expenditures for each federal program during the fiscal year. Use this information to prepare the schedule of federal expenditures (SEFA). This schedule is used in part to determine which federal programs will be audited as major programs for the single audit.


2. Review applicable requirements to determine compliance objectives
   A key step to ensuring that your organization is in compliance with federal requirements is to identify which federal requirements are applicable.
   • Review grant documents to identify all federal money received and the corresponding Catalog of Federal Domestic Assistance (CFDA) number.
   • Determine the scope and limitations of the grant and other requirements per the contract.
   • Review CFDA.gov for additional guidance applicable to the grant.
   • Review the OMB Circular A-133 Compliance Supplement for federal compliance requirements applicable to the your federal funding that may not have been explicitly stated in the grant contract.
   • Also review OMB Circular A-122 Cost Principles for Non-Profit Organizations for guidance on determining costs applicable to grants.
   
   
3. Ensure that internal controls are appropriate to meet those objectives
   A single audit requires an independent auditor to assess internal controls over compliance with the requirements that could have a direct and material effect on a major federal program. Internal controls over financial reporting are also considered as a basis for designing auditing procedures for expressing an opinion on the financial statements. Because assessing internal controls are an important audit objective, it is important for management to ensure that internal controls are in place and operating effectively. It should be management's objective to have internal controls in place to reduce the risks of misstatement and/or noncompliance to low.

It may be helpful to use the COSO (Committee of Sponsoring Organizations) internal control framework to evaluate the adequacy of internal controls.  In the COSO model, there are 5 elements to an effective internal control system:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

At a minimum the organization should: (1) Demonstrate an appropriate tone at the top regarding internal control (2) Assess risk areas for noncompliance and financial reporting (3) Implement controls over noncompliance (4) Ensure that communication lines are adequate to promote timely feedback (5) Monitor internal controls.

1. Demonstrate an appropriate tone at the top regarding internal control - The board of directors and management should set a tone at the top regarding the importance of internal control. This includes top management modeling ethical behavior and developing and enforcing appropriate standards of conduct.
2. Assess risk areas for noncompliance and financial reporting - Methods of performing a risk assessment will vary from organization to organization based on a number of factors including size and complexity. A risk assessment should include (I) an identification of transaction cycles and compliance requirements from applicable laws, contracts, grant agreements and any other sources of requirements and (II) an evaluation of the significance of those risks and their impact on the organization.
3. Implement controls over noncompliance - Control activities should be implemented to reduce assessed risks to tolerable levels. Examples of control activities include segregating accounting duties and requiring a second person review and approve significant disbursements. 
4. Ensure that communication lines are adequate to promote timely feedback - Lines of comminication should be in place to allow information to be disseminated up, down, and across the organization as well as with external parties to facilitate the other components of the COSO framework.
5. Monitor internal controls - Management should monitor internal controls and transaction cycles to ensure that compliance objectives are being met and internal control procedures are being followed.