SOURCE: Adapted from the GAQC Practice Aid, “HHS Audit Re Requirements for For-Profit Entities with Awards from the Provider Relief Fund Program and Other HHS Programs”
Single audit and program-specific audit under the uniform guidance
A single audit for any for-profit entity with multiple federal awards, or a program-specific audit — if the for-profit entity has funding under one HHS program, such as PRF, and meets certain other requirements — has historically been applicable to states, local governments, Indian tribes, institutions of higher education, and nonprofit organizations. Those organizations that expend $750,000 or more in federal awards annually have been audited under the Uniform Guidance for many years.
A single audit is an entity-wide audit consisting of two main parts: an audit of the financial statements and a compliance audit of the entity’s major federal award programs. The audit of the major programs includes gaining an understanding of — and testing internal controls over — compliance, and testing compliance with applicable compliance requirements for each major program.
The compliance requirements subject to audit and the related internal control and compliance audit steps are outlined in the OMB Compliance Supplement, which is updated annually. The 2021 Compliance Supplement was released in August 2021. PRF is included in Part 4 of the 2021 Compliance Supplement. The 2021 Compliance Supplement Addendum 1 and Addendum 2 were released in December 2021 and January 2022, respectively, but did not affect PRF. Minor technical updates to the 2021 Compliance Supplement were issued in April 2022, one of which affected PRF by removing Part 4 — Section III(N)(1) Special Test and Provisions: Out-of-Network Patient Out-of-Pocket Expenses. Auditors should ignore that particular section when using the 2021 Compliance Supplement to determine audit procedures.
The reporting requirements under a single audit include:
- Auditor’s Report on Financial Statements
- Auditor’s Report on Internal Control over Financial Reporting and on Compliance and Other Matters (required by Government Auditing Standards at the financial statement level)
- Auditor’s Report on Schedule of Expenditures of Federal Awards and Auditor’s Report on Compliance and Internal Control over Compliance Applicable to Each Federal Major Program (required by the Uniform Guidance; in-relation-to opinion on the schedule of expenditures of federal awards and reporting on internal control and compliance at the major program level)
- Auditor’s Schedule of Findings and Questioned Costs
A program-specific audit is only available if the sole federal award of an entity is PRF and the terms and conditions of the award do not require a financial statement audit of the auditee. A program-specific audit effectively means performing a single audit of only one federal program. This may be uncommon due to many for-profit entities receiving other HHS awards in response to COVID-19.
GAGAS financial audit
GAGAS financial audits are required to be performed under AU-C 805, Special Considerations — Audits of Single Financial Statements and Specific Elements, Accounts, or Items of a Financial Statement. The schedule of HHS awards is a specified element of a financial statement. Under AU-C 805, the engagement should also comply with the other provisions of generally accepted auditing standards (GAAS) that apply to financial statement audits.
This includes matters such as planning the engagement; identifying and assessing the risk of material misstatement whether due to error or fraud; obtaining an understanding of the internal control as it relates to the specified element; designing the nature, timing, and extent of further audit procedures; going-concern considerations; and evaluating passed adjustments.
While an opinion on compliance is not required under a GAGAS financial audit, compliance would still need to be considered by the auditor to determine that amounts in the Schedule of HHS Awards are not misstated. Government Auditing Standards requirements go beyond certain AICPA requirements, in that the auditor must also consider noncompliance with the provisions of contracts and grant agreements. Therefore, a significant amount of professional judgment will be required.
The reporting requirements of a GAGAS financial audit include:
- An opinion on the entity’s schedule of U.S. Department of Health and Human Services (HHS) awards in accordance with AU-C section 805, Special Considerations — Audits of Single Financial Statements and Specific Elements, Accounts, or Items of a Financial Statement and Government Auditing Standards
- Auditor’s Report on Internal Control over Financial Reporting and on Compliance and Other Matters
- Schedule of Findings and Responses, when applicable
Part 2 of the FAQ in the GAQC Practice Aid includes guidance specific to the GAGAS financial audit option. Because the PRF program contains unusual and challenging rules and reporting requirements, auditors should be familiar with the included questions and answers in order to successfully execute and complete these engagements. Those topics include:
- Use of GAAP basis versus a special purpose framework — that is, cash or income tax basis only
- Determination of HHS award amounts to be reported on the schedule and for what period
- Relationship between the schedule and the entity’s financial statements
- Materiality for the audit of the schedule
- Additional responsibilities in a GAGAS financial audit
- Which provisions of laws, regulations, contracts, and grant agreements could have a material effect on the schedule and related disclosures
- Internal control considerations
- Level of compliance testing expected
The Appendixes to the GAQC Practice Aid include several facts and circumstance-based scenarios to illustrate the necessary steps to arrive at the appropriate schedules and notes under either the GAAP or cash basis of accounting. The Appendixes also include illustrative auditor’s reports, an illustrative schedule of findings and responses, and a primer on Government Auditing Standards.
Deadlines and audit report submission
The same HHS for-profit audit deadline applies regardless of which option is selected, which is either the earlier of thirty calendar days after the entity’s receipt of the audit report, or nine months after the entity’s fiscal year end. As of the date of this communication, there is an extension in place to allow an additional six months after the normal due date for entities with fiscal years ending through June 30, 2021.
Therefore, the extended due date for audits of entities with a fiscal year ending June 30, 2021, is currently September 30, 2022. There is no extension in place for entities with fiscal years ending after June 30, 2021 — for example, a for-profit entity with a calendar year ending December 31, 2021 would also have a deadline of September 30, 2022.
HHS audit reports of for-profit entities must be submitted via email to HRSA’s Division of Financial Integrity at PRFaudits@hrsa.gov. For-profit entities should not submit their audits to the Federal Audit Clearinghouse.
Government Auditing Standards considerations
Audit firms should carefully consider whether they are able to meet the Yellow Book requirements before taking on an engagement under the Government Auditing Standards — which, as noted previously, apply to each of the HHS audit options of for-profit entities. If the audit firm is not confident that they can meet the requirements, it is conceivable they could continue to audit the financial statements — assuming that it is a continuing engagement — and partner with a firm with Yellow Book expertise for the compliance audit portion of the engagement. Some of the most significant requirements for audit firms as prescribed by the Yellow Book are as follows:
- Independence. The Yellow Book states that in all matters relating to the audit work, the audit organization and individual auditor, whether government or public, must be independent. If independence is impaired, the auditor should decline to perform a prospective audit or should terminate one that is in progress.
The Yellow Book establishes a conceptual framework that should be used to identify, evaluate, and apply safeguards to address threats to independence. The Yellow Book also identifies specific non-audit services that always impair independence and that auditors are prohibited from providing to audited entities. If a non-audit service is not specifically prohibited, the auditor is required to assess its impact on independence using the relevant conceptual framework.
The main differences between the AICPA and Yellow Book independence standards relate to when the conceptual framework is used and documentation of the assessment of management’s skills, knowledge, or experience.
- Professional judgment. The Yellow Book stresses the critical role of professional judgment in complying with Government Auditing Standards. Paragraph 3.109 of the Yellow Book establishes an unconditional — that is, “must” — requirement for auditors to use professional judgment in planning, performing, and reporting on audits. Paragraph 3.110 of the Yellow Book states that professional judgment “includes exercising reasonable care and professional skepticism.”
Reasonable care requires auditors to act diligently in accordance with applicable professional standards and ethical principles. Exercising professional skepticism requires auditors to critically assess audit evidence while assuming that management is neither dishonest nor of unquestioned honesty.
Competence and continuing education: The general standard related to competence in the Yellow Book, beginning at Paragraph 4.02, states that the staff assigned to perform the audit engagement must collectively possess adequate professional competence needed to address the audit objectives and perform the work in accordance with Government Auditing Standards. The Yellow Book, Paragraph 4.03, indicates that the audit organization’s management must assign auditors who, before beginning work on the engagement, possess the competence needed for their assigned roles. The Yellow Book, Paragraph 4.04, states that the audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement.
80-hour and 24-hour CPE requirements: The Yellow Book contains very specific and complex CPE requirements for all auditors of GAGAS engagements, which vary depending on each auditor’s role on the engagement. In addition, due to the COVID-19 pandemic, the GAO issued the COVID-19: GAGAS CPE Alert, which provides exceptions to the normal CPE requirements: The Yellow Book CPE requirements and COVID-19 exceptions are detailed at PHC-CX-1.4 of PPC’s Practice Aids for Audits of Health Care Entities (Nonprofit and Investor-owned Entities)
- Quality control and assurance. The requirement in Paragraph 5.02 of the Yellow Book states “an audit organization conducting engagements in accordance with GAGAS must establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements.”
The requirement in Paragraph 5.04 of the Yellow Book states “an audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures.”
- Peer review. The Yellow Book, Paragraph 5.84, requires an audit organization not already subject to a peer review requirement to obtain an external peer review at least once every three years. The audit organization should obtain its first peer review covering a review period ending no later than three years from the date an audit organization begins its first Yellow Book audit — that is, the start of field work.
The Yellow Book, at Paragraph 5.77, states that external audit firms should make their most recent peer review report publicly available. This can be done, for example, by posting the peer review report on a publicly available internet site or to a publicly available site designed for transparency of peer review results. The 2021 edition of the AICPA Audit Guide, Government Auditing Standards and Single Audits (GAS/SA Audit Guide), Paragraph 2.63, explains that if these options are not available, the audit firm should use the same mechanism it uses to make other reports or documents public. The audit organization also should provide the peer review report to others when requested.
Any separate communication of findings, conclusions, and recommendations that may have been issued does not have to be made publicly available. Government Auditing Standards, Paragraph 5.81, provides additional information on transparency of peer review reports, including information that might be included with a publicly available report to help users understand its meaning.
