Escolar Documentos
Profissional Documentos
Cultura Documentos
Summary of updates:
- New version CPA exam structure (w.e.f. April 2017)
- AUD-7.2: Attestation Engagements [Auditing Standards Board
(ASB) of the AICPA has issued clarified SSAE (AT-C) for clarity
and convergence with international standards]
- AUD-7.3: Governmental Auditing [Miles content revised &
updated; new mnemonics APPEND, AICPA CD-VCD, AICPA SCI-
Fi CD-VCD]
- AUD-7.4: Effect of I.T. on Audit - Also refer to Effect of I.T. on
Internal Controls from BEC-7.5
1
New version CPA exam structure (w.e.f. April 2017):
MCQ testlets TBS/WCT testlets
50% weightage 50% weightage
Recommended time: Recommended time:
Testlet #1: 50 mins Testlet #3: 30 mins
Testlet #2: 50 mins Testlet #4: 50 mins
Testlet #5: 60 mins
15 min
Break:
Testlet #1 Testlet #2 Testlet #3 Testlet #4 Testlet #5
FAR 33 MCQs 33 MCQs 2 TBSs 3 TBSs 3 TBSs
15 min
Break:
Testlet #1 Testlet #2 Testlet #3 Testlet #4 Testlet #5
AUD 36 MCQs 36 MCQs 2 TBSs 3 TBSs 3 TBSs
15 min
Break:
Testlet #1 Testlet #2 Testlet #3 Testlet #4 Testlet #5
REG 38 MCQs 38 MCQs 2 TBSs 3 TBSs 3 TBSs
15 min
Break:
Testlet #1 Testlet #2 Testlet #3 Testlet #4 Testlet #5
BEC 31 MCQs 31 MCQs 2 TBSs 2 TBSs 3 WCTs
* MCQ - Multiple Choice Question | TBS - Task Based Simulation | WCT - Written Communication Task
2
AUD-7 Miles CPA Review
A7-16
Miles CPA Review AUD-7
Attestation standards
Extension of GAAS but conceptually different in the following ways:
SSAE do not refer to F/S Audit = Examination of historical F/S
SSAE do not refer to GAAP Attest = ERA of other than historical F/S
SSAE provide lower levels of assurance than a GAAS audit
11 Standards
5 General standards: {TIP where T includes Know Criteria}
T Training & proficiency
Know Knowledge of the subject matter
Criteria - subject matter should be capable of evaluation against criteria that is suitable
Criteria
& available to users; a suitable criteria is relevant, objective, measurable & complete
I Independence (independence is mandatory for audit & attestation)
Professional care in planning & performance
P
2 Fieldwork Standards {PIC without the I}
P Planning & supervision
Internal Controls
C Corroborative Audit Evidence
4 Reporting Standards {Identify Clean & Dirty Limits - Reporting standards are less specific
due to the wide variety of attestation engagements possible}
I Identify the subject matter or assertion being reported on and state the character of the
engagement
C Conclusions about the subject matter or assertion to be stated
D Disclose significant reservations about the engagement including unresolved problems
or concerns
L Limited use - Restrict use of report to specified parties if:
- Criteria is suitable for or available to limited number of parties,
- Written assertion not provided by the client (engaging party), or
- Reporting on an AUP engagement
Note:
- Traditionally, attest standards were classified as 11 basic standards as above with 3 groups - general, fieldwork and
reporting. Until April 30, 2017, these were authoritative standards and were directly reflected in the SSAE
- Effective May 1, 2017, the Auditing Standards Board (ASB) of the AICPA has issued clarified SSAE (AT-C) for clarity
and convergence with international standards. Though the above classification of attest standards has now been
incorporated into clarified SSAE and are still broadly applicable, the above classification is no longer authoritative
A7-17
AUD-7 Miles CPA Review
Categories of Attestation engagements: {attest = new ERA for practitioners with engagements
beyond historical F/S!}
E Examination leading to opinion
R Review leading to assurance
A7-18
Miles CPA Review AUD-7
May be same Engaging party = client who hires CPA
or different Responsible party = responsible for subject matter (e.g., management)
Few key requirements of attestation engagements:
Written assertion required - An attest engagement is predicated on the concept that a
responsible party makes an assertion about whether the subject matter is measured or
evaluated in accordance with suitable criteria. Therefore, it is required for practitioner to
request a written assertion from the responsible party (ok if the written assertion is included
in an engagement letter, representation letter, alongside presentation of the subject matter or
in the notes, etc.)
Examination & Review Engagements - If responsible party refuses to provide a written
assertion, practitioner should withdraw
Except: 1. Need not withdraw if engaging party responsible party [in this case, disclose the
refusal in the attest report and restrict use of the report to the engaging party]
2. For AUP engagements, responsible partys refusal to provide a written assertion requires
the practitioner to disclose that refusal in the report
Change in terms of the engagement - Practitioner to agree only if reasonable justification exists
If the practitioner agrees to a downgrade of service (e.g., examination to review),
practitioners report should be issued on the lower level of service - with no reference to
the original engagement or scope limitations that resulted in the changed engagement
A7-19
AUD-7 Miles CPA Review
Scope Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable
assurance about whether the schedule of investment returns is in accordance with the criteria, in all material respects.
An examination involves performing procedures to obtain evidence about the schedule of investment returns. The
nature, timing, and extent of the procedures selected depend on our judgment, including an assessment of the risks of
material misstatement of the schedule of investment returns, whether due to fraud or error. We believe that the
evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
[Describe significant inherent limitations, if any, associated with evaluation of the subject matter against the criteria]
[May add explanatory paragraph to emphasize certain matters relating to the attest engagement or the subject matter]
Opinion In our opinion, the schedule of investment returns referred to above is presented in accordance with the XYZ criteria
set forth in Note 1, in all material respects.
[Practitioners signature | City and State | Date of report]
A7-20
Miles CPA Review AUD-7
Conclusion Based on our review, we are not aware of any material modifications that should be made to management of ABC
Company's assertion in order for it to be fairly stated.
[Practitioners signature | City and State | Date of report]
A7-21
AUD-7 Miles CPA Review
Examination or Review = CPA decides procedures
AUP = Client decides procedures. CPA performs these agreed procedures & reports findings
I) Agreed-Upon Procedures (AUP) Engagements
Practitioner engaged by client to report findings based on specific agreed-upon procedures
Performed when specified parties require that findings be derived by an independent CPA
May be performed on the subject matter, or assertion(s) about the subject matter
May be performed provided following conditions exist: {ASSURE the practitioner that AUP is ok}
General standards for all attestation engagements = TIP + Know Criteria
A Agreement of the Parties - Practitioner and specified parties must agree regarding
Procedures to be performed
Criteria to be used in the determination of the findings, and
Any materiality limits to be applied for reporting purposes
S Subject Matter - Responsibility of specified parties or the specified parties are able to provide
evidence that a third party is responsible; however, written assertion is generally not required
Procedures to be applied to the subject matter should be expected to result in reasonably
consistent findings using the criteria
S Sufficiency of the Procedures - Responsibility of specified parties Report intended for parties
U Use of the Report is Restricted to the specified parties who prescribed procedures
R Responsibility of Practitioner - Practitioner responsible for performing agreed-upon
procedures and report findings (as per AICPAs SSAE)
E Engagements relating to prospective F/S must include a summary of significant assumptions
A7-22
Miles CPA Review AUD-7
A7-23
AUD-7 Miles CPA Review
A7-25
AUD-7 Miles CPA Review
A7-26
Miles CPA Review AUD-7
E R A
V) Compliance (as a specific engagement)
Relates to an entitys compliance with specified laws, regulations, rules, contracts, or grants
Does not provide a legal determination of an entitys compliance with specified requirements.
However, attest report may be useful to legal counsel or others in making such determinations
A7-28
Miles CPA Review AUD-7
Sample Reports
On Examination of an Entitys Compliance:
Independent Accountants Report
[Appropriate Addressee]
We have examined XYZ Company's compliance with [identify the specified requirements, for example, the requirements
listed in Attachment 1] during the period January 1, 20X1, to December 31, 20X1. Management of XYZ Company is
responsible for XYZ Company's compliance with the specified requirements. Our responsibility is to express an opinion
on XYZ Company's compliance with the specified requirements based on our examination.
Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable
assurance about whether XYZ Company complied, in all material respects, with the specified requirements referenced
above. An examination involves performing procedures to obtain evidence about whether XYZ Company complied with
the specified requirements. The nature, timing, and extent of the procedures selected depend on our judgment,
including an assessment of the risks of material noncompliance, whether due to fraud or error. We believe that the
evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Our examination does not provide a legal determination on XYZ Company's compliance with specified requirements.
In our opinion, XYZ Company complied, in all material respects, with [identify the specified requirements, for example,
the requirements listed in Attachment 1] during the period January 1, 20X1 to December 31, 20X1.
[Practitioners signature | City and State | Date of report]
A7-29
AUD-7 Miles CPA Review
A7-30
Miles CPA Review AUD-7
Relates to the performance of an attest engagement with respect to MD&A (presented in annual
reports and other documents) which are prepared pursuant to SEC rules & regulations
May provide services to:
Public entity that prepares MD&A in accordance with SEC rules & regulations
Non-public entity that prepares MD&A and whose management provides a written
assertion that the presentation has been prepared using SEC rules & regulations
The guidance of this section (AT-C 395) does NOT
Change the auditor's responsibility in an audit of F/S
Apply to situations in which the practitioner is requested to provide recommendations to
improve MD&A rather than to provide assurance (may be taken up as a Consulting service)
Apply if practitioner is engaged to provide attest services with respect to MD&A prepared
based on criteria other than SEC rules and regulations (may be still taken up as an attest
engagement but the guidance of this section AT-C 395 will not apply)
Note: In practical scenarios, practitioners rarely perform attest engagements to report on
MD&A prepared pursuant to SEC rules and regulations (so AT-C 395 rarely applies)
A7-31
AUD-7 Miles CPA Review
Relates to System and Organization Controls (SOC) for Service Organizations - Examination of I/C
at a service organization providing valuable info that users need to assess/address the risks
associated with an outsourced service
SOC 1 - SOC for Service SOC 2 - SOC for Service SOC 3 - SOC for Service
Organizations: ICFR Organizations: Trust Organizations: Trust
Services Criteria Services Criteria for
General Use Report
Professional Examination per SSAE Examination per SSAE Examination per SSAE
Standard
Subject Controls at a service Controls at a service Controls at a service
Matter organization relevant to organization relevant to organization relevant to
user entities ICFR security, availability, security, availability,
processing integrity, processing integrity,
confidentiality, or privacy confidentiality, or privacy
Trust Services Criteria
Report Type - Type 1 Report - Opinion - Type 1 Report - Opinion - Type 2 Report only -
on design of I/C on design of I/C Opinion on design &
- Type 2 Report - Opinion - Type 2 Report - Opinion operating effectiveness
on design & operating on design & operating of I/C
effectiveness of I/C effectiveness of I/C
A7-32
Miles CPA Review AUD-7
Trust Services - SOC 2 & SOC 3 attest engagements require the service organizations controls meet
the specified Trust Service Criteria (TSC) as defined by the AICPA
Trust Services Criteria (TSC) used to evaluate the controls SOC 2 and SOC 3 engagements:
Security - Info & systems are protected against unauthorized access, unauthorized
disclosure of info, and damage to systems that could compromise the availability, integrity,
confidentiality, and privacy of info or systems that affect the entitys ability to meet its
objectives
Availability - Info & systems available for operation and use to meet the entitys objectives
Processing integrity - System processing is complete, valid, accurate, timely, and authorized
to meet the entitys objectives
Confidentiality - Info designated as confidential is protected to meet the entitys objectives
Privacy - Personal info is collected, used, retained, disclosed, and disposed to meet the
entitys objectives
SOC 2 vs. SOC 3
SOC 2 Report - Restricted use report intended for specified parties (management of the
service organization and current/prospective users)
SOC 2 report is detailed; includes auditors opinion, managements assertion, detailed
description of system & organizations controls, and results of auditors test of controls
SOC 3 Report - General use report that is also fit to be displayed online
SOC 3 report is brief; includes auditors opinion, management assertion, brief
background on the service organization. No details on specific controls or results of
auditors test of controls
SOC 2 reports are intended to meet the needs of users who need detailed info and assurance
about the controls at a service organization relevant to security, availability, and processing
integrity of the systems the service organization uses to process users data and the
confidentiality and privacy of the info processed by these systems. These reports can play an
important role in:
Oversight of the organization
Vendor management programs
Internal corporate governance and risk management processes
Regulatory oversight
SOC 3 reports can be issued on one or multiple Trust Services Criteria and allow the service
organization to place a seal on their website as a representation of an unmodified opinion.
Given the focus on e-commerce and online transactions, most common SOC 3 reports include:
Websites (Webtrust) - Examination of website and effectiveness of info system controls
based on the trust services criteria
Information systems (Sys Trust service) - Examination of info system controls based on the
trust services criteria
A7-33
AUD-7 Miles CPA Review
E R A
VII) I/C at a Service Organization Relevant to User Entities ICFR
Attest engagement applicable when service auditor is examining I/C at a service organization
that provides services to user entities
May provide appropriate evidence required by the user auditor relating to the I/C of the
service organization when those I/C are likely to be relevant to users ICFR
E.g., Payroll processing service organization (like ADP) I/C related to the timely remittance
of payroll deductions to government authorities may be relevant to a user entity as late
remittances could incur interest/penalties that would result in a liability to the user
E.g., Service organization I/C over the acceptability of investment transactions from a
regulatory perspective may be considered relevant to a user entitys ICFR
Objective of the service auditor - Obtain reasonable assurance and express opinion regarding:
Managements description of the service organizations system (if it is fairly presented)
Design and implementation of I/C
Operating effectiveness of I/C (only in Type 2 engagement)
Service auditor engagement/report may be a Type 1 or Type 2
Type 1 Report - Opinion on design/implementation of the service organizations I/C
Type 2 Report - Opinion on design/implementation AND operating effectiveness of the
service organizations I/C
A7-34
Miles CPA Review AUD-7
Inherent Limitations
The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit
and report on user entities' financial statements and may not, therefore, include every aspect of the system that each
individual user entity may consider important in its own particular environment. Because of their nature, controls at a
service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions [or
identification of the function performed by the system]. Also, the projection to the future of any evaluation of the
fairness of the presentation of the description, or conclusions about the suitability of the design or operating
effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service
organization may become ineffective.
Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion
a. the description fairly presents the [type or name of] system that was designed and implemented throughout
the period [date] to [date].
b. the controls related to the control objectives stated in the description were suitably designed to provide
reasonable assurance that the control objectives would be achieved if the controls operated effectively
throughout the period [date] to [date] and subservice organizations and user entities applied the
complementary controls assumed in the design of XYZ Service Organizations controls throughout the period
[date] to [date].
c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the
description were achieved throughout the period [date] to [date] if complementary subservice organization and
user entity controls assumed in the design of XYZ Service Organizations controls operated effectively
throughout the period [date] to [date].
Restricted Use
This report, including the description of tests of controls and results thereof in [section number where the description of
tests of controls is presented], is intended solely for the information and use of management of XYZ Service
Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date]
to [date], and their auditors who audit and report on such user entities' financial statements or internal control over
financial reporting and have a sufficient understanding to consider it, along with other information, including
information about controls implemented by user entities themselves, when assessing the risks of material misstatement
of user entities' financial statements. This report is not intended to be, and should not be, used by anyone other than the
specified parties.
A7-36
Miles CPA Review AUD-7
Type 1 Report - Design of I/C as of [date]
Type 2 Report - Design and Operating Effectiveness of I/C for the period [date] to [date]
Sample Type 1 Service Auditors Report:
[Note that the Type 2 Service Report template has been taken and modified to the Type 1 Service
Report - all edits are highlighted in grey to appreciate the differences between the two reports]
Independent Service Auditors Report on XYZ Service Organizations Description of Its [type or name of] System and
the Suitability of the Design and Operating Effectiveness of Controls
To: XYZ Service Organization
Scope
We have examined XYZ Service Organization's description of its [type or name of] system entitled "XYZ Service
Organization's Description of Its [type or name of ] System" for processing user entities' transactions [or identification of
the function performed by the system] throughout the period [date] to [date] as of [date] (description) and the
suitability of the design and operating effectiveness of the controls included in the description to achieve the related
control objectives stated in the description, based on the criteria identified in "XYZ Service Organization's Assertion"
(assertion). The controls and control objectives included in the description are those that management of XYZ Service
Organization believes are likely to be relevant to user entities' internal control over financial reporting, and the
description does not include those aspects of the [type or name of] system that are not likely to be relevant to user
entities' internal control over financial reporting.
[Add additional statement(s) in one/more of the below situation(s):
information that is not covered by the report is included in the description of the service organization's system
the service organization uses a subservice organization, the carve-out method is used to present the subservice
organization, and complementary subservice organization controls are required to meet the control objectives
complementary user entity controls are required to meet the control objectives]
Inherent Limitations
The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit
and report on user entities' financial statements and may not, therefore, include every aspect of the system that each
individual user entity may consider important in its own particular environment. Because of their nature, controls at a
service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions [or
identification of the function performed by the system]. Also, the projection to the future of any evaluation of the
fairness of the presentation of the description, or conclusions about the suitability of the design or operating
effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service
organization may become ineffective.
Other Matter
We did not perform any procedures regarding the operating effectiveness of controls stated in the description and,
accordingly, do not express an opinion thereon.
Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization's assertion
a. the description fairly presents the [type or name of] system that was designed and implemented throughout
the period [date] to [date] as of [date].
b. the controls related to the control objectives stated in the description were suitably designed to provide
reasonable assurance that the control objectives would be achieved if the controls operated effectively
throughout the period [date] to [date] as of [date] and subservice organizations and user entities applied the
complementary controls assumed in the design of XYZ Service Organizations controls throughout the period
[date] to [date] as of [date].
c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the
description were achieved throughout the period [date] to [date] if complementary subservice organization and
user entity controls assumed in the design of XYZ Service Organizations controls operated effectively
throughout the period [date] to [date].
Restricted Use
This report, including the description of tests of controls and results thereof in [section number where the description of
tests of controls is presented], is intended solely for the information and use of management of XYZ Service
Organization, user entities of XYZ Service Organization's [type or name of] system during some or all of the period [date]
to [date] as of [date], and their auditors who audit and report on such user entities' financial statements or internal
control over financial reporting and have a sufficient understanding to consider it, along with other information,
including information about controls implemented by user entities themselves, when assessing the risks of material
misstatement of user entities' financial statements. This report is not intended to be, and should not be, used by anyone
other than the specified parties.
A7-38
Miles CPA Review AUD-7
A7-39
AUD-7 Miles CPA Review
GAGAS (Generally Accepted Government Auditing Standards) - Standards for use by auditors of
government entities, entities that receive government awards and audit organizations performing
GAGAS audits
Also known as the Yellow Book
Issued by the Comptroller General of the US who is the director of the Governmental
Accountability Office (GAO)
Comprises of:
Auditing Standards
Professional Responsibilities & Ethics
A7-40
Miles CPA Review AUD-7
GAGAS incorporates GAAS (SAS AU-C by AICPA), and details additional requirements that apply
General Standards - TIP + Q {Question - Will the same TIP work for GAGAS?}
Fieldwork Standards - PIC + APPEND {Need to APPEND the Yellow Book to the Field PIC!}
Reporting Standards - ACDE + AICPA CD-VCD {Remember you still are AICPAs auditors
albeit with CDs & VCDs!}
Views of entity
officials
Confidential &
Sensitive Info
Distribution of
reports
A7-41
AUD-7 Miles CPA Review
A7-42
Miles CPA Review AUD-7
A7-43
AUD-7 Miles CPA Review
A7-44
Miles CPA Review AUD-7
A7-46
Miles CPA Review AUD-7
GAGAS
Report on ICFR & Compliance {ICPA of AICPA} = No opinions required
^ Independent Auditors Report
[Appropriate Addressee]
We have audited, in accordance with the auditing standards generally accepted in the United States of America and
the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller
General of the United States, the financial statements of the governmental activities, the business-type activities, the
aggregate discretely presented component units, each major fund, and the aggregate remaining fund information of
XYZ Entity, as of and for the year ended June 30, 20X1, and the related notes to the financial statements, which
collectively comprise XYZ Entitys basic financial statements, and have issued our report thereon dated August 15,
20X1.
A7-47
AUD-7 Miles CPA Review
Reporting requirements for Single Audits {AICPAs auditors now with SCI-Fi CDs & VCDs!}
Reports required per GAGAS: {AICPA}
A Audit Report per GAGAS
C I Report on Compliance for each major program and a report on I/C over compliance
Compliance for each major program - Opinion required on compliance with Federal
statutes, regulations, and terms & conditions of Federal awards which could have a direct &
material effect on each major program
I/C over compliance - No opinion required; auditor only needs to describe the scope of
auditors testing and report any significant deficiencies or material weaknesses
Refer to Fi (Schedule of Findings & Questioned Costs)
A7-50
Miles CPA Review AUD-7
Sample Single Audit Report on Compliance for each major program & Report on I/C over compliance:
Independent Auditors Report
[Appropriate Addressee]
Report on Compliance for Each Major Federal Program
AICPA S C I - Fi
We have audited XYZ Entitys compliance with the types of compliance requirements described in the OMB Compliance
Supplement that could have a direct and material effect on each of XYZ Entitys major federal programs for the year ended
June 30, 20X1. XYZ Entitys major federal programs are identified in the summary of auditors results section of the
accompanying schedule of findings and questioned costs.
Managements Responsibility
Management is responsible for compliance with federal statutes, regulations, and the terms and conditions of its federal
awards applicable to its federal programs.
Auditors Responsibility
Our responsibility is to express an opinion on compliance for each of XYZ Entitys major federal programs based on our
audit of the types of compliance requirements referred to above. We conducted our audit of compliance in accordance
with auditing standards generally accepted in the United States of America; the standards applicable to financial audits
contained in Government Auditing Standards, issued by the Comptroller General of the United States; and the audit
requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles,
and Audit Requirements for Federal Awards (Uniform Guidance). Those standards and the Uniform Guidance require that
we plan and perform the audit to obtain reasonable assurance about whether noncompliance with the types of compliance
requirements referred to above that could have a direct and material effect on a major federal program occurred. An audit
includes examining, on a test basis, evidence about XYZ Entitys compliance with those requirements and performing such
other procedures as we considered necessary in the circumstances.
We believe that our audit provides a reasonable basis for our opinion on compliance for each major federal program.
However, our audit does not provide a legal determination of XYZ Entitys compliance.
Opinion on Each Major Federal Program
In our opinion, XYZ Entity complied, in all material respects, with the types of compliance requirements referred to above
that could have a direct and material effect on each of its major federal programs for the year ended June 30, 20X1.
A7-51
AUD-7 Miles CPA Review
AICPA SCI-Fi
Schedule of findings and questioned costs - Must include:
Summary of the auditors results
Audit of F/S - type of opinion issued
ICFR Report - if audit detected any significant deficiencies or material weaknesses in I/C
Compliance Report - if audit detected any non-compliance that is material to F/S
Regarding Major programs:
Identification/listing of major programs; however in case of cluster of programs, only
the cluster name as shown on Schedule of Expenditures of Federal Awards is required
Dollar threshold used to distinguish between Type A and Type B programs
Compliance Report on each major program - Type of opinion issued
I/C over Compliance - if audit detected significant deficiencies or material weaknesses
in I/C over compliance for major programs
Statement as to whether the auditee qualified as a low-risk auditee
Statement as to whether the audit disclosed any Findings & Questioned costs for Federal
awards that the auditor is required to report
Findings & Questioned costs for Federal awards - Include findings in sufficient detail/clarity
Relating to Compliance of each major program and I/C over compliance:
Material non-compliance with provisions of Federal statutes, regulations, or terms &
conditions of Federal awards related to a major program
Also, circumstances concerning why the auditors report on compliance for each major
program is other than an unmodified opinion, if applicable
Known or likely fraud affecting a Federal award
Significant deficiencies and material weaknesses in I/C over major programs and
significant instances of abuse relating to major programs
Questioned costs:
Known questioned costs > $25K for any compliance requirement for a major program
- Known questioned costs are those specifically identified by the auditor. However,
note that in evaluating the effect of questioned costs on the opinion on compliance,
the auditor considers the best estimate of total costs questioned (likely questioned
costs), not just the questioned costs specifically identified (known questioned costs)
Known questioned costs > $25K for a Federal program not audited as a major program
- Except for Audit follow-up, auditor is not required to perform audit procedures for a
program that is not audited as a major program; therefore, less chances of the
auditor finding questioned costs for such programs
Previous audit engagements - Instances where the auditor detects that the summary
schedule of prior audit findings prepared by the entity was materially misrepresented
A7-52
Miles CPA Review AUD-7
A7-53