Risk Assessment for a Government

AU-C section 220, Quality Control for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards (AICPA, Professional Standards) addresses guidance regarding evaluating acceptance and continuance of audit client relationships.

Auditors should also evaluate their continued independence in consideration of other nonaudit services provided and other factors.

AU-C section 300, Planning an Audit (AICPA, Professional Standards) addresses the auditor's responsibilities to plan an audit of the financial statements.

The auditor should establish an overall audit strategy that sets the

• scope,
• timing,
• direction of the audit, and
• audit plan.

It is important to understand the government's size and complexity.

Understanding of the Entity and Its Environment

The auditor's understanding of the entity and its environment consists of an understanding of the following aspects:

1. Federal and state laws and regulations
2. Local charters
3. Budget documents
4. Recent official statements
5. Prior-period financial reports
6. The request for proposal for audit services
7. Minutes of meetings of the governing body and its committees and boards

Understanding the entity would consist of such information as following:¹

• Economic, legislative, regulatory, accounting, and auditing developments that affect the governmental industry in general and the auditee in particular.²
• The composition of the reporting entity
• Relationships and operations between the reporting entity and its component units
• The form of government for the primary government and its component units, for example, a governing board with an elected governor or mayor as the administrator versus a governing board with an appointed manager
• Organizational structure, including the names and experience of top management
• The relationship between the governing body and the CEO and the relationship between the CEO and key management (that is, heads of agencies, departments, divisions, and so on)
• Federal, state, and local laws and regulations governing the general operations of the entity and its component units
• The nature of any joint ventures and the related underlying business rationale
• Factors affecting the continued functioning of the government, for example, the presence or absence of taxpayer initiatives that limit its budget growth or addition of services
• Budget philosophies (that is, are revenues budgeted conservatively and expenses or expenditures [or both] budgeted aggressively or the reverse?) and how elected officials look to balance the budget in times of economic stress or decline
• Debt management policies and their underlying rationale
• Investment management policies and their underlying rationale
• The existence and functions of an audit committee or other group or individual with oversight responsibility for financial reporting
• Primary sources of revenue (for example, property taxes, appropriations from other governments, grants, contracts, and service charges), how and at what location they are received by the entity (that is, customer remittances, mailed checks, electronic funds transfers, and so on), and how transactions are authorized, initiated, recorded, and reported
• Services provided by the entity and the relative level of resources used for each function or program
• Involvement in complex, unusual, or risky activities and the entity's rationale for entering into such arrangements
• Services and in-kind services provided by separate departments and independent entities (for example, hospitals, school districts, redevelopment agencies) and their relationship to the entity to be audited
• Accounting and financial reporting requirements established by another government with financial reporting oversight responsibilities
• Accounting and financial reporting policies, procedures, and systems, including the number and nature of funds, when funds are created or eliminated, supplementary records that are maintained for capital assets (including infrastructure capital assets) and long-term debt, and the entity's methods of producing information for presentation in the government-wide financial statements from fund-based accounting data
• If accounting and financial reporting functions are automated, the types of computer equipment used, personnel involved, and similar background information, including software packages and operating systems and how often each are reviewed for continued adequacy and relevance.
• Opinion modifications on prior-period financial statements that could lead to opinion modifications on the current-period financial statements
• The current status of deficiencies in internal control previously communicated to those charged with governance and the reasons for any that have not been corrected
• Findings of any regulatory or oversight agency whether they be financial or operational in nature
• The current status of prior-period findings, including findings and questioned costs in compliance audits that could require the reporting of contingent liabilities.
• The nature of any compliance auditing requirements
• Special reporting requirements

For audits performed under Government Auditing Standards, paragraph 4.05 of Government Auditing Standards, 2011 Revision includes an additional requirement for auditors to evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the financial statements or other financial data significant to the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. Also, see the AICPA Audit Guide Government Auditing Standards and Single Audits.

Because of legal or contractual provisions concerning confidentiality, some governments restrict an auditor's access to certain source records that support amounts that are material to the financial statements. For example, state constitution or legislation may restrict access of state income tax returns to employees of the state's revenue collection department. In such a situation, an auditor may be able to perform adequate alternative procedures to obtain sufficient appropriate audit evidence to achieve the audit objectives. Alternatives may include procedures performed by the internal audit organization for the auditor or substantive procedures that provide indirect evidence about the information, such as analytical procedures. AU-C section 610, Using the Work of Internal Auditors (AICPA, Professional Standards), provides requirements and guidance when using the work of internal auditors. AU-C section 520, Analytical Procedures (AICPA, Professional Standards), addresses the auditor's use of analytical procedures as substantive procedures. AU-C section 700, Forming an Opinion and Reporting on Financial Statements (AICPA, Professional Standards), provides requirements and guidance if the auditor is not able to perform adequate alternative procedures. As discussed in AU-C section 700, restrictions on the scope of the audit, whether imposed by the client or by circumstances, (including the inability to obtain sufficient appropriate audit evidence), may require the auditor to qualify the opinion or to disclaim an opinion.

Understanding Internal Controls

AU-C section 315 states that the auditor should obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor's professional judgment whether a control, individually or in combination with others, is relevant to the audit. When obtaining an understanding of relevant controls, the auditor should evaluate the design of those controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity's personnel. An understanding of the five components of internal control assists the auditor in identifying the types of potential misstatements and factors that affect the risks of material misstatement and in designing the nature, timing, and extent of further audit procedures. Because an audit of a government's financial statements is based on opinion units, the auditor's consideration of internal control in assessing the risks of material misstatement should address each opinion unit.

The auditor should use such knowledge to

• identify types of potential misstatements;
• consider factors that affect the risks of material misstatement; and
• design tests of controls, when applicable, and substantive procedures.

Obtaining an understanding of internal control is distinct from testing the operating effectiveness of internal control. The objective of obtaining an understanding of internal control is to evaluate the design of controls and determine whether they are implemented for the purpose of assessing the risks of material misstatement. In contrast, the objective of testing the operating effectiveness of internal control is to determine whether the controls, as designed, prevent or detect a material misstatement.

AU-C section 315 defines internal control as “a process effected by those charged with governance, management, and other personnel that is designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives.” Internal control consists of the following five interrelated components:

a.     The control environment

b.     The entity's risk assessment process

c.     The information system, including the related business processes relevant to financial reporting and communications

d.     Control activities relevant to the audit

e.     Monitoring of controls

Control Environment—The control environment is the foundation for effective internal control. It is the responsibility of management, with oversight from those charged with governance, to establish a control environment and maintain policies and procedures that assist in achieving the objective of ensuring the orderly and efficient conduct of the entity's business. The control environment sets the tone of the entity, influencing the control consciousness of its employees.

The control environment includes the attitudes, awareness and actions of management and those charged with governance related to internal control, and its importance in the government.

The following list includes examples of unique characteristics of a government's environment and its internal control that the auditor may consider in assessing the risks of material misstatement:

• Members of senior management and the governing board are elected officials or report to elected officials and therefore often are subject to political influences.
• Elected officials may focus on solutions that are popular with the voting public rather than less popular solutions. This focus could result in decisions that benefit the short-term rather than long-term.
• The governing board usually holds its meeting in public.
• The press and citizens often hold management and governing board decisions and otherwise seemingly insignificant matters up to substantial scrutiny.
• Management and governing board actions often are mandated or otherwise affected by laws, regulations, and provisions of contracts and grant agreements.
• GAAP financial statements should conform to GASB standards and governmental financial statements at times are required to conform to accounting and financial reporting requirements established by another government with financial reporting oversight responsibilities.
• Management is, or those charged with governance are, required by law or some other regulation to respond to results of audits and regulatory and grantor reviews.
• Limited financial resources, limitations on the ability to develop new revenue sources, or both, coupled with unfunded mandates for services, may result in officials asking management and staff to do more with less.
• Elected officials sometimes use excess revenues during times of economic growth rather than to create reserves for future budget shortfalls.
• Generous retirement benefits and a disciplinary structure that often requires numerous levels of approval create a relatively stable workforce even though salary structures are often below the market.
• Existence of organized labor in key functions such as law enforcement, fire and rescue, education, health care, and public works may create fiscal challenges for the entity during times of flat or declining revenues.

• The hierarchical structure of government organizations in general, and certain functions specifically (that is, law enforcement, fire and rescue, and so on), may create an environment that is inflexible or resistant to change.

The entity's risk assessment process—When assessing this area we shall obtain an understanding of whether the entity has a process for

a.     identifying business risks relevant to the financial reporting objectives,

b.     estimating the significance of the risks,

c.     assessing the likelihood of their occurrence,

d.     deciding about actions to address those risks. Examples of matters to consider and document when assessing the government's risk assessment process include the following:

1. How management identifies the risk that affects financial reporting.
2. If relevant to financial reporting, whether reports from regulators or other governments are reviewed and how the entity reacts to such reports.
3. What impact the existence of quality management systems has on the entity's risk assessment process.
4. Whether channels of communications (such as a whistleblower hotline) for people to report suspected improprieties have been established.
5. The scope and context of internal audit activities.
6. The entity's conclusions as to the assessment of risk.

• The information system, including the related business processes relevant to financial reporting and communications—To gain an understanding of the entity's information and communication processes, it should be divided into three main areas:

a.     Information systems relevant to financial reporting

b.     How the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting.

c.     Information technology general controls.

Example: An entity's information system may provide details of all assets purchased, and a report provided to management for approval. However, if this report contains asset code numbers instead of asset descriptions or the report is 1,000 pages long with no summary, these reports may not be effective for approval.

In acquiring an understanding of (and assessing) internal control, the auditor should consider information technology controls (commonly referred to as IT controls) as well as the controls over the manual portions of the system (see AU-C section 315). Further, when an entity obtains computer or other services from another organization and if those services are part of the entity's information system, AU-C section 402, Audit Considerations Relating to an Entity Using a Service Organization (AICPA, Professional Standards), provides requirements and guidance on the factors auditors (referred to as user auditors) should consider when auditing financial statements of an entity that uses a service organization to process certain transactions.

Such guidance includes information about the situations in which to consider the effect of the service organization's controls on user organization's controls and how to consider the effect of those controls. Governments use service organizations, for example, to invest bond proceeds and pension plan assets, to serve as third-party administrators for employee health insurance programs, to perform billing services for enterprise activities, to process cash receipts using a lock box arrangement with a financial institution, and to collect taxes. Sometimes service organizations are other governments. For example, counties sometimes collect property taxes for cities, towns, villages, and school districts within the county, and states sometimes collect income and sales taxes for other governments within the state.

AU-C section 402 requires the auditor to evaluate the significance of the controls of the service organization to those of the user organization and available information about the service organization controls. The user auditor may conclude that the auditor has the means from that available information to obtain a sufficient understanding of internal control to assess the risks of material misstatement. Or, instead, the auditor might conclude that there is a need to obtain specific information from the service organization, to perform procedures at the service organization, or to have a service auditor perform procedures.

Often, governments maintain their accounting systems on a basis of accounting other than GAAP, such as the cash or their budgetary basis of accounting. At year-end, those governments may prepare worksheets to convert their accounting system information as needed for the basic financial statements, rather than enter conversion data into their transaction processing systems.

Control activities relevant to the audit—Control activities are those policies and procedures that help ensure management directives are carried out.

• Examples include the following:

  —     Authorization

  —     Performance reviews

  —     Information processing

  —     Physical controls

  —     Segregation of duties

Entity level control activities are those activities designed to directly prevent or detect a material misstatement in the financial statements.

Monitoring—For a government, monitoring falls into the following two categories:

1. Monitoring of financial results
2. Monitoring of the effectiveness of other controls

Monitoring of financial results is a control activity that occurs at the entity level (by management) as a means of identifying potential misstatements in the financial statements.

Monitoring of controls (by management) is a process designed to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions.

When evaluating monitoring controls, the following matters should be assessed:

a.     Whether management seeks feedback on whether controls operate effectively.

b.     The scope, frequency, and methodology of evaluations of the internal controls.

c.     What budget or reports of performance are monitored and whether follow-up actions are taken as necessary.

d.     Whether there are deficiencies in the monitoring process that would impair financial reporting.

Entity Cycles—As part of our understanding of the government, we identify the cycles within the government's business that are relevant and material to the financial statements.

Cycles contain the activities designed to accomplish the following:

1. Assess, purchase, produce, sell, tax, and distribute products and services
2. Record and manage information, including accounting and financial reporting information
3. Ensure compliance with laws and regulations where a violation could have a material impact on the financial statements.

As auditors, we identify and document the relevant processes and controls within each cycle, from initiation of the transactions to the point at which they are reporting in the accounting records. A relevant control is one that is necessary to prevent, or detect and correct, material misstatements in the financial statements. A relevant process is a procedure that, although relevant, generally does not have any potential to prevent, detect, or correct misstatements. In understanding the cycle, we consider whether the information system does the following:

1. Identifies and records all valid transactions.
2. Describes, on a timely basis, the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
3. Measures the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
4. Determines the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
5. Presents properly the transactions and related disclosures in the financial statements.

For a government, the common cycles include the following:

• Revenue—This cycle includes how taxes and services are originated and accounted for; how the receivable is recorded; how the government handles cash collections and how these transactions are reflected in the general ledger.
• Purchasing, Expenses, Expenditures, and Liabilities—This cycle includes (1) the procurement of goods and services to include the initiation, advertising, evaluation and documentation; (2) how the accounts payable and liability balances are recorded; (3) how the government handles payment; and (4) how these transactions are reflected in the general ledger.
• Payroll—This cycle includes (1) the procedures and controls over newly hired employees, terminations of employment; (2) how employees are paid (12-month versus 9-month); (3) what taxes are due to third parties; and (4) how these transactions are reflected in the general ledger.
• Treasury—This cycle includes (1) how investments and daily cash balances are handled; (2) how transactions are monitored and reflected in the general ledger; (3) compliance with laws and regulations; and (4) the manner in which balances are managed and reconciled.
• Financial Reporting—This cycle includes (1) the period-end procedure and controls related to financial reporting; (2) conversion of fund balances to the government-wide financial presentation; (3) checks the presentation of the financial statements and disclosures; and (4) includes controls over adjusting journal entries.

Materiality

Each major component of the reconciliation.

1. The basic financial statements also include notes to the financial statements.
2. Reporting units represent the separate columnar displays required by GASB standards.
3. Financial reporting alternatives exist for the display of discretely presented component units. They can be presented in individual columns or combined into a single column in the government-wide statements. Combining statements may be included for discretely presented component units or condensed information can be included in the footnotes.
4. These are the opinion units required for an audit of a government's basic financial statements. An auditor may be engaged to set the scope of the audit and assess materiality at a more-detailed level than the opinion units required for the basic financial statements.
5. Except as indicated in (7), auditors should make a single quantitative materiality evaluation for the aggregate discretely presented component units, and apply quantitative materiality to those component units independent of the quantitative evaluations they make for other opinion units and regardless of how major component units are reported in the basic financial statements.
6. Except as indicated in (7), auditors should make a single quantitative materiality evaluation for the remaining fund information, and apply quantitative materiality to that remaining fund information independent of the quantitative evaluations they make for other opinion units.
7. Under certain circumstances, auditors may choose to combine the two aggregate opinion units—the one for the aggregate discretely presented component units and the one for the aggregate remaining fund information—into a single opinion unit referred to as the aggregate discretely presented component unit and remaining fund information opinion unit. Auditors should apply quantitative materiality to that combined aggregate opinion unit independent of the quantitative evaluations they make for other opinion units and regardless of how major component units are reported in the basic financial statements.

Auditors should determine opinion units for audits of a special-purpose government's basic financial statements in the same manner as for general-purpose governments.

• A government that is engaged in a single governmental program and that combines its fund financial statements and government-wide financial statements, will have an opinion unit for

  —     each major governmental fund;

  —     an opinion unit for its aggregate nonmajor governmental funds; and

  —     an opinion unit for the government-wide total column, which represents governmental activities.

• A government that is engaged only in business-type activities and that presents more than one enterprise fund (such as a utility district that provides water, sewer, electric, and refuse operations) will have an opinion unit for

  —     each major enterprise fund and

  —     aggregate nonmajor enterprise fund.

• A government that is engaged only in fiduciary activities has only one opinion unit that represents, in effect, “remaining fund information.” For a public employee retirement system with more than one defined benefit pension plan that presents separate financial statements for each plan, as required by GASB standards, those separate plan financial statements do not represent separate opinion units but rather are aggregated into a single opinion unit.

Going Concern Considerations

Under GASB Statement No. 56, Codification of Accounting and Financial Reporting Guidance Contained in the AICPA Statements on Auditing Standards, governments have a responsibility to evaluate whether there is substantial doubt about their ability to continue as a going concern for 12 months beyond the financial statement date. (These evaluations should not be performed on reporting units that constitute less than a legally separate entity.) If there is information that is currently known to the government that may raise substantial doubt shortly after this 12-month period (for example, within an additional 3 months), it also should be considered. Continuation of a legally separate governmental entity as a going concern is assumed in financial reporting in the absence of significant information to the contrary. Information that may significantly contradict the going concern assumption would relate to the following:

• A governmental entity's inability to continue to meet its obligations as they become due without substantial disposition of assets outside the ordinary course of governmental operations
• Restructuring of debt
• Submission to the oversight of a separate fiscal assistance authority or financial review board, or similar actions

Indicators that there may be substantial doubt about a governmental entity's ability to continue as a going concern, as stated in GASB Statement No. 56, include the following:

• Negative trends. Recurring periods in which expenses and expenditures significantly exceed revenues, recurring unsubsidized operating losses in business-type activities, consistent working capital deficiencies, continuing negative operating cash flows from business-type activities, or adverse key financial ratios.
• Other indications of possible financial difficulties. Default on bonds, loans or similar agreements, proximity to debt and tax limitations, denial of usual trade credit from suppliers, restructuring of debt (other than refundings), noncompliance with statutory capital or reserve requirements, or the need to seek new sources or methods of financing or to dispose of substantial assets.
• Internal matters. Work stoppages or other labor difficulties, substantial dependence on the success of a particular project or program, uneconomic long-term commitments (burdensome labor contracts, for example), or the need to significantly revise operations.
• External matters. Legal proceedings, legislation, or similar matters that might jeopardize intergovernmental revenues and the fiscal sustainability of key governmental programs; loss of a critical license or patent for a business-type activity; loss of a principal customer, taxpayer, or supplier; or uninsured or underinsured catastrophe such as a drought, earthquake, or flood.

Additional specific examples of conditions or events that may indicate substantial doubt about a government's ability to continue as a going concern are as follows:

• Continuing significant fund balance or net position deficits, or a pattern of annual operating deficits
• Extremely high estimated liability for actual or incurred-but-not-reported claims for uninsured risks, including large adverse legal decisions or settlements
• Higher anticipated costs on construction and similar long-term projects than the entity can reasonably finance given current economic conditions.
• Burdensome pension plan or other postemployment benefit obligations combined with diminishing revenues.
• Potential for large tax refunds because of taxpayers' challenges, for example
• Declining tax or other revenue base because of, for example, property value reassessments, competitive changes (such as consumer choice for electric utility services), or a recessionary economy
• Unwillingness of government officials to pay legally incurred liabilities
• Unwillingness of other governments to continue funding programs at existing levels
• Large investment losses
• Bond rating lowered below investment grade
• Debt covenant violations
• Excessive use of short-term borrowing to reduce cash shortages, including tax and revenue anticipation notes
• Long-term borrowing to eliminate deficits or to meet current operating needs
• Increased borrowings from component units that are not expected to be repaid within a reasonable period of time

Summary

The auditor, in performing an audit of a state or local government, should perform procedures that provide an understanding of the entity and its environment, perform risk assessment procedures, develop materiality and consider the entities ability to continue as a going concern.