Example of Applying Risk Based Approach
Smith first identifies the Type A and Type B programs. As NPO receives less than $100 million in Federal awards, a Type A pro gram has, by definition, the larger of $300,000 or three percent of total Federal expenditures (which, in this case, is $106,170). Thus, Smith classifies as Type A programs those that have $300,000 or more of Federal expenditures (Programs 1 through 5) and the remaining programs (Programs 6 through 12) as Type B programs.
Smith then identifies low-risk Type A programs. As a general rule, Smith initially considers all Type A programs to be subject to audit as major programs and identifies low-risk programs as follows:
1. Include in the scope of the current audit those awards not audited as major programs within the last two years. Smith keeps tabs of when Type A programs were last audited. When obtaining a new client, Smith determines the year each Type A program was audited as a major program during the review of the predecessor auditor's workpapers. Smith intends to audit Program 1 as a major program because it has not been audited in the last two years.
2. Determine through review of prior reports and, if appropriate, of the predecessor auditor's workpapers, whether the programs audited during the previous two years had any audit findings related to reportable conditions, material weaknesses, irregularities, illegal acts, or noncompliance with the provisions of laws, regulations, contracts, or grant agreements. As a practical matter, unless a written waiver is received from the cognizant or oversight entity, Smith audits as a major program any Type A program reported having material weaknesses, irregularities, illegal acts, and instances of material noncompliance. As a result of this procedure, Smith intends to audit Program 2 as a major program.
3. During the initial consideration of internal control
a. determine the inherent risk related to the program. Programs whose nature indicate a low inherent risk are candidates for lowrisk classification. Smith uses his standard risk assessment procedures and such sources as OMB and GAO reports in identifying inherently high-risk programs. In addition, Smith reviews those programs where newspaper and television reports allege irregularities, if for no other reason but to address the inevitable questions from the cognizant or oversight entities.
b. determine if changes in personnel or systems administering the program occurred and, if so, the effect of those changes on the risks related to the program.
c determine if NPO's system of monitoring subrecipients is properly designed.
d. Identify any new programs administered by NPO. Smith classifies Program 3 as high risk because NPO first received this award in 1999.
4. Review recent reports issued by Federal agencies or pass-through entities to see if any significant problems were identified. …