Frequently Asked Questions about Audits for Foreign-based Recipients
The Centers for Disease Control and Prevention (CDC) is receiving questions from its foreign-based recipient community regarding audits and has compiled a list of Frequently Asked Questions (FAQs). As CDC receives additional questions, CDC will update these FAQs. If recipients have additional or clarification questions about audits, please reach out to RMICU.Audit.Resolution@cdc.gov.
Foreign-based recipients and sub-recipients are defined consistent with the terms “foreign organization” and “foreign public entity” as set out in grants regulations found at 45 CFR 75.2. For the purposes of CDC’s audit processes and these FAQs, CDC uses the broader terms foreign-based recipient or sub-recipient as inclusive of these defined terms.
Per 45 CFR Subpart F, a recipient must have a single or program-specific audit conducted for that fiscal year if the non-federal entity expends $750,000 or more in total on all U.S. government grants during the non-federal entity’s fiscal year. Agencies may not increase the threshold; however, they do have the authority to lower the threshold.
As a policy matter, in most circumstances, CDC has lowered the threshold for foreign-based recipients, requiring those foreign-based recipients to conduct audits if they expend $300,000 or more under all U.S. government grants. If that amount is different under a particular award, CDC will notify the recipient of the applicable threshold. When a single audit is not required, the foreign-based recipient may elect to have a program-specific audit conducted in accordance with 45 CFR 75.501.
A single audit includes an audit of both the financial statements and federal awards. Program-specific audits do not require a financial statement audit (45 CFR 75.501(c)). However, when a program-specific audit guide is not available, a program-specific audit must consist of the financial statement(s) of the federal program, a summary schedule of prior audit findings, and a corrective action plan (45 CFR 75.507(c)(3)).
Awards to foreign-based recipients are subject to 45 CFR Part 75, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Department of Health and Human Services (HHS) awards (which includes CDC), Subparts A-E. Though the grants regulations do not specify application of Subpart F (Audit Requirements) with respect to foreign-based recipients, CDC has determined that the same principles may be applied to these recipients.
Per 45 CFR Part 75.514(a), audits must be conducted in accordance with generally accepted government auditing standards. Foreign-based recipients should refer to the Government Auditing Standards (referred to as the Yellow Book) for guidance. The Government Auditing Standards identify generally accepted government auditing standards (GAGAS) for use by auditors of government entities. Foreign countries and in-country jurisdictions may apply additional audit standards, such as the auditing standards promulgated by the International Organization of Supreme Audit Institutions or the auditing guidelines of the International Auditing and Assurance Standards Board (IAASB).
Applicable administrative requirements, cost principles, and audit requirements are set out in the Terms and Conditions (T&C) of the recipient’s Notice of Award (NoA). The terms and conditions of federal awards apply to subrecipients unless the terms and conditions of the award specifically indicate otherwise. If any requirement in the NoA, Notice of Funding Opportunity (NOFO), the HHS Grants Policy Statement, 45 CFR Part 75, or applicable statutes/appropriations acts conflict, then statutes and regulations take precedence.
CDC requires that the auditor used by a foreign-based recipient be a U.S.-based Certified Public Accountant firm, the foreign government’s Supreme Audit Institution or equivalent, or an audit firm endorsed by the U.S. Agency for International Development’s (USAID) Office of Inspector General. CDC may review as necessary any USAID-endorsed audit firm on a case-by-case basis to ensure the firm meets GAGAS requirements.
As noted above, USAID endorsed firms are one of three types of auditing firms that are acceptable for CDC foreign-based awards. USAID maintains the USAID List of Acceptable Audit Firms, which can be requested from Contact Us | U.S. Agency for International Development (usaid.gov). Additionally, CDC recipients can refer to the USAID Financial Audit Guide for Foreign Organizations – A Mandatory Reference for ADS Chapter 591, which provides the criteria used by foreign audit firms to assess recipients. The USAID Framework for Audit Firm Assessment contains guidance for selecting USAID-endorsed independent auditors to perform financial audits.
Foreign-based recipients can confirm with various sources about whether such a body exists and how to contact such a body. Sources that may help include reaching out to the host country government itself or using external sources like the International Federation of Accountants (IFAC). As a general matter, the primary accounting bodies in each country are affiliated with IFAC, which supports the development, adoption, and implementation of international accounting standards. IFAC consists of a 180-member organizations and constituents in more than 135 jurisdictions.
The professional accountancy organizations (PAO) or members affiliated with IFAC are listed at https://www.ifac.org/what-we-do/global-impact-map. The adoption status by jurisdiction and standard are listed at Global Impact Map | IFAC.
Also, a list of global Accounting Professional Bodies is located at List Of Accounting Professional Bodies In The World (trendingaccounting.com). A few of the professional bodies listed do not belong to IFAC, as they operate more like specialist bodies helping the work of accountants and auditors in the fields of taxation and forensic and systems auditing.
The International Financial Reporting Standards (IFRS) is the most common set of accounting principles outside the United States. IFRS is used in the European Union, Australia, Canada, Japan, India, and Singapore. IFRS is equivalent to generally accepted accounting principles (GAAP) in the U.S. and is currently used in 166 jurisdictions.
Additionally, the IFRS Foundation is a not-for-profit international organization responsible for developing a single set of global accounting and sustainability disclosure standards, known as International Financial Reporting Standards (IFRS) Standards. For more information, please see the IFRS webpage.
There are four boards that support and are responsible for setting international standards for audits and assurance, professional ethics, public sector financial reporting, and professional skills and competencies listed below. The structures and processes that support the independent standard-setting boards’ operations are facilitated by IFAC.
- International Auditing and Assurance Standards Board (IAASB) – sets international standards for auditing, assurance, and quality management that strengthen public confidence in the global profession (IAASB | IFAC).
- International Accounting Education Standards Board (IAESB) – establishes standards for professional accountancy education that prescribe technical competence and professional skills, values, ethics, and attitudes (IAESB | IFAC).
- International Ethics Standards Board for Accountants (IESBA) – sets internationally appropriate ethics standards for professional accountants, including auditor independence requirements (IESBA | IFAC (ethicsboard.org).
- International Public Sector Accounting Standards Board (IPSASB) – develops standards, guidance, and resources for use by public sector entities around the world for preparation of general-purpose financial statements (IPSASB | IFAC).
Yes. Audit organizations affiliated with one of the recognized organizations listed below should comply with the respective organization’s peer review requirements and the requirements listed in GAGAS paragraphs 5.66 through 5.80.
- American Institute of Certified Public Accountants
- Council of the Inspectors General on Integrity and Efficiency
- Association of Local Government Auditors
- International Organization of Supreme Audit Institutions
- National State Auditors
Any audit organization not affiliated with an organization listed above should meet the minimum peer review requirements from GAGAS paragraphs 5.66 through 5.94.
CDC will inform recipients of the audit firm’s noncompliance with GAGAS, which is reported as a noncompliant audit. Recipients must then provide CDC with a corrective action plan on how noncompliance will be addressed. Once a plan is provided, CDC will process the audit and will check the next audit for compliance.
Yes. Recipients and audit firms must follow GAGAS requirements. CDC policy reflects the two categories of GAGAS requirements (Chapter 2 of the Yellow Book) listed below.
- Unconditional requirements: Auditors and audit organizations must comply with an unconditional requirement in all cases where such requirement is relevant. GAGAS uses “must” to indicate an unconditional requirement.
- Presumptively mandatory requirements: Auditors and audit organizations must comply with a presumptively mandatory requirement in all cases where such a requirement is relevant except in rare circumstances discussed in paragraphs 2.03, 2.04, and 2.08. GAGAS uses “should” to indicate a presumptively mandatory requirement. Auditors and audit organizations can choose not to comply with a “should” statement but will need to justify the departure in working papers and disclose the non-compliance in the audit report.
Yes. Per GAGAS paragraph 5.01 (peer review) and GAGAS paragraph 4.01 (continuing professional education), the requirements are intended to be followed in conjunction with those of all other applicable GAGAS requirements. The purpose of peer review and continuing education requirements are to ensure the quality of audits.
Consistent with GAGAS, a peer review provides assurance that an audit organization is following its established policies and procedures and applicable auditing standards. Per 45 CFR 75.509, any recipient procuring audit services must request a copy of the audit organization’s peer review report which the auditor is required to provide under GAGAS. According to GAGAS paragraph 5.60, audit organizations conducting engagements are required to obtain an external peer review conducted by independent reviewers to determine whether an audit organization’s quality control system is suitably designed and is in place and operating effectively.
Per GAGAS paragraph 5.84, an audit organization not already subject to a peer review requirement should obtain an external peer review at least once every 3 years. The audit organization should obtain its first peer review covering a review period ending no later than 3 years from the date an audit organization begins its first engagement. Findings related to peer review and continuing education credits correlate to the competence and quality of work by the audit firm.
CDC does not endorse any specific peer review or quality control programs. However, there are quality control guides published by reputable organizations specifically for single audit reviews.
Per GAGAS, auditors in governments or jurisdictions without access to established peer review programs may engage other auditors, including public accounting firms, to conduct external peer reviews. If access to an established peer review program is not available, auditors may organize regional programs with other auditors.
CDC will reject an audit when it does not comply with peer review or continuing education requirements. CDC will send a noncompliant letter outlining the peer review and continuing education requirements and indicate that the recipient did not comply. Once the recipient responds to CDC with an acceptable corrective action plan to meet the requirement(s), then CDC will process the audit. At the next fiscal audit year, CDC will not accept the audit if the requirements are still not met. If a recipient needs further clarification on this question, please reach out to RMICU.Audit.Resolution@cdc.gov.
Per 45 CFR 75 Subpart F – Audit Requirements and GAGAS, auditors who plan, direct, perform, and report on an engagement must develop or maintain their competency by completing 80 hours of Continuing Professional Education (CPE) during every two-year period, with a minimum of 20 hours of CPE in each year of that period. Of those 80 hours, at least 24 hours need to be directly related to the government environment, government auditing, or the specific environment in which the audited entity operates; the remaining 56 hours of subject matter should directly enhance professional expertise to conduct engagements (GAGAS paragraphs 4.16 – 4.17).
To maintain audit independence, CDC is unable to advise audit firms on specific vendors or training courses. According to GAGAS paragraph 4.21, determining what subjects are appropriate for individual auditors to satisfy the CPE requirements is a matter of professional judgment to be exercised by auditors in consultation with appropriate officials in their audit organization. When determining what specific subjects qualify for the CPE requirement, the auditors may consider the types of knowledge, skills, and abilities, and the level of proficiency necessary to be competent for their assigned roles. Auditors may consider probable future engagements to which they may be assigned when selecting specific CPE subjects to satisfy the 24-hour and the 56-hour CPE requirements. The audit organization is ultimately responsible for determining whether a subject or topic qualifies as acceptable for its auditors.
CDC recommends an audit firm also review the Statement on Standards for CPE Programs jointly published by the American Institute of Certified Public Accountants (AICPA) and National Association of State Boards of Accountancy (NASBA). The document provides a framework for the development, presentation, measurement, and reporting of CPE programs. Generally, NASBA-certified courses are widely accepted towards continuing education, and can be taken online, in-person, or through self-study.
Most auditing and accounting authoritative bodies require a system of quality control in foreign countries.
For example, in December 2020, the International Auditing and Assurance Standards Board (IAASB) released three new International Standards on Quality Management (ISQM) which are comprised of ISQM 1, ISQM 2 and ISA 220 (revised). Each of the standards is outlined below.
- ISQM 1 explains the firm’s responsibility to establish policies or procedures addressing engagements that are required to be subject to engagement quality reviews.
- ISQM 2 describes the appointment and eligibility of the engagement quality reviewer, and the performance and documentation of the engagement quality review.
- ISA 220 strengthens and modernizes the audit firm’s approach to quality management.
IAASB requires firms to have systems of quality management designed and implemented in accordance with ISQM 1 by December 15, 2022. The ISQM 1 first-time implementation guide can be found at: ISQM 1 First-Time Implementation Guide | IFAC (iaasb.org).
For audits to be relied on, audit firms must be independent in appearance and fact. There are many threats facing audit firms, and the auditor must apply any necessary safeguards to remove those threats to independence or minimize them to an acceptable level in which independence would no longer be impaired. To learn more about threats to independence and safeguards that can mitigate these threats, review GAGAS paragraphs 3.17-3.108.