The 2021 Compliance Supplement: Key takeaways for auditors and auditees

On Aug. 12, 2021, the Office of Management and Budget (OMB) released the 2021 Compliance Supplement, which is updated annually. The 2021 Compliance Supplement is used by external auditors to perform single audits for fiscal years ending on or after June 30, 2021. While the Compliance Supplement guidance is intended for auditors, it’s also a great resource for auditees. Here are the key changes and updates to the 2021 Compliance Supplement and some important considerations for your upcoming single audit.

Caution: We’re aware that OMB intends to release addenda to the 2021 Compliance Supplement to address programs funded by the American Rescue Plan Act (ARPA). This year, the Addenda will be posted to CFO.gov. It’s critical for auditors and auditees to understand what’s included in the 2021 Compliance Supplement and subsequent Addenda, as each will have a significant impact to audit testing and conclusions reached. Access the 2021 Compliance Supplement here.

Overall takeaways

• Higher risk designation: A significant number of programs have been given the “higher risk” designation by OMB. This designation is expected to have a considerable impact on auditors’ major program determination and will likely result in a substantial increase in the number of major programs. A full list of programs is included in the table below.
• Single audit due dates: The due dates outlined in OMB’s Memorandum M-21-20, published in March 2021, are included in Appendix VII. These extensions are only applicable to fiscal year-ends through June 30, 2021. To learn more, read our recent article, OMB issues M-21-20.
• FFATA: The 2021 Compliance Supplement brings back testing of the reporting required under the Federal Funding Accountability and Transparency Act (FFATA) and expands the applicability of this from the 2020 Compliance Supplement Addendum. Auditors will be required to test FFATA reporting for prime recipients, for all major programs where reporting is subject to audit (i.e., if reporting is marked “Y” in the matrix of compliance requirements), regardless of whether COVID-19 funding was involved. Note there’s one exception that relates to CRF. Although CRF identifies reporting as subject to audit, Treasury OIG Reporting Guidance (FAQ 31) indicates CRF is not subject to FFATA. The required testing will focus on the input system.
• Revised Uniform Guidance: Part 3 has been updated with consideration of certain revisions to the Uniform Guidance that became effective in 2020; however, the revisions aren’t called out separately in the Compliance Supplement. Due to Uniform Guidance changes that occurred partway through the year under audit, auditors will have to be especially cognizant of the terms and conditions of the awards subject to audit.
  • The Compliance Supplement provides specific instructions related to Uniform Guidance procurement threshold changes, stating that “auditors are not expected to develop findings for entities that have implemented increased thresholds for all awards after November 12, 2020.”
• SEFA and DCF presentation: Similar to last year, Appendix VII includes guidance that auditees should separately identify awards funded through COVID-19 relief on the SEFA and DCF, and provides a sample illustration. The Department of Education also has program-specific instructions related to Assistance Listing Number 84.425 (Education Stabilization Fund).
• Issuing single audit reports: If a SEFA contains a major program that will be included in either of the Addenda, the AICPA has strongly encouraged auditors not to issue single audit reports until the respective Addenda is published. Although single audits will be delayed, the Addenda will provide auditors with a much better understanding of agency expectations for the audits of these new programs.

Program-specific takeaways

• ARPA programs included in the Addendum: The complete list of potential programs that will be included (as listed in Appendix VII) is shown below. Note that we recently learned that OMB may expand the list of programs included in a second Addenda.

*Final agency determination in pending as to whether program will be in the Addenda.

• Provider Relief Fund (PRF) (93.498) SEFA reporting: Auditees are to report PRF expenditures and/or lost revenue on their SEFA for fiscal year-ends ending on or after June 30, 2021. This guidance supersedes the 2020 Compliance Supplement Addendum. Auditors will also be required to test out-of-network patient out-of-pocket expenses in conjunction with the Special Test and Provisions compliance requirement. To learn more about PRF SEFA reporting, read our recent article detailing the required timing to report PRF expenditures on the SEFA.
• Education Stabilization Fund (ESF) (84.425) structure: ESF has more than 20 distinct subprograms that are all considered as one program for the purposes of major program determination. Again, in 2021, there are two sections of the Compliance Supplement that provide guidance for 84.425, each with separately identified compliance requirements subject to audit. This program has been funded through three separate legislative acts, which has resulted in incremental funding to existing awards that comes with new or different terms and conditions. Users of the Compliance Supplement will need to pay particular attention to which subprograms are included in the Compliance Supplement and the Addenda. Ultimately, it’s expected that certain subprograms won’t be included in any publication, which means that auditors will need to utilize Part 7 of the 2021 Compliance Supplement to determine which compliance categories are direct and material. The Compliance Supplement includes specific instructions from the Department of Education on how auditees should report ESF and subprograms on the SEFA and data collection form (DCF). Refer to the “Other Information” section included in Part 4 of the 2021 Compliance Supplement.
• Community Facilities Loans and Grants Cluster (10.766/10.780): The “Other Information” section of this program includes important guidance related to a prospective change in the SEFA reporting for these funds. Community facilities loans will be deemed to have continuing compliance requirements which will require the loan balance to be reported on the SEFA. The United States Department of Agriculture (USDA) plans to inform all borrowers of this change through an Administrative Notice, which will be posted to USDA’s website. This will likely result in many organizations requiring single audits for the first time in many years, starting with fiscal years ending on June 30, 2022. The “Other Information” section explicitly states that there’s no expectation that borrowers with outstanding loan balances in years prior to June 30, 2022 retrospectively have single audits performed for prior periods.

Guidance for higher risk designations

When completing major program determination, auditors will have to consider guidance outlined in the Compliance Supplement when determining the risk classification of a program/cluster. For a Type A program/cluster designated as higher risk to be considered low risk, both of the following criteria must be met:

• The program otherwise meets the criteria for a low-risk Type A program in section 200.518 of the Uniform Guidance.
• The percentage of COVID-19 funding in the program or other cluster during the entity’s fiscal year is not material to the program or other cluster as a whole.

When completing major program determination, auditors will have to consider guidance outlined in the Compliance Supplement when determining the risk classification of a program/cluster.

Auditors are not required to prioritize the assessment of risk for higher risk Type B programs/clusters over other type B programs/clusters. However, auditors must consider the “higher risk” designation along with the other factors of risk assessment included in section 200.519 of Uniform Guidance when assessing Type B programs/clusters.

There’s a carve-out for the Research and Development (R&D) cluster. The inclusion of COVID-19 funding within the R&D cluster doesn’t create a “higher risk” designation.

All programs created by the American Rescue Plan Act (ARPA) that meet the Type A threshold are deemed higher risk and will be required to be tested as major. Below is a list of non-ARPA programs that are designated as higher risk, as outlined in Appendix IV:

*Part 4 of the 2021 Compliance Supplement doesn’t include this program, and it’s not expected to be included in either Addenda scheduled for later release. Auditors will need to follow the guidance in Part 7 when determining what direct and material compliance requirements will be tested.

Closing thoughts

As you prepare for your single audit and navigate the complexities of your federal funding, we’re here and ready to help. Don’t hesitate to reach out.

To learn more about key changes to the 2021 Compliance Supplement and audit implications, join us on August 24 for our webinar: 2021 Compliance Supplement and Single Audit Update.