The CARES Act: Impact on Single Audits
By Urszula Skarzynski, Manager, Assurance Services
Overview
The Coronavirus Aid, Relief, and Economic Securities (CARES) Act of 2020 was intended to provide fast and direct economic assistance to American workers, families, and small businesses, and preserve jobs for American industries. The two programs introduced were the Paycheck Protection Program (PPP) and the Economic Injury Disaster Loan (EIDL) Program. These two programs are also available to not-for-profit (NFP) healthcare organizations.
The PPP is the federal government’s main effort to help small businesses withstand the COVID-19 pandemic and is intended to keep people employed at businesses experiencing financial hardship. The CARES Act also expanded the Small Business Administration’s (SBA) long-standing EIDL. The EIDL program was created to assist businesses, renters, and homeowners located in regions affected by declared disasters. The loans distributed under both of these programs have the possibility of being forgiven and if such loans are considered federal grants.
The SBA concluded that PPP loans issued to NFPs do not represent federal financial assistance as contemplated by Uniform Guidance and will not be required to be presented on the Schedule of Expenditures of Federal Awards (SEFA). Therefore, they will not be subject to Single Audit requirements. However, SBA loans issued under EIDL will be considered federal financial assistance and are required to be on the SEFA.
The Treasury Department stated that there will be a safe harbor for PPP loans of less than $2 million. Any borrowers with an original principal amount of $2 million or less will be deemed to have made the required certification concerning necessity of the loan request in good faith. However, as many public companies have substantial market value and access to capital, if meeting the “necessity of the loan in good faith” could not be supported; thus, resulting in return of PPP loans to the Treasury Department.
Best Practice
It is crucial that organizations follow best practices by ensuring that funds received under the CARES Act are used for the intended purpose (i.e. payroll, utilities, etc.), accurately tracked and appropriately supported. In addition, policies and controls should be developed and formally documented to ensure funds are safeguarded and the purpose of spending is clear and supports the purpose of the loan provisions. Training should also be performed at all levels of the organization, from executive leadership to those working in cash management and grant reporting, to ensure compliance with policies and controls.
For both PPP and EIDL loans, organizations should maintain sufficient records such as tracking activity for each loan in separate general ledger accounts, identifying any issues with implementation or processing of funds and documenting them, and continuously monitoring enforcement and changes that may impact current and future loans. Tracking will benefit the organization in two ways. It will provide an audit trail that could be subject to single audit procedures performed by external auditors and will also provide a sound audit trail in the event the organization is required to provide data relating to the program for reporting requirements to governmental agencies.
For NFP organizations, it is essential to note that if an the organization is already receiving funding from another federal or state grant-making source, EIDL or PPP loans should not be used for the same expenditures. If this were to occur, the organization would essentially be receiving double the funding for the expenditures being reimbursed, or “double dipping.” If an NFP is receiving either EIDL or PPP loans, it is recommended that they reach out to existing federal and/or state funding agencies to ensure that double dipping is not occurring.
What we want to know and what we do know
In a letter dated April 10, 2020, the Governmental Audit Quality Center of the American Institute of Certified Public Accountants (AICPA) issued a letter to the U.S. Office of Management and Budget (OMB) to raise several concerns and questions regarding the future impact of CARES Act funding on single audits. Some of the concerns raised and potential impact on single audits include:
- Effect on funding of programs and clusters – Will this funding be part of existing CFDAs and impact existing clusters, or will new CFDAs be added?
- Importance of information in award terms and conditions – Several agencies recently released provider relief funding but did not mention whether the funds will be subject to Uniform Guidance, and there is no mention of CFDA numbers or clusters.
- Single audit extension deadlines – Extensions are expected due to the uncertainty of the questions raised and other factors, including the availability of the 2020 Compliance Supplement.Compliance supplement/compliance requirements – OMB is holding the release of the 2020 Compliance Supplement so that COVID-19 updates can be made by key agencies. This will impact the timing of external audit procedures.
- Agency implementation – Currently, guidance is not available across all governmental agencies, which increases complexity for loans recipient receiving funds from multiple sources.
- Major program determination – Auditors cannot begin audit procedures until there is clear guidance on how the CFDA/clusters will be impacted by the CARES Act.
- Risk assessment – It’s expected that an organization’s major program determinations may include more high-risk A programs for 2020 single audits, and type B risk assessments may be impacted.Internal control – Due to COVID-19, many organizations have implemented remote working conditions, which may require adopting a phased approach to internal control, documenting the internal control environment in three stages: (1) pre-COVID, (2) stay in place in orders, and (3) reopening.
- Low-risk auditee status – One of the low-risk auditee requirements is for the auditee to submit its single audit on time for two consecutive years. Many organizations will take advantage of the extensions offered; however, if the 2020 Compliance Supplement is not revised, these filings may be considered late, and an organization may not qualify as a low-risk auditee. This may result in increased testing by external auditors, becoming potentially more costly for organizations.
As we await a formal response from the OMB to the AICPA for factors that are uncertain at this time, what we do know is that audit requirements will be effective for organizations with a fiscal or calendar year ending in June 30, 2020 if the organization expends a minimum of $750,000 in federal awards, which will impact a majority of NFPs first. In addition, several states, including New Jersey and Connecticut, have their own single audit requirements with differing limits, some could potentially trigger a single audit starting around $100,000 in expenditures.
Although the ultimate impact of the CARES Act is dependent on many moving parts, many organizations that were never previously subject to a single audit may now be subject to one due to the additional funding received and should also expect an increase in major programs to be tested by its external auditors. As a result of these two factors, the scope of the work CPA firms will be performing is expected to significantly increase and due to additional time incurred, engagement fees might need to be renegotiated and increased.
It’s imperative that organizations follow the best practices above and treat the funding with the same diligence afforded the programs already subject to a single audit. Organizations and their auditors should have open lines of communications during this time, as the audit process will also be impacted due to COVID-19. Many organizations and CPA firms continue to work in a remote environment, which may impact how the single audits are conducted, including testing and observing internal controls.
The CARES Act impact on single audits is rapidly changing, due to a level of uncertainty never seen before. It is incumbent on organizations to document, plan, monitor, and communicate to timely and effectively respond to requirements imposed now and in the future when the 2020 Compliance Supplement is released. It’s crucial to monitor the responses that will be received from the OMB in the upcoming months and stay proactive on developments.
Coronavirus Resource Center
Have more questions about the impact of the coronavirus on your business? Visit Marcum’s Coronavirus Resource Center for up-to-date information.