There is no disputing that the intent of the Coronavirus Aid, Relief and Economic Securities (CARES) Act of 2020 is to provide immediate and tangible economic relief to American workers, families and small businesses. What has been less clear since its passage in March 2020 is how the acceptance of funds available through various CARES Act programs could impact single audit requirements.
Among the most prominent programs in the CARES Act are the Paycheck Protection Program (PPP) and the Economic Injury Disaster Loan (EIDL) Program.
The PPP is designed to help small business owners and other individuals adversely affected by the COVID-19 pandemic. It provides direct government subsidies for payroll, rent and other expenses. Subsidies are in the form of federal loans that can be forgiven if borrowers apply at least 60 percent of the funds for payroll and retain their employees on payroll for a defined number of weeks. Loans can range up to $10 million and can also become grants. To date, more than 4.8 million small businesses have received loans totaling approximately $520 billion.
Additionally, the CARES Act expanded the Small Business Administration’s (SBA) EIDL program, which is intended to assist businesses, renters and homeowners located in regions affected by declared disasters. Loans distributed under both of these programs can be forgiven if they are considered federal grants.
Clarity on Single Audit Requirements
Under existing requirements, if a nonfederal entity expends $750,000 or more of federal awards in a fiscal year, a single audit must be performed following the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards (Uniform Guidance). With the introduction of the PPP and expansion of the EIDL program, however, there has been uncertainty regarding whether or not corresponding loans or grants would be subject to single audit requirements.
Now, the SBA has clarified that PPP loans issued to nonprofit organizations in fact do not represent federal financial assistance as contemplated by Uniform Guidance. As such, they will not be required to be presented on the Schedule of Expenditures of Federal Awards (SEFA), and they will not be subject to single audit requirements.
Furthermore, the SBA has stated that SBA loans issued under EIDL will be considered federal financial assistance and are required to be on the SEFA. In other words, they will be subject to single audit requirements.
According to the Treasury Department, a safe harbor of less than $2 million for PPP loans will exist. For borrowers with an original principal amount of $2 million or less, they will be deemed to have made the required certification concerning necessity of the loan request in good faith. That said, many public companies possess substantial market value and access to capital. Therefore, if meeting the “necessity of the loan in good faith” cannot be supported, PPP loans would be required to be returned to the Treasury Department.
Understanding Best Practices With Respect to Single Audits
With no exceptions, funds received under the CARES Act must be used for their intended purpose, and they must be accurately tracked and appropriately supported. Controls and policies should be devised and formally documented to ensure funds are safeguarded; to support the purpose of the loan provisions; and to articulate the clear purpose of spending. Along with this, in order to ensure compliance, proper training should be performed throughout the enterprise, from the C-suite to staff working in cash management and grant reporting positions.
Recordkeeping is also essential. For both PPP and EIDL loans, tracking activity should be logged for each loan in separate general ledger accounts, and any issues with implementation or processing of funds should be documented. Tracking provides the enterprise with an audit trail that could be subject to single audit procedures performed by external auditors. It also delivers a solid audit trail in the event that governmental agencies compel the enterprise to provide data relating to the program for reporting requirements.
Nonprofit organizations must consider whether they currently receive funding from another federal or state grant-making source, as EIDL or PPP loans must not be applied to the same expenditures – this would mean the enterprise essentially receives double the funding for the expenditures being reimbursed. Therefore, nonprofit recipients of either EIDL or PPP loans should contact the appropriate federal and/or state funding agencies to ensure this does not occur.
What Is Currently Known and Questions to Be Answered
The Governmental Audit Quality Center of the American Institute of Certified Public Accountants (AICPA) raised concerns and questions about future impacts of CARES Act funding on single audits in an April 10, 2020 letter to the U.S. Office of Management and Budget (OMB). These include:
- Single audit extension deadlines: Owing to the uncertainty of questions raised and other factors (including the availability of the 2020 Compliance Supplement), many experts believe extensions are expected.
- Compliance supplement/compliance requirements: OMB is holding the release of the 2020 Compliance Supplement pending COVID-19 updates from relevant agencies. This is expected to impact the timing of external audit procedures.
- Relevance of information in award terms and conditions: Several agencies recently released provider relief funding but did not make mention of whether funds will be subject to Uniform Guidance. Additionally, there is no mention of CFDA clusters or numbers.
- Agency implementation: Guidance currently is not available across all governmental agencies. This, in turn, makes matters more complex for loan recipients that receive funds from multiple sources.
- Effect on funding of clusters and programs: Will this funding be part of existing CFDAs and impact existing clusters, or will new CFDAs be added?
- Significant program determination: Until there is clear guidance regarding how the CFDA/clusters will be impacted by the CARES Act, auditors cannot begin appropriate audit procedures.
- Risk assessment: Many expect that an organization’s significant program determinations may include more high-risk A programs for 2020 single audits. Type B risk assessments could also be impacted.
- Internal control: Owing to COVID-19, many organizations have implemented remote working conditions that could necessitate a phased approach to internal control. This means documenting the internal control environment in three stages: (1) pre-COVID, (2) stay in place in orders and (3) reopening.
- Low-risk auditee status: One low-risk auditee requirement necessitates the auditee to submit its single audit on time for two consecutive years. While many organizations will take advantage of the extensions offered, these filings may be considered late, and an organization may not qualify as a low-risk auditee if the 2020 Compliance Supplement is not revised. Consequently, increased testing by external auditors could occur, which could mean potentially higher costs for organizations.
Until a formal response is given from the OMB to the AICPA, audit requirements, for the time being, will be effective for organizations with a fiscal or calendar year ending in June 30, 2020 if the organization expends a minimum of $750,000 in federal awards. This is expected to impact a majority of NFPs first. Note also that several states, including Connecticut and New Jersey, have their own single audit requirements with differing limits, which potentially could trigger a single audit with an approximate $100,000 starting price in expenditures.
In the end, the eventual broad impact of the CARES Act will be determined by a number of factors. Yet, one fact remains certain: organizations that were not previously subject to a single audit may now be subject to one owing to additional funding received. As such, they should expect an increase in testing of major programs by external auditors. Eventually, work scopes by CPA firms engaged to perform the work should greatly increase which, in turn, could compel renegotiation of engagement fees.
For enterprises impacted by this, it is crucial to follow the best practices outlined above and treat the funding with the same diligence afforded to programs already subject to a single audit. Many organizations and CPA firms work in remote environments due to COVID-19, which could impact how single audits are conducted. Given this impact on the audit process, organizations and their auditors should maintain open lines of communication throughout the process.
Finally, it is worth stressing how important it is for organizations to effectively plan, monitor, document and respond to requirements imposed now and in the future when the 2020 Compliance Supplement is released. They should closely monitor responses from the OMB in the upcoming months and stay abreast of developments.