Provider Relief Fund: What does an audit mean to me?

By Venson Wallin, CPA, CGMA, CFE, CHC, CHFP, FHFMA, HCISPP

Venson Wallin (vwallin@bdo.com) is Managing Director, National Healthcare Compliance and Regulatory Leader at BDO in Chesterfield, VA.

Over the course of 2020, many providers received numerous rounds of Provider Relief Fund (PRF) money though the Coronavirus Aid, Relief, and Economic Security Act[1] as well as though the Coronavirus Preparedness and Response Supplemental Appropriations Act[2] and the Families First Coronavirus Response Act.[3] While these funds were eagerly received as a means of offsetting significant declines in operations as a result of the pandemic, providers in many cases were also agreeing to be the subject of audits on their use of the funds. A lot of those same providers have never been through an audit before and are not sure what to expect. Over the course of this article, we will discuss what an audit means and some of the issues to plan for in preparation for one.

What is an audit?

For many providers, the PRF audits will be the first time they are being audited, and that can be quite unnerving. Uncertainties such as what documentation one needs, what kind of questions the auditors ask, how long it takes, and what type of report the auditors provide are all issues that anyone who has not had an audit faces. The truth is that the types of audits that providers will be facing associated with PRF requirements are different than traditional financial statement audits, where auditors examine comprehensive documentation, such as general ledgers, individual transactions, and contracts, in order to provide an opinion on the financial results and position of the organization. The PRF audits will be singularly focused on the usage of the PRF during the period being examined (i.e., January 1, 2020, through December 31, 2020, and/or January 1, 2021, through June 30, 2021).

The PRF instructions state that any distribution exceeding $750,000 will require a single audit;[4] so what is a single audit? What many refer to as a “Yellow Book audit,” a single audit is one that is performed according to 45 C.F.R. Part 75 Subpart F—the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for the U.S. Department of Health & Human Services Awards.[5] The single audit must be performed in accordance with generally accepted government auditing standards, which are issued by the Government Accountability Office and are commonly referred to as the Yellow Book.[6] These standards include guidance on independence, required audit procedures and processes, continuing professional education requisites, supervisory guidelines, and quality control procedures. Auditors must meet all of these standards when performing an audit or risk being sanctioned by the federal government for failure to meet minimum standards. The Compliance Supplement Addendum specifically addressing the single audit requirements of the PRF can be found at whitehouse.gov.[7]

Timing

Traditionally, single audits have been due within nine months of the end of the audit period and have included financial statement audits. For June 30 fiscal year-ends, for example, that would mean the single audit would be due March 31 of the following year. Per the 2020 Compliance Supplement Addendum, however, for organizations with fiscal year-ends prior to December 31, 2020, the single audit requirement will be deferred until their fiscal 2021 year-end. Typically, single audits include both the financial statements of the auditee and the Schedule of Expenditures of Federal Awards. The PRF audits, however, may be different in that a number of PRF recipients do not have annual audits performed, so the first single audit may be limited to the PRF report required for the period ending December 31, 2020 (the first reporting period as required by the PRF instructions) in the form of a program-specific audit. As a result, it may be due September 30 of the following year.

Applicability

Nonprofit organizations meeting the $750,000 threshold will likely be required to have a single audit performed. For-profit organizations, for which single audits would be new, may choose between a single audit or a financial audit in accordance with the generally accepted government auditing standards.

Thresholds

Traditionally, auditors have looked at all governmental program funds that are closely related as a cluster of funds that are considered as one major program for threshold determinations (i.e., $750,000). This would mean that even if an organization received less than $750,000 in PRF, if it also received other similar funds in another distribution, it may meet the major program threshold if the sum of all of the similar funds exceeds $750,000.

Schedule of Expenditures of Federal Awards

It is designed to contain all of the activity related to the federal award. In the case of the PRF, this will include both the calculation of lost revenue and the COVID-19–related expenses by type of expense.

Internal control

Historically, single audits have included a review of internal controls that the organization is required to implement related to the federal program funds. These internal controls include the following components.[8]

  • Control environment: Policies and procedures that establish a foundation for the organization to implement internal controls.

  • Risk assessment: Process by which the organization determines the likelihood that an action occurs that will adversely affect the organization.

  • Control activities: Actions designed to mitigate the occurrence of adverse events affecting the organization.

  • Information and communication: Ongoing process of distributing information in support of the control activities and other internal control activities that contribute to the control environment and the organization’s goals.

  • Monitoring: Continual assessment of each of these components to determine how effectively they are being implemented on a consistent basis.

A lot of organizations receiving PRF, while having never received a financial statement audit, have also not focused on a complex system of internal controls. As a result, requiring a traditional internal review assessment as part of the single audit may not be feasible. Instead, the Compliance Supplement Addendum addresses compliance with laws and regulations, both in general and specifically related to the PRF, and while an opinion on compliance may not be required, auditors should consider compliance with such as part of their review.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings