Printer-friendly Version

Frequently Asked Questions

Reporting Suspected Fraud, Waste and Abuse of Public Resources to the Office of the State Auditor (OSA)

1. What is the mission of the Office of the State Auditor?

The mission of the Office of the State Auditor is to hold local and state government accountable in its use of public funds. Pursuant to the Audit Act (Sections 12-6-1 through 12-6-14 NMSA 1978) and the Audit Rule (2.2.2. NMAC), every government agency in New Mexico that receives or expends public funds is required to account for that money daily, and submit a report to the OSA annually. Accounting for this money may take the form of an audit, a tiered system certification, or a tiered system engagement.

2. What is an audit?

An audit is a thorough examination of the financial accounts and transactions of an entity that is conducted by an independent public body. The Audit Act (Sections 12-6-3(A) NMSA 1978) states that, “the financial affairs of every agency shall be thoroughly examined and audited each year by the state auditor, personnel of the state auditor’s office designated by the state auditor or independent auditors approved by the state auditor.” The statute also requires that “the audits shall be conducted in accordance with generally accepted auditing standards and rules issued by the state auditor.” The rules issued by the state auditor applicable to financial audits are contained in 2.2.2. NMAC, Audits of Governmental Entities Requirements for Contracting and Conducting Audits of Agencies (The Audit Rule).

3. What are audit opinions and what does each type of opinion mean?

An audit opinion in a financial audit is the independent public accountant’s statement, based on audit work performed in accordance with applicable standards, of whether an entity’s reported financial information is presented fairly, in accordance with recognized criteria. The following are types of opinions issued by an auditor upon review of a report:
Unmodified Opinion- Expressed when the auditor concludes that the financial statements of a given entity are presented fairly, in all material respects, in accordance with accounting principles generally accepted in the United States of America.
Modified Opinion- Expressed when the auditor concludes that, based on audit evidence, the financial statements, as a whole, are materially misstated, or the auditor is unable to obtain enough appropriate evidence to conclude that the financial statements, as a whole, are free from material misstatement. Therefore, the auditor modifies the opinion in his or her report. There are three types of modified opinions:
Qualified Opinion- Expressed under the following circumstances:

  1. When the auditor, having obtained enough good audit evidence, concludes that misstatements, either by themselves or when grouped with all other misstatements, are material to the financial statements, and are confined to specific elements, accounts, ot items of the financial statements.
  2. When the auditor is unable to obtain enough good audit evidence upon which to base an opinion, and concludes that the possible effects on the financial statements of undetected misstatements, if any, could be material but are confined to specific elements, accounts, or items in the financial statements.

Report language that indicates the auditor has issued a qualified opinion states, “In our opinion, except for the effects of… the matter described in the basis for Qualified Opinion paragraph, the financial statements referred to above present fairly.”
Adverse Opinion- Expressed when, after having obtained enough good audit evidence, the auditor concludes that misstatements, individually or when grouped with other misstatements, are both material and affect multiple elements, accounts, or items of the financial statements.
Report language that indicates that the auditor has issued an adverse opinion states, “In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion paragraph, the financial statements referred to above do not present fairly the financial position of the entity.”
Disclaimer Opinion- The auditor disclaims an opinion when he or she is unable to obtain enough good audit evidence to base an opinion on, and concludes that the possible effects of undetected misstatements on the financial statements could be both material and pervasive.

4. What is an agreed upon procedure (AUP) engagement under the tiered system of financial reporting?

Pursuant to the Audit Act (Sections 12-6-1 through 12-6-14 NMSA 1978) and the Audit Rule (2.2.2 NMAC) every government agency in New Mexico that receives or expends public funds is required to account for that money, and submit a report to the OSA on an annual basis. Accounting for this money may take the form of an audit, tiered system certification, or tiered system engagement. The tiered system of financial reporting applies to “local public bodies” that have less than $500,000 in annual revenue (excluding capital outlay appropriations and grants). Under the tiered system, an agency’s annual revenue is calculated on a cash basis of accounting and excludes federal grant revenue, private grant revenue and capital outlay awards received by the agency from the State of New Mexico. Local public bodies include land grants, mutual domestic water consumer associations, incorporated municipalities and special districts (e.g. acequias and soil and water conservation districts). In general, agencies that qualify for the tiered system do not have to receive annual financial and compliance audits. However, the agency must comply with the requirements of the specific “Tier” that corresponds with the agency’s annual revenue. This may include the requirement that an agency submit an “agreed-upon procedures” financial report for a specific fiscal year. An AUP engagement is performed in lieu of a full audit, and is generally more affordable for entities with low annual revenue.

5. Who gets audited or undergoes an AUP?

Any agency that receives or expends public funds is required to receive an audit or agreed-upon procedures engagement (under the tiered system of financial reporting) on an annual basis by the Office of the State Auditor, or by an independent public accountant (IPA) approved by the State Auditor. “Agency” refers to the following: any department, institution, board, bureau, court, commission, district, or committee of state government, including district courts, magistrate and metropolitan courts, district attorneys and charitable institutions for which appropriations are made by the legislature; any political subdivision of the state, created under either general or special act, that receives or expends public money from whatever source derived, including counties, county institutions, boards, bureaus or commissions; municipalities; drainage, conservancy, irrigation or other special district; schools districts’ any entity or instrumentality of the state specifically provided for by law, including the New Mexico Finance Authority and the New Mexico Lottery Authority; and every office or officer of any entity listed above.

6. What is the difference between and audit and an AUP under the tiered system of financial reporting?

An AUP engagement is performed in lieu of a full audit. The scope of an AUP is determined using the tiered system of financial reporting, and applies to local public bodies (detailed in question 4).   

AGREED- UPON
PROCEDURES
AUDIT
Applicable AICPA
Standards
Statements on Standards for
Attestation Engagements
(SSAEs) – Eleven Standards
U. S. Auditing Standards –
AICPA (Clarified)

Does Audit Rule require
the Yellow Book
(GAGAS) to be followed
in this type of
engagement?
No Yes

Is IPA Independence
Required for the
engagement?
Yes Yes

Does the IPA provide an
opinion?
No Yes

What dictates the
procedures to be
performed during the
engagement?
Procedures must be
approved by the specified
parties (report users)
Procedures are dictated by
auditing standards

Does the IPA write
findings when the IPA
discovers problems?
Yes Yes

Does the IPA provide a
report that includes
findings at the end of the
engagement?
Yes Yes


7. What are the Generally Accepted Government Auditing Standards (GAGAS)?

The Generally Accepted Government Auditing Standards (GAGAS), also commonly referred to as the Yellow Book, is a collection of government auditing standards published by the Comptroller General of the United State (housed within the Government Accountability Office (GAO)). GAGAS was most recently revised in 2011. A copy of the revision is available at http://www.gao.gov/assets/590/587281.pdf. Pursuant to paragraph 2.08, GAGAS incorporates, by reference, the American Institute of Certified Public Accountants (AISCPA) Statements of Auditing Standards.

GAGAS provides a framework for conducting high quality audits with competence, integrity, objectivity, and independence. These standards are used by auditors of government entities, entities that receive government awards, and auditor organizations performing GAGAS audits.

GAGAS provides a framework for conducting high quality audits with competence, integrity, objectivity, and independence. These standards are used by auditors.

8. What is the Yellow Book?
The Yellow Book is the same thing As GAGAS (see the answer to the related question “What are Generally Accepted Government Auditing Standards?”). The hard copy of this GAO publication has a yellow cover, and is therefore often referred to as the Yellow Book. 

9. Where can I find out more about Government Auditing Standards and requirements for continuing professional education (CPE)?

The Government Auditing Standards Guidance on GAGAS Requirements for continuing professional education (GAO-05-568G) is available on the GAO website at http://www.gao.gov/assets/80/76894.pdf

10. What is the Audit Rule?

Section 12-6-12 NMSA 1978, requires the state auditor to promulgate regulations necessary to carry out the duties of his office, including regulations required for conducting audits in accordance with auditing standards generally accepted in the United States of America. The regulations the state auditor promulgates appear in Section 2.2.2 NMAC Requirements for Conducting Audits of Agencies. This document is more commonly known as the “Audit Rule.” The latest version of the Audit Rule is available on the State Auditor’s website at http://osanm.org/state_auditor_rule, and is reviewed and updated annually by the Office of the State Auditor.

11. What should an agency do in order to obtain an exemption from a specific requirement provided in the Audit Rule?

Agencies must submit requests for exemption from a requirement of the Audit Rule in writing to the State Auditor. The written request should reference the section of the Audit Rule that the request pertains to, and contain an explanation regarding the necessity of the exemption. It should be noted that the Office of the State Auditor does not grant exemption requests to extend the due dates of audit or AUP reports.

Some examples of situation in which an agency might request an exemption from the Audit Rule are:

  1. When a component unit needs to be presented as a “blended” component unit of the primary government (Sections 2.2.2.10(A)(1)(a) and 2.2.2.12(B)(2) NMAC) or (Section 2.2.2.12(E)(5) NMAC);
  2. When a component unit wants to use a different IPA than the primary government’s IPA (Section 2.2.2.10(A)(1)(c) NMAC);
  3. If extraordinary circumstances exist that will prevent the exit conference from taking place in person (Section 2.2.2.10(J)(1) NMAC); or
  4. If the HUD Financial Data Schedule needs to be presented in a separate report from the annual financial audit report (Section 2.2.2.10(T)(4) NMAC).

12. What should be contained in a request for an exemption related to housing authorities?

A request to report a housing authority as a department of the primary government, rather than as a discretely presented component unit, requires the following additional statements in the written request for exemption:

  1. A statement that the housing authority is not a corporation registered with the Public Regulation Commission;
  2. A statement that there was never a resolution or ordinance making the housing authority a public body corporate; and
  3. A statement that the housing authority was authorized under the Municipal Housing Law, Section 3-45-1 NMSA 1978


13. What is required if a component unit requests to be audited by a firm other than the firm auditing the primary government?

When a component unit requests an exemption to be able to use an auditor other than the primary government’s auditor, the component unit and the proposed “other” auditor must agree to the following requirements, specified in 2.2.2.10(A)(1)(c) NMAC:

  1. The primary auditor must agree to use the information from the work of the component unit auditor;
  2. The component unit auditor selected must appear on the Office of the State Auditor list of eligible independent public accountants;
  3. The bid and auditor selection process must comply with the requirements set forth in this rule;
  4. The Office of the State Auditor standard contract must be used;
  5. All component unit findings must be disclosed in the primary government’s audit report; and
  6. Any separately issued component unit audit reports must be submitted to the state auditor to undergo review.


14. How can an independent audit firm get on the OSA’s list of firms approved to contract for government agency audits?

In order to be approved, a firm must first submit a complete firm profile to the OSA for consideration.

A firm profile is a bound document submitted to the OSA by any independent public accounting firm (IPA) that wishes to be placed on the approved IPA list. A firm profile currently consists of five sections and must contain the following information to be reviewed by the OSA prior to approval:

  1. Contact information;
  2. Copy of New Mexico firm permit to practice;
  3. Evidence of professional liability insurance;
  4. Peer review details;
  5. Information regarding whether the firm is sanctioned by an inspector general (IG) or the American Institute of Certified Public Accountants (AICPA);
  6. Late audit report information;
  7. List of professional service contracts; and
  8. Information regarding staff members’ continuing professional education (CPE) status


Firm profiles are typically due at the end of October so that the OSA can review them in time for the next audit season. However, a firm may submit a profile at any time to be considered for approval. For further information related to firm profiles, click here.

15. What is the report review process?

Once an audit report is received by the OSA, and it has met all submission criteria, it is assigned to an available OSA reviewer. After a report is reviewed, the OSA sends either an ‘OK to Print’ notice, or a ‘Notice of Rejection’, depending upon the quality of the report.

Upon receiving an ;’OK to Print’ notice, an IPA has two days to address any review comments included in the notice, and submit the required number of hard copies, plus an electronic copy of the report to the OSA as specified in the audit contract (Section 2.2.2.9(C)(3) NMAC). Along with the submission of the final reports, an IPA should include a letter or memo that contains responses to each of the review comments in the notice and that indicates any changes that have been made to the report. When the revised copies of the reports are received by the OSA, they undergo a final review prior to being released.

If a ‘Notice of Rejection’ is received for a report which is considered to be incomplete and/or excessively deficient, the responsible IPA is required to address the review comments and send a complete, corrected, hard copy of the report to the OSA. This revised report is to include a finding for the late submission of the report, if applicable (Section 2.2.2.9(C) NMAC) (please note that in the case of initial rejection of a report, corrected replacement pages will not be accepted in place of a complete, corrected, hard copy of the audit report). Upon resubmission to the OSA, the report is reviewed for the purpose of ensuring that all appropriate revisions have been made. If a report is still considered to be incomplete and/or excessively deficient, a revised ‘Notice of Rejection’ is sent. However, if the report has been appropriately corrected, an ‘OK to Print’ notice is sent. In that case, the process then follows the ‘OK to Print’ process detailed above (please note that if acceptable revisions are not made to the resubmitted report, the responsible IPA must provide, in writing, the reason(s) for the absence of appropriate adjustments to the report).

16. Why are some reports rejected?

Reports received by the OSA that are considered to be incomplete and/or excessively deficient will be rejected in accordance with Section 2.2.2.9(C)(1) NMAC. While the following is by no means an exhaustive list, some of the more common reasons for rejection of a report are: a prior year fund balance not in agreement with the prior year audited balance, with no restatement; a number of significant pages missing from a submitted report; significant notes not tied to financial statements; the absence of a required finding (e.g. a budget expenditure overage notes in the statement with no correlated audit finding in the report).

17. If an audit report is turned in prior to the submission deadline and is subsequently rejected, is the report considered late when it is resubmitted?

Unfinished and/or excessively deficient reports that are rejected during the review process are not considered ‘received’ until the corrected hard copy of the audit report is submitted to the OSA (Section 2.2.2.9(C)(1) NMAC). If the resubmission is received prior to the original due date, the audit report is not considered late. However, if the resubmission is received after the original due date, the audit report is considered late, and the responsible IPA is required to add a finding in the audit report for late submission, in accordance with Section 2.2.2.9(A) NMAC (please note that in the case of initial rejection of a report, corrected replacement pages will not be accepted in place of the resubmission of a complete, corrected, hard copy of the audit report). IPAs and agencies have the shared responsibility of ensuring that audit reports to the OSA for review and timely and complete.


18. Under what circumstances are contract amendments allowed?

Section 2.2.2.9(R) NMAC permits contract amendments under circumstances where the following requirements are met:

  1. There is an executed contract in place;
  2. The proposed amendment is submitted on the original signed contract amendment form (available at www.osanm.org);   
  3. The proposed amendment to the contract is in compliance with the New Mexico Procurement Code (i.e. the amended total will not exceed the amount over which an RFP is necessary, if an RFP was not originally issued for the engagement.);
  4. The following information must be included with the proposed contract amendment:
    1. a description of the work to be performed under the amendment;
    2. estimated hours and fees required for completion of each separate professional service contemplated;
    3. an explanation of how the work to be performed is beyond the scope of work outlined in the original contract; and
    4. an explanation of when the auditor or agency became aware that the work needed to be performed.
  5. Contract amendments will not be approved for the IPA to perform additional procedures in order to achieve an unqualified opinion (Section 2.2.2.8 (R)(3) NMAC).

 

19. What are the “At-Risk” program and the “At-Risk” list?


The At-Risk program was started in 2009 by State Auditor Hector Balderas, in order to combat the problem of late audits. Under the “At-Risk” program, government agencies that fail to submit requires annual audits or AUP engagements are designated “at-risk” and are required to submit written status reports to the OSA at regular intervals until compliance with the Audit Act is achieved.

The OSA maintains and updates the “At-Risk” on a weekly basis, and notifies appropriate oversight agencies of designations on a monthly basis. These oversight agencies include the Legislative Finance Committee, Department of Finance and Administration, Public Education Department, and Attorney General. Once an agency achieves compliance, the “at-risk” designation is removed. The list is updated and published on the OSA’s website in mid-January with the most current fiscal year. 

20. How can I make an inspection of public records (IPRA) request?

All IPRA requests must be received in writing, either by US Mail or email. For more specific information regarding IPRA requests, please click here.

21. How do I report suspected acts of financial fraud, waste, and abuse of public resources?

You may report suspected acts of financial fraud, waste or abuse through the OSA’s hotline website link or the OSA’s seven-day-a-week, 24-hour-a-day, toll-free hotline (1-866-OSA-FRAUD). The hotline is operated by The Network (http://tnminc.com/), an independent service provider with an extensive customer base and over 25 years of experience. The Network is nationally recognized as a leader in the area of hotline support and integrated case management.
Each hotline report is evaluated by the OSA’s Special Investigations Division, and an appropriate course of action is determined. The OSA may share information and coordinate efforts with other government agencies as appropriate on a case-by-case basis. If your issue does not directly fall within the jurisdiction of the OSA, it may be referred to the appropriate agency.
If a caller or complainant chooses to remain anonymous when reporting, he or she may communicate with the OSA via the Fraud Hotline callback feature. The caller simply calls the hotline, or logs in using the unique passcode given to them at the time that they officially file their complaint. He or she will have the opportunity to write an inquiry/complaint, or dictate it to a network operator. The message will automatically be sent to a case manager at the OSA for a response. The assigned investigator or appropriate OSA staff member can either enter a response for the caller to read online, or it may be read to the caller by a network operator if the caller so chooses. This is the only way that a complainant may remain anonymous.
The OSA has a list of standard, approved questions that each caller is asked when he or she calls in or makes a complaint online. A sample list is provided here.