SAS 115 Communicating Internal Control Related Matters Identified in an Audit

1
SAS 115Communicating Internal Control Related
Matters Identified in an Audit

• Donna Brown, Audit Partner
• Bernadette Britz-Parker, Audit Partner
• Trey Long, Audit Manager

2
Todays Objectives

• Overview of SAS 115
• Understanding Implementing Internal Controls
• Real-Life Examples

3
1. Overview of SAS 115
4
1) Overview of SAS 115

• Effective for periods ending on or after December
  15, 2009.
• Early implementation is allowed.
• Applies when the auditor expresses an opinion on
  financial statements.
• Except when expressing an opinion on the
  effectiveness of internal control over financial
  reporting.

5
1) Overview of New Risk Assessment Standards
(cont.)

• This statement
• Defines the terms deficiency in internal control,
  significant deficiency, and material weakness.
• Provides guidance on evaluating the severity of
  deficiencies in internal control.
• Requires the auditor to communicate, in writing,
  to management and those charged with governance,
  significant deficiencies and material weaknesses.
• This statement was issued to converge definitions
  for the various kinds of deficiencies in internal
  control with PCAOB standards.

6
1) Overview of New Risk Assessment Standards
(cont.)

• Overall SAS 115 retains many of the provisions of
  SAS 112.
• It provides guidance to enhance the auditors
  ability to identify and evaluate deficiencies in
  internal control and to communicate those to
  management if they are considered to be
  significant deficiencies or material weaknesses.
• The key differences between 115 and 112 lies in
  the definitions of material weaknesses and
  significant deficiencies.
• 115 allows more judgment in determining whether a
  control deficiency is a significant deficiency.

7
1) Overview of New Risk Assessment Standards
(cont.)

• What is a deficiency in internal control?
• A deficiency in internal control exists when the
  design or operation of a control does not allow
  management or employees in the normal course of
  performing their assigned functions, to prevent,
  or detect and correct misstatements on a timely
  basis.

8
Internal Control Deficiency in Design

• A deficiency in design exists when
• a control necessary to meet the control objective
  is missing, or
• an existing control is not properly designed so
  that, even if it operates as designed, the
  control objective would not be met.

9
Examples of Deficiencies in the Design of
Controls

• Inadequate design of controls over the
  preparation of financial statements.
• Inadequate design of controls over a significant
  account or process.
• Insufficient control consciousness (tone at the
  top).
• Inadequate segregation of duties.

10
Examples of Deficiencies in the Design of
Controls (cont.)

• Inadequate controls over the safeguarding of
  assets.
• Inadequate design of IT general and application
  controls.
• Employees or management who lack the
  qualifications and training to fulfill their
  assigned functions.
• Inadequate monitoring of controls.

11
Deficiency in Operation of Internal Controls

• A deficiency in operation exists when
• a properly designed control does not operate as
  designed, or
• when the person performing the control does not
  possess the necessary authority or competence to
  perform the control effectively.

12
Failures in the Operation of Internal Control

• Failure in the operation of controls over a
  significant account or process.
• (i.e., dual authorization for significant
  purchases)
• Failure of the information and communication
  component of IC (not receiving accurate or timely
  information from remote locations in order to
  prepare FS).

13
Failures in the Operation of Internal
Control(cont.)

• Failure to perform reconciliations of significant
  accounts.
• Undue bias or lack of objectivity of those
  responsible for accounting decisions.
• Misrepresentation by entity personnel to the
  auditor.
• Failure of an application control caused by a
  deficiency in the design or operation of an IT
  general control.

14
Auditors Responsibility

• What is the auditors responsibility to identify
  deficiencies in internal control?
• Auditor is not required to perform procedures to
  identify deficiencies.
• If deficiencies are identified, they may be
  communicated to management after evaluation.

15
Level of Deficiencies

• Deficiencies In Order of Severity
• Control Deficiency
• Significant Deficiency
• Material Weakness

16
Material Weakness SAS 112 Definition (OLD)

• A significant deficiency, or a combination of
  significant deficiencies, that results in more
  than a remote likelihood that a material
  misstatement of the financial statements will not
  be prevented or detected.

17
Material Weakness SAS 115 Definition (NEW)

• One or a combination of deficiencies such that
  there is a reasonable possibility (reasonably
  possible or probable) that a material
  misstatement will not be prevented, or detected
  and corrected on a timely basis.

18
FASB 5 Contingencies

• Reasonably possible The chance of the future
  event or events occurring is more than remote but
  less than likely.
• Probable The future event or events are likely
  to occur.

19
Significant Deficiency - SAS 112 Definition (OLD)

• A control deficiency, or a combination of control
  deficiencies, that adversely affects the entitys
  ability to initiate, authorize, record, process,
  or report financial data reliably in accordance
  with GAAP such that there is more than a remote
  likelihood that a misstatement of the entitys
  financial statements that is more than
  inconsequential will not be prevented or detected.

20
Significant Deficiency SAS 115 Definition (NEW)

• A deficiency, or a combination of deficiencies,
  in internal control that is less severe than a
  material weakness, yet important enough to merit
  attention by those charged with governance.

21
Evaluating Deficiencies

• Auditor evaluates severity of deficiencies
  depending on the
• Magnitude of the potential misstatement, and
• Whether there is a reasonable possibility
  controls will fail to prevent or detect and
  correct a misstatement of an account balance or
  disclosure.
• Note The severity does not depend on whether a
  misstatement actually occurred.

22
Evaluating Deficiencies (cont.)

• Factors that affect the magnitude
• Amounts or total of transactions.
• Generally the maximum amount of an account
  balance or total of transactions that can be
  overstated is the recorded amount
  (understatements could be larger).
• The volume of activity.

23
Risk Factors

• Risk factors that affect whether there is a
  reasonable possibility of a misstatement include
• The nature of the accounts.
• The susceptibility of the asset or liability to
  loss or fraud.
• The extent of judgment in determining the amount.

24
Indicators of Material Weaknesses

• Identification of fraud on the part of senior
  management.
• Restatement of previously issued financial
  statements for a correction due to error or
  fraud.
• Identification of a material misstatement that
  would not have been detected by the entitys
  internal control.
• Ineffective oversight of financial reporting and
  internal control by those charged with governance.

25
Prudent Official Test

• If the auditor determines that a deficiency is
  not a material weakness, the auditor should
  consider whether a prudent official would agree
  with the auditors conclusion.
• Because a prudent official is cautious, this test
  is used to increase the severity, not to justify
  a decrease in severity.

26
Communication

• Communications should be in writing.
• Best if made by report release date but not later
  than 60 days following release date.
• Can be communicated earlier if warranted.
• Must be communicated even if management has
  accepted the risk associated with the deficiency.
• Auditor cannot issue written communication that
  no significant deficiencies were identified
  during the audit.

27
Yellow Book and Single Audits

• GAO has issued Interim Guidance (November 2008).
• http//www.gao.gov/govaud/icguidance0811.pdf
• Auditors will currently follow SAS 115 as new
  definitions and requirements.
• Revisions are being worked on.

28
2) Understanding Implementing Internal Controls
29
What does this mean for you?

• Higher quality audits.
• Communication of more internal control
  deficiencies.

30
Higher Quality Audits

• A more thorough, effective, and focused audit.
• We will be better able to
• Provide useful information.
• Identify problems or opportunities and make
  recommendations.
• Assist with special projects.

31
Communicate More Internal Control Deficiencies

• More deficiencies may be discovered.
• More deficiencies may meet the criteria for
  reporting.
• Uncorrected deficiencies will be reported each
  year.
• Beat the dead horse.

32
Common Deficiencies in the Design of Controls

• Inadequate controls over the preparation of
  financial statements.
• Inadequate segregation of duties.
• Inadequate controls over the safeguarding of
  assets.
• Inadequate design of IT general and application
  controls.

33
Common Failures in the Operation of Controls

• Failure in the operation of controls over a
  significant account or process.
• Failure of controls designed to safeguard assets.
• Misrepresentation by entity personnel to the
  auditor.
• Management override of controls.

34
Common Significant Deficiencies

• Failure to maintain effective controls over
  journal entry processing.
• Failure to review account reconciliations.
• Failure to reconcile accounts to supporting
  documents.
• Failure to prepare financial statements and note
  disclosures.

35
Common Material Weaknesses

• Identification of fraud on the part of senior
  management.
• Identification of a material misstatement of the
  financial statements under audit.
• Restatement of previously issued financial
  statements.

36
What Are Your Responsibilities?

• Evaluate financial statement risks.
• Evaluate whether internal controls are adequate.

37
What are Financial Statement Risks?

• Risks that affect the achievement of financial
  reporting objectives.
• Conditions or indications that something could go
  wrong in the financial statements.
• May relate to error or fraud.
• May be pervasive to the financial statements or
  related to specific transactions, accounts, or
  disclosures.

38
Examples of Risks
39
Internal Control

• Process employed by the company to provide
  reasonable assurance of achieving financial
  reporting objectives and safeguarding assets.
• Applies to all entitiesboth small and large.
• Helps prevent, or detect and correct,
  misstatements resulting from risks and helps
  safeguard assets.
• Need to identify key controls.
• Controls that are most important in achieving the
  objective.

40
Control Activities

• Can be either automated or manual.
• Directed toward transaction processing.
• Can be associated with one or more assertions.
• Includes
• Performance reviews.
• Information processing controls.
• Physical controls.
• Segregation of duties.
• Asset accountability.

41
Control Activities Objectives -Processing Cash
Receipts

• Cash receipts information is valid and processed
  only once.
• Cash receipts are appropriately safeguarded.
• Cash received is posted in the proper period.
• Cash receipt information is recorded in the
  correct account.
• All cash receipts are recorded.

42
Control Activities Examples -Processing Cash
Receipts

• Cash receipts are deposited intact promptly or
  stored in a secure location.
• Cash receipts (restricted revenue) are deposited
  in separate bank accounts when required by
  funding sources.
• Daily cash receipts are compared to postings to
  customer accounts by an independent person.
• Bank reconciliations are prepared and reviewed in
  a timely manner.

43
Putting It All Together A Process for
Identifying Risks Assessing Controls

• Consider the aspects of the company that are
  sources of risk.
• Gather information that indicates potential
  risks.
• Accumulate and synthesize the information to
  identify risks.
• Identify key controls that address the risks by
  focusing on control objectives.
• Assess whether controls are properly designed and
  implemented to achieve the objectives.
• Identify gaps and prioritize deficiencies for
  improvement.

44
A Practical Approach to Reviewing Internal
Control

• Supporting tools to help you assess
  activity-level controls
• Complete (or update) a narrative describing your
  activity-level controls.
• Supplement the documentation by completing the
  related Control Activities Form.
• These can usually be obtained from your auditors.

45
A Practical Approach to Reviewing Internal
Control (cont.)

• Evaluate controls to determine if
• Key controls are present to achieve control
  objectives and address relevant financial
  statement risks.
• Controls are properly designed to prevent, or
  detect and correct, misstatements.
• Controls are in place to address all identified
  risks.

46
A Practical Approach to Reviewing Internal
Control (cont.)

• If controls are missing or improperly designed,
  determine
• Whether other compensating controls address the
  control objective.
• The likelihood and magnitude of potential errors.
• The pervasiveness of potential errors.
• The priority for corrective action.

47
3) Real-Life Examples
48
Questions or Comments?

• Donna Brown
• Donna_at_jmco.com
• Bernadette Britz-Parker
• Bernadette_at_jmco.com
• Trey Long
• TreyL_at_jmco.com