Title: SAS 115 Communicating Internal Control Related Matters Identified in an Audit
1SAS 115Communicating Internal Control Related
Matters Identified in an Audit
- Donna Brown, Audit Partner
- Bernadette Britz-Parker, Audit Partner
- Trey Long, Audit Manager
2Todays Objectives
- Overview of SAS 115
- Understanding Implementing Internal Controls
- Real-Life Examples
31. Overview of SAS 115
41) Overview of SAS 115
- Effective for periods ending on or after December
15, 2009. - Early implementation is allowed.
- Applies when the auditor expresses an opinion on
financial statements. - Except when expressing an opinion on the
effectiveness of internal control over financial
reporting.
51) Overview of New Risk Assessment Standards
(cont.)
- This statement
- Defines the terms deficiency in internal control,
significant deficiency, and material weakness. - Provides guidance on evaluating the severity of
deficiencies in internal control. - Requires the auditor to communicate, in writing,
to management and those charged with governance,
significant deficiencies and material weaknesses. - This statement was issued to converge definitions
for the various kinds of deficiencies in internal
control with PCAOB standards.
61) Overview of New Risk Assessment Standards
(cont.)
- Overall SAS 115 retains many of the provisions of
SAS 112. - It provides guidance to enhance the auditors
ability to identify and evaluate deficiencies in
internal control and to communicate those to
management if they are considered to be
significant deficiencies or material weaknesses. - The key differences between 115 and 112 lies in
the definitions of material weaknesses and
significant deficiencies. - 115 allows more judgment in determining whether a
control deficiency is a significant deficiency.
71) Overview of New Risk Assessment Standards
(cont.)
- What is a deficiency in internal control?
- A deficiency in internal control exists when the
design or operation of a control does not allow
management or employees in the normal course of
performing their assigned functions, to prevent,
or detect and correct misstatements on a timely
basis.
8Internal Control Deficiency in Design
- A deficiency in design exists when
- a control necessary to meet the control objective
is missing, or - an existing control is not properly designed so
that, even if it operates as designed, the
control objective would not be met.
9Examples of Deficiencies in the Design of
Controls
- Inadequate design of controls over the
preparation of financial statements. - Inadequate design of controls over a significant
account or process. - Insufficient control consciousness (tone at the
top). - Inadequate segregation of duties.
10Examples of Deficiencies in the Design of
Controls (cont.)
- Inadequate controls over the safeguarding of
assets. - Inadequate design of IT general and application
controls. - Employees or management who lack the
qualifications and training to fulfill their
assigned functions. - Inadequate monitoring of controls.
11Deficiency in Operation of Internal Controls
- A deficiency in operation exists when
- a properly designed control does not operate as
designed, or - when the person performing the control does not
possess the necessary authority or competence to
perform the control effectively.
12Failures in the Operation of Internal Control
- Failure in the operation of controls over a
significant account or process. - (i.e., dual authorization for significant
purchases) - Failure of the information and communication
component of IC (not receiving accurate or timely
information from remote locations in order to
prepare FS).
13Failures in the Operation of Internal
Control(cont.)
- Failure to perform reconciliations of significant
accounts. - Undue bias or lack of objectivity of those
responsible for accounting decisions. - Misrepresentation by entity personnel to the
auditor. - Failure of an application control caused by a
deficiency in the design or operation of an IT
general control.
14Auditors Responsibility
- What is the auditors responsibility to identify
deficiencies in internal control? - Auditor is not required to perform procedures to
identify deficiencies. - If deficiencies are identified, they may be
communicated to management after evaluation.
15Level of Deficiencies
- Deficiencies In Order of Severity
- Control Deficiency
- Significant Deficiency
- Material Weakness
16Material Weakness SAS 112 Definition (OLD)
- A significant deficiency, or a combination of
significant deficiencies, that results in more
than a remote likelihood that a material
misstatement of the financial statements will not
be prevented or detected.
17Material Weakness SAS 115 Definition (NEW)
- One or a combination of deficiencies such that
there is a reasonable possibility (reasonably
possible or probable) that a material
misstatement will not be prevented, or detected
and corrected on a timely basis.
18FASB 5 Contingencies
- Reasonably possible The chance of the future
event or events occurring is more than remote but
less than likely. - Probable The future event or events are likely
to occur.
19Significant Deficiency - SAS 112 Definition (OLD)
- A control deficiency, or a combination of control
deficiencies, that adversely affects the entitys
ability to initiate, authorize, record, process,
or report financial data reliably in accordance
with GAAP such that there is more than a remote
likelihood that a misstatement of the entitys
financial statements that is more than
inconsequential will not be prevented or detected.
20Significant Deficiency SAS 115 Definition (NEW)
- A deficiency, or a combination of deficiencies,
in internal control that is less severe than a
material weakness, yet important enough to merit
attention by those charged with governance.
21Evaluating Deficiencies
- Auditor evaluates severity of deficiencies
depending on the - Magnitude of the potential misstatement, and
- Whether there is a reasonable possibility
controls will fail to prevent or detect and
correct a misstatement of an account balance or
disclosure. - Note The severity does not depend on whether a
misstatement actually occurred.
22Evaluating Deficiencies (cont.)
- Factors that affect the magnitude
- Amounts or total of transactions.
- Generally the maximum amount of an account
balance or total of transactions that can be
overstated is the recorded amount
(understatements could be larger). - The volume of activity.
23Risk Factors
- Risk factors that affect whether there is a
reasonable possibility of a misstatement include - The nature of the accounts.
- The susceptibility of the asset or liability to
loss or fraud. - The extent of judgment in determining the amount.
24Indicators of Material Weaknesses
- Identification of fraud on the part of senior
management. - Restatement of previously issued financial
statements for a correction due to error or
fraud. - Identification of a material misstatement that
would not have been detected by the entitys
internal control. - Ineffective oversight of financial reporting and
internal control by those charged with governance.
25Prudent Official Test
- If the auditor determines that a deficiency is
not a material weakness, the auditor should
consider whether a prudent official would agree
with the auditors conclusion. - Because a prudent official is cautious, this test
is used to increase the severity, not to justify
a decrease in severity.
26Communication
- Communications should be in writing.
- Best if made by report release date but not later
than 60 days following release date. - Can be communicated earlier if warranted.
- Must be communicated even if management has
accepted the risk associated with the deficiency. - Auditor cannot issue written communication that
no significant deficiencies were identified
during the audit.
27Yellow Book and Single Audits
- GAO has issued Interim Guidance (November 2008).
- http//www.gao.gov/govaud/icguidance0811.pdf
- Auditors will currently follow SAS 115 as new
definitions and requirements. - Revisions are being worked on.
282) Understanding Implementing Internal Controls
29What does this mean for you?
- Higher quality audits.
- Communication of more internal control
deficiencies.
30Higher Quality Audits
- A more thorough, effective, and focused audit.
- We will be better able to
- Provide useful information.
- Identify problems or opportunities and make
recommendations. - Assist with special projects.
31Communicate More Internal Control Deficiencies
- More deficiencies may be discovered.
- More deficiencies may meet the criteria for
reporting. - Uncorrected deficiencies will be reported each
year. - Beat the dead horse.
32Common Deficiencies in the Design of Controls
- Inadequate controls over the preparation of
financial statements. - Inadequate segregation of duties.
- Inadequate controls over the safeguarding of
assets. - Inadequate design of IT general and application
controls.
33Common Failures in the Operation of Controls
- Failure in the operation of controls over a
significant account or process. - Failure of controls designed to safeguard assets.
- Misrepresentation by entity personnel to the
auditor. - Management override of controls.
34Common Significant Deficiencies
- Failure to maintain effective controls over
journal entry processing. - Failure to review account reconciliations.
- Failure to reconcile accounts to supporting
documents. - Failure to prepare financial statements and note
disclosures.
35Common Material Weaknesses
- Identification of fraud on the part of senior
management. - Identification of a material misstatement of the
financial statements under audit. - Restatement of previously issued financial
statements.
36What Are Your Responsibilities?
- Evaluate financial statement risks.
- Evaluate whether internal controls are adequate.
37What are Financial Statement Risks?
- Risks that affect the achievement of financial
reporting objectives. - Conditions or indications that something could go
wrong in the financial statements. - May relate to error or fraud.
- May be pervasive to the financial statements or
related to specific transactions, accounts, or
disclosures.
38Examples of Risks
39Internal Control
- Process employed by the company to provide
reasonable assurance of achieving financial
reporting objectives and safeguarding assets. - Applies to all entitiesboth small and large.
- Helps prevent, or detect and correct,
misstatements resulting from risks and helps
safeguard assets. - Need to identify key controls.
- Controls that are most important in achieving the
objective.
40Control Activities
- Can be either automated or manual.
- Directed toward transaction processing.
- Can be associated with one or more assertions.
- Includes
- Performance reviews.
- Information processing controls.
- Physical controls.
- Segregation of duties.
- Asset accountability.
41Control Activities Objectives -Processing Cash
Receipts
- Cash receipts information is valid and processed
only once. - Cash receipts are appropriately safeguarded.
- Cash received is posted in the proper period.
- Cash receipt information is recorded in the
correct account. - All cash receipts are recorded.
42Control Activities Examples -Processing Cash
Receipts
- Cash receipts are deposited intact promptly or
stored in a secure location. - Cash receipts (restricted revenue) are deposited
in separate bank accounts when required by
funding sources. - Daily cash receipts are compared to postings to
customer accounts by an independent person. - Bank reconciliations are prepared and reviewed in
a timely manner.
43Putting It All Together A Process for
Identifying Risks Assessing Controls
- Consider the aspects of the company that are
sources of risk. - Gather information that indicates potential
risks. - Accumulate and synthesize the information to
identify risks. - Identify key controls that address the risks by
focusing on control objectives. - Assess whether controls are properly designed and
implemented to achieve the objectives. - Identify gaps and prioritize deficiencies for
improvement.
44A Practical Approach to Reviewing Internal
Control
- Supporting tools to help you assess
activity-level controls - Complete (or update) a narrative describing your
activity-level controls. - Supplement the documentation by completing the
related Control Activities Form. - These can usually be obtained from your auditors.
45A Practical Approach to Reviewing Internal
Control (cont.)
- Evaluate controls to determine if
- Key controls are present to achieve control
objectives and address relevant financial
statement risks. - Controls are properly designed to prevent, or
detect and correct, misstatements. - Controls are in place to address all identified
risks.
46A Practical Approach to Reviewing Internal
Control (cont.)
- If controls are missing or improperly designed,
determine - Whether other compensating controls address the
control objective. - The likelihood and magnitude of potential errors.
- The pervasiveness of potential errors.
- The priority for corrective action.
-
473) Real-Life Examples
48Questions or Comments?
- Donna Brown
- Donna_at_jmco.com
- Bernadette Britz-Parker
- Bernadette_at_jmco.com
- Trey Long
- TreyL_at_jmco.com