AICPA Statement on Auditing Standards No. 112, Communicating Internal Control Matters Identified in an Audit

1
AICPA Statement on Auditing Standards No. 112,
Communicating Internal Control Matters Identified
in an Audit

• NASACT Audio Conference
• October 19, 2006

2
Objectives

• Know the key concepts for this recently issued
  audit standard
• Identify the issues associated with implementing
  the standard (auditors)
• Identify the issues associated with those
  responsible for internal controls (preparers)

3
SAS No. 112, Communicating Internal Control
Matters Identified in an Audit
4
About SAS No. 112

• Issued May 2006
• Supersedes SAS No. 60
• Effective for audits of financial statements for
  periods ending on or after December 15, 2006
• Fairly short brief Appendix

5
The Quick Snapshot

• Requires auditor to communicate, in writing,
  significant deficiencies and material weaknesses
  to management and those charged with governance

6
Definitions

• Control deficiency
• Design or operation of a control that does not
  prevent or detect misstatements

7
Definitions

• Significant deficiencyControl deficiency(ies)
  that adversely affects the entitys financial
  reporting process such that there is more than a
  remote likelihood that a misstatement in the
  financial statements that is more than
  inconsequential will not be prevented or detected

8
Definitions

• Material weaknessSignificant deficiency(ies)
  that results in more than a remote likelihood
  that a material misstatement of the financial
  statements will not be prevented or detected

9
Definitions

• Those charged with governanceThe person(s) with
  responsibility for the entitys strategic
  direction and accountability, including the
  financial reporting process

10
Evaluating Control Deficiencies

• The significance depends on the potential for a
  misstatement, not an actual misstatement
• The absence of an identified misstatement does
  not provide evidence that a deficiency is not
  significant or material

11
EvaluatingFactors Affecting Likelihood

• Nature of accounts, disclosures, and assertions
• Susceptibility to loss or fraud
• Subjectivity and complexity
• Cause and frequency of detected exceptions

12
EvaluatingFactors Affecting Likelihood

• Interaction or relationship of the control with
  other controls
• Interaction of deficiency with other deficiencies
• Possible future consequences of the deficiency

13
EvaluatingFactors Affecting Magnitude

• Financial statement amounts or total transactions
  exposed
• Volume of activity in account balance or class of
  transactions affecting current or future periods

14
EvaluatingOther Considerations

• Multiple control deficiencies that affect the
  same financial statement account balance or
  disclosure
• Mitigating effects of effective compensating
  controls
• Results of tests of controls

15
ExamplesDeficiencies That Are at Least
Significant

• Deficiencies in controls over
• Selection and application of GAAP
• Antifraud programs
• Nonroutine and nonsystematic transactions
• Period-end financial reporting process

16
ExamplesStrong Indicators of Material Weaknesses

• Presumptive requirementsignificant deficiencies
• Ineffective oversight by those charged with
  governance
• Restatement of previously issued financial
  statements
• Material misstatement identified by the auditor

17
ExamplesStrong Indicators of Material Weaknesses

• Presumptive requirementsignificant deficiencies
• Ineffective internal audit or risk assessment
  functions
• Ineffective regulatory compliance function, when
  applicable
• Any fraud by senior management

18
ExamplesStrong Indicators of Material Weaknesses

• Presumptive requirementsignificant deficiencies
• Managements failure to assess previously
  reported significant deficiencies
• Ineffective control environment

19
Communicating Deficiencies

• In writing
• To management/governance
• All significant deficiencies and material
  weaknesses
• Items reported in prior years, not yet remediated
• Within 60 days of report release date

20
Communicating Deficiencies

• Importance of early communications
• Managements cost-benefit decisions does not
  relieve auditor responsibility
• Permits other matters to be communicated

21
Communicating Deficiencies

• Content
• Required elements
• Illustrative samples
• Management's written responses may be included

22
The Auditors Perspective
23
Impact on Auditors

• Timing
• Observations
• Concerns/Issues

24
TimingPre-SAS 112
Auditors report on financial statements
Single Audit reports
Management letters
Points for discussion
25
TimingUsing SAS 112

• All of these must now be communicated to
  management within 60 days after release date of
  our report on the CAFR/Basic Financial Statements

26
TimingUsing SAS 112

• Yellow Book report issued soon after CAFR, and
  not in our single audit report
• Management letter will also need to be issued
  within 60 days after our report on CAFR released

27
Our Experiment

• Take all the financial statement audits issued
  last year
• Summarize all findings into their four buckets
• Re-categorize the findings under the new criteria
  of SAS No. 112

28
Our Experiment

• Pre-SAS 112

29
Our ExperimentResults
30
Our ExperimentResults
31
Observations

• Difference between government audits and other
  audits
• Others2 vehicles for reporting
• Govt.3 vehicles for reporting

32
Observations

• We noticed overlap with
• SAS No. 103
• Risk Assessment Suite of Standards
• Independence Standards
• Government Auditing Standards

33
Observations

• Auditors need to make a clear change in their
  thought process
• Auditors may need to gather more information to
  make the SAS No. 112 determinations

34
Observations

• This will be a fresh look

35
Concerns/Issues

• Changing our process for Yellow Book reports and
  management letters
• When to begin writing process
• Sharing time for audit and writing
• Getting auditee responses

36
Concerns/Issues

• Developing clear understanding to assist in
  applying
• More than inconsequential
• Reasonable person

37
Concerns/Issues

• For Yellow Book audits, determining what goes in
  the management letter

38
Concerns/Issues

• Determining auditees inability to apply GAAP or
  prepare statements vs. choosing to have someone
  else do so (and other similar determinations)

39
Concerns/Issues

• Educating auditee (whos job is it?)
• Preparers
• Management
• Governing bodies
• Employees responsible for performing control
  activities

40
Managements Perspective
41
Change in Perspective

• Former Points for Discussion now in Management
  Letter
• Former Reportable Conditions may now result in
  Qualified Opinion
• All without any change in operations

42
Change in Perspective

• Proposed Audit Adjustments
• Does this mean that Internal Controls were not
  effective in fairly presenting financial
  information?
• Sometimes methodology and approach differs

43
Application to Arizona

• Decentralized Environment
• 135 State agencies
• Some agencies have own system
• Some agencies have own financial statements

44
Application to Arizona

• Internal Controls combination of Statewide and
  Agency
• Reliance on Policies, Procedures, Communications

45
Application to Arizona

• Primary Concern an Internal Control problem at
  a large agency or combination of agencies could
  now become a statewide Opinion Qualification
• Perception and Understanding of Importance of
  Internal Controls

46
Application to Arizona

• Planning and Preparation Essential
• Discuss with Auditors
• Coordinate with Agencies/CFOs
• Communication and Relationships Key
• Manage Expectations

47
Application to Arizona

• Follow Common Project Cycle
• Plan
• Implement
• Evaluate
• Adjust as needed

48
Questions and Discussion