This document provides an overview and examples of SAS 112, which establishes requirements for communicating internal control deficiencies identified during an audit. It defines key terms like control deficiency, significant deficiency, and material weakness. It discusses how auditors evaluate the severity of control deficiencies based on factors like potential misstatement, likelihood, and magnitude. Examples are provided of common control deficiencies as well as indicators of material weaknesses. Methods for strengthening internal controls over areas like cash, payroll, purchases are also outlined.
5. Objectives
Define SAS 112 (Boring)
Explain SAS 112, the nuts and bolts
–
Lots of examples
Raise awareness within your organization
What will the auditors’ areas of concern be?
–
Get the answers to the test before the test
–
All of these points are available on the internet, through
–
books, consultants, etc. Don’t reinvent the wheel when
presenting to your organization. Google “SAS 112
summary”
Reduce your audit fees
5 www.metrometro.com
6. Sas 112 - What does it do?
SAS 112 provides guidance to enhance
your ability to identify and evaluate
control deficiencies during an audit and
then communicate to management and
those charged with governance those
deficiencies that you believe are
significant deficiencies or material
weaknesses.
6 www.metrometro.com
7. What does it really do?
defines the terms quot;significant deficiencyquot; and
quot;material weaknessquot;
provides guidance on evaluating the severity of
control deficiencies identified in an audit of financial
statements; and
requires the auditor to communicate, in writing, to
management and those charged with governance
(e.g., Board of Directors), significant deficiencies and
material weaknesses identified in an audit
7 www.metrometro.com
8. Two Unconditional Requirements
The auditor must evaluate identified
1.
control deficiencies and determine
whether those deficiencies,
individually or in combination, are
significant deficiencies or material
weaknesses.
and…
8 www.metrometro.com
9. Two Unconditional Requirements
2. The auditor must communicate, in
writing, significant deficiencies and
material weaknesses to management
and those charged with governance.
Including those found in prior audits but
not yet fixed.
9 www.metrometro.com
10. What is an Internal Control
The accounting profession, collaborating in a body known as
COSO (Committee on Sponsoring Organizations) has adopted
a definition of internal controls:
A process, effected by the entity’s board of directors,
management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives
in the following categories:
Reliability of financial reporting
–
Effectiveness and efficiency of operations
–
Compliance with applicable laws and regulations
–
10 www.metrometro.com
11. Reliability of financial reporting
… refers to the published financial
statements. While this is primarily the
responsibility of an organization’s accounting
group, all transactions within the organization
are affected since transactions and financial
results emanate from all activities of an
organization.
11 www.metrometro.com
12. Operations and Compliance
The other two bullets (Operations and Compliance) also have
significance for all organization activities.
Within any department or organization, the goals of internal
controls are:
To control the financial, operational and managerial activities of a
–
department
To comply with federal, state and local laws, rules and regulations
–
and organization policies
To prevent fraud
–
To highlight positive and negative aspects of an operation or
–
function
To alert management and other concerned parties of relevant
–
required courses of action
12 www.metrometro.com
13. The Meat of SAS 112
Definition 1 – Control Deficiency
When the design or implementation of a
control does not allow management or
employees, in the normal course of
performing their assigned functions, to
prevent or detect misstatements on a timely
basis. Two categories:
Design Deficiency
–
Operation Deficiency
–
13 www.metrometro.com
14. Definition 2 – Significant Deficiency
A significant deficiency is a control deficiency, or
combination of control deficiencies, that
adversely affects the entity’s ability to initiate,
authorize, record, process, or report financial
data reliably in accordance with GAAP such that
there is more than a remote likelihood that a
misstatement of the entity’s financial statements
that is more than inconsequential will not be
prevented or detected.
14 www.metrometro.com
15. Definition 3 – Material Weakness
A material weakness is a
significant deficiency, or
combination of significant
deficiencies, that results in
more than a remote likelihood
that a material misstatement
of the financial statements will
not be prevented or detected.
15 www.metrometro.com
16. HOW DO WE DETERMINE SEVERITY?
16 www.metrometro.com
17. Evaluation of a Control Deficiency
(3 considerations)
Potential for misstatement - Not just “did” it
occur, but “will” it occur.
Likelihood – probability that a misstatement
will occur. “reasonably possible”
Magnitude – extent of the misstatement that
could occur.
17 www.metrometro.com
18. Magnitude
Inconsequential
More than inconsequential
Material
18 www.metrometro.com
19. “Prudent Official” Test
When evaluating the significance of a
deficiency, auditors are to step back and
consider whether a prudent official with the
same knowledge of the situation would agree
with our classification of the deficiency.
19 www.metrometro.com
20. Form and Timing of Communication
Significant deficiencies and material
weaknesses must be communicated in
writing within 60 days from the issuance of
the report
to management AND those charged with
–
governance.
If communicated last year but not fixed,
–
communicate again.
20 www.metrometro.com
21. EXAMPLES
We’ll tackle some general and specific
examples of control deficiencies, significant
deficiencies and material weaknesses.
21 www.metrometro.com
22. Examples of Control Deficiencies
lack of review and reconciliation of
departmental expenditures
no supervisor signature required on travel
expenditure
same person able to request and approve an
expenditure
same person does billing, opens mail,
receives and deposits checks
same person initiates and approves payroll
22 www.metrometro.com
23. Case Study
One of the most discussed deficiencies is the
Auditor preparing the client’s financial
statements. Must this be reported as a
material weakness in internal control?
Under what circumstances can an auditor
prepare statements and not have to report a
material weakness? Let’s see….
23 www.metrometro.com
24. Clients Accountant Is Capable
The client’s accountant is capable of preparing
the financial statements but is too busy. The
auditor knows the accountant is capable
because he/she prepared last year and did a
good job. Accountant provides adjusted trial
balance =
Not a control deficiency
24 www.metrometro.com
25. Clients Accountant is Capable but
does less work
Similar situation as last slide. This time, accountant
does not have enough time to prepare year end
closing entries, accruals and adjusted trial balance.
Instead, auditor is given the task of preparing
accruals, closing entries, draft statements and notes.
Accountant will review all entries and auditor
prepared documents and trace entries back to
source documents… What do you think? Control
Deficiency or no?
25 www.metrometro.com
26. The Old “Professional Judgment”
Excuse
Although the accountant is capable of doing the
work and seems to have controls in place to
prevent and detect misstatements it could be
argued that the client does not take the
closing process seriously. If the preparation
of the financial statements is a low priority
and this is an annual event, could be a
strong indicator of a material weakness.
26 www.metrometro.com
27. Clients Accountant is Not Capable
The staff accountant/bookkeeper is unable to
either adjust the trial balance or evaluate the
auditors adjustments. Neither the
accountant nor anyone else in the
organization is capable of evaluating whether
the financial statements are fairly presented
in accordance with GAAP….
Control Deficiency and Material Weakness
27 www.metrometro.com
28. Some Slam Dunks (Strong indicator of
material weakness)
Ineffective oversight by those charged with
governance of the entity’s financial reporting and
internal control, or an ineffective overall governance
structure.
Restatement of previously issued financial
statements to reflect the correction of a material
misstatement.
Auditor finds a material misstatement that was not
picked up by the internal control system.
28 www.metrometro.com
29. Slam Dunks
An ineffective internal audit function or risk
assessment function when such functions
are important to the monitoring of internal
controls such as for large or complex entities.
Identification of fraud of any magnitude on
the part of senior management.
Failure to assess the effect of a significant
deficiency previously communicated.
29 www.metrometro.com
30. Case Study – Lack of segregation of
duties
Small Nonprofit
30 www.metrometro.com
31. Audit Adjustments
Q- In reading the definition of significant
deficiency and material weakness, it seems
that if the auditor discovers material audit
adjustments during the audit, there is one or
more material weaknesses?
True or False
31 www.metrometro.com
32. Audit Adjustments
A - If the auditor discovers a material misstatement and
proposes an audit adjustment, then obviously, the
client’s system of internal control did not prevent or
detect the misstatement. Accordingly, the auditor
would have identified a control deficiency that must
be evaluated. Since the amount is material, the only
remaining question is whether the likelihood is more
than remote. If yes, then by definition, there is a
material weakness.
32 www.metrometro.com
33. Audit Adjustment Consideration
Q - A client knows there are significant audit issues that
need to be addressed in the financial records but
does not make adjustments for those issues until he
can discuss them with the auditor as to an
appropriate resolution during the audit. Once
discussed, a significant audit adjustment is then
proposed by the auditor and accepted by the
company. Would this result in the reporting of a
material weakness?
33 www.metrometro.com
34. Audit Adjustment Consideration
A - The fact that a client is aware that there is a
financial statement matter that needs
attention or clarification indicates that the
preparer could be sufficiently knowledgeable
about accounting standards. That awareness
and follow up is one element of effective
internal controls over financial reporting.
34 www.metrometro.com
35. Clean Opinion?
Q - Can the auditor still justify issuing a clean
opinion on the financial statements if the
client has significant deficiencies or material
weaknesses?
35 www.metrometro.com
36. Clean Opinion?
A - Yes, the role of the auditor is to obtain a
sufficient understanding of the entity’s
internal control sufficient to plan and conduct
his or her audit. When there are material
weaknesses, the auditor responds to those
control risks by adjusting the nature, timing
and extent of the audit procedures.
36 www.metrometro.com
38. Control Environment
The control environment sets the tone of an
organization, influencing the control consciousness
of its people. It is the foundation for all other
components of internal control, providing discipline
and structure. Control environment factors include
the integrity, ethical values and competence of the
entity's people; management's philosophy and
operating style; the way management assigns
authority and responsibility, and organizes and
develops its people; and the attention and direction
provided by the board of directors.
38 www.metrometro.com
39. Control Environment Examples
Does management communicate
to employees its views on business
practices and ethical behavior
either orally or by example?
39 www.metrometro.com
40. Control Environment Examples
Has the nonprofit organization adopted and
communicated to employees and board members a
specific policy on conflict of interest that specifies
that personnel in a position of trust are not related to
each other; employees are prohibited from having
business dealings with companies affiliated with, or
who act as major customers or suppliers of, the
nonprofit organization; transactions with officials of
the nonprofit organization are adequately controlled
and disclosed in the records; and such transactions
occur only in the normal course of business and are
approved by the governing board?
40 www.metrometro.com
41. Control Environment Example
Is management satisfied that all employees
are honest?
Does management consider the competence
levels that are necessary for various jobs and
the skills and knowledge that are required for
reliable accounting and financial reporting.
Do human resource policies and practices include
background and reference checks for new employees,
adequate training, and regular performance evaluations,
especially for accounting and IT personnel?
41 www.metrometro.com
42. Cash Controls
Mail is opened and a list of daily receipts is
prepared by two or more people independent
of the cashier and accounts receivable
bookkeeping.
Cash receipts from special events are
counted by at least two people and no more
than one volunteer.
A separate imprest payroll bank account is
used.
42 www.metrometro.com
43. Cash Controls
Checks are not to be returned to the preparer after
signing.
Stale checks are followed up on periodically by
individuals independent of accounts payable and
cash disbursement functions.
Collectors issue prenumbered receipts for canister
collections and the contents are counted in the
presence of two persons.
Prenumbered bid sheets from silent auctions are
reconciled to cash receipts.
43 www.metrometro.com
44. Cash Controls
Bank accounts are reconciled by individuals
independent of cash receipts and disbursements
functions.
Checks are prepared only after proper matching of
supporting documentation (vendor’s invoice,
receiving report, purchase order, etc.).
How does all of this relate to online bill pay? We
hardly write any checks in our office. Soon we won’t
write checks or receive checks.
44 www.metrometro.com
45. Payroll Controls
There is restricted access to:
Blank payroll checks
–
Mechanical check signers or signature plates (if
–
used)
Personnel records
–
Payroll computer files used to calculate payroll
–
45 www.metrometro.com
46. Payroll controls when using outside
service
If payroll is processed by an outside service
organization, procedures are in place to ensure that:
Time records submitted for processing are complete and
–
accurate and appropriate control totals are maintained for
subsequent reconciliation to payroll registers.
All other payroll information provided to the service
–
organization (pay rates, withholdings, etc.) is authorized,
and all authorized information is communicated.
Payroll registers produced by the service organization are
–
reviewed after processing, reconciled to control totals, and
approved prior to distribution of paychecks.
Total of paychecks and/or direct deposits agrees with
–
payroll registers.
46 www.metrometro.com
47. Controls over purchases and payables
A current purchasing manual defines
restrictions on purchases of goods or
services from governing board members,
employees, or other suppliers that would
create a conflict of interest. (Related party)
Program managers periodically compare
actual expenses to budgeted expenses and
investigate unanticipated variances.
47 www.metrometro.com
48. Controls over purchases and payables
There is an approved vendors list.
The appropriate level of management or
another appropriate person periodically
compares actual expenditures to budgeted
expenditures and follows up on significant
variances.
48 www.metrometro.com
49. Controls over donated materials,
facilities and services
The organization has established procedures
for the supervision of volunteers.
The organization maintains time sheets or
other records to substantiate the date of
donated services, nature of the services, and
time; and those records are reviewed and
approved by responsible personnel.
49 www.metrometro.com
50. Controls over revenue and receivables
The organization publishes the names of
donors in its journals, newsletters, programs,
etc., and someone independent of
accounting investigates complaints of errors
or omissions.
The organization periodically sends
statements to service recipients, members,
etc.
50 www.metrometro.com
51. Controls over revenue and receivables
Customer/member/donor complaint follow-up
is independent of accounts receivable,
bookkeeping, and cash handling.
Monthly statements of customer/member
accounts are mailed by someone other than
the person responsible for accounts
receivable bookkeeping.
The organization prohibits loans to
employees and governing board members.
51 www.metrometro.com
52. Controls over revenue and receivables
Employees with receivable responsibilities
are required to take vacations and other
employees are required to perform those
functions when an employee is absent.
The organization uses prenumbered
contribution acknowledgement forms.
52 www.metrometro.com
53. Fraud Assesment
Incentives or pressures for management to
intentionally misstate the financial statements.
The organization is experiencing a shortfall in
unrestricted contributions that may create an
incentive to use restricted net assets to cover the
shortfall.
The organization has donors, grantors, or other
providers who set up restrictions or conditions
based on reported financial statement amounts.
53 www.metrometro.com
54. Fraud Assessment
Conditions that indicate management’s personal
net worth may be threatened by the organization’s
financial performance, such as:
A significant portion of management’s compensation
–
depends on bonuses, or other incentives, the value of
which is dependent on the organization meeting
aggressive performance targets (for example, program
accomplishments, budget, fund-raising targets, financial
position, cash flow, or other financial or operating goals).
The organization is experiencing a poor or deteriorating
–
financial condition and board members or management
have personally guaranteed significant debts of the
organization.
54 www.metrometro.com
55. Fraud Assessment
The organization engages in significant
related-party transactions not in the ordinary
course of business.
Management fails to effectively define,
communicate, implement, support, or
enforce the organization’s values or ethics.
55 www.metrometro.com
56. Communication and enforcement of
ethical values
Are members of the organization’s governing body (board of directors, board of trustees,
committees of the board, etc.) elected to their positions?
Is the governing board sufficiently independent from management so that necessary questions
are raised?
Does the governing board meet in regularly scheduled meetings, and are clear, written minutes
kept of all meetings?
Does the governing board (or audit committee) hold frequent and timely meetings with the chief
financial and/or accounting personnel and external auditors?
Does the governing board (or audit committee) approve the appointment of auditors?
Does the governing board take an active interest in the financial affairs of the organization and
in the reports available to them?
Does the governing board include outside members with business experience?
Is sufficient information provided to the governing board (or audit committee) in a manner that
allows adequate and timely monitoring?
Does the governing board (or audit committee) meet with the auditors to discuss the auditor’s
report, the communication of internal control related matters, the Single Audit reports (if the
organization receives federal awards and is required to have a Single Audit), and other matters
related to the audit?
56 www.metrometro.com
58. Take Control - Make Your Audit Easier
Make less journal entries - Audit standards
require that we review journal entries for
unusual activities. The more entries, the
longer the audit takes. You can cut down on
journal entries by recording bank charges,
debits and manual checks as you would any
other cash disbursement. Record bank
account interest earned like you would a
deposit.
58 www.metrometro.com
59. Take Control - Make Your Audit Easier
Be ready for us - Make sure your auditor
has provided you with a long Client
Assistance List (CAL) or PBC (Provided by
Client) list. The longer the better so that you
can do the work at your schedule instead of
scurrying during the audit fieldwork. Number
the list and have a folder, notebook tab, or
pile for each number. Impress the auditor,
be organized, that's what we're looking for.
59 www.metrometro.com
60. Take Control - Make Your Audit Easier
Be consistent and predictable - We like ordinary
and boring. If you have a group of month end
journal entries for depreciation, accrued payroll, etc.,
make them all on one entry that looks the same each
month. Keep entries as ordinary and routine as
possible. Record deposits the same. Record
invoices the same. Make the transactions as easily
identifiable as possible.
60 www.metrometro.com
61. Take Control - Make Your Audit Easier
Support, Support, Support - Every
transaction requires support. Checks,
deposits, journal entries. Be consistent by
including the same support on each type of
transaction. Make sure every transaction
has the required approvals.
61 www.metrometro.com
62. Take Control - Make Your Audit Easier
Document your approval processes and
follow them - If a disbursement requires a
board signature, make sure it has a board
signature. Make sure your approval
processes will pass the auditor's tests.
62 www.metrometro.com
63. Take Control - Make Your Audit Easier
Don't turn the audit engagement into an
accounting engagement. Get the accounting work
done first. Post accruals, depreciation, make sure
everything ties in, etc. We don't want to do
accounting work at the audit. Auditors like to tick
and tie to get comfort that the numbers are
right. Every time we have to make an entry, you lose
credibility and it takes longer for us to get
comfortable. Your auditors don't have to be your
accountants, you can hire an accountant to do a
monthly or quarterly review so that you'll be more
prepared for your audit.
63 www.metrometro.com
64. Take Control - Make Your Audit Easier
Insist on consistency from your audit
team. Ask ahead of time, who will be
coming. Are they the same auditors as last
year? If not, push back a little bit. The more
consistency, the less learning curve and the
less interruptions.
64 www.metrometro.com
65. From RSM McGladry
Educate your board on the new requirements of SAS No. 112 and the
possible findings.
Ensure internal controls over financial reporting are formally
documented. Monitor and test these internal controls for accuracy on a
semi-annual or annual basis.
Reconcile the general ledger to the amounts reported in the financial
statements (including disclosures) and apply analytical review
procedures to the financial statements.
Begin taking inventory of your significant controls over your most
guarded assets (or financial reporting process) and start documenting
those critical aspects of internal controls.
Assess your reliance on external auditors to draft your financials. At
least for this year, formally designate a person responsible for
reviewing and approving the financial statements and design
checklists to document this review.
65 www.metrometro.com
66. Don’t reinvent the wheel – web
resources
If you want to make a powerpoint
presentation on SAS 112 to your
organization and/or its board, then google
“SAS 112 powerpoint” and several
presentations will come up.
Communicate, communicate, communicate
66 www.metrometro.com