1 / 17

SAS 112 Update Chapter 9 Presented by Chris Ray, Partner KPMG LLP KPMG LLP

SAS 112 Update Chapter 9 Presented by Chris Ray, Partner KPMG LLP KPMG LLP. SAS No. 112. Was implemented during the CSU’s June 30, 2007 audits Established standards and provided guidance on communicating matters related to internal control Defined control deficiencies as either:

gwidon
Download Presentation

SAS 112 Update Chapter 9 Presented by Chris Ray, Partner KPMG LLP KPMG LLP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SAS 112 UpdateChapter 9Presented by Chris Ray, PartnerKPMG LLPKPMG LLP

  2. SAS No. 112 • Was implemented during the CSU’s June 30, 2007 audits • Established standards and provided guidance on communicating matters related to internal control • Defined control deficiencies as either: • Control deficiencies • Significant deficiencies • Material weaknesses

  3. “Control Deficiencies” Exist… • When the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

  4. Deficiency in Design Exist When… • A control necessary to meet the control objective is missing or • An existing control is not properly designed so that, even if it operates as designed, the control objective is not always met.

  5. A Deficiency in Operation Exists When… • A properly designed control does not operate as designed or • When the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

  6. Unconditional Requirements • An auditor is required to evaluate whether identified control deficiencies are, individually or in combination: • significant deficiencies or • material weaknesses • Significant deficiencies and material weaknesses are required to be communicated in writing to those charged with governance.

  7. Definitions of Significant Deficiency and Material Weakness • Significant deficiency: a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles (GAAP) such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. • Material weakness: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

  8. Magnitude • The magnitude of a misstatement may be: • Inconsequential • More than inconsequential but less than material • Material • Factors that may affect the magnitude of a misstatement that could result in a deficiency or deficiencies in controls include by are not limited to the following: • The financial statement amounts or total of transactions exposed to the deficiency • The volume of activity in the account balance or class of transactions exposed to the deficiency in the current period or expected in future periods.

  9. Significant Deficiency Indicators • Controls over the selection and application of GAAP accounting principles • Antifraud programs and controls • Controls over non-routine and nonsystematic transactions • Controls over period-end financial reporting process, including controls over procedures used to enter transaction totals in the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.

  10. Significant Deficiency Indicators (Continued) • Examples of situations which indicate the controls over the period-end financial reporting process were either not designed appropriately or were not operating effectively: • When adjustments and/or financial statement reclassifications are identified by the auditor which were not originally identified by management, these represent factors that indicate the controls over the financial reporting process were either not designed appropriately or were not operating effectively. • The quantitative and qualitative nature of the adjustments and/reclassifications are then required to be evaluated to determine if the amounts are either more than inconsequential or material to the respective financial statements. In addition to the actual amounts of the adjustments or reclassifications identified, the auditor is also required to consider the potential for unrecorded amounts. • Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness, even though such deficiencies are individually insignificant.

  11. Material Weakness Indicators • Ineffective oversight of the entity’s financial reporting process and internal control by those charged with governance • Restatement of previously issued financial statements • Identification by the auditor of a material misstatement in the financial statements not initially identified by the entity’s internal control • An ineffective internal audit function or risk assessment function • Identification of fraud of any magnitude on the part of senior management • Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them or either correct it or conclude that it will not be corrected.

  12. Magnitude/Likelihood

  13. The Prudent Official Test The last step in the evaluation is to conclude the following: • Would a prudent official consider an identified control deficiency to be at least a significant deficiency? If yes, would the prudent official consider the same to be a material weakness? • The prudent official test is used only to increase the severity of a control deficiency and NOT to justify a decrease in the severity.

  14. Examples of Significant Deficiencies and Material Weaknesses noted during CSU’s June 30, 2007 Audits Financial Reporting • Issues were noted related to the conversion of legal basis accounting records to the accrual basis of accounting in accordance with U.S. generally accepted accounting principles (GAAP). • The following are examples of the issues noted: • Incomplete account reconciliations • Lack of support of components comprising financial statement amounts • Detailed listings and support ledgers that do not support amounts reflected in the financial statements • Inaccurate completion of the required financial reporting packages requiring various audit adjustments and reclassification entries not initially identified by management • Inaccurate completion of the respective entities financial statements requiring various audit adjustments and reclassification entries not initially identified by management

  15. Examples of Other Significant Deficiencies Noted During CSU’s June 30, 2007 Audits Information Technology – Segregation of Duties • At one of the campuses, we noted that all payroll department employees have access to both Personal Information Management System (PIMS) and Common Management System (CMS)/Financial Reporting System (FRS). Thus all employees can add/delete/change employee pay, while also submitting changed files to State Controller's Office. We noted overall that campus management (IT or Business Process Management) does not perform a periodic review to help ensure proper segregation of duties exists among critical business functions within the PeopleSoft Finance and HR modules.

  16. Examples of Other Significant Deficiencies noted during CSU’s June 30, 2007 Audits Information Technology – User Access • Based on our review of security and access privileges in-scope applications and systems at the campuses, we observed that certain obsolete, inactive, or otherwise inappropriate user profiles have not been disabled. Below is the list of the issues we encountered during our review which were present in varying degrees at each of the campuses tested in the current year: • Users have inappropriate system administrative access to the PeopleSoft Finance and HCM applications and the PeopleSoft database, • Users had inappropriate access to override the matching rules within the PeopleSoft Finance application. • Users had inappropriate access to enter and modify grades within PeopleSoft application. • Users with system administrative access to PeopleSoft FIN application had inappropriate access rights.

  17. Questions?

More Related