670 likes | 864 Views
Introduction: SAS 112. What does SAS 112 do?. Establishes new requirements: For auditors to communicate internal control matters. What does SAS 112 do?. Defines the terms: “Control Deficiency” “Significant deficiency” “Material weakness”. What does SAS 112 do?.
E N D
Introduction: SAS 112
What does SAS 112 do? Establishes new requirements: For auditors to communicate internal control matters
What does SAS 112 do? Defines the terms: “Control Deficiency” “Significant deficiency” “Material weakness”
What does SAS 112 do? Provides guidance for evaluating the severity of control deficiencies
What does SAS 112 do? Requires auditors to communicate in writing with those responsible for organizational governance
When is it applicable? Effective for audits of periods ending on or after December 15, 2006
SAS 112: Governance
Who provides governance? • Persons responsible for: • Overseeing strategic direction • The entity’s financial reporting and disclosure process Board of Directors and Committees Management
SAS 112 Control Deficiencies
Deficiency in “Design” • Exists when: • A control necessary to meet the control objective is missing, or • 2. A control is not designed to achieve the control objective
Deficiency in “Design” • SAS 112 Identified Significant or Material Deficiency • InadequateDocumentation • COMPONENTS • OFINTERNALCONTROL • Control Environment • Risk Assessment (including Fraud) • Control Activities • Information and Communication • Monitoring
COMPONENTS OFINTERNALCONTROL Internal Control - Integrated Framework Defined 1st by “COSO” 1992, 2004 Committee of Sponsoring Organizations the TREADWAY COMMISSION Formed in 1985 Sponsor National Commission on Fraudulent Financial Reporting Treadway was former SEC Commissioner AICPA, AAA, IIA, NAA, FEI Industry, Public, Investment Firms, NYSE
InternalControlComponents as per the IntegratedFramework Common Language in Audit Standards and Regulatory Guidance AICPA (Auditing Standards Board) Generally Accepted Auditing Standards (GAAS) SAS #112 “Communicating Internal Control Related Matters Identified in an Audit” Effective for Audits of Financial Statements Periods Ending On or After December 15, 2006
InternalControlComponents as per the IntegratedFramework Common Language in Audit Standards and Regulatory Guidance GAO “Yellow Book” Government Auditing Standards (GAS) 2007 Revision Effective for Engagements Periods Beginning On or After January 1, 2008 OMB Circular A-133 Implementation Circular for Single Audit Act and Amendments And Requires Audits in Accordance with “GAS”
Deficiency in “Design” Other Examples: Absent or inadequate segregation of duties within a significant account or process Failure to perform reconciliations of significant accounts Inadequate design of internal control over the preparation of financial statements
Deficiency in “Design” Other Examples: Employees or management who lack the qualifications and training to fulfill their assigned functions Restatement of previously issued financial statements Identification by auditor of material misstatements during audit not identified by entity internal control
Deficiency in Design Other Examples: Ineffective oversight of the entity’s financial reporting and internal control by “those charged with governance.”
Deficiency in “Operation” • Exists when: • 1. Control does not operate as it was “designed” • Responsible staff “do not actually perform the control”
Important Note! You can outsource controls but your auditor cannot be used as a control
SAS 112 Definitions: • Deficiency • Significant Deficiency • Material Weaknesses
TERMINOLOGY Old Versus New
SAS 112 / Yellow Book Definitions “Control Deficiency”
SAS 112 / Yellow Book Definitions “Significant Deficiency”
SAS 112 / Yellow Book Definitions “Material Weakness”
SAS 112 Classification Factors: • Likelihood • Magnitude
CLASSIFCATIONS “Likelihood”and “Magnitude” (Of a Potential Misstatement of the Financial Statements)
Significant Deficiencies • Controls over selection and application of GAAP principles • Antifraud programs and controls
Significant Deficiencies • Non-routine and non-systematic transactions • Period-end financial reporting processes including year-end adjusting journal entries
Evaluating Deficiencies General Considerations
Evaluating Deficiencies • Factors affecting magnitude of misstatement resulting from deficiency: • F/S amounts or transactions exposed to deficiency • Volume of activity in account balance • Class of transactions exposed to deficiency • Compensating controls
Evaluating Deficiencies Factors affecting magnitude of misstatement resulting from deficiency Nature of accounts, disclosures, and assertions involved
Evaluating Deficiencies Factors affecting magnitude of misstatement resulting from deficiency: Susceptibility of related assets or liabilities to loss or fraud
Evaluating Deficiencies Factors affecting magnitude of misstatement resulting from deficiency Subjectivity-complexity of amounts and extent of judgment involved.
Important Note! The auditor must consider whether “prudent individuals,” having knowledge of facts and circumstances, would come to the same conclusion.
Evaluating Deficiencies Other Strong Indicators of Significant Deficiencies
Significant Deficiency Strong indicators: Ineffective internal audit, risk assessment, or regulatory compliance functions
Significant Deficiency Strong indicators: Identified fraud of any magnitude by senior management.
Significant Deficiency Strong indicators: Failure to assess and correct the effect of a previous significant deficiency (or conclude it will not be corrected).
Communication Illustrative written communications: 1. Audit Risk Alert – Understanding SAS 112 2. Evaluating Control Deficiencies – A Companion to SAS 112
Communication Written communication is required no later than 60 days following the issuance of the audit report.
Communication Verbal communication is not an option. All required communication under SAS 112 must be in writing.
Communication Should include all significant deficiencies and material weaknesses (even if communicated previously)
Communication Nothing precludes the auditor from communicating other matters of potential benefit to the entity
Communication Client may ask auditor to issue a communication indicating no material weaknesses were identified
Important Note! Auditor should not issue a written communication stating no significant deficiencies were identified Potential for misinterpretation Provides limited assurance
Communication Management can prepare a written response to the auditor’s communication
Important Note! Existence of deficiencies may be known to management and the BOD May represent a conscious decision by management to accept a degree of risk because of cost or other considerations.