With the recent release of SAS Nos. 112 and 114, expectations have increased for auditors to openly and candidly communicate significant findings and issues related to the audit. This course will help you understand how to implement these standards as well as other forms of auditor/accountant communications including engagement and management representation letters, confirmations, auditor/accountant reports and other types of communications.
SAS No. 112 – Establishes standards and provides guidance on communicating matters related to an entity's internal control over financial reporting including evaluating the severity of control deficiencies identified in an audit of financial statements.
SAS No. 114 – Identifies specific matters to be communicated and provides guidance on the communication process, in particular, the principal purposes of communication and the importance of effective two-way communication.
SSARS No. 1 – Establishes the standards by which compilation and review engagements are performed.
OBJECTIVES
PREREQUISITE: Basic understanding of accounting and auditing principles
733740
Chapter 1
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit Learning ObjectivesAfter completing this chapter, the participant should
Introduction
In May 2006, the AICPA's Auditing Standards Board (ASB) issued SAS No. 112 which establishes standards and provides guidance on communicating matters related to an entity's internal control over financial reporting (internal control) identified in an audit of financial statements.
The ASB believes that SAS No. 112 will strengthen the quality of auditor communications concerning internal control matters noted in a financial statement audit. In particular, SAS No. 112
The AICPA has also issued its Audit Risk Alert, Understanding SAS No. 112 and Evaluating Control Deficiencies – A Companion to SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, which is intended to help users understand and implement the requirements of SAS No. 112.
SAS No. 112 is included as Appendix A, and the Audit Risk Alert is included as Appendix B to this course material. Excerpts and examples from both are included throughout the course.
Why SAS No. 112 Was IssuedThe Sarbanes-Oxley Act of 2002 and the issuance of Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, created considerable interest in management's responsibility for internal control and the auditor's responsibility for bringing certain internal control related matters to management's attention in an audit of financial statements. Auditing Standard No. 2 was superseded by Auditing Standard No. 5, An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements, when it was approved by the Securities and Exchange Commission (SEC) on July 25, 2007 and only applies to audits conducted in accordance with PCAOB standards. Generally, this means that Auditing Standard No. 5 applies to audits of public companies (issuers1). However, the issuance of both Auditing Standard Nos. 2 and 5 has created a desire on the part of nonissuers to better understand and evaluate control deficiencies.
The ASB revised SAS No. 60 because it believed there was a need to reconsider and clarify the internal control matters that auditors must communicate to their audit clients. The ASB recognized that auditors were perceived to be inconsistent in communicating the significant deficiencies and material weaknesses identified in prior audits that had not yet been remediated. The ASB also concluded that generally accepted auditing standards (GAAS) should require auditors to communicate these matters in writing, rather than continue to provide auditors with the option of communicating them orally. To achieve greater consistency with Auditing Standard No. 2, the ASB decided that certain terms and definitions in SAS No. 60 should be replaced with the corresponding terms and definitions in Auditing Standard No. 2. Finally, the ASB concluded that it would be beneficial to incorporate some of the guidance in Auditing Standard No. 2 on evaluating control deficiencies that would be applicable to audits of nonissuers.
Key RequirementsSAS No. 112 supersedes SAS No. 60, Communication of Internal Control Related Matters Noted in an Audit, as amended. SAS No. 112 is applicable whenever an auditor expresses an opinion on financial statements (including a disclaimer of opinion) and has two unconditional requirements:
SAS No. 112 is effective for audits of financial statements for periods ending on or after December 15, 2006.
1 An issuer is an entity subject to the provisions of the Sarbanes-Oxley Act of 2002 or the rules of the SEC. Nothing in the PCAOB's rules precludes a CPA from conducting an audit of a nonissuer in accordance with PCAOB standards and stating so in the auditor's report.
ApplicationSAS No. 112 applies to all audits conducted in accordance with GAAS. Such audits range in size and complexity from audits of small owner-operated entities to large multi-national entities. They also range from profit-motivated entities to not-for-profit entities to employee benefit plans. The divergence in entities poses a challenge to an auditor in applying SAS No. 112 because these entities vary as to the effectiveness and sophistication of their internal control system.
Effects on AuditsSAS No. 112 provides definitions of the kinds of control deficiencies that must be communicated, optional items that may be communicated, and illustrative communications. However, an auditor will need to understand the entity and its environment, including its internal control, in order to analyze the facts and circumstances surrounding control deficiencies, and apply sound judgment in determining the items that must be communicated.
The SAS No. 112 requirement that the communication relating to certain internal control deficiencies be in writing may pose particular problems in audits of smaller entities. Such entities may not have the sophisticated internal control systems generally found in larger companies, and therefore, the auditors of smaller entities may be more likely to identify and have to communicate significant deficiencies and material weaknesses to these clients. This could create unnecessary conflict between the auditor and the client. The prevention or resolution of such conflict will require better communication between the auditor and the client concerning these matters.
Auditors of smaller entities should also recognize that SAS No. 112, together with the requirements of the Risk Assessment Standards (SAS Nos. 104-111), may have a significant impact on their work. These requirements are likely to cause an auditor to focus more closely on internal control, which may reveal control deficiencies that require communication under SAS No. 112.
733740
