Internal Control Deficiencies: Assessment and Reporting Under SAS Nos. 112 & 115

• Chapter 0 - Overview
  • Course Objectives
  • Summary of SAS No. 115
    • Key Differences between SAS Nos. 112 and 115
    • Revised Definitions
    • Other Revisions in SAS No. 115
    • Appendix to this Course
  • About This Course
    • Contents
    • Conventions
• Chapter 1 - The Context for SAS No. 115 and the Risk Assessment Standards
• Learning Objectives
• Introduction
• Changes in Definition of Internal Control over Financial Reporting
  • Evolution of the Internal Control Definition
  • SAS No. 109 Definition of Internal Control
• Consideration of Internal Control in Financial Statement Audits
  • Audit Consideration of Internal Control under SAS Nos. 109 and 11
• Summary
• Chapter 2 - Analytical Procedures - Who Uses Them?
  • Learning Objectives
  • Introduction
• What Are Deficiencies in Internal Control?
  • Purpose
  • Definitions
  • Does Not Allow
  • Management or Employees
  • Normal Course of Performing Assigned Functions
  • Timely Basis
• What Are the Types of Deficiencies in Internal Control?
  • Purpose
  • Deficiency in Design
  • Importance of Recognizing Deficiencies in Design
  • Deficiency in Operation
  • Examples
  • Practice
  • Suggested Solutions
• How to Identify Deficiencies in Internal Control
  • Relation to the Audit
  • Audit Activities Likely to Identify Deficiencies in Internal Control
  • Where in the Accounting System may Deficiencies in Internal Control be Identified
  • The Five Interrelated Components of Internal Control
  • Financial Statement Level
  • Examples
• What are Relevant Assertions?
  • Relevant Assertions
  • Examples
  • Types of Assertions
  • Identifying Relevant Assertions
• What Are Significant Risks?
  • Significant Risks
  • Example
  • Identification
  • Potential Significant Risks from Nonroutine Transactions
  • Potential Significant Risks from Judgmental Matters
  • Internal Controls for Significant Risks
  • Example
• What Are Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate Audit Evidence?
  • Purpose
  • Examples
  • Identification
• Practice: Identifying Deficiencies in Internal Control
  • Suggested Solutions
• Summary
• Chapter 3 - Evaluating Deficiencies in Internal Control
• Learning Objectives
• Introduction
• A Framework for Complying with SAS No. 115
  • Other Resources
• Magnitude of Misstatement and Probability of Occurrence
  • Magnitude of Misstatement
  • Probability of Occurrence
• Practice: Assessing the Probability of a Deficiency
  • Suggested Solutions
• What Is Materiality?
  • Definition
• “Material” at the Financial Statement Level
  • Quantitative Factors
  • Qualitative Factors
• “Material” at the Particular Item Level
  • Considerations in Determining Materiality for Particular Items
  • Examples
• How to Assess the Magnitude of a Potential Misstatement
  • Basic Approach
  • Other Considerations
• Practice: Assessing the Probability of Occurrence and Magnitude of Potential Misstatements
  • Situation
  • Questions
  • Suggested Solutions
• What Are Revisions to the Magnitude of “Material”?
  • Purpose
  • The Problem
  • The Solution
• Practice: Revising the Materiality Threshold
  • Suggested Solution
• What Is the Severity of a Deficiency?
  • Definitions
• How to Categorize Deficiencies by Severity
  • Criteria for Significant Deficiency
  • Criteria for Material Weakness
  • Example
• Practice: Categorizing Deficiencies by Severity
  • Suggested Solutions
• Indicators of Material Weaknesses in Internal Control
• What Are Compensating Controls?
• What Is the Prudent Official Test?
• What Are Combined Deficiencies?
• Practice: Combination of Several Deficiencies
  • Situation
  • Suggested Solution
• Frequently Asked Question - Does Assessing Control Risk as High, Trigger a Deficiency Requiring a Written Communication?
  • Background
  • SAS No. 115 Requirements
• Framework Stages Requiring a High Degree of Judgment
• Practice: Assessing Deficiencies in Internal Control
  • Lack of Segregation of Duties
  • Lack of Client Expertise in Financial Accounting and Reporting
  • Inventory-Related Deficiency in Internal Control
  • Failure to Review Modifications of Standard Sales Contracts to Evaluate Their Effect on the Timing and Amount of Revenue Recognition
  • Fraud Involving C
  • Control Testing Exceptions
• Summary
• Suggested Solutions to Practice: Assessing Deficiencies in Internal Control
  • Situation 1 Suggested Solution
  • Situation 2 Suggested Solution
  • Situation 3 Suggested Solution
  • Situation 4 Suggested Solution
  • Situation 5 Suggested Solution
  • Situation 6 Suggested Solution
  • Situation 7 Suggested Solution
  • Situation 8 Suggested Solution
  • Situation 9 Suggested Solution
  • Situation 10 Suggested Solution
  • Situation 11 Suggested Solution
• Chapter 4 - Communicating Deficiencies in Internal Control
• Learning Objectives
• Introduction
• Who Is the Required Addressee of a SAS No. 115 Communication?
  • Definitions
• How to Identify the Addressee in Governance
  • Importance
  • Selecting the Appropriate Person Among Those Charged with Governance
  • Communication with a Governance Subgroup
• How to Communicate with Management
  • Communication with Management
  • When All of Those Charged with Governance Are in Management
• What Should Be the Date of the Communication?
  • Standard
  • Report Release Date
  • Interim Communications
  • Practical Matters
• What Are the Contents of the SAS No. 115 Communication?
  • Prior-Year Matters Not Communicated in Writing
  • Prior-Year Matters Not Remedied Due to Cost Benefit Considerations
  • Illustrative Written Communication
  • Need for Planning
  • Option to Include Additional Language in the Communication
  • Language Describing Inherent Limitations of Controls
  • Language Explaining Management Override of Controls
  • Language Describing Auditor’s Consideration of Internal Control
  • Determining Whether Additional Language Should Be Used
• Communication for Submission to Governmental Authorities or Other Specified Parties
  • Applicability
  • Requisite Conditions
  • Practice Note
  • Illustrative Communication for Submission to Governmental Authorities
• Prohibition against Issuing a “No Significant Deficiencies” Communication
• Management’s Written Response to the Auditor’s SAS No. 115 Communication
  • Desirability of Management’s Written Response
  • Practice Note
  • Need for Planning
• What Other Communications Regarding Internal Control Matters Are Available?o
• Summary
• Chapter 5 - Practice Issues
• Learning Objectives
• Introduction
• Understanding Internal Control and Internal Control Services
  • What Is Internal Control?
  • Management Objectives
  • Internal Control over Financial Reporting
  • Components of Internal Control
  • What Are Nonattest Services?
  • What Are Internal Control Services?
  • Summary
• Technical Practice Aids
  • Internal Control
• Nonattest Services, Internal Control over Financial Reporting, and Auditor Independence
  • Overview
  • Practical Guidance for Private Company Auditors
  • Analysis
  • Responses to Consider
• Accounting Services and Deficiencies in Internal Control over Financial Reporting
  • Overview
  • Practice Exercise
  • Suggested Solution
  • Analysis
  • Responses to Consider
• Responses to Consider
• Effects of SAS No. 115 on the Audit
  • The Challenge
  • Areas Demanding a High Degree of Judgment
  • Other Challenges
  • Challenges and Opportunities for Practitioners
  • Changing the Client’s Perception
  • Changing Your Own Perception
  • Opportunities and Cautions
• Private Companies Practice Section SAS No. 112 Frequently Asked Questions
  • SAS No. 112 Frequently Asked Questions
  • What Is SAS No. 112?
  • What’s Changing as a Result of SAS No. 112?
  • What Is Internal Control Over Financial Reporting?
  • What Other Concepts Does a Member Need to Understand in Order to Implement SAS No. 112?
  • Refreshing Your Staff on the COSO Internal Control Framework
  • What Has Changed for Those Performing Governmental Audits?
  • Why is it Necessary to Reiterate Deficiencies from Prior Years?
  • Will SAS No. 112 Cause an Increase of Time and Fees on an Engagement?
  • What Additional Client Communications or Services May Result from Applying this Standard?
  • How Does an Auditor Determine any Potential Cost Increase to their Client?
  • How Does an Auditor Convey the Benefits of SAS No. 112?
  • What Concerns Does SAS No. 112 Raise Regarding the Potential Loss of Services a Practitioner Can Perform for His or Her Client (i.e., Preparation of Financial Statements, Making Recommendations for Adjusting Journal Entries, Managing a Client’s Fixed Assets Schedule and Making Recommendations on the Depreciation Schedules and Adjustments, etc.)?
  • What Are the Guidelines to Determine Whether a Client has Sufficient Accounting Competence and Knowledge to Detect or Prevent a Misstatement or Mistake (i.e., In the Case of Calculating the Depreciation Adjustment, Preparing Financials, etc)?
  • The Client has Designated a Person on Staff to Review the Financial Reports, Adjustments, etc., that the Auditor Is Providing. Is This Considered an Internal Control?
  • What Does the Auditor Need To Do Once a Control Deficiency Is Identified?
  • Can the Auditor Modify the Report in SAS No. 112?
  • The Auditor Discusses a Draft Report of Deficiencies or Weaknesses with Management and Management Responds that they have Sufficient Controls or Compensating Controls in Place. Should the Auditor Test the Controls or the Compensating Controls?
  • I Still Have Questions. Where Can I Go for Additional Information?
  • I Have Read All the Materials Suggested and Still Have Questions. Who Can I Contact?
• Summary
• Chapter 6 - Latest Developments
• Appendix A - SAS No. 115
• Appendix B - Commentary on Lists of Strong Indicators and Presumed Deficiencies
  • Deficiencies in Specified Areas that Are Presumed to Ordinarily be at Least Significant Deficiencies
    • Controls over Selection and Application of Accounting Principles
    • Antifraud Programs and Controls
    • Controls over Non-Routine and Nonsystematic Transactions
    • Controls over the Period-End Financial Reporting Process
  • Indicators of Deficiencies that Should Be Regarded at Least as Significant Deficiencies
    • Ineffective Oversight of the Entity's Financial Reporting and Internal Control by Those Charged with Governance
    • Restatement of Previously Issued Financial Statements to Reflect the Correction of a Material Misstatement
    • Auditor Finds a Material Misstatement
    • Ineffective Internal Audit or Risk Assessment Functions
    • Ineffective Regulatory Compliance Function
    • Fraud by Senior Management
    • Failure of Management to Assess and/or Remediate Known Significant Deficiencies
    • An Ineffective Control Environment

733293

Chapter 0 - Overview

Course Objectives

During the course, you will

• Familiarize yourself with the provisions of Statement on Auditing Standards (SAS) Nos. 112 and 115, Communicating Internal Control Related Matters Identified in an Audit.

• Identify primary changes from the previous auditing standard SAS No. 60.

• Learn to apply the concepts in SAS Nos. 112 and 115 through numerous illustrations and exercises.

• Be exposed to practical problems and potential solutions.

Note. Since SAS No. 112 is still effective at the time this course is being produced, and SAS No. 115 permits early implementation during the same timeframe, this course will include references to and discussions of both standards throughout the material where applicable.

Summary of SAS Nos. 112 and 115

SAS No. 112

Key Requirements

SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit, supersedes SAS No. 60 and requires that whenever an audit opinion is issued or disclaimed, within sixty days of the audit report release date, written auditor communication be given to management and those charged with governance describing significant deficiencies and material weaknesses in internal control over financial reporting that were identified in the course of the current audit (as well as those communicated in prior audits and still not remediated) and evaluated using the guidance and definitions in SAS No. 112.

Effective Date

SAS No. 112 is effective for the audit of financial statements for periods ending on or after December 15, 2006.

Application

SAS No. 112 applies to the audit of all non-issuers’ companies. Such companies range in size and complexity from small owner-operated entities to large multi-national entities. They also range from profit-motivated entities to not-for-profit entities. The divergence in entities poses a challenge to an auditor in applying SAS No. 112 because these entities vary as to the effectiveness and sophistication of their internal controls.

Effects on Audits

SAS No. 112 provides definitions of the kinds of deficiencies in internal control that must be communicated, optional items that may be communicated, and illustrative communications. However, an auditor will need to understand the entity and its environment, analyze the facts and circumstances surrounding the deficiency in internal control, and apply sound judgment in determining the items that must be communicated.

The SAS No. 112 requirement that the communication relating to deficiencies in internal control be in writing may pose particular problems in audits of smaller entities. Since such entities may not have as elaborate internal control features as some larger companies do, the auditors of smaller entities are likely to identify and communicate significant deficiencies and material weaknesses. This may create unnecessary conflict between the auditor and the client. The prevention or resolution of such conflict will require better communication between the auditor and the client. This course includes tips and hints to that end.

Because SAS No. 112 may have a significant impact on auditors of smaller entities, many of the illustrations and exercises in this course are written as applicable to be smaller entities, including owner-operated entities.

Auditors of small entities should recognize that SAS No. 112 together with the requirements of the Risk Assessment Standards (SAS Nos. 104-111) may have a significant impact on their work. These requirements are likely to cause an auditor to focus more closely on internal control, which may reveal deficiencies in internal control that require communication under SAS No. 112.

SAS No. 115

In October 2008, the ASB issued SAS No. 115, Communicating Internal Control Related Matters Identified in an Audit. SAS No. 115 supersedes SAS No. 112 and was issued to eliminate differences within the AICPA’s Audit and Attest Standards resulting from the issuance of Statement on Standards for Attestation Engagements (SSAE) No. 15, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements. SSAE No. 15 establishes standards and provides guidance to practitioners performing an examination of a nonissuer’s internal control over financial reporting in the context of an integrated audit. SSAE No. 15 aligns the definitions of the various kinds of deficiencies in internal control and the related guidance for evaluating such deficiencies with the definitions and guidance in Public Company Accounting Oversight Board Auditing Standards No. 5, An Audit of Internal Control That is Integrated with an Audit of Financial Statements. SAS No. 115, in turn, aligns the definitions and related guidance for evaluating deficiencies in internal control with the definitions and guidance in SSAE No. 15.

The AICPA has also issued the Audit Risk Alert - Communicating Internal Control Related Matters in an Audit – Understanding SAS No. 115, which is intended to help users understand and implement the requirements of SAS No. 115.

Key Differences between SAS Nos. 112 and 115

In general, SAS No. 115 retains many of the provisions of SAS No. 112; it provides guidance to enhance the auditor's ability to identify and evaluate deficiencies in internal control during an audit, and then communicate to management and those charged with governance those deficiencies that the auditor believes are significant deficiencies or material weaknesses.

The key differences between SAS No. 112 and SAS No. 115 lie in the definitions of significant deficiencies and material weaknesses and the process for making that determination. Under SAS No. 112, the auditor applies the criteria of likelihood and magnitude described in the standard to determine if a deficiency in internal control reached the threshold of a significant deficiency or material weakness. Under SAS No. 115, the same criteria are used; however, more judgment is allowed for in determining whether a deficiency in internal control is a significant deficiency.

Revised Definitions

SAS No. 112 defines a significant deficiency as

A control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.

SAS No. 115 contains the following revised definition of a significant deficiency:

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

SAS No. 112 defines a material weakness as

A significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

SAS No. 115 contains the following revised definition of a material weakness:

A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility¹ that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis.

Other Revisions in SAS No. 115

In addition to revising the definitions of a significant deficiency and material weakness, SAS No. 115

• Revises the list of deficiencies in internal control that are indicators of material weaknesses to consist of

– Identification of fraud, whether or not material, on the part of senior management;

– Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud;

– Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control; and

– Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance.

• No longer includes a list of deficiencies that ordinarily would be considered at least significant deficiencies.

• Contains a revised illustrative written communication to management and those charged with governance of material weaknesses and significant deficiencies.

Effective Date

SAS No. 115 is effective for audits of financial statements for periods ending on or after December 15, 2009. Earlier implementation is permitted.

Appendix to this Course

SAS Nos. 112 and 115 are included in Appendix A to this course material. Excerpts and examples from both are included throughout the course.

1 In this SAS, a reasonable possibility exists when the likelihood of the event is either reasonably possible or probable as those terms are used in FASB Accounting Standards Codification 450, Contingencies (SFAS No. 5).

733292