Finance and Business Operations Symposium Understanding SAS No. 115: “Communicating Internal Control Related Matters Identified in an Audit” Gelman, Rosenberg & Freedman, CPAs Ms. Terri McKnight, CPA, Director Mr. Jim Larson, CPA, Director Connecting Great Ideas and Great People May 6, 2010 Agenda Topic Topic Topic Topic Topic Topic Topic 12– 3– 4– 5– 6– 7- Definitions Risk Assessment Standards Key Concepts Deficiencies in Design & Operation Evaluating Deficiencies Communication & Responsibility Scenarios Presentation derived from AICPA SAS No. 115 On October 2008, ASB issued SAS No. 115. Effective for all audits of financial statements for the periods ending on or after December 15, 2009. Supersedes SAS No. 112. This statement was issued to converge definitions for the various kinds of deficiencies in internal control with PCAOB standards. 3 Key Differences: SAS No. 112 vs. SAS No. 115 A change in definitions in determining significant deficiencies, material weaknesses, AND the process for making that determination. SAS No. 112 - Auditor applies the criteria of likelihood and magnitude. SAS No. 115 - Same criteria; however more judgment is allowed in determining a significant deficiency. 4 Revised Definitions SIGNIFICANT DEFICIENCIES: SAS No. 112: A control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data in accordance with GAAP such that there is more than a REMOTE LIKELIHOOD that a MISSTATEMENT of the entity’s financial statements that is more than inconsequential will not be prevented or detected. SAS No. 115: A deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. 5 Revised Definitions MATERIAL WEAKNESS: SAS No. 112: A significant deficiency, or combination of significant deficiencies, that results in more than a REMOTE LIKELIHOOD that a material misstatement of the financial statements will not be prevented or detected. SAS No. 115: One or combination of deficiencies such that there is a reasonable possibility (reasonably possible or probable) that a material misstatement will not be PREVENTED OR DETECTED AND CORRECTED on a timely basis. 6 Other Revisions in SAS No. 115 Indicators of Material Weakness consist of: Identification of fraud, whether or not material, on the part of senior management; Restatement of previously-issued financial statements to reflect the correction of a material misstatement due to error or fraud; Identification by an auditor of a material misstatement of the financial statements, in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control; Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance; No longer includes a list of deficiencies that ordinarily would be considered at least significant deficiencies; and Contains a revised illustrative written communication to management and those charged with governance. 7 Risk Assessment Standards Risk Assessment Standards are the key to understanding SAS No.115: SAS Nos. 104-111 Effective for audits of financial statements for periods beginning on or after December 15, 2006. Establishes standards and provides guidance on planning and supervision, the nature of audit evidence, and evaluation whether the audit evidence obtained affords a reasonable basis for an option regarding the financial statements under audit. Provides guidance concerning the auditor’s assessment of the risk of MATERIAL MISSTATEMENT (whether caused by error or fraud) in a financial statement audit. Design and performance of audit procedures whose nature, timing, and extent are responsive for those assessed risks. 8 Primary Objective of Risk Assessment Standards To enhance the auditor’s application of the audit risk model in practice by specifying, among other things: More in-depth understanding of the entity and its environment, including its internal control, to identify the risks of material misstatement in the financial statements, and what the entity is doing to mitigate them. More rigorous assessment of the risks of material misstatement of the financial statements based on that understanding. Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks. 9 Key Concepts: SAS No.115 Auditors must evaluate identified deficiencies in internal control and determine individually or in combination, which are significant deficiencies or material weaknesses. Deficiencies indentified as significant deficiencies and material weaknesses must be communicated in writing to management and those charged with governance. 10 Key Definition of a Deficiency A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. 11 Key Concepts: Does Not Allow Auditors do not have to find an actual misstatement. Judged on the potential to cause misstatement. 12 Key Concepts: Management or Employees Prevention, detection & correction of misstatements are the responsibility of the company’s management, employees, and those charged with governance – not the auditor. Auditors can recommend, but we cannot implement. 13 Key Concepts: Normal Course of Performing Their Assigned Functions Day-to-Day operations. On-going activity. Internal control is a process. Ultimate Goal is “to have reliable financial statements” 14 Key Concepts: Timely Basis Before the release of financial statements, including their disclosures. 15 Types of Deficiencies Deficiency in Design. Deficiency in Operation. 16 Deficiency in Design Deficiency in Design A deficiency in design exists when: a. a control necessary to meet the control objective is missing or; b. an existing control is not properly designed, so that even if the control operates as designed, the control objective is not always met. 17 Examples of Deficiencies in Design Inadequate design of controls over the preparation of financial statements. Inadequate design of controls over a significant account or process. Insufficient control consciousness (tone at the top). Inadequate segregation of duties. Inadequate controls over the safeguarding of assets. Inadequate design of IT general and application controls. Employees or management who lack the qualification and training to fulfill their assigned functions. Inadequate monitoring of controls. 18 Deficiency in Operation Deficiency in Operation A deficiency in operation exists when: a. a properly designed control does not operate as designed; or b. when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively. 19 Examples of Deficiencies in Operation Failure in the operation of controls over a significant account or process. (i.e., dual authorization for significant purchases) Failure of the information and communication component of internal control (not receiving accurate or timely information for remote locations in order to prepare financial statements). Failure to perform reconciliations of significant accounts. Undue bias or lack of objectivity of those responsible for accounting decisions. Misrepresentation by entity personnel to auditor. Failure of an application control caused by a deficiency in the design or operation of an IT general control. 20 Where Are They? In the five interrelated components of internal control (COSO). At the financial statement level. On the level of relevant assertions. In areas of significant risks. In areas of risk for which substantive procedures alone do not provide sufficient appropriate audit evidence. 21 Evaluating Deficiencies Evaluate the severity of the deficiency. Severity depends on: a. Magnitude of potential misstatement; and b. Whether there is a reasonable possibility that the controls will fail to prevent, or detect and correct a misstatement of an account balance or disclosure. NOTE: The severity does not depend on whether a misstatement actually occurred. 22 Evaluating Deficiencies (cont.) Factors that affect the magnitude: Amounts or total of transactions. Generally the maximum amount of an account balance or total of transactions that can be overstated is the recorded amount (understatements could be larger). The volume of activity. Risk factors that affect whether there is a reasonable possibility of a misstatement include: The nature of the accounts. The susceptibility of the asset or liability to loss or fraud. The extent of judgment in determining the amount. 23 Evaluating Deficiencies (cont.) Materiality Matter of professional judgment. Influenced by the auditor’s perception of the needs of users of the financial statements. Two levels of materiality. a. Financial statement level; and b. Particular items in (or based upon) the financial statements. 24 Evaluating Deficiencies (cont.) If the auditor determines that a deficiency is not a material weakness, the auditor should consider whether a prudent official would agree with the auditor’s conclusion. Because a prudent official is cautious, this test is used to increase the severity, not to justify a decrease in severity. 25 Evaluating the Severity of a Deficiency Magnitude of Misstatement that Occurred Or Could Have Occurred Probability of Misstatement Reasonably Possible Remote Quantitatively Or Qualitatively Material Material Weakness Deficiency in internal control that could be a significant deficiency but not a material weakness Less Than Material Deficiency in internal control that could be a significant deficiency, but not a material weakness Deficiency in internal control that could be a significant deficiency but not a material weakness 26 Communication Communication should be in writing. Best if made by report release date, but no later than 60 days following release date. Can be communicated earlier if warranted. Must be communicated even if management has accepted the risk associated with the deficiency. Auditor cannot issue written communication that no significant deficiencies were identified during the audit. 27 What Are Your Responsibilities? Evaluate financial statement risks. Evaluate whether internal controls are adequate. 28 Scenario One A small nonprofit organization has only one person in charge of the accounting and reporting function. The processing, recording, and implementation of accounting transactions is preformed by this employee. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? 29 Scenario One: Additional Facts The employee sends the Treasurer the checks and related invoices for review. Through discussions with the Treasurer, he/she only reviews checks over $2,000. The Treasurer sends all documents back to the accounting professional. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? 30 Scenario One: Additional Facts (cont.) The Treasurer receives the bank statement directly from the bank. The Treasurer reviews all transactions, including those below $2,000, for reasonableness. Then, he/she gives the bank statement to the employee for reconciliation. The Treasurer also reviews the bank reconciliation when complete. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? 31 Scenario Two An auditor is auditing a small Association that has only one person in charge of the accounting and reporting function. The bookkeeper has been with the company for many years and it is common for the Executive Director to leave signed, blank checks with the bookkeeper in case of an emergency. The Executive Director or Treasurer does not perform any oversight. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? 32 Scenario Two: Additional Facts The Executive Director hired the auditor to perform quarterly interim procedures. The Executive Director believes the auditor is a substitution for his/her lack of oversight. One of the auditor’s quarterly procedures is to review the bank reconciliation, which is prepared by the bookkeeper, as well as propose adjusting journal entries for other account reconciliations. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? 33 Scenario Three At the end of audit, the auditor always prepares the financial statements and required disclosures because the Association’s Controller is unable to do so. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? 34 Scenario Three: Additional Facts Prior to signing the representation letter, the Controller: Obtains the financial statement grouping schedules. Obtains the schedules documenting the calculation of amounts included in the notes. Reviews and approves these schedules. In addition, the Controller obtains a current disclosure checklist from the AICPA; Reviews and answers the checklist to ensure propriety and completeness of the footnotes. Reads, revises and approves financial statements with the Executive Director. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? 35 Gelman Rosenberg & Freedman, CPAs 4550 Montgomery Avenue, Suite 650 N Bethesda, MD 20814 Ms. Terri McKnight, CPA, Director Mr. Jim Larson, CPA, Director Phone: 301-951-9090 E-mail: tmcknight@grfcpa.com jlarson@grfcpa.com Websites: www.asaecenter.org www.grfcpa.com Connecting Great Ideas and Great People