Finance and Business Operations Symposium
Understanding SAS No. 115:
“Communicating Internal Control Related Matters Identified in an Audit”
Gelman, Rosenberg & Freedman, CPAs
Ms. Terri McKnight, CPA, Director
Mr. Jim Larson, CPA, Director
Connecting Great Ideas and Great People
May 6, 2010
Agenda







Topic
Topic
Topic
Topic
Topic
Topic
Topic
12–
3–
4–
5–
6–
7-
Definitions
Risk Assessment Standards
Key Concepts
Deficiencies in Design & Operation
Evaluating Deficiencies
Communication & Responsibility
Scenarios
Presentation
derived from
AICPA
SAS No. 115
 On October 2008, ASB issued SAS No. 115.
 Effective for all audits of financial statements for the
periods ending on or after December 15, 2009.
 Supersedes SAS No. 112.
 This statement was issued to converge definitions for
the various kinds of deficiencies in internal control with
PCAOB standards.
3
Key Differences:
SAS No. 112 vs. SAS No. 115

A change in definitions in determining significant
deficiencies, material weaknesses, AND the process for
making that determination.

SAS No. 112 - Auditor applies the criteria of likelihood
and magnitude.

SAS No. 115 - Same criteria; however more judgment
is allowed in determining a significant deficiency.
4
Revised Definitions
SIGNIFICANT DEFICIENCIES:
SAS No. 112:
A control deficiency, or combination of control deficiencies, that
adversely affects the entity’s ability to initiate, authorize, record,
process, or report financial data in accordance with GAAP such that
there is more than a REMOTE LIKELIHOOD that a MISSTATEMENT
of the entity’s financial statements that is more than inconsequential
will not be prevented or detected.
SAS No. 115:
A deficiency or a combination of deficiencies in internal control that is
less severe than a material weakness yet important enough to merit
attention by those charged with governance.
5
Revised Definitions
MATERIAL WEAKNESS:
SAS No. 112:
A significant deficiency, or combination of significant deficiencies, that
results in more than a REMOTE LIKELIHOOD that a material
misstatement of the financial statements will not be prevented or
detected.
SAS No. 115:
One or combination of deficiencies such that there is a reasonable
possibility (reasonably possible or probable) that a material
misstatement will not be PREVENTED OR DETECTED AND
CORRECTED on a timely basis.
6
Other Revisions in SAS No. 115

Indicators of Material Weakness consist of:
 Identification of fraud, whether or not material, on the part of senior
management;
 Restatement of previously-issued financial statements to reflect the correction
of a material misstatement due to error or fraud;
 Identification by an auditor of a material misstatement of the financial
statements, in circumstances that indicate that the misstatement would not
have been detected by the entity’s internal control;
 Ineffective oversight of the entity’s financial reporting and internal control by
those charged with governance;
 No longer includes a list of deficiencies that ordinarily would be
considered at least significant deficiencies; and
 Contains a revised illustrative written communication to management and
those charged with governance.
7
Risk Assessment Standards
Risk Assessment Standards are the key to understanding SAS No.115:

SAS Nos. 104-111
 Effective for audits of financial statements for periods beginning on or after
December 15, 2006.
 Establishes standards and provides guidance on planning and supervision, the
nature of audit evidence, and evaluation whether the audit evidence obtained
affords a reasonable basis for an option regarding the financial statements
under audit.
 Provides guidance concerning the auditor’s assessment of the risk of MATERIAL
MISSTATEMENT (whether caused by error or fraud) in a financial statement
audit.
 Design and performance of audit procedures whose nature, timing,
and extent are responsive for those assessed risks.
8
Primary Objective of Risk
Assessment Standards
To enhance the auditor’s application of the audit risk
model in practice by specifying, among other things:
 More in-depth understanding of the entity and its environment,
including its internal control, to identify the risks of material
misstatement in the financial statements, and what the entity is doing
to mitigate them.
 More rigorous assessment of the risks of material misstatement of the
financial statements based on that understanding.
 Improved linkage between the assessed risks and the nature,
timing, and extent of audit procedures performed in response to
those risks.
9
Key Concepts: SAS No.115

Auditors must evaluate identified deficiencies in
internal control and determine individually or in
combination, which are significant deficiencies or
material weaknesses.

Deficiencies indentified as significant deficiencies and
material weaknesses must be communicated in writing
to management and those charged with governance.
10
Key Definition of a Deficiency
A deficiency in internal control exists when the
design or operation of a control does not allow
management or employees, in the normal course of
performing their assigned functions, to prevent or
detect and correct misstatements on a timely basis.
11
Key Concepts: Does Not Allow
 Auditors do not have to find an actual misstatement.
 Judged on the potential to cause misstatement.
12
Key Concepts: Management
or Employees
 Prevention, detection & correction of misstatements are
the responsibility of the company’s management,
employees, and those charged with governance – not
the auditor.
 Auditors can recommend, but we cannot implement.
13
Key Concepts: Normal Course of
Performing Their Assigned Functions
 Day-to-Day operations.
 On-going activity.
 Internal control is a process.
Ultimate Goal is “to have reliable financial statements”
14
Key Concepts: Timely Basis
 Before the release of financial statements, including their
disclosures.
15
Types of Deficiencies
 Deficiency in Design.
 Deficiency in Operation.
16
Deficiency in Design
Deficiency in Design
A deficiency in design exists when:
a.
a control necessary to meet the control objective is
missing or;
b.
an existing control is not properly designed, so that even if
the control operates as designed, the control objective is
not always met.
17
Examples of Deficiencies in Design

Inadequate design of controls over the preparation of financial statements.

Inadequate design of controls over a significant account or process.

Insufficient control consciousness (tone at the top).

Inadequate segregation of duties.

Inadequate controls over the safeguarding of assets.

Inadequate design of IT general and application controls.

Employees or management who lack the qualification and training to fulfill their
assigned functions.

Inadequate monitoring of controls.
18
Deficiency in Operation
Deficiency in Operation
A deficiency in operation exists when:
a.
a properly designed control does not operate as
designed; or
b.
when the person performing the control does not
possess the necessary authority or qualifications to
perform the control effectively.
19
Examples of Deficiencies in Operation

Failure in the operation of controls over a significant account or process.

(i.e., dual authorization for significant purchases)

Failure of the information and communication component of internal control (not
receiving accurate or timely information for remote locations in order to prepare
financial statements).

Failure to perform reconciliations of significant accounts.

Undue bias or lack of objectivity of those responsible for accounting decisions.

Misrepresentation by entity personnel to auditor.

Failure of an application control caused by a deficiency in the design or
operation of an IT general control.
20
Where Are They?
 In the five interrelated components of internal control
(COSO).
 At the financial statement level.
 On the level of relevant assertions.
 In areas of significant risks.
 In areas of risk for which substantive procedures
alone do not provide sufficient appropriate audit
evidence.
21
Evaluating Deficiencies
 Evaluate the severity of the deficiency.
 Severity depends on:
a. Magnitude of potential misstatement; and
b. Whether there is a reasonable possibility that the
controls will fail to prevent, or detect and correct
a misstatement of an account balance or
disclosure.
NOTE: The severity does not depend on whether a
misstatement actually occurred.
22
Evaluating Deficiencies (cont.)
 Factors that affect the magnitude:
 Amounts or total of transactions.
 Generally the maximum amount of an account balance or total of
transactions that can be overstated is the recorded amount
(understatements could be larger).
 The volume of activity.
 Risk factors that affect whether there is a reasonable
possibility of a misstatement include:
 The nature of the accounts.
 The susceptibility of the asset or liability to loss or fraud.
 The extent of judgment in determining the amount.
23
Evaluating Deficiencies (cont.)
 Materiality
 Matter of professional judgment.
 Influenced by the auditor’s perception of the needs of users of
the financial statements.
 Two levels of materiality.
a.
Financial statement level; and
b.
Particular items in (or based upon) the financial statements.
24
Evaluating Deficiencies (cont.)
 If the auditor determines that a deficiency is not a
material weakness, the auditor should consider
whether a prudent official would agree with the
auditor’s conclusion.
 Because a prudent official is cautious, this test is used
to increase the severity, not to justify a decrease in
severity.
25
Evaluating the Severity of a Deficiency
Magnitude of
Misstatement that
Occurred Or Could Have
Occurred
Probability of Misstatement
Reasonably
Possible
Remote
Quantitatively Or
Qualitatively Material
Material Weakness
Deficiency in
internal control that
could be a
significant
deficiency but not a
material weakness
Less Than Material
Deficiency in
internal control that
could be a significant
deficiency, but not a
material weakness
Deficiency in
internal control that
could be a
significant
deficiency but not a
material weakness
26
Communication
 Communication should be in writing.
 Best if made by report release date, but no later than
60 days following release date.
 Can be communicated earlier if warranted.
 Must be communicated even if management has
accepted the risk associated with the deficiency.
 Auditor cannot issue written communication
that no significant deficiencies were identified
during the audit.
27
What Are Your Responsibilities?
 Evaluate financial statement risks.
 Evaluate whether internal controls are adequate.
28
Scenario One
 A small nonprofit organization has only one person in
charge of the accounting and reporting function. The
processing, recording, and implementation of
accounting transactions is preformed by this employee.
Questions
 Is this a deficiency?
 Is this a significant deficiency?
 Is this a material weakness?
29
Scenario One: Additional Facts
 The employee sends the Treasurer the checks and
related invoices for review.
 Through discussions with the Treasurer, he/she only
reviews checks over $2,000.
 The Treasurer sends all documents back to the
accounting professional.
Questions
 Is this a deficiency?
 Is this a significant deficiency?
 Is this a material weakness?
30
Scenario One: Additional Facts
(cont.)
 The Treasurer receives the bank statement directly
from the bank.
 The Treasurer reviews all transactions, including those
below $2,000, for reasonableness. Then, he/she gives
the bank statement to the employee for reconciliation.
 The Treasurer also reviews the bank reconciliation
when complete.
Questions
 Is this a deficiency?
 Is this a significant deficiency?
 Is this a material weakness?
31
Scenario Two
 An auditor is auditing a small Association that has only
one person in charge of the accounting and reporting
function. The bookkeeper has been with the company
for many years and it is common for the Executive
Director to leave signed, blank checks with the
bookkeeper in case of an emergency.
 The Executive Director or Treasurer does not perform
any oversight.
Questions
 Is this a deficiency?
 Is this a significant deficiency?
 Is this a material weakness?
32
Scenario Two: Additional Facts
 The Executive Director hired the auditor to perform
quarterly interim procedures. The Executive Director
believes the auditor is a substitution for his/her lack of
oversight. One of the auditor’s quarterly procedures is to
review the bank reconciliation, which is prepared by the
bookkeeper, as well as propose adjusting journal entries for
other account reconciliations.
Questions
 Is this a deficiency?
 Is this a significant deficiency?
 Is this a material weakness?
33
Scenario Three
 At the end of audit, the auditor always prepares the
financial statements and required disclosures because
the Association’s Controller is unable to do so.
Questions
 Is this a deficiency?
 Is this a significant deficiency?
 Is this a material weakness?
34
Scenario Three: Additional Facts


Prior to signing the representation letter, the Controller:

Obtains the financial statement grouping schedules.

Obtains the schedules documenting the calculation of amounts included in the
notes.

Reviews and approves these schedules.
In addition, the Controller obtains a current disclosure checklist from the
AICPA;

Reviews and answers the checklist to ensure propriety and completeness of the
footnotes.

Reads, revises and approves financial statements with the Executive Director.
Questions
 Is this a deficiency?
 Is this a significant deficiency?
 Is this a material weakness?
35
Gelman Rosenberg & Freedman, CPAs
4550 Montgomery Avenue, Suite 650 N
Bethesda, MD 20814
Ms. Terri McKnight, CPA, Director
Mr. Jim Larson, CPA, Director
Phone: 301-951-9090
E-mail: tmcknight@grfcpa.com
jlarson@grfcpa.com
Websites: www.asaecenter.org
www.grfcpa.com
Connecting Great Ideas and Great People