Red River TASBO Internal Control as it Relates to the School District Audit Presented by: Michael D. Edgin, CPA Edgin, Parkman, Fleming & Fleming, PC 1 Overview We are going to review: • History of the Auditor’s role regarding internal control • Changes to that role relative to the Statement on Auditing Standards 2 Historically Speaking Obviously, Auditors have dealt with internal control for years. However, there may be a misconception of the Auditor’s actual role. Historically, we will look at: – Government Auditing Standards (GAS) – Single Audit Act 3 Government Auditing Standards (GAS) • Management is responsible for establishing and maintaining effective internal controls over financial reporting. • The Auditor must consider internal control over financial reporting. • The consideration is for planning and performing the audit only. • The consideration is not for expressing an opinion on the effectiveness of the internal control. 4 Government Auditing Standards (GAS) • The Auditor will not necessarily identify all deficiencies in internal control. • The Auditor is required to report reportable conditions (now significant deficiencies) and material weaknesses that come to their attention only. 5 Single Audit • A Single Audit is required if an entity expends $500,000 or more in a fiscal year in federal programs – not every school district is required to have a Single Audit. • Management is responsible for establishing and maintaining effective internal controls over compliance with the requirements of laws, regulations, contracts, and grants applicable to federal programs. • The Auditor’s focus is only on those grants being tested (the major programs). 6 Single Audit (Cont’d) • The Auditor is only required to test those areas that could have a direct and material effect on the major federal programs being tested. • The tests of internal control are made only to determine the Auditor’s audit procedures for expressing an opinion of compliance only (not on internal controls). • No opinion is expressed on the effectiveness of internal control on compliance. 7 Summary • The Auditor is not required to test internal controls over financial reporting in a GAS audit. • In the past, most Auditors considered the audit risk at maximum and just performed substantive tests. • Only in a Single Audit was it required to test internal controls, but it was limited to compliance with major federal programs. However, it is up to the Auditor’s professional judgment on what to test or not. • However, in all cases the Auditor does not express an opinion on the internal controls of the District. However, if the Auditor discovers a weakness in internal control, the firm must report it. 8 Changes to the Auditing Standards Effective in fiscal year ended August 31, 2007 and 2008, there are new Statements on Auditing Standards (SAS) that dramatically impact the audit as follows: – SAS No. 112 – SAS Nos. 104-111 – SAS No. 114 9 SAS No. 112 • This new SAS titled ‘Communicating Internal Control Related Matters Identified in an Audit’ was effective for the 2006-07 audits. • It changed the wording and definitions previously used. • Reportable Conditions changed to Significant Deficiencies. • The terminology for Material Weakness did not change, only the definition. 10 SAS No. 112 (Cont’d) • However, the definitions of each changed lowering the thresholds making lesser items significant deficiencies and material weaknesses. • For example, if a material audit adjustment is made, by definition, this has to be reported as a material weakness in internal control over financial reporting. • This was mostly a communication requirement. It did not change the audit approach or process. 11 Risk Assessment Standards • The new SAS Nos. 104 to 111 are collectively called the Risk Assessment Standards. • They are effective for the 2007-08 audits. • In summary, they require the Auditor to evaluate and perform audit procedures where there is more audit risk. • Consequently, there is more emphasis on the planning process and the District’s internal control. • The better the entity’s internal control, the less risk, and visa-versa. • The Auditor is still not expressing an opinion on internal control over financial reporting under GAS or internal control over compliance in a Single Audit. 12 Risk Assessment Standards (Cont’d) • However, the Auditor will focus more on internal control and perform additional procedures compared to the prior year. • The most notable procedure required is called a ‘walkthrough’. • Walk-throughs are required for each major transaction cycle. • The Auditor will select an actual transaction and walk it through the accounting process to ensure the entity is doing what it says it is doing. For example, if a District’s policy is to vouch the quantities received to the quantities invoiced by the vendor, then the Auditor should be able to see the documentation of the procedure in the accounting records. 13 Risk Assessment Standards (Cont’d) • Consequently, the Auditor will spend more time in the audit planning phase getting more specifics on the procedures in place and testing them through the walk throughs. • What could happen this year is more findings relative to internal control since more procedures are being performed. 14 SAS No. 114 • This Auditing Standard is labeled ‘The Auditor’s Communication with Those Charged with Governance’. It is effective for the 2007-08 audits. • For school districts, those charged with governance would be the District’s Board of Trustees. • Its goal is to create a better working relationship between the Auditor and the Board of Trustees. • It requires the communication of the following: – Auditor’s responsibilities under generally accepted auditing standards, – Overview of the planned scope and timing of the audit, and 15 – Significant findings from the audit. SAS No. 114 (Cont’d) • Significant findings from the audit include: – Significant difficulties encountered during the audit. – Uncorrected misstatements. – Disagreements with management. – Other findings on issues arising from the audit that are, in the professional judgment of the Auditor, significant and relevant to the Board of Trustees regarding their oversight of the financial reporting process. 16 SAS No. 114 (Cont’d) • What all of this means is that some things that have historically only been discussed with District management will be required to be communicated to the Board of Trustees in writing. • EPFF actually implemented this SAS last year to coincide with SAS 112. 17 Summary • There are no new requirements to express an opinion on internal control. • However, the Auditor will be spending more time understanding and possibly testing internal control. • More findings and/or comments may result from the increased procedures. • In my opinion, internal control is a process, and changes from time-to-time. That is why we performed interim audit procedures on all of our audits last year. If something surfaced at interim, we encouraged action to be taken by year-end to avoid any findings, significant deficiencies, and/or material weaknesses. 18 What Can Your District Do? • Review the District’s procedures manual and determine if you are really doing what your documentation states. • If your procedures are not in writing, consider doing so. Therefore, regardless of personnel changes, training, etc., there is a single resource that clearly documents what should be done. • Make sure the procedures performed are clearly documented for a third party to see. • If your auditor does not perform interim audit procedures at your district, you may consider it. It will help identify any potential concerns so actions can be taken to correct them prior to the year-end audit procedures. 19 Questions? Thank you!! 20