STATEMENT OF AUDITING STANDARDS 112 (SAS112)
Communicating Internal Control Matters Identified in an Audit
UC Riverside June 2007
" Today's audit environment
encourages transparency and accountability.
Therefore, an integrated campuswide effort
is needed to effectively steward
the funds entrusted to UCR.”
Chancellor Córdova
AGENDA
1- Why SAS112
2- What is SAS112
3- Impact of
SAS112
4- Internal Control
5- Minimizing risk in
dept. operations
6- What to do?
- United States Federal Law and SEC
For Public Companies
-Sarbanes–Oxley (SOX):
Requires conducting an
assessment of the effectiveness of
internal controls by management,
to be audited and approved by the
company’s independent
accountants
WorldCom
Enron
Why SAS112?
SAS112 is our SOX
- American Institute of Certified
Public Accountants
For non-profit organizations
(UCR)
- SAS 112
Non-Compliance Fine$ - Contract & Grants
University of California (2002). Fine =$1.8 m
Northwestern University (2003). Fine = $5.5m
Harvard University (2004). Fine = $2.6m
Mayo Foundation (Mayo Clinics). Fine = $6.5m
Florida International University (2005). Fine= $11.5m
University of Alabama Birmingham (2005). Fine =$3.4 m
What is SAS112?
Establishes standards for communicating internal
control issues relating to:
-integrity of financial reporting
-compliance with applicable laws and regulation
Establishes standards that classifies
communicated control issues as:
- control deficiencies
- significant deficiencies
- material weaknesses
SAS112 standards have been adopted
by the federal agencies and the
Government Audit Standards has been
updated to incorporate SAS112
Impact of SAS 112 on UCR
Due to significant changes in the
evaluation of control exceptions
and more stringent audit standards,
UCR is more likely to encounter
control issues being identified and
reported
- Increased scrutiny
- Larger audit samples
- More evidence and documentation
required during audits
- Lower audit materiality thresholds
Impact of SAS 112 on UCR
SAS 112 requires UCR to disclose
deficiencies to 3rd parties:
Regents
Sponsors (Federal, State &
Private)
3rd party creditors
Accrediting agencies
Rating agencies
Insurers
Impacts of deficiencies and weaknesses disclosures:
-negative impact on reputation for UC, UCR, VCA, and
Department
-increased internal and external audits
-audit disallowances, fines and penalties
-potential negative impact on resource allocation
Generally, internal controls
at UCR are in order and adequate,
but there are departments,
functions and areas where
we noted….
Control Issues with
- Ledger reconciliation & review
- Budget variance analysis
- Revenue monitoring
- Cash handling
- Payroll processing
- Timekeeping & billing
- Cost Transfers
- Fiscal Year End Processes
- PAN Reviews
The campus goals, related to SAS112, are to:
- Enhance understanding of Internal Controls
- Minimize Control Issues
Internal Control
Internal control is broadly defined as
a process, effected by the UC
Regents, management and other
personnel, designed to provide
reasonable assurance regarding the
achievement of objectives in the
following categories:
•Effectiveness and efficiency of
operations.
•Reliability of financial reporting.
•Compliance with applicable laws and
regulations.
Who is responsible for
implementing internal controls?
PARTNERSHIP
Central
Offices
Executive
Management
Control Units
(Deans/VC
& CFAO)
(Accounting, Audit &
Departments
(Chair/
Director,
MSO, Staff)
Advisory Services,
AP&B, OR,
etc.)
Minimizing the Risks

Department Head:




Oversees and is integrated into the financial
management process
Ensures proper controls and monitoring procedures are
in place
Ensures financial reports are accurate and meaningful
Ensure SAAs, transactors and reviewers are
appropriately trained and supported in their key
business process roles
Minimizing the Risks

Timely reconciliation and review of monthly
ledgers




Budget to Actual review
 Analysis of causes for variances
Review of payroll transactions by financial staff
and responsible manager
Regular review of financial reports by
department manager and business officer
Evidence of ledger reconciliation and review

New Ledger Recon Tool-coming soon
Minimizing the Risk

Timely resolution of errors


Frequent and late cost transfers can be a symptom of
a deficiency
Ensure sufficient segregation of duties


No one person should have complete control over the
key processing functions for financial transactions
Provides for prevention and detection



Errors
Inappropriate activities
Post Audit Notification (PAN) Reviews



Payroll/Personnel System and UCRFS transactions
Timely
Adequate
What to do:
•Control Assessment
•Training
When issues are identified:
1- Self-report
2-Assistance
3-Escalate/Remediate
4-Proactive Approach
Everyone is responsible
When control issues
or policy non-compliance
are recurring and systemic:
It will be transparent
and there will be consequences
Contacts






Gretchen Bolar, Vice Chancellor-Academic Planning &
Budget gretchen.bolar@ucr.edu
Bobbi McCracken, Asst. Vice Chancellor-Financial
Services bobbi.mccracken@ucr.edu
Mike Jenson, Director-Audit & Advisory Services
michael.jenson@ucr.edu
Bruce Morgan, Asst. Vice Chancellor-Office of
Research bruce.morgan@ucr.edu
Toffee Jeturian, Asst. Director-Audit & Advisory
Services rodolfo.jeturian@ucr.edu
Marc Guerra, Director-Financial Control &
Accountability marc.guerra@ucr.edu