Finance and Business Operations Symposium

Connecting Great Ideas and Great People

Finance and Business Operations Symposium

Gelman, Rosenberg & Freedman, CPAs Ms. Terri McKnight, CPA, DirectorMr. Jim Larson, CPA, Director

Understanding SAS No. 115: “Communicating Internal Control Related Matters Identified in an Audit”

May 6, 2010

Agenda Topic 1 - Definitions Topic 2 – Risk Assessment Standards Topic 3 – Key Concepts Topic 4 – Deficiencies in Design &

Operation Topic 5 – Evaluating Deficiencies Topic 6 – Communication & Responsibility Topic 7 - Scenarios

Presentation derived from AICPA

On October 2008, ASB issued SAS No. 115. Effective for all audits of financial statements for

the periods ending on or after December 15, 2009.

Supersedes SAS No. 112. This statement was issued to converge definitions

for the various kinds of deficiencies in internal control with PCAOB standards.

3

SAS No. 115

Key Differences: SAS No. 112 vs. SAS No. 115

A change in definitions in determining significant deficiencies, material weaknesses, AND the process for making that determination.

SAS No. 112 - Auditor applies the criteria of likelihood and magnitude.

SAS No. 115 - Same criteria; however more judgment is allowed in determining a significant deficiency.

4

Revised Definitions

5

A control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data in accordance with GAAP such that there is more than a REMOTE LIKELIHOOD that a MISSTATEMENT of the entity’s financial statements that is more than inconsequential will not be prevented or detected.

SIGNIFICANT DEFICIENCIES:

SAS No. 112:

SAS No. 115:

A deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

Revised Definitions

6

MATERIAL WEAKNESS:

SAS No. 112:

SAS No. 115: One or combination of deficiencies such that there is a reasonable possibility (reasonably possible or probable) that a material misstatement will not be PREVENTED OR DETECTED AND CORRECTED on a timely basis.

A significant deficiency, or combination of significant deficiencies, that results in more than a REMOTE LIKELIHOOD that a material misstatement of the financial statements will not be prevented or detected.

Other Revisions in SAS No. 115 Indicators of Material Weakness consist of:

Identification of fraud, whether or not material, on the part of senior management;

Restatement of previously-issued financial statements to reflect the correction of a material misstatement due to error or fraud;

Identification by an auditor of a material misstatement of the financial statements, in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control;

Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance;

No longer includes a list of deficiencies that ordinarily would be considered at least significant deficiencies; and

Contains a revised illustrative written communication to management and those charged with governance.

7

Risk Assessment StandardsRisk Assessment Standards are the key to understanding SAS No.115:

SAS Nos. 104-111

Effective for audits of financial statements for periods beginning on or after December 15, 2006.

Establishes standards and provides guidance on planning and supervision, the nature of audit evidence, and evaluation whether the audit evidence obtained affords a reasonable basis for an option regarding the financial statements under audit.

Provides guidance concerning the auditor’s assessment of the risk of MATERIAL MISSTATEMENT (whether caused by error or fraud) in a financial statement audit.

Design and performance of audit procedures whose nature, timing, and extent are responsive for those assessed risks.

8

Primary Objective of Risk Assessment Standards

To enhance the auditor’s application of the audit risk model in practice by specifying, among other things:

More in-depth understanding of the entity and its environment, including its internal control, to identify the risks of material misstatement in the financial statements, and what the entity is doing to mitigate them.

More rigorous assessment of the risks of material misstatement of the financial statements based on that understanding.

Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.

9

Key Concepts: SAS No.115 Auditors must evaluate identified deficiencies in

internal control and determine individually or in combination, which are significant deficiencies or material weaknesses.

Deficiencies indentified as significant deficiencies and material weaknesses must be communicated in writing to management and those charged with governance.

10

Key Definition of a Deficiency

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.

11

Key Concepts: Does Not Allow

12

Auditors do not have to find an actual misstatement.

Judged on the potential to cause misstatement.

Key Concepts: Management or Employees

13

Prevention, detection & correction of misstatements are the responsibility of the company’s management, employees, and those charged with governance – not the auditor.

Auditors can recommend, but we cannot implement.

Key Concepts: Normal Course of Performing Their Assigned

Functions

14

Day-to-Day operations.

On-going activity.

Internal control is a process.

Ultimate Goal is “to have reliable financial statements”

Key Concepts: Timely Basis

15

Before the release of financial statements, including their disclosures.

Types of Deficiencies

16

Deficiency in Design.

Deficiency in Operation.

Deficiency in Design

17

A deficiency in design exists when:

a. a control necessary to meet the control objective is missing or;

b. an existing control is not properly designed, so that even if the control operates as designed, the control objective is not always met.

Deficiency in Design

Examples of Deficiencies in Design

Inadequate design of controls over the preparation of financial statements. Inadequate design of controls over a significant account or process. Insufficient control consciousness (tone at the top). Inadequate segregation of duties. Inadequate controls over the safeguarding of assets. Inadequate design of IT general and application controls. Employees or management who lack the qualification and training to fulfill

their assigned functions. Inadequate monitoring of controls.

18

Deficiency in Operation

19

A deficiency in operation exists when:

a. a properly designed control does not operate as designed; or

b. when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

Deficiency in Operation

Examples of Deficiencies in Operation

Failure in the operation of controls over a significant account or process. (i.e., dual authorization for significant purchases)

Failure of the information and communication component of internal control (not receiving accurate or timely information for remote locations in order to prepare financial statements).

Failure to perform reconciliations of significant accounts.

Undue bias or lack of objectivity of those responsible for accounting decisions.

Misrepresentation by entity personnel to auditor. Failure of an application control caused by a deficiency in the design or

operation of an IT general control.

20

Where Are They?

21

In the five interrelated components of internal control (COSO).

At the financial statement level.

On the level of relevant assertions.

In areas of significant risks.

In areas of risk for which substantive procedures alone do not provide sufficient appropriate audit evidence.

Evaluating Deficiencies Evaluate the severity of the deficiency. Severity depends on:

a. Magnitude of potential misstatement; and

b. Whether there is a reasonable possibility that the controls will fail to prevent, or detect and correct a misstatement of an account balance or disclosure.

22

NOTE: The severity does not depend on whether a misstatement actually occurred.

Evaluating Deficiencies (cont.)

Factors that affect the magnitude: Amounts or total of transactions.

Generally the maximum amount of an account balance or total of transactions that can be overstated is the recorded amount (understatements could be larger).

The volume of activity.

Risk factors that affect whether there is a reasonable possibility of a misstatement include:

The nature of the accounts. The susceptibility of the asset or liability to loss or fraud. The extent of judgment in determining the amount.

23


Materiality Matter of professional judgment.

Influenced by the auditor’s perception of the needs of users of the financial statements.

Two levels of materiality.

a. Financial statement level; and

b. Particular items in (or based upon) the financial statements.

24


If the auditor determines that a deficiency is not a material weakness, the auditor should consider whether a prudent official would agree with the auditor’s conclusion.

Because a prudent official is cautious, this test is used to increase the severity, not to justify a decrease in severity.

25

Evaluating the Severity of a Deficiency

Magnitude of Misstatement that Occurred Or Could Have Occurred

Probability of Misstatement

Reasonably Possible

Remote

Quantitatively Or Qualitatively Material

Material Weakness

Deficiency in internal control that could be a significant deficiency but not a material weakness

Less Than Material Deficiency in internal control that could be a significant deficiency, but not a material weakness

Deficiency in internal control that could be a significant deficiency but not a material weakness 26

Communication Communication should be in writing. Best if made by report release date, but no later than

60 days following release date. Can be communicated earlier if warranted. Must be communicated even if management has

accepted the risk associated with the deficiency. Auditor cannot issue written communication

that no significant deficiencies were identified during the audit.

27

What Are Your Responsibilities?

Evaluate financial statement risks. Evaluate whether internal controls are

adequate.

28

Scenario One A small nonprofit organization has only one

person in charge of the accounting and reporting function. The processing, recording, and implementation of accounting transactions is preformed by this employee.

Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness?

29

Scenario One: Additional Facts The employee sends the Treasurer the checks and

related invoices for review. Through discussions with the Treasurer, he/she only

reviews checks over $2,000. The Treasurer sends all documents back to the

accounting professional.


30

Scenario One: Additional Facts (cont.)

The Treasurer receives the bank statement directly from the bank.

The Treasurer reviews all transactions, including those below $2,000, for reasonableness. Then, he/she gives the bank statement to the employee for reconciliation.

The Treasurer also reviews the bank reconciliation when complete.


31

Scenario Two An auditor is auditing a small Association that has only one

person in charge of the accounting and reporting function. The bookkeeper has been with the company for many years and it is common for the Executive Director to leave signed, blank checks with the bookkeeper in case of an emergency.

The Executive Director or Treasurer does not perform any oversight.


32

Scenario Two: Additional Facts The Executive Director hired the auditor to perform

quarterly interim procedures. The Executive Director believes the auditor is a substitution for his/her lack of oversight. One of the auditor’s quarterly procedures is to review the bank reconciliation, which is prepared by the bookkeeper, as well as propose adjusting journal entries for other account reconciliations.


33

Scenario Three At the end of audit, the auditor always prepares

the financial statements and required disclosures because the Association’s Controller is unable to do so.


34

Scenario Three: Additional Facts Prior to signing the representation letter, the Controller:

Obtains the financial statement grouping schedules.

Obtains the schedules documenting the calculation of amounts included in the notes.

Reviews and approves these schedules. In addition, the Controller obtains a current disclosure checklist from the AICPA;

Reviews and answers the checklist to ensure propriety and completeness of the footnotes.

Reads, revises and approves financial statements with the Executive Director.


35

Connecting Great Ideas and Great People

Gelman Rosenberg & Freedman, CPAs

4550 Montgomery Avenue, Suite 650 NBethesda, MD 20814

Ms. Terri McKnight, CPA, DirectorMr. Jim Larson, CPA, DirectorPhone: 301-951-9090E-mail: [email protected]

[email protected]: www.asaecenter.org

www.grfcpa.com

Documents

Finance and Business Operations Symposium