
Finance and Business Operations Symposium

Finance and Business Operations Symposium. Understanding SAS No. 115: “Communicating Internal Control Related Matters Identified in an Audit”. Gelman, Rosenberg & Freedman, CPAs Ms. Terri McKnight, CPA, Director Mr. Jim Larson, CPA, Director. Connecting Great Ideas and Great People.


Presentation Transcript


  1. Finance and Business Operations Symposium Understanding SAS No. 115: “Communicating Internal Control Related Matters Identified in an Audit” Gelman, Rosenberg & Freedman, CPAs Ms. Terri McKnight, CPA, Director Mr. Jim Larson, CPA, Director Connecting Great Ideas and Great People May 6, 2010

  2. Agenda • Topic 1 - Definitions • Topic 2 – Risk Assessment Standards • Topic 3 – Key Concepts • Topic 4 – Deficiencies in Design & Operation • Topic 5 – Evaluating Deficiencies • Topic 6 – Communication & Responsibility • Topic 7 - Scenarios Presentation derived from AICPA

  3. In October 2008, the ASB issued SAS No. 115. Effective for all audits of financial statements for the periods ending on or after December 15, 2009. Supersedes SAS No. 112. This statement was issued to converge definitions for the various kinds of deficiencies in internal control with PCAOB standards. SAS No. 115

  4. A change in definitions in determining significant deficiencies, material weaknesses, AND the process for making that determination. SAS No. 112 - Auditor applies the criteria of likelihood and magnitude. SAS No. 115 - Same criteria; however more judgment is allowed in determining a significant deficiency. Key Differences: SAS No. 112 vs. SAS No. 115

  5. Revised Definitions SIGNIFICANT DEFICIENCIES: SAS No. 112: A control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data in accordance with GAAP such that there is more than a REMOTE LIKELIHOOD that a MISSTATEMENT of the entity’s financial statements that is more than inconsequential will not be prevented or detected. SAS No. 115: A deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

  6. Revised Definitions MATERIAL WEAKNESS: SAS No. 112: A significant deficiency, or combination of significant deficiencies, that results in more than a REMOTE LIKELIHOOD that a material misstatement of the financial statements will not be prevented or detected. SAS No. 115: • One or combination of deficiencies such that there is a reasonable possibility (reasonably possible or probable) that a material misstatement will not be PREVENTED OR DETECTED AND CORRECTED on a timely basis.

  7. Indicators of Material Weakness consist of: Identification of fraud, whether or not material, on the part of senior management; Restatement of previously-issued financial statements to reflect the correction of a material misstatement due to error or fraud; Identification by an auditor of a material misstatement of the financial statements, in circumstances that indicate that the misstatement would not have been detected by the entity’s internal control; Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance; No longer includes a list of deficiencies that ordinarily would be considered at least significant deficiencies; and Contains a revised illustrative written communication to management and those charged with governance. Other Revisions in SAS No. 115

  8. Risk Assessment Standards are the key to understanding SAS No. 115: SAS Nos. 104-111 Effective for audits of financial statements for periods beginning on or after December 15, 2006. Establishes standards and provides guidance on planning and supervision, the nature of audit evidence, and evaluating whether the audit evidence obtained affords a reasonable basis for an opinion regarding the financial statements under audit. Provides guidance concerning the auditor’s assessment of the risk of MATERIAL MISSTATEMENT (whether caused by error or fraud) in a financial statement audit. Design and performance of audit procedures whose nature, timing, and extent are responsive to those assessed risks. Risk Assessment Standards

  9. To enhance the auditor’s application of the audit risk model in practice by specifying, among other things: More in-depth understanding of the entity and its environment, including its internal control, to identify the risks of material misstatement in the financial statements, and what the entity is doing to mitigate them. More rigorous assessment of the risks of material misstatement of the financial statements based on that understanding. Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks. Primary Objective of Risk Assessment Standards

  10. Auditors must evaluate identified deficiencies in internal control and determine, individually or in combination, which are significant deficiencies or material weaknesses. Deficiencies identified as significant deficiencies and material weaknesses must be communicated in writing to management and those charged with governance. Key Concepts: SAS No. 115

  11. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. Key Definition of a Deficiency

  12. Key Concepts: Does Not Allow • Auditors do not have to find an actual misstatement. • Judged on the potential to cause misstatement.

  13. Key Concepts: Management or Employees • Prevention, detection & correction of misstatements are the responsibility of the company’s management, employees, and those charged with governance – not the auditor. • Auditors can recommend, but we cannot implement.

  14. Key Concepts: Normal Course of Performing Their Assigned Functions • Day-to-Day operations. • On-going activity. • Internal control is a process. Ultimate Goal is “to have reliable financial statements”

  15. Key Concepts: Timely Basis • Before the release of financial statements, including their disclosures.

  16. Types of Deficiencies • Deficiency in Design. • Deficiency in Operation.

  17. Deficiency in Design • A deficiency in design exists when: • a control necessary to meet the control objective is missing; or • an existing control is not properly designed, so that even if the control operates as designed, the control objective is not always met.

  18. Examples of Deficiencies in Design • Inadequate design of controls over the preparation of financial statements. • Inadequate design of controls over a significant account or process. • Insufficient control consciousness (tone at the top). • Inadequate segregation of duties. • Inadequate controls over the safeguarding of assets. • Inadequate design of IT general and application controls. • Employees or management who lack the qualification and training to fulfill their assigned functions. • Inadequate monitoring of controls.

  19. Deficiency in Operation • A deficiency in operation exists when: • a properly designed control does not operate as designed; or • the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

  20. Examples of Deficiencies in Operation • Failure in the operation of controls over a significant account or process. • (i.e., dual authorization for significant purchases) • Failure of the information and communication component of internal control (not receiving accurate or timely information for remote locations in order to prepare financial statements). • Failure to perform reconciliations of significant accounts. • Undue bias or lack of objectivity of those responsible for accounting decisions. • Misrepresentation by entity personnel to auditor. • Failure of an application control caused by a deficiency in the design or operation of an IT general control.

  21. Where Are They? • In the five interrelated components of internal control (COSO). • At the financial statement level. • On the level of relevant assertions. • In areas of significant risks. • In areas of risk for which substantive procedures alone do not provide sufficient appropriate audit evidence.

  22. Evaluate the severity of the deficiency. Severity depends on: Magnitude of potential misstatement; and Whether there is a reasonable possibility that the controls will fail to prevent, or detect and correct a misstatement of an account balance or disclosure. Evaluating Deficiencies NOTE: The severity does not depend on whether a misstatement actually occurred.

  23. Factors that affect the magnitude: Amounts or total of transactions. Generally the maximum amount of an account balance or total of transactions that can be overstated is the recorded amount (understatements could be larger). The volume of activity. Risk factors that affect whether there is a reasonable possibility of a misstatement include: The nature of the accounts. The susceptibility of the asset or liability to loss or fraud. The extent of judgment in determining the amount. Evaluating Deficiencies (cont.)

  24. Materiality Matter of professional judgment. Influenced by the auditor’s perception of the needs of users of the financial statements. Two levels of materiality. Financial statement level; and Particular items in (or based upon) the financial statements. Evaluating Deficiencies (cont.)

  25. If the auditor determines that a deficiency is not a material weakness, the auditor should consider whether a prudent official would agree with the auditor’s conclusion. Because a prudent official is cautious, this test is used to increase the severity, not to justify a decrease in severity. Evaluating Deficiencies (cont.)

  26. Communication should be in writing. Best if made by report release date, but no later than 60 days following release date. Can be communicated earlier if warranted. Must be communicated even if management has accepted the risk associated with the deficiency. Auditor cannot issue written communication that no significant deficiencies were identified during the audit. Communication

  27. Evaluate financial statement risks. Evaluate whether internal controls are adequate. What Are Your Responsibilities?

  28. A small nonprofit organization has only one person in charge of the accounting and reporting function. The processing, recording, and implementation of accounting transactions is performed by this employee. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? Scenario One

  29. The employee sends the Treasurer the checks and related invoices for review. Through discussions with the Treasurer, he/she only reviews checks over $2,000. The Treasurer sends all documents back to the accounting professional. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? Scenario One: Additional Facts

  30. The Treasurer receives the bank statement directly from the bank. The Treasurer reviews all transactions, including those below $2,000, for reasonableness. Then, he/she gives the bank statement to the employee for reconciliation. The Treasurer also reviews the bank reconciliation when complete. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? Scenario One: Additional Facts (cont.)

  31. An auditor is auditing a small Association that has only one person in charge of the accounting and reporting function. The bookkeeper has been with the company for many years and it is common for the Executive Director to leave signed, blank checks with the bookkeeper in case of an emergency. The Executive Director or Treasurer does not perform any oversight. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? Scenario Two

  32. The Executive Director hired the auditor to perform quarterly interim procedures. The Executive Director believes the auditor is a substitution for his/her lack of oversight. One of the auditor’s quarterly procedures is to review the bank reconciliation, which is prepared by the bookkeeper, as well as propose adjusting journal entries for other account reconciliations. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? Scenario Two: Additional Facts

  33. At the end of audit, the auditor always prepares the financial statements and required disclosures because the Association’s Controller is unable to do so. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? Scenario Three

  34. Prior to signing the representation letter, the Controller: Obtains the financial statement grouping schedules. Obtains the schedules documenting the calculation of amounts included in the notes. Reviews and approves these schedules. In addition, the Controller obtains a current disclosure checklist from the AICPA; Reviews and answers the checklist to ensure propriety and completeness of the footnotes. Reads, revises and approves financial statements with the Executive Director. Questions Is this a deficiency? Is this a significant deficiency? Is this a material weakness? Scenario Three: Additional Facts

  35. Gelman Rosenberg & Freedman, CPAs 4550 Montgomery Avenue, Suite 650 N Bethesda, MD 20814 • Ms. Terri McKnight, CPA, Director • Mr. Jim Larson, CPA, Director Phone: 301-951-9090 E-mail: tmcknight@grfcpa.com jlarson@grfcpa.com Websites: www.asaecenter.org www.grfcpa.com Connecting Great Ideas and Great People
