Northwestern State University

NSU
Home 
Page

About
Internal
Audit

FAQ

Internal
Audit
Charter

Rules of
the Board

Internal
Controls

Control
Self-
Assessment

Audit
Alerts!

Internal
Audit
Related
Websites

Research
Links 

Office of
Legislative
Auditor

Internal
Auditing
Terms

Statement on Auditing Standards No. 112

(SAS 112)

SAS 112 (Communicating Internal Control Related Matters Identified in an Audit) is expected to greatly impact the upcoming external audit (by the Office of the Legislative Auditor).  SAS 112 establishes standards and provides guidance on communicating matters related to an entity's internal control over financial reporting identified in an audit of financial statements.

SAS 112 will effect the manner in which our external auditors will assess the University for fiscal year ending June 30, 2007, as SAS 112 became effective for audits of financial statements for periods ending on or after December 15, 2006. 

Specifically, SAS 112 ...

·            Defines the terms significant deficiency, material weakness, and control deficiency.

·            Provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements

·            Requires the [external] auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit

In applying the SAS 112, the [external] auditor must evaluate identified control deficiencies and determine whether these deficiencies, individually or in combination, are significant deficiencies or material weaknesses.

Accordingly, the absence of identified misstatement [actual] does not provide evidence that identified control deficiencies are not significant deficiencies or material weaknesses.  When evaluating whether control deficiencies, individually or in combination, are significant deficiencies or material weaknesses, the [external] auditor should consider the likelihood and magnitude of misstatement.

Simply stated, many accounting and audit professionals expect to see an increase in external audit findings and/or management comments, as a result of SAS 112.  This expectation is based, in part, on the new definitions within the Standard, which some believe will lower the threshold for reporting control deficiencies.  In addition, external auditors will consider the potential magnitude of a control deficiency (as opposed to the actual magnitude) in their reporting.

Examples

Significant Deficiencies in Internal Control

·        Controls over the selection and application of accounting principles that are in conformity with GAAP (generally accepted accounting principles)

o      Having sufficient expertise in selecting and applying accounting principles is an aspect of such controls

·        Antifraud programs and controls

·        Controls over non-routine and non-systematic transactions

·        Controls over the period-end financial reporting process, including controls over procedures used to...

o      Enter transaction totals into the general ledger;

o      Initiate, authorize, record and process journal entries into the general ledger; and,

o      Record recurring and nonrecurring adjustments to the financial statements

Source:  SAS 112 (AU Section 325.18)

In addition, SAS 112 provides a list of indicators of the presence of a control deficiency that should be regarded, at least, as a significant deficiency and a strong indicator of a material weakness in internal control (shown below).

Examples

Indicators of a Control Deficiency

Each of the following is an indicator of a control deficiency that should be regarded as (1) at least a significant deficiency and (2) a strong indicator of a material weakness in internal control:

·        Ineffective oversight of the organization's financial  reporting

·        Ineffective internal control by those charged with governance

·        Restatement of previously issued financial statements to reflect the correction of a material misstatement (includes misstatements due to error or fraud)

·        Identification by the [external] auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the organization's internal control

o          Includes misstatements involving estimation and judgment for which the auditor identifies likely material adjustments and corrections of recorded amounts

o          Is a strong indicator of a material weakness, even if management subsequently corrects the misstatement

·        Ineffective internal audit function

·        Ineffective risk management function

·        Ineffective regulatory compliance function

o          This relates solely to those aspects of the ineffective regulatory compliance function for which associated violations of laws and regulations could have a material effect on the reliability of the financial statements

·        Identification of fraud of any magnitude on the part of senior management

·        Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected

·         Ineffective control environment

o          Control deficiencies in various other components of internal control could lead the auditor to conclude that a significant deficiency or material weakness exists in the control environment

Control Deficiencies, Significant Deficiencies, or Material Weaknesses

Deficiency in Control Design - Exists when (1) a control necessary to meet the control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective is not always met.

·        Inadequate design of internal control over the preparation of the financial statements being audited

·        Inadequate design of internal control over a significant account or process

·        Inadequate documentation of the components of internal control

·        Insufficient control consciousness within the organization

o       For example, the tone at the top and the control environment

·        Absent or inadequate segregation of duties within a significant account or process

·        Absent or inadequate controls over the safeguarding of assets (this applies to controls that the auditor determines would be necessary for effective internal control over financial reporting)

·        Inadequate design of information technology (IT) general and application controls that prevent the information system from providing complete and accurate information consistent with financial reporting objectives and current needs

·        Employees or management who lack the qualifications and training to fulfill their assigned functions

o       For example, in an entity that prepares financial statements in accordance with generally accepted accounting principles, the person responsible for the accounting and reporting function lacks the skills and knowledge to apply generally accepted accounting principles in recording the entity's financial transactions or preparing its financial statements

·        Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity's internal control over time

·        The absence of an internal process to report deficiencies in internal control to management on a timely basis

 

Failures in the Operation of Internal Control

Deficiency in Control Operation - Exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively. 

·        Failure in the operation of effectively designed controls over a significant account or process

o      For example, the failure of a control such as dual authorization for significant disbursements within the purchasing process

·        Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy

o      For example, the failure to obtain timely and accurate consolidating information from remote locations that is needed to prepare the financial statements

·        Failure of controls designed to safeguard assets from loss, damage, or misappropriation

o      This circumstance may need careful consideration before it is evaluated as a significant deficiency or material weakness

For example, assume that a company uses security devices to safeguard its inventory (preventive controls) and also performs periodic physical inventory counts (detective control) timely in relation to its financial reporting.

Although the physical inventory count does not safeguard the inventory from theft or loss, it prevents a material misstatement of the financial statements if performed effectively and timely.

Therefore, given that the definitions of material weakness and significant deficiency relate to likelihood of misstatement of the financial statements, the failure of a preventive control such as inventory tags will not result in a significant deficiency or material weakness if the detective control (physical inventory) prevents a misstatement of the financial statements.  

Material weaknesses relating to controls over the safeguarding of assets would only exist if the company does not have effective controls (considering both safeguarding and other controls) to prevent or detect a material misstatement of the financial statements.

·        Failure to perform reconciliations of significant accounts

o      For example, accounts receivable subsidiary ledgers are not reconciled to the general ledger account in a timely or accurate manner

·        Undue bias or lack of objectivity by those responsible for accounting decisions

o       For example, consistent understatement of expenses or overstatement of allowances at the direction of management

·        Misrepresentation by client personnel to the [external] auditor (an indicator of fraud)

·        Management override of controls

·        Failure of an application control caused by a deficiency in the design or operation of an IT general control

Definitions

Control Deficiency - Exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Control deficiencies may involve one or more of the five interrelated components of internal control.

 

Deficiency in Design - Exists when (1) a control necessary to meet the control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective is not always met.

 

Deficiency in Operation - Exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively. 

Material Weakness - A significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

More than a remote likelihood - When the likelihood of occurrence of a future event or events is at least reasonably possible. Such likelihood of occurrence  be stated within a range, as follows:

Probable - The future event or events are likely to occur.

Reasonably possible -The chance of the future event or events occurring is more than remote but less than likely.

Remote - The chance of the future events or events occurring is slight.

Therefore, the likelihood of an event is "more than remote" when it is at least reasonably possible.

More than inconsequential - Describes the magnitude of potential misstatement that could occur as a result of a significant deficiency and serves as a threshold for evaluating whether a control deficiency or combination of control deficiencies is a significant deficiency. A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements.  If a reasonable person would not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.

Significant Deficiency - A control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected.

Those charged with governance - The person or persons with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting and disclosure process. 

In most entities, governance is a collective responsibility that may be carried out by a board of directors, a committee of the board of directors (for example, an audit or legislative oversight committee), a committee of management (for example, a finance, budget, or governmental agency executive committee), or some combination of these parties.