SAS 112 ImplementationSAS 112 ImplementationPresentation to Toys-r-UsPresentation to Toys-r-UsSouthern Europe DivisionSouthern Europe Division

James GremillionJames GremillionJanuary, 2006January, 2006

Objectives• Provisions of SAS 112• How SAS 112 changed the

landscape• Legislative Auditor’s expectations• Resources

Provisions of SAS 112• Communicating Internal Control

Related Matters Identified in An Audit• Provides guidance on evaluating control

deficiencies• Requires auditor to communicate

significant deficiencies and material weaknesses in writing

• Supersedes SAS 60

Provisions of SAS 112• Why—Sarbannes Oxley Act of 2002• Issuance of PCAOB Audit Standard

No. 2• ASB decides to eliminate the

auditor’s option to communicate significant internal control issues in writing

Provisions of SAS 112• Definition of internal control per SAS 112• Process effected by management to

provide reasonable assurance about the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Provisions of SAS 112• Internal control over assets• Generally, controls that are

relevant to an audit of the financial statements are those that pertain to the entity’s objective of reliable financial reporting.

Provisions of SAS 112• Auditor is not required to perform procedures

to identify deficiencies in internal control or to express an opinion on the effectiveness of internal control

• However, auditor must obtain an understanding of the entity’s internal control. If he becomes aware of significant deficiencies or material weaknesses while obtaining this understanding, they must be reported to management.

Provisions of SAS 112• New terminology—• Control deficiency• Significant deficiency/material

weakness• Remote likelihood• More than inconsequential

Provisions of SAS 112• A control deficiency exists when

the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Provisions of SAS 112• Deficiency in design

• Deficiency in operation

Provisions of SAS 112• A significant deficiency is a control deficiency,

or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process or report financial data reliability in accordance with GAAP, such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.

Provisions of SAS 112• A material weakness is a significant

deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

Provisions of SAS 112• Remote likelihood—has the same

meaning as the term “remote” in FASB No. 5, Accounting for Contingencies—probable, reasonably possible, and remote. “Remote” means the chance of the future event or events occurring is slight.

Provisions of SAS 112• More than inconsequential—a

misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or aggregated with other misstatements, would clearly be immaterial to the financial statements.

Provisions of SAS 112• In determining whether a potential

misstatement would be more than inconsequential, the auditor should consider qualitative and quantitative factors.

Provisions of SAS 112• REQUIREMENTS• --The auditor must evaluate internal control• --The auditor must evaluate identified control

deficiencies and determine whether they are significant deficiencies or material weaknesses.

• --If significant deficiencies or material weaknesses are identified, they must be reported in writing to management.

Provisions of SAS 112• The significance of a control

deficiency depends on the POTENTIAL for misstatement, not whether a misstatement has actually occurred

Provisions of SAS 112• Section 11 of the statement gives examples of

factors that may affect the likelihood that a control, or combination of controls, could fail to prevent or detect a misstatement.

• Section 12—the maximum amount by which an account balance or total of transactions can be overstated is generally the recorded amount. However, because of the potential for unrecorded amounts, the recorded amount is not the limit of the amount of potential understatement.

Provisions of SAS 112• Multiple control deficiencies that

affect the same financial statement amount increase the likelihood of misstatement and may, in combination, constitute a significant or material weakness, even though such deficiencies are individually insignificant.

Provisions of SAS 112• Auditor should consider the mitigating

effects of compensating controls that have been tested as part of the audit. Compensating controls may mitigate, but they cannot eliminate, a control deficiency.

• A control that has an observed nonnegligible deviation rate is a deficiency regardless of the reason for the deviation, even if only one deviation was observed.

Provisions of SAS 112• Section 18 of the statement gives examples of

deficiencies that are ordinarily at least significant deficiencies in internal control. Includes—

• Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.

Provisions of SAS 112• Section 19 of the statement gives examples of

deficiencies that are strong indicators of material weaknesses. Includes—

• Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance.

• Identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the entity’s internal control, even if subsequently corrected by management.

• Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected.

Provisions of SAS 112• Communication—form, content,

and timing• Written communication—

preferably by report release date, but no later than 60 days following the report release date.

Provisions of SAS 112• Early communication—not required to be in

writing, However, final communication must be in writing.

• Auditor should not issue a written communication stating that no significant deficiencies were identified during the audit (because of the potential for misinterpretation of the limited degree of assurance provided by such a communication).

• Effective date—for periods ending on or after December 15, 2006.

How SAS 112 changed the landscape

• --The communication to management must be in writing

• --Even if the auditor communicated significant deficiencies and material weaknesses in previous years, as long as those deficiencies continue to exist, the auditor must continue to communicate them.

• --Provides guidance in evaluating the severity of control deficiencies

How SAS 112 changed the landscape

• Government auditors have been doing this for years

• Yellow Book Report• OMB A-133 Report

How SAS 112 changed the landscape

• Audit Risk Alert provides guidance for identifying control deficiencies, factors to consider, and how the revisions will affect practice.

• The term reportable condition is no longer used. Now—significant deficiency and material weakness are used to describe control weaknesses that must be communicated to management.

• The auditor cannot be part of an entity’s internal control. However, a CPA firm other than the auditor can.

How SAS 112 changed the landscape

• Changes brought about by SAS 112 will need to be explained to management, especially new terminology.

• Clean opinion but material weaknesses? • Appendix to Risk Alert includes case

studies of control deficiencies identified during the audits of specific entities, including smaller entities

Legislative Auditor’s Expectations

• Form of reports—• --Sample Yellow Book report available

on AICPA’s website• --Very late breaking news—draft

sample OMB A-133 reports are now available on AICPA’s website

• http://gaqc.aicpa.org:80/Resources/Illustrative+Auditors+Reports/

Legislative Auditor’s Expectations

• Expect more findings

• Expect findings to be repeated every year until they are corrected.

• More opinion modifications?

Legislative Auditor’s Expectations

• Preparation of financial statements• Generally, not a control deficiency if agency

hires a contract CPA (not their auditor) to prepare their financial statements.

• If agency contracts with their auditor to prepare the financial statements, auditor should consider a finding. It is up to the judgment of the CPA performing the audit as to whether the condition is a control deficiency, significant deficiency, or material weakness.

Legislative Auditor’s Expectations

• GAO—next project is revising independence Q&A, especially question of whether preparation of financial statements by the auditor impairs the auditor’s independence.

• AICPA is considering SAS 112 because much of the terminology in SAS 112 is modeled on the PCAOB standard, and PCAOB is considering revising their terminology.

• Segregation of duties findings

Resources• Statement on Auditing Standards 112, “Communicating

Internal Control Related Matters Identified in an Audit.” issued by the Auditing Standards Board of the American Institute of Certified Public Accountants

• Audit Risk Alert—Understanding SAS 112 and Evaluating Control Deficiencies, issued by the American Institute of Certified Public Accountants

• Illustrative auditor’s reports may be found at http://gaqc.aicpa.org/Resources/Illustrative+Auditors+Reports/