My NacuboWhy Join: Benefits of Membership

E-mail:   Password:   

 Remember Me? | Forgot password? | Need an online account?

Business Officer Magazine

SAS 112: New Requirements for Control Deficiencies

A new auditing standard, SAS 112, impacts FY07 audits for colleges and universities. It stems from one of the most controversial outcomes of the Sarbanes-Oxley Act (SOX): determining the effectiveness of internal controls over financial reporting. 

Section 404 of SOX requires publicly-held companies to document, evaluate, and test internal controls for processes that impact financial reporting. Management is required to make an assertion on the adequacy of internal controls, and the external auditor must issue a certification as well. At the time that SOX was enacted, there was not a clear standard for analyzing control deficiencies. In late 2003, the Public Company Accounting Oversight Board (PCAOB) issued Auditing Standard 2 for reporting on control deficiencies, which has been used for public companies that must comply with SOX. The American Institute of Certified Public Accountants (AICPA) then decided to use the same standards for all entities in reporting on internal control deficiencies. This new standard, SAS 112, "Communicating Internal Control Related Matters Identified in an Audit," becomes effective for fiscal years ending after December 15, 2006. While this standard does not mandate Section 404 for nonpublic entities, it affects the FY07 audits of most higher education institutions.

SAS 112 does not change the scope of what must be audited; it provides communication requirements for internal control deficiencies that are detected in financial statement audits. The focus of SAS 112 is on the internal controls over financial reporting; SAS 112 does not address other internal control components, such as effectiveness and efficiency of operations or compliance with laws and regulations.  SAS 112 defines control deficiency, significant deficiency, and material weakness  and provides guidelines on evaluating the severity of such control deficiencies in financial statement audits. 

SAS 112 Definitions

SAS 112 requires the auditor to communicate control deficiencies that are significant deficiencies or material weaknesses in internal control. The standard defines these terms as follows:

  • Control deficiency: "A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis." The significance of a control deficiency depends on the potential for a misstatement, not whether a misstatement actually has occurred.
  • Significant deficiency: A significant deficiency is "a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected."
  • Material weakness:  A material weakness is "a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected."

These definitions focus on the prevention or detection of financial statement misstatements. Criteria referenced in the definitions require discussion and analysis, such as the following:

  • "More than a remote likelihood" is subjective but underscores a key concept: Would the impact on the financial statements have been prevented or detected?
  • Other key qualifiers--"more than inconsequential" and "material"--relate to the financial statement impact of potential misstatements; this analysis is based upon the external auditor’s materiality threshold.

One of the most important aspects of the SAS 112 guidance is that any audit adjustments will need to be analyzed to see if the underlying cause (why the error was not prevented or detected) represents a serious control weakness. Consequently, all audit adjustments will be considered significant deficiencies and possibly material weaknesses. (Note: On December 19, 2006, PCAOB issued an exposure draft that would change some of the terminology, such as, 'more than remote" and "more than inconsequential." This may ultimately change the SAS 112 guidance).
Specifying Control Deficiencies
SAS 112 also outlines conditions that would be considered at least significant deficiencies--and possibly material weaknesses--in internal control.

Significant deficiencies.
Control deficiencies considered to be significant  include deficiencies over:

  • selection and application of accounting principles in accordance with GAAP;
  • antifraud programs and controls;
  • nonroutine and nonsystematic transactions; and
  • period-end financial reporting process, including journal entries and recurring and nonrecurring adjustments to the financial statements.

Significant deficiencies and possible material weaknesses.
Indicators of deficiencies that should be at least significant deficiencies and possibly material weaknesses include:

  •  ineffective oversight of financial reporting;
  • restatement of previously issued financial statements to reflect the correction of a material misstatement;
  • identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially identified by the entity;
  • an ineffective internal audit function or risk assessment function at an entity where such functions are important to internal control monitoring;
  • an ineffective regulatory compliance function at highly regulated entities;
  • identification of fraud--of any magnitude--by senior management;
  • failure by management to assess the effect of a significant deficiency that was previously communicated; and
  • an ineffective control environment.

Significant deficiencies or material weaknesses must be communicated in writing  to management and those in charge of governance--for example, to the audit committee of the board--no later than 60 days following the report release date.

Impact on Audit Coverage
It is important to communicate with the external auditors to understand their audit approach. External auditors have latitude in planning their audits and may choose to test and rely on internal controls or choose a more substantive testing approach. Substantive testing generally means validation of account balances. If the audit is heavily oriented toward substantive testing, the auditor will be less likely to test internal controls and may identify fewer control deficiencies. However the external auditors may find control deficiencies through substantive tests.

Alternatively, if the audit approach is heavily oriented toward testing and relying on internal controls, the controls will be scrutinized and held to a higher level--and organizations will be expected to have more explicit documentation that the controls are operating.

Assessing Readiness for SAS 112
The SAS 112 criteria "lower the bar" for reporting internal control weaknesses. Consequently, many organizations may receive significant deficiencies and even material weaknesses in their 2007 audits.
 We suggest three actions that may help you assess your situation:

  1. Review the last few years’ management letters. Discuss with your external auditor how those findings would be interpreted using the SAS 112 criteria.
  2. Review audit adjustments or unadjusted differences from recent audits. Discuss with your external auditors whether any of these imply weaknesses in internal control structure and, thus, could result in reporting under SAS 112.
  3. Review your documentation of internal controls, especially related to financial reporting.

It is also important to review the extent of reliance on external auditors, for example, to draft footnotes to the financial statements. Discuss with your external auditors how reliance on them may reflect on the control system over financial reporting. The external auditor may not be considered part of the entity’s internal control system.

Impact on A-133 Audits
Two aspects of SAS 112 carry implications related to the A-133 audit. The first is the financial statement audit performed in accordance with Government Auditing Standards (GAGAS) issued by the Government Accountability Office. In February 2007, the GAO issued the 2007 revision of the Government Auditing Standards (commonly known as the Yellow Book), indicating, among other things, that for financial statement audits performed under GAGAS, the effective dates of all new AICPA auditing standards will apply. In other words, the GAO has indicated that the auditor should use SAS 112 in the auditors Report on Compliance and Internal Control over Financial Reporting at the time that SAS 112 becomes effective. The information in that report becomes public information when filed as part of A-133.

The second aspect of A-133 is the Report on Compliance with Requirements Applicable to Each Major Program and on Internal Control Over Compliance in Accordance with OMB Circular A-133.  Sometime in the future it is expected that the Office of Management and Budget will update A-133 with the new terminology. OMB is currently working with an AICPA task force to develop internal control deficiency definitions parallel to those in SAS 112 to be used to describe internal control deficiencies over compliance. However, as of this writing the draft of OMB Compliance Supplement for 2007 does not address SAS 112 

SUBMITTED BY Frank Bossle, executive director of internal auditing, Johns Hopkins University, Baltimore; and Amy Barrett, assistant director, systems audit office, University of Texas System, Austin.
NACUBO CONTACT Sue Menditto, director, accounting policy, 202.861.2542,