SAS 112 out to make privately held companies act like publicly held companies.
You are out of control—or at least that is what your auditor just told your company. But why? And why now? For those organizations that had their financial statements audited in 2007, you may have just heard this for the first time. For those organizations preparing to have their financial statements audited this year, get ready, because odds are you will hear that your company is out of control too.
In what is one of the latest steps in imputing upon non-publicly held companies the requirements of the Sarbanes-Oxley Act (“SOX”), a new auditing standard, effective for audits completed in 2007, was issued by the American Institute of Certified Public Accountants (AICPA). This new standard, Statement of Auditing Standard No. 112 (SAS 112), “Communicating Internal Control Related Matters Identified in an Audit,” has caused much concern and surprise over the past year. SAS 112 stems from the highly debated § 404 of SOX, which focuses on determining the effectiveness of internal controls over financial reporting. Section 404 requires publicly held companies to document, evaluate, and test internal controls for processes that impact financial reporting.
SAS 112 does not change the scope of what must be audited but simply provides communication requirements for internal control deficiencies that are detected in audits of financial statements. It does not address other internal control components, like the effectiveness or efficiency of operations or compliance with laws and regulations. However, if your auditor identifies control deficiencies or a material weakness, the auditor is required to communicate these findings in writing to management and those charged with governance.
So what does all of this mean? To understand what an auditor is now looking for, you first need to understand what an internal control is. An internal control by definition is a method or process put in place by a company to ensure the integrity of financial and accounting information, meet operational and profitability targets, and transmit management policies throughout the organization. The chart below helps illustrate some examples of controls in your individual life and examples of similar company controls:
SAS 112 requires the auditor to communicate control deficiencies that are significant deficiencies or material weaknesses in internal control. The standard defines these terms as follows:
- Control deficiency: “A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.” The significance of a control deficiency depends on the potential for a misstatement, not whether a misstatement actually has occurred.
- Significant deficiency: A significant deficiency is “a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.”
- Material weakness: A material weakness is “a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.”
These definitions focus on the prevention or detection of financial statement misstatements. Criteria referenced in the definitions require discussion and analysis, such as the following:
- “More than a remote likelihood” is subjective but underscores a key concept: Would the impact on the financial statements have been prevented or detected?
- Other key qualifiers—“more than inconsequential” and “material”—relate to the financial statement impact of potential misstatements; this analysis is based upon the external auditor’s materiality threshold.
Visually, the diagram (see right) helps illustrate the interplay amongst the levels of deficiencies in internal controls.
Control deficiencies that are either significant deficiencies or a material weakness must be reported to management and those charged with governance within 60 days following the release date of the auditor’s report. The written communication to management and those charged with governance should:
- State that the purpose of the audit was to express an opinion on the financial statements, but not to express an opinion on the effectiveness of the entity’s internal control over financial reporting;
- State that the auditor is not expressing an opinion on the effectiveness of internal control;
- Include the definition of the terms significant deficiency and, where relevant, material weakness;
- Identify the matters that are considered to be significant deficiencies and, if applicable, those that are considered to be material weaknesses; and
- State that the communication is intended solely for the information and use of management, those charged with governance and others within the organization, and is not intended to be and should not be used by anyone other than these specified parties. However, your particular company’s industry may even dictate that such communication be forwarded to third parties.
It is this communication, typically in the form of a management letter, that has surprised companies this past year, especially those companies that did not change any accounting processes or procedures over the past year and had never received a management letter from their outside auditors.
SAS 112 is intended to provide guidance to auditors, but it also impacts some commercial entities and how they handle the financial reporting process. In doing so, it has “lowered the bar” for reporting control weaknesses. As such, many organizations can expect to receive a management letter identifying significant deficiencies and material weaknesses in future audits.
To help prepare for the auditing process, and avoid any potential surprises, organizations should consider the following:
- Review prior year audits and identify internal controls and areas of risk
- Find out how to improve the control environment in your office
- Risk assessment – Identify where your weaknesses are
- Implement staff training on control processes/procedures
- Document controls – Do you have written policies & procedures?
While considering the above steps may not ward off your adviser from claiming your organization is “out of control,” it will help prepare the board and management for such a result.