The Auditing Standards Board has issued a statement on Auditing Standards (SAS) No. 115, 'Communicating Internal Control Related Matters Identified in an Audit.' SAS No. 115 supersedes SAS No.112 of the same title and was issued to eliminate differences within AICPA’s Audit and Attest Standards resulting from the issuance of Statement on Standards for Attestation Engagements (SSAE) No. 15.
Statement on Auditing Standards No. 115 (SAS 115)
"Communicating Internal Control Related Matters Identified in an Audit," is an accounting standard that establishes guidelines for determining the seriousness of internal control issues. SAS 115 is applied to UCSB's external financial audit conducted by PricewaterhouseCoopers (PwC).
SAS 115 establishes standards and provides guidance on communicating matters related to an entity's internal control over financial reporting identified in an audit of financial statements. It is applicable whenever an auditor expresses an opinion on financial statements (including a disclaimer of opinion).
Why is SAS 115 considered significant?
SAS 115 changes the process for evaluating deficiencies that come to the attention of auditors and brings the thresholds for reporting control deficiencies in line with the thresholds required for public companies. As these revised thresholds effectively lower the bar, it is expected that the reporting of what are now defined as either significant deficiencies or material weaknesses will become increasingly prevalent.
There is a possibility that items not previously identified as control deficiencies could rise to what has now been defined as a significant deficiency or a material weakness simply as a result of imposing a new definition on the auditor, not as a result of any deterioration in the university's system of internal control. The materiality of the control deficiency is determined based on what potentially could go wrong, not just on the number of actual misstatements.
In particular, SAS 115:
- Defines the terms "significant deficiencies" and "material weakness," incorporating the definitions already in use for public companies
- Provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements
- Requires the auditor to communicate in writing, to management and those charged with governance such as the University Board of Regents, significant deficiencies and material weaknesses identified in an audit
SAS 115 has important implications for all campus departments, not just those in the central offices. Departments are responsible for identifying, implementing, and documenting key controls and taking corrective action for deficiencies or weaknesses.
What does this mean to UCSB?
SAS 115 requires a lower threshold for reporting internal control deficiencies to the chancellor and the regents. This closer scrutiny of controls and reporting of matters not previously considered significant could concern the university and its stakeholders unnecessarily.
The Controller's Office works in collaboration with campus external auditors to identify existing internal controls that support the financial reporting process. The goal is to ensure that existing key controls are in place and that UCSB can demonstrate, through documentation, that they are operating as intended. Consequently, stringent requirements for internal control documentation are required for identified key areas.
- UCSB Key control areas include:
- General Ledger Reconciliation and Approval
- Distribution of Payroll Expense Review
- Effort Reporting (ERS)
- Physical Inventory
- Purchasing and Payables Invoices
Key Controls identified for the preparation of the financial statements are not the only controls that need to be monitored. Other controls exist for governance and regulatory compliance, and they also must be followed. Consequently, SAS 115 has important implications for all campus departments, not just those in the central business offices.
We highly recommend departments:
- Identify and document departmental key control processes and ensure the control is working
- Document evidence of review at all levels of review. A review is NOT considered a key control unless it has been signed and dated.
- Fix and follow-up when a control deficiency or weakness is identified
- Document corrective action.