Statement of Auditing Standards No. 112 (SAS 112), "Communicating Internal Control Related Matters Identified in an Audit," is an accounting standard that establishes guidelines for determining the seriousness of internal control issues. Effective July 1, 2007, SAS 112 was incorporated into UCSD's external financial audit conducted by PricewaterhouseCoopers (PwC).
SAS 112 establishes standards and provides guidance on communicating matters related to an entity's internal control over financial reporting identified in an audit of financial statements. It is applicable whenever an auditor expresses an opinion on financial statements (including a disclaimer of opinion).
In particular, SAS 112:
- Defines the terms "significant deficiency" and "material weakness," incorporating the definitions already in use for public companies
- Provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements
- Requires the auditor to communicate in writing, to management and those charged with governance such as the University Board of Regents, significant deficiencies and material weaknesses identified in an audit
Why is SAS 112 considered significant?
SAS 112 changes the process for evaluating deficiencies that come to the attention of auditors and brings the thresholds for reporting control deficiencies in line with the thresholds required for public companies. As these revised thresholds effectively lower the bar, it is expected that the reporting of what are now defined as either significant deficiencies or material weaknesses will be become increasingly prevalent.
There is a possibility that items not previously identified as control deficiencies could rise to what has now been defined as a significant deficiency or a material weakness simply as a result of imposing a new definition on the auditor, not as a result of any deterioration in the university's system of internal control. The materiality of the control deficiency is determined based on what potentially could go wrong, not just on the number of actual misstatements.
What does this mean to UCSD?
SAS 112 requires a lower threshold for reporting internal control deficiencies to the chancellor and the regents. This closer scrutiny of controls and reporting of matters not previously considered significant could concern the university and its stakeholders unnecessarily.
The Controller's Office has worked with campus external auditors to identify existing internal controls that support the financial reporting process. The goal is to ensure that existing key controls are in place and that UCSD can demonstrate, through documentation, that they are operating as intended. Consequently, new and more stringent requirements for internal control documentation will impact all campus departments.
Key controls currently identified for the preparation of the financial statements are not the only controls that need to be monitored. Other controls exist for governance and regulatory compliance, and they also must be followed. Consequently, SAS 112 has important implications for all campus departments, not just those in the central business offices.
We highly recommend departments to:
- Implement departmental key controls, and ensure the control is working.
- Document evidence of review for all levels (signature, e-mail, and/ or sign checklist).
- Fix and follow-up when a control deficiency or weakness is identified.
- Document corrective action.
Key control areas include:
- Ledger verification (all funds)
- Overdraft funds
- Payroll expense verification
- Effort reports (PARS)
- Physical inventory
- Purchasing and payables invoices
- Cash and cash equivalent handling
- Security of assets and personal information
The Controller's office will continue to act as a liaison between the external auditors and the departments, providing guidance, key controls framework, and communication for SAS 112 implementation.
To learn more about SAS 112, see:
- Categories of Control Deficiencies
- Frequently Asked Questions
- SAS 112 Presentation (PPT)
- Documenting Your Department's Key Controls
- How to Complete Key Control Documentation
* SAS115-The Auditing Standards Board has issued a statement on Auditing Standards (SAS) No. 115, 'Communicating Internal Control Related Matters Identified in an Audit.' SAS No. 115 supersedes SAS No.112 of the same title and was issued to eliminate differences within AICPA’s Audit and Attest Standards resulting from the issuance of Statement on Standards for Attestation Engagements (SSAE) No. 15.