SAS 115 FAQ

SAS 115 (Statement of Auditing Standards 115) establishes standards, responsibilities and guidance for external auditors for identifying and evaluating internal control over financial reporting. Specifically, this standard requires communicating certain internal control deficiencies identified in an audit. See the SAS 115 Overview for more information.

See the SAS 115 Overview Blink page for more information.

The existence, application, and evidence of key controls at the departmental level has always been a strong component of an effective control environment. This is now more true than ever because our external auditors will rely on the strength provided by such an environment as a mitigating control when a particular instance of a control failure is detected.

No. The concept of internal control applies to virtually everything in a department, including instruction, research, other scholarly activities, and student and employee relations. The integrity and effectiveness of all such activities depends on the knowledge and ability of each individual to do the right thing, and the willingness to do so every time.

To fulfill documentation requirements, departments should review their control activities and identify key controls. See Documenting Your Department's Key Controls for more information.

Department leaders are responsible for communicating an expectation of ethical conduct to all employees, and for assuring that the proper checks and balances (i.e., control activities) are performed and documented on a regular and periodic basis. Department leaders should also ensure that documentation noting these checks is maintained and available for auditors if requested.

For specific control activities and their schedule, see Documenting Your Department's Key Controls for more information.

No. Other controls exist for governance and to comply with University policy, laws, and regulations. The controls identified in the Department Key Controls Documentation relate to the preparation of the financial statements and are subject to review under SAS 115.

No. When it created the Department Key Controls Documentation, the Controller's Office determined the key controls that should already be in place within each department.

No. You do not need to specifically use the Department Key Controls Documentation document. However, it is recommended. If you do create your own form, then it must ensure that the proper checks and balances are performed and documented on a regular and periodic basis, and that documentation noting the exercise of these controls is maintained and available for auditors, if requested.

All that is required is Documenting Your Department’s Key Controls with appropriate signatures (or e-mails) indicating performance and certification of control activities. Additional documents that demonstrate performance or certification of a control activity can be kept at the discretion of the department.

If a control deficiency or weakness is found, corrective action should also be documented and filed with the Department Key Controls Documentation.

Business officers and department heads must certify that key control functions are performed. A good rule of thumb is to look for the person responsible for overseeing the performance of University business activities within your department or division. See Documenting Your Department’s Key Controls for more information.

Key control activity should be performed by individuals who can attest that all key processes and controls within their area of responsibility are working properly. Key control performance and certification levels can be determined by each Vice Chancellor area.

No. Effective internal control activity includes the proper separation of duties. See Documenting Your Department’s Key Controls for more information.

Administrative officials responsible for overseeing the performance of University business activities within their department or division must develop an appropriate structure for handling University resources. It may be appropriate or necessary to delegate certification, but department heads are still responsible for ensuring it is completed. Contact the Controller's Office if you have questions about delegation.

Your department needs to perform and certify key controls on a regular and periodic basis to demonstrate that the controls are working properly. See Documenting Your Department’s Key Controls for specific guidelines.

One benefit of key controls is that they can uncover issues or problems. If this occurs, work with your business officer to determine the problem's source and identify a solution. If you need guidance, contact the Controller's Office. It may be appropriate to review internal business processes and training to mitigate further risks.

It depends on the severity of the error or the control lapse. It may prompt additional reviews and audits from the campus Audit and Management Advisory Services (AMAS) group or the Office of the Controller. In addition, external auditors could initiate random audits of campus departments.

It's important to remember that key control activities are our "check and balance" to ensure our internal control environment is effective. As you are performing these control activities, you may find breakdowns in the process. An issue with how a process is working may arise, or because internal control is affected by people, someone may not perform an activity correctly. Internal control is a process. It is a means to an end, not an end in itself.

If documentation cannot be provided to the auditor that control activities have been performed, it is as if it hasn’t been done. This may result in an audit deficiency reportable to the Regents. Departments need to ensure that they maintain sufficient documentation to support the performance of these activities.

No. The purpose of the control activity is to determine that the control exists and is working. The limited number of transactions or lack of activity in a control area does not address whether the control is working. As an example, although you may have minimal transactions recorded in your ledgers during particular months, it only takes one large dollar value transaction that was incorrectly posted to a fund to create a problem.

It depends. If the non-performance of the control activity results in a deficiency that is noted by our auditors and is material, it may be reported to the UC Regents. Adverse audit opinions resulting from SAS 115 findings could also subject the University to greater scrutiny by other agencies and may impact the University’s ability to attract research funding.

Key controls exist within central unit processes and/or within department activities. The key controls listed on the Department Key Controls Documentation are those specifically associated with a department.

During our annual financial statement audit, our external auditors will test our key controls in order to give an opinion on our University financial statements. If deficiencies are found within a key control, then this may lead to reportable audit findings to the Regents.