Statement of Auditing Standards No. 115 (SAS 115)

SAS 115 (Statement of Auditing Standards 115) establishes standards, responsibilities, and guidance for external auditors for identifying and evaluating internal control over financial reporting. Specifically, this standard requires communicating certain internal control deficiencies identified in an audit. See the SAS 115 Overview Blink page for more information.

See the SAS 115 Overview Blink page for more information.

The existence, application, and evidence of key controls at the departmental level has always been a strong component of an effective control environment. This is now more true than ever because our external auditors will rely on the strength provided by such an environment as a mitigating control when a particular instance of a control failure is detected.

No. The concept of internal control applies to virtually everything in a department, including instruction, research, other scholarly activities, and student and employee relations. The integrity and effectiveness of all such activities depends on the knowledge and ability of each individual to do the right thing, and the willingness to do so every time.

Departments should review their control activities and identify key controls to fulfill documentation requirements. For more information, see the Best Practices in Internal Controls Blink page.

Department leaders are responsible for communicating an expectation of ethical conduct to all employees and assuring that the proper checks and balances (i.e., control activities) are performed and documented regularly and periodically. Department leaders should also ensure that documentation noting these checks is maintained and available for auditors if requested.

For specific control activities, see the Best Practices in Internal Controls Blink page for more information.

No. Other controls exist for governance and to comply with University policy, laws, and regulations. The controls identified in the Best Practices in Internal Controls Blink page relate to the preparation of the University's financial statements and are subject to review under SAS 115 by external auditors.

Business officers and department heads must certify that key control functions are performed. A good rule of thumb is to look for the person responsible for overseeing the performance of University business activities within your department or division. See the Best Practices in Internal Controls Blink page for more information.

Key control activity should be performed by individuals who can attest that all key processes and controls within their area of responsibility are working properly. Key control performance and certification levels can be determined by each Vice Chancellor area.

No. Effective internal control activity includes the proper separation of duties. See the Best Practices in Internal Controls Blink page for more information.

Administrative officials responsible for overseeing the performance of University business activities within their department or division (i.e., administrative unit) must develop an appropriate structure for handling internal controls matters.

One benefit of key controls is that they can uncover issues or problems. If this occurs, work with your department's leadership to determine the problem's source and identify a solution. It may be appropriate to review and update internal business processes and internal controls to mitigate further risks.

It depends on the severity of the error or the control lapse. It may prompt additional reviews and audits from the campus Audit and Management Advisory Services (AMAS) group or the Office of the Controller. In addition, external auditors could initiate random audits of campus departments.

It's important to remember that key control activities are our "check and balance" to ensure our internal control environment is effective. As you are performing these control activities, you may find breakdowns in the process. An issue with how a process is working may arise, or because internal control is affected by people, someone may not perform an activity correctly. Internal control is a process. It is a means to an end, not an end in itself.

If documentation cannot be provided to the auditor that control activities have been performed, it is as if it hasn’t been done. This may result in an audit deficiency reportable to the Regents and award sponsors. Departments need to ensure that they maintain sufficient documentation to support the performance of these activities.

If the non-performance of the control activity results in a deficiency that is noted by our auditors and is material, it may be reported to the UC Regents. Adverse audit opinions resulting from SAS 115 findings could also subject the University to greater scrutiny by other agencies and may impact the University’s ability to obtain research funding.

Key controls exist within central unit processes and/or within department activities. Key controls are listed on the Best Practices in Internal Controls Blink page.

During our annual financial statement audit, our external auditors will test our key controls. If deficiencies are found within a key control, this may lead to reportable audit findings to the Regents.