Presentation is loading. Please wait.

Presentation is loading. Please wait.

Application of SAS 112 in a Single Audit

Published byArlene Helena Walker Modified over 5 years ago

Similar presentations

Presentation on theme: "Application of SAS 112 in a Single Audit"— Presentation transcript:

1 Application of SAS 112 in a Single Audit
GAQC Member Conference Call January 15, 2008 Presented by Mandy Nelson, CPA George Rippey, CPA

2 What We Will Cover SAS 112 Background
Refresher on SAS 112 Impact on Yellow Book Financial Statement Audits Implications of SAS 112 on Single Audits Evaluating Control Deficiencies in a Single Audit Updated Circular A-133 Illustrative Auditor's Reports

3 What We Will Not Cover? SAS 112 implications in a financial statement audit  Covered in a previous Center member-only call titled, “Impact of SAS 112 on Governmental Financial Audits” To access that call visit: Call is open to the general public so that your staff and clients can listen

4 SAS 112 Background In May 2006, the AICPA Auditing Standards Board (ASB) issued SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit Conformed definitions of control deficiency, significant deficiency, and material weakness to those in PCAOB AS#2. The term significant deficiency replaced the term reportable condition Written from the perspective of internal control over financial reporting Was effective for audits of periods ending on or after December 15, 2006 Note: PCAOB has updated the language in Auditing Standard No. 5 and the GAO and AICPA-ASB will be reviewing the new language. Recognizes that body to whom communication is made may take different forms, such as: Board of Directors Committee of management Single owner Those charged with governance = the persons with responsibility for overseeing the strategic direction of the entity and the entity’s financial reporting and disclosure process. Requires written communication of significant deficiencies and material weaknesses to management and those charged with governance. Should be communicated even if they were communicated in connection with previous audits and is best made by the report release date, but should be made no later than 60 days following the report release date.

5 Refresher: SAS 112 Impact on Yellow Book Financial Statement Audit
2007 Revision to the Government Auditing Standards (Yellow Book) adopted SAS 112 terminology and definitions Consistent with effective date of SAS 112, auditors should: Report all significant deficiencies and material weaknesses in the Yellow Book report In December 2007 the GAO issued Guidance on Complying with Government Auditing Standards Reporting Requirements for the Report on Internal Control for Audits of Certain Entities Subject to the Requirements of the Sarbanes-Oxley Act of 2002 and Government Auditing Standards, to learn more read GAQC Alert #65.

6 Implications of SAS 112 on Single Audits
Circular A-133, Audits of States, Local Governments and Non-Profit Organizations, previously required the auditor to report reportable conditions and material weaknesses in internal control over compliance Determination had to be made of whether and how the SAS would impact reporting on internal control over compliance Task force of CPA firm members, state auditors, federal agency representatives, and GAQC staff established; George Rippey chaired the effort and Mandy Nelson served as a member

7 Implications of SAS 112 on Single Audits
Overall response: OMB Notice in the Federal Register revised Circular A-133 to require internal control terminology consistent with SAS 112 The ASB issued an auditing interpretation which defines the terms control deficiency, significant deficiency, and material weakness from the perspective of reporting on internal control over compliance in a Circular A-133 audit Updated illustrative Circular A-133 auditor reports that reflect the new terminology and definitions were issued Other interpretive guidance relating to the evaluation of control deficiencies relating to internal control over compliance was developed

8 OMB Circular A-133 Amendment
Terminology updates relating to internal control over financial reporting: Circular A-133 references "reportable conditions" and "material weaknesses" in the Circular are replaced with the terms "significant deficiency" and "material weakness" as those terms are defined in SAS 112 and the 2007 revision to Government Auditing Standards

9 OMB Circular A-133 Amendment
Terminology updates relating to internal control over compliance: Amendment states that the terms "reportable condition" and "material weakness" are replaced with the updated terminology and definitions in the AICPA SAS 112 auditing interpretation issued concurrently with the amendment to Circular A-133 These changes are effective for single audits of periods ending on or after December 15, 2006

10 OMB Acknowledges Changes in terminology and definitions could affect the scope of future single audits in that under the Circular: Type A program can not be considered low-risk if it had a significant deficiency An entity is not able to be a low-risk auditee if it had deficiencies in I/C over financial reporting that would be considered material weaknesses or if any of the federal programs (that were classified as Type A programs) had material weaknesses (in either of the 2 preceding years)

11 FYI: Other Changes Made in Circular A-133 Amendment
Instructions for Data Collection Form provided Changes to an auditee’s submission of the reporting package to the Clearinghouse Instructions for DCF For single audits of periods ending December 15, 2006, through December 31, 2006, the approved Data Collection Form (Form SF-SAC) for fiscal years ending 2004, 2005 and 2006 should be used when filing with the Federal Audit Clearinghouse (FAC). However, it goes on to say that since Form SF-SAC has not yet been updated for the new internal control terminology, any "significant deficiency" should be recorded under the term "reportable condition" on the following items: Part II - items 3 and 4, Part III - items 4 and 5, and Part 3, item 10 (a). All submissions with fiscal period end dates in 2007 must use the version of Form SF-SAC. The Form SF-SAC terminology will be updated in an upcoming revision to the form scheduled for January 1, 2008. Unrelated Note The OMB Notice also communicates a change relating to an auditee's submission of the reporting package to the FAC. Due to technology advances, starting January 1, 2007, the auditee is no longer required to submit multiple copies of the reporting package to the FAC, in accordance with Section 320(d) of Circular A Instead, only one copy of the reporting package is necessary. However, Part III, item 8, of the Form SF-SAC should continue to be completed noting all agencies required to receive a copy of the reporting package.

12 AICPA's Auditing Interpretation
Establishes definitions for the terms control deficiency, significant deficiency, and material weakness when the auditor is reporting control deficiencies that relate to internal control over compliance in a Circular A-133 audit

13 Single Audit Definitions
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect on a timely basis noncompliance with a type of compliance requirement of a federal program

14 Single Audit Definitions
A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to administer a federal program such that there is more than a remote likelihood that noncompliance with a type of compliance requirement of a federal program that is more than inconsequential will not be prevented or detected

15 Single Audit Definitions
A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that material noncompliance with a type of compliance requirement of a federal program will not be prevented or detected

16 Evaluating Control Deficiencies in a Single Audit
AICPA task force also looked at SAS 112 evaluation guidance to see how it could be applied when evaluating deficiencies in internal control over compliance in a single audit Developed evaluation guidance that was published in the 2007 AICPA Audit Risk Alert (ARA), Government Auditing Standards and Circular A-133 Audits (GAS-A133 Alert) and made available to GAQC members in GAQC Alert 62 You may also want to refer to the handout material as we go through the next slides Handout Materials include: Evaluation Guidance for Control Deficiencies in a Single Audit in PDF format. SAS 112- Communicating Internal Control Related Matters Identified in an Audit in PDF format.

17 Single Audit Evaluation Guidance
In a single audit The significance of a control deficiency depends on the potential for noncompliance and not on whether noncompliance actually has occurred The absence of identified noncompliance does not provide evidence that identified control deficiencies are not significant deficiencies or material weaknesses The auditor should consider the likelihood and magnitude of actual or potential noncompliance when evaluating whether control deficiencies, individually or in combination, are significant deficiencies or material weaknesses

18 Single Audit Evaluation Guidance
Factors that may affect the likelihood that a control, or combination of controls, could fail to prevent or detect noncompliance: The nature of the type of compliance requirement involved (e.g., special tests and provisions may be higher risk) The susceptibility to fraud The subjectivity and complexity, and the extent of judgment allowed The cause and frequency The interaction or relationship of the control with other controls The interaction of the control deficiency with other control deficiencies The possible future consequences of the deficiency

19 Single Audit Evaluation Guidance
Factors that may affect the magnitude of noncompliance when evaluating control deficiencies include, but are not limited to, the following: The program amounts or total of transactions exposed to the deficiency The volume of activity exposed to the deficiency in the current period or expected in future periods Adverse publicity or other qualitative factors Multiple individually insignificant control deficiencies That affect the same type of compliance requirement increase the likelihood of noncompliance and may, in combination, constitute a significant deficiency or material weakness. The auditor should evaluate individual control deficiencies that affect the same type of compliance requirement, or component of internal control, to determine whether they collectively result in a significant deficiency or material weakness.

20 Single Audit Evaluation Guidance
The following guidance/concepts in SAS 112 also apply in a single audit: Compensating controls Deviations in the operating effectiveness of controls Prudent official test Compensating Controls A compensating control is a control that limits the severity of a control deficiency and prevents it from rising to the level of a significant deficiency or, in some cases, a material weakness Compensating controls operate at a level of precision, considering the possibility of further undetected noncompliance, which would result in the prevention or detection of noncompliance that is more than inconsequential or material to the type of compliance requirement. Although compensating controls mitigate the effects of a control deficiency, they do not eliminate the control deficiency The auditor should evaluate the possible mitigating effects of effective compensating controls that have been tested and evaluated as part of the audit of the major program The auditor could evaluate and test the effectiveness of a compensating control and determine whether it operates effectively for the purpose of mitigating the effects of the control deficiency in the type of compliance requirement Deviations in the operating effectiveness of controls. A control that has an observed non-negligible deviation rate is at least a control deficiency regardless of the reason for the deviation, and could be, based upon further evaluation, a significant deficiency or material weakness. For example, if the auditor designs a test in which he or she selects a sample and expects no deviations, the finding of one deviation is a non-negligible deviation rate because, based on the results of the auditor’s test of the sample, the desired level of confidence was not obtained. Prudent Official Test The auditor should conclude whether prudent officials, having knowledge of the same facts and circumstances, would agree with the auditor’s classification of the deficiency Although the term prudent official is not defined in the standard, the concept is that an auditor should “stand back” and take another objective look at the severity of the deficiency much as would a regulator or someone from an oversight agency

21 Examples of Significant Deficiencies in Internal Control Over Compliance
For purposes of deficiencies in a single audit the following areas ordinarily are at least significant deficiencies in internal control: Policies and procedures which are incomplete, inadequate, or outdated for the activities subject to a type of compliance requirement Inadequate segregation of duties over a type of compliance requirement Controls over complex types of compliance requirements IT controls relating to the activity subject to the type of compliance

22 At Least a SD and a Strong Indicator of a MW in Internal Control Over Compliance
Lack of operating policies and procedures for the activities subject to a type of compliance requirement Ineffective oversight of a major federal program by those charged with governance over compliance with those program requirements where the activity is subject to the type of compliance requirement, e.g., lack of adequate review of federal financial reports prior to submission to the grantor Identification by the auditor of material noncompliance for the period under audit that was not initially identified by the entity’s internal control. (This is a strong indicator of a material weakness even if management subsequently corrects the noncompliance.)

23 At Least a SD and a Strong Indicator of a MW in Internal Control Over Compliance
An ineffective internal audit function or risk assessment function for a major program for which such functions are important to the monitoring or risk assessment component of internal control for a type of compliance requirement Identification of fraud in the major program of any magnitude on the part of senior program management. For the purposes of evaluating and communicating deficiencies in internal control, the auditor should evaluate fraud of any magnitude—including fraud resulting in immaterial noncompliance—on the part of senior program management, of which he or she is aware

24 At Least a SD and a Strong Indicator of a MW in Internal Control Over Compliance
Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected An ineffective control environment. Control deficiencies in various other components of internal control could lead the auditor to conclude that a significant deficiency or material weakness exists in the control environment over compliance with major program requirements

25 Circular A-133 Illustrative Auditor's Reports
The AICPA Audit Guide, Government Auditing Standards and Circular A-133 Audits, with conforming changes as of May 1, 2007, includes Government Auditing Standards and Circular A-133 illustrative reports updated for SAS 112 Reports excerpted from the Guide can also be found at GAQC Web site at: for your convenience

26 Other Federal Agencies
The U.S. Department of Housing and Urban Development (HUD) issued an update to its Consolidated Audit Guide (the HUD Guide) to provide users with illustrative internal control reports that contain SAS 112 language HUD posted links to the reports on its web site at It is anticipated that other Federal agencies will update audit guides to incorporate SAS 112 language.

27 Questions ?????

Download ppt "Application of SAS 112 in a Single Audit"

Similar presentations

Arizona’s First Year SAS 112 Experience from the Audit Side

Arizona’s First Year SAS 112 Experience from the Audit Side
AICPA SAS 112: Case studies and Intermediate Reporting Issues Presented by Frank Crawford, CPA Crawford & Associates, P.C.

AICPA SAS 112: Case studies and Intermediate Reporting Issues Presented by Frank Crawford, CPA Crawford & Associates, P.C.
Intermediate Single Audit Issues: Planning, Performing and Reporting NASACT Audio Conference April 2, 2008 Presented by Frank Crawford, CPA Crawford &

Intermediate Single Audit Issues: Planning, Performing and Reporting NASACT Audio Conference April 2, 2008 Presented by Frank Crawford, CPA Crawford &
Implementing SAS 112 Thomas H. McTavish, C.P.A. Auditor General State of Michigan.

Implementing SAS 112 Thomas H. McTavish, C.P.A. Auditor General State of Michigan.
OMB Circular A133 Audits of States, Local Governments, and Non-Profit Organizations 1 Departmental Research Administrators Training Track.

OMB Circular A133 Audits of States, Local Governments, and Non-Profit Organizations 1 Departmental Research Administrators Training Track.
Presented by YOUR NAME THE DATE

Presented by YOUR NAME THE DATE
G L O B A L S E R V I C E / I N D U S T R Y A U D I T / T A X / A D V I S O R Y / L I N E O F B U S I N E S S SAS 112 Presentation California State University.

G L O B A L S E R V I C E / I N D U S T R Y A U D I T / T A X / A D V I S O R Y / L I N E O F B U S I N E S S SAS 112 Presentation California State University.
OMB Circular A-133 (Single Audit) Heather Perry, CPA Amy Ring,

OMB Circular A-133 (Single Audit) Heather Perry, CPA Amy Ring,
Dionysios Karamalikis November 9, 2010 1.  Award Identification—At the time of the award, identifying to the sub-recipient the federal award information.

Dionysios Karamalikis November 9,  Award Identification—At the time of the award, identifying to the sub-recipient the federal award information.
Auditing Concepts.

Auditing Concepts.
Internal Control Chapter 7 covers two distinct, but related topics:

Internal Control Chapter 7 covers two distinct, but related topics:
Breach of a Requirement of the Code Marisa Orbea New York 19 June 2012.

Breach of a Requirement of the Code Marisa Orbea New York 19 June 2012.
Audit Documentation PCAOB Auditing Standard no.3.

Audit Documentation PCAOB Auditing Standard no.3.
New Audit Risk Standards Are You Ready? John P. Langan, CPA Principal in Charge Public Service Group Metro, DC Office LarsonAllen LLP.

New Audit Risk Standards Are You Ready? John P. Langan, CPA Principal in Charge Public Service Group Metro, DC Office LarsonAllen LLP.
SAS 112 – The Year After Presented by Chris Ray Partner - KPMG LLP KPMG LLP.

SAS 112 – The Year After Presented by Chris Ray Partner - KPMG LLP KPMG LLP.
Review of Introduction to Auditing

Review of Introduction to Auditing
SAS 112 Update Chapter 9 Presented by Chris Ray, Partner KPMG LLP KPMG LLP.

SAS 112 Update Chapter 9 Presented by Chris Ray, Partner KPMG LLP KPMG LLP.
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
Nature of an Integrated Audit

Nature of an Integrated Audit

Similar presentations

Ads by Google