GAQC Alert #62

October 15, 2007

Guidance on Evaluating Control Deficiencies in a Single Audit

DEAR CENTER MEMBERS

Background

 

As you perform single audits for periods ending on or after December 15, 2006, SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (AICPA, Professional Standards, AU sec. 325), must be applied. As noted in SAS No. 112, the auditor must evaluate identified control deficiencies and determine whether those deficiencies, individually or in combination, are significant deficiencies or material weaknesses. However, the guidance in SAS No. 112 for evaluating control deficiencies is written from the perspective of internal control over financial reporting in a financial statement audit.

 

Over the last year, GAQC has received numerous inquiries about how the guidance in SAS No. 112, paragraphs 325.09 – 325.19, on evaluating control deficiencies could be applied in a single audit when the auditor is communicating deficiencies relating to internal control over compliance (see GAQC Alert #53). The same AICPA task force that assisted with the development of internal control terminology and definitions as they relate to internal control over compliance also looked at the SAS No. 112 evaluation guidance to see how it could be applied to a single audit. As a result, the evaluation guidance below was developed and will be published in the upcoming 2007 AICPA Audit Risk Alert (ARA), Government Auditing Standards and Circular A-133 Audits (GAS-A133 Alert). Given the delay of that ARA (it is due to be available on November 1), we are providing it to you through this Alert. The GAS-A133 Alert will be available through CPA2BIZ, and we will notify you when it is available.

 

Evaluation Guidance

 

The following guidance is intended to emulate the guidance in SAS No. 112 for your consideration when evaluating control deficiencies in a single audit. Using it will help you meet the requirements of SAS No. 112 and promote consistency in practice.

 

In a single audit, the significance of a control deficiency depends on the potential for noncompliance, not on whether noncompliance actually has occurred. Accordingly, the absence of identified noncompliance does not provide evidence that identified control deficiencies are not significant deficiencies or material weaknesses. When evaluating whether control deficiencies, individually or in combination, are significant deficiencies or material weaknesses, the auditor should consider the likelihood and magnitude of actual or potential noncompliance.

 

The following are examples of factors that may affect the likelihood that a control, or combination of controls, could fail to prevent or detect noncompliance:

 

· The nature of the type of compliance requirement involved. For example, a specific special test or provision may involve greater risk because it is unique to the program and may require unique controls.

· The susceptibility of the program and related types of compliance requirements to fraud.

· The subjectivity and complexity involved in meeting the compliance requirement, and the extent of judgment allowed.

· The cause and frequency of any known or detected exceptions related to the operating effectiveness of a control.

· The interaction or relationship of the control with other controls.

· The interaction of the control deficiency with other control deficiencies.

· The possible future consequences of the deficiency.

 

The evaluation of control deficiencies includes the magnitude of noncompliance. Several factors affect the magnitude of noncompliance that could result from a deficiency or deficiencies in controls. The factors may include, but are not limited to, the following:

 

· The program amounts or total of transactions exposed to the deficiency, in relation to the type of compliance requirement.

· The volume of activity related to the compliance requirement exposed to the deficiency in the current period or expected in future periods.

· Adverse publicity or other qualitative factors.

 

Multiple control deficiencies that affect the same type of compliance requirement increase the likelihood of noncompliance and may, in combination, constitute a significant deficiency or material weakness, even though such deficiencies are individually insignificant. Therefore, the auditor should evaluate individual control deficiencies that affect the type of compliance requirement, or component of internal control, to determine whether they collectively result in a significant deficiency or material weakness.

 

In determining whether a control deficiency or combination of control deficiencies is a significant deficiency or material weakness, the auditor also should evaluate the possible mitigating effects of effective compensating controls that have been tested and evaluated as part of the audit of the major program. A compensating control is a control that limits the severity of a control deficiency and prevents it from rising to the level of a significant deficiency or, in some cases, a material weakness. Compensating controls operate at a level of precision, considering the possibility of further undetected noncompliance, which would result in the prevention or detection of noncompliance that is more than inconsequential or material to the type of compliance requirement. Although compensating controls mitigate the effects of a control deficiency, they do not eliminate the control deficiency. The auditor could evaluate and test the effectiveness of a compensating control and determine whether it operates effectively for the purpose of mitigating the effects of the control deficiency in the type of compliance requirement.

 

The auditor may encounter deviations in the operating effectiveness of controls. A control that has an observed nonnegligible deviation rate is at least a control deficiency regardless of the reason for the deviation, and could be, based upon further evaluation, a significant deficiency or material weakness. For example, if the auditor designs a test in which he or she selects a sample and expects no deviations, the finding of one deviation is a nonnegligible deviation rate because, based on the results of the auditor's test of the sample, the desired level of confidence was not obtained.

 

The auditor should conclude whether prudent officials, having knowledge of the same facts and circumstances, would agree with the auditor's classification of the deficiency. Although the term prudent official is not defined in the standard, the concept is that an auditor should "stand back" and take another objective look at the severity of the deficiency much as would a regulator or someone from an oversight agency.

 

For purposes of deficiencies in a single audit, the following areas ordinarily are at least significant deficiencies in internal control:

 

· Policies and procedures that are incomplete, inadequate, or outdated for the activities subject to a type of compliance requirement.

· Inadequate segregation of duties over a type of compliance requirement.

· Controls over complex types of compliance requirements.

· IT controls relating to the activity subject to the type of compliance requirement.

 

Each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:

 

· Lack of operating policies and procedures for the activities subject to a type of compliance requirement.

· Ineffective oversight of a major federal program by those charged with governance over compliance with those program requirements where the activity is subject to the type of compliance requirement, e.g., lack of adequate review of federal financial reports prior to submission to the grantor.

· Identification by the auditor of material noncompliance for the period under audit that was not initially identified by the entity's internal control. (This is a strong indicator of a material weakness even if management subsequently corrects the noncompliance.)

· An ineffective internal audit function or risk assessment function for a major program for which such functions are important to the monitoring or risk assessment component of internal control for a type of compliance requirement.

· Identification of fraud in the major program of any magnitude on the part of senior program management. For the purposes of evaluating and communicating deficiencies in internal control, the auditor should evaluate fraud of any magnitude—including fraud resulting in immaterial noncompliance—on the part of senior program management, of which he or she is aware.

· Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected.

· An ineffective control environment. Control deficiencies in various other components of internal control could lead the auditor to conclude that a significant deficiency or material weakness exists in the control environment over compliance with major program requirements.

 

Other GAQC SAS No. 112 Resources

Remember that if you or your clients feel you need additional assistance in applying SAS No. 112 to governmental financial statement audit engagements, please listen to the archived GAQC conference call titled, Impact of SAS 112 on Governmental Financial Audits, presented by Chuck Landes, Vice President of Professional Standards and Services Group for the AICPA. This call is open to the public and we encourage you to share it with whomever you feel would benefit. There are also a number of questions and responses in the GAQC Forum on SAS No. 112. Please visit the Forum and search for SAS 112.

 

You can also access a recently issued Auditing Standards Board interpretation titled, AICPA Auditing Interpretation No. 1, "Communicating Deficiencies in Internal Control Over Compliance in an Office of Management and Budget Circular A-133 Audit" of SAS No. 112 (AICPA, Professional Standards, vol. 1, AU sec. 9325.01 - .02) that establishes definitions for the terms control deficiency, significant deficiency, and material weakness when the auditor is reporting control deficiencies that relate to internal control over compliance in a Circular A-133 audit. Finally, you can access SAS No. 112 updated auditor report illustrations for both Government Auditing Standards and Circular A-133 audits by clicking here.


Sincerely,

 

Amanda Nelson, CPA
Chair

GAQC Executive Committee

 

Mary M. Foelster, CPA
Director
AICPA Governmental Auditing and Accounting

 


STAY INFORMED

As a member of the Center, your firm will receive periodic updates on important developments related to governmental audits, as well as the activities of the Center. To stay abreast of these and other relevant events, please visit the Center Web site at gaqc.aicpa.org. Also, we welcome any suggestions or questions. Please send them by e-mail to GAQC@aicpa.org.


Members of the Governmental Audit Quality Center (GAQC) may only reproduce and distribute GAQC e-alerts internally within a firm to other Center member firm personnel as part of the firm's professional services. For information about permission to copy any part of these documents for redistribution or inclusion in other work, please click on the copyright notice at the bottom of the page or phone the AICPA copyright permission hotline (919) 402-4031.

©2007 The American Institute of Certified Public Accountants,
ISO 9001 Certified.
AICPA Online
privacy policies and copyright information.
AICPA, 1211 Avenue of the Americas, New York, NY 10036
