SAS 112:SAS 112:The New Auditing StandardThe New Auditing Standard

Jim CorkillControllerAccounting Services & Controls

AgendaAgenda

Background What is SAS 112 Impacts on UC and the Campus Key Controls Roles & Responsibilities Q & A

BackgroundBackground

Sarbanes-Oxley Act of 2002 Stronger Controls for Public Companies Created a new federal oversight board, the Public

Company Accounting Oversight Board (PCAOB)

In May 2006, AICPA issued SAS 112 which substantially incorporates the PCAOB’s AS 2.

What is SAS 112What is SAS 112?

Statement on Auditing Standard 112 (SAS 112):“Communicating Internal Control Related Matters Identified in an Audit” – Effective May 2006

SAS 112 develops a framework for reporting control weaknesses over financial reporting, not designed to address other controls, such as operational controls.

Purpose of SAS 112Purpose of SAS 112

Ensure effectiveness of internal controls that impact financial statements

Establish a standard for determining seriousness of a control issue and classifying it into three categories: Control Deficiency Significant Deficiency Material Weakness

Examples of Control Examples of Control DeficienciesDeficiencies

Lack of review and reconciliation of departmental expenditures

Lack of overdraft funds monitoring Lack of physical inventory Lack of timeliness of cash deposit and

account reconciliation

Significant Deficiency and Significant Deficiency and Material WeaknessMaterial Weakness

A control deficiency, or combination of control deficiencies with more than a remote chance of not preventing or detecting:

An inconsequential misstatement of the financial statements = Significant Deficiency

A material misstatement of the campus financial statements = Material Weakness

The materiality of the control deficiency is determined based on what potentially could go wrong, not just on the amount of actual misstatements.

What does this mean for UC?What does this mean for UC?

The new definitions lower the bar for reporting internal control deficiencies to the Chancellor and the Regents

In addition, SAS 112 requires UC to disclose deficiencies to 3rd parties such as: Federal sponsors 3rd party creditors Accrediting agencies, Rating agencies Insurers

Additional Impacts of SAS 112Additional Impacts of SAS 112

Negative impact on sponsored project funding Negative impact on credit rating Additional federal audits Negative impact on reputation

Any findings could result in increased review by the federal government and/or impact the University’s ability to obtain research funding

How to Reduce Potential FindingsHow to Reduce Potential Findings

Place “key controls” in our operation to minimize control deficiency and risk by preventing or detecting errors and frauds in a timely manner

UC Response to SAS 112UC Response to SAS 112

Identify financial key controls. Controls must be documented or they are not

considered controls. Some of these key controls reside in

departments. UC Website with documentation of all of our

key controls: http://www.ucop.edu/SAS112

UCSB Response to SAS 112UCSB Response to SAS 112

Work with Accounting and central departments to identify key controls for our financial processes

Describe & document key controls Identify Roles, Responsibility, and

Accountability

Identify sufficient evidence of review Discussions with Campus

Key ControlsKey Controls

What is a Key Control?

A set of critical processes to prevent or detect errors and frauds in the financial statements

Department Key ControlsDepartment Key Controls

Examples General Ledger Reconciliation – Each month

actual revenues and expenses are reviewed and reconciled to supporting documentation.

Overdraft Funds – Department reviews funds in overdraft status and takes follow-up action.

Distribution of Payroll Expense Reconciliation – Detailed payroll expenses reviewed each month by the department for general propriety and to validate the accuracy of the charges.

Department Key ControlsDepartment Key Controls

Examples

Purchasing and Accounts Payable Invoices – Requisitions, Purchase Orders, and Invoices are reviewed and approved at the department level. Invoices must be approved by the person with signature authorization.

Effort reports ( PARS) – PAR reports are approved each quarter by responsible official with first hand knowledge of the work performed. PARS are certified for employees who are paid directly from a federal or federal flow through award.

Department Key ControlsDepartment Key ControlsExamples

Physical Inventory – Physical Inventory is conducted by the department custodian/PI every two years. Equipment Management ensures the inventory is conducted every two years. Records are reconciled to the physical inventory results.

Key Control Process Key Control Process Example: Example:

General Ledger ReconciliationGeneral Ledger ReconciliationKey Control: Department Reconciles their General Ledger

Monthly

Process: Departments review and reconcile, annotate exceptions, and

follow-up with corrective actions, i.e, submitting a journal entry, contacting a recharge unit or other dept. as appropriate, or submitting a transfer of expense.

Maintain evidence of review and reconciliation that is easily accessible for audit, i.e. use On-Line General Ledger approval function that records user, time, date stamp

Role and Responsibilities of Role and Responsibilities of the Departmentthe Department

Implement departmental key controls Ensure the key controls are in place

Document evidence of review for all levels (signature, email and/or sign checklist)

Correct and follow-up timely, when control deficiency or weakness is identified

Document evidence of corrective action taken

Role and Responsibilities of theRole and Responsibilities of the Office of the Controller Office of the Controller

Update university procedures and best practices for Key Controls

Act as a liaison between external auditors and departments

Provide guidance, key controls framework, and communication for SAS-112 implementation

Serve as a resource for campus departments

Tools for DepartmentsTools for Departments

UCSB SAS 112 Web Site –http://www.controller.ucsb.edu/SAS112

UC Web Site – http://www.ucop.edu/sas112/index.php

Department Checklist

Other ControlsOther Controls

These key controls are not the only controls that departments need to monitor.

Other controls exist for governance and to comply with University Policy, Laws and Regulations.

Departments should not eliminate existing controls based on SAS 112.

Important NotesImportant Notes SAS 112 Effective Date – May 1, 2006

Entire Fiscal Year (2007-08) is subject to review and testing

DO NOT go back and create documents or back date reviews

BEGIN documenting key control processes (if you are not already) effective immediately

ResourcesResources

Sandra FeathersonAssociate Director of Controlsx7667Sandra.featherson@accounting.ucsb.edu

Jim CorkillControllerx5882Jim.Corkill@accounting.ucsb.edu

Questions?Questions?