Office of the Controller

Frequently Asked Questions (SAS)

Statement on Auditing Standards No. 115 (formerly SAS 112) “Communicating Internal Control Related Matters Identified in an Audit” establishes standards and provides guidance on communicating matters related to an entity’s internal control over financial reporting identified in an audit of financial statements. It is applicable whenever an auditor expresses an opinion on financial statements (including a disclaimer of opinion). In particular, this SAS:

  • defines the terms "significant deficiency" and "material weakness", incorporating the definitions already in use for public companies;
  • provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements; and
  • requires the auditor to communicate, in writing, to management and those charged with governance (e.g., Board of Regents), significant deficiencies and material weaknesses identified in an audit.

SAS 115 (formerly SAS 112) changes the process for evaluating deficiencies that come to auditors’ attention and brings the thresholds for reporting control deficiencies in line with the thresholds required for public companies. As these revised thresholds effectively lower the bar, it is expected that the reporting of what are now defined as either significant deficiencies or material weaknesses will be become increasingly more prevalent. There is a possibility that items not previously identified as control deficiencies could rise to what has now been defined as a significant deficiency or a material weakness simply as a result of imposing a new definition on the auditor, not as a result of any deterioration in the University’s system of internal control. The materiality of the control deficiency is determined based on what potentially could go wrong, not just on the amount of actual misstatements.

Departments should review the key processes and controls within their organization, the amount of existing documentation and training, and the steps that might be taken to improve the control environment in their area. Departments should already have the key processes and controls in place. However, they may not document that they are following these controls. For example, departments may review their general ledger activity, but may not retain any documentation noting that this occurred. Departments need to ensure that they maintain sufficient documentation for these key controls, possibly through a checklist, because if the documentation cannot be provided to the auditors it is as if it hasn’t been done.

No. Departments should have the key processes and controls in place within their organization. Departments will need to ensure that they maintain sufficient evidence of review for the key controls, which has not been required prior to SAS 115 (formerly SAS 112).

SAS 115 (formerly SAS 112) is effective for fiscal year 2006/07. Although effective for this fiscal year, departments should not go back and create documents. Going forward, departments should be document all reviews as suggested in the checklist, if they haven’t been already.

SAS115-The Auditing Standards Board has issued a statement on Auditing Standards (SAS) No. 115, 'Communicating Internal Control Related Matters Identified in an Audit.' SAS No. 115 supersedes SAS No.112 of the same title and was issued to eliminate differences within AICPA’s Audit and Attest Standards resulting from the issuance of Statement on Standards for Attestation Engagements (SSAE) No. 15.

  • General Ledger Reconciliation – Each month actual revenues and expenses are monitored against budgets General Ledger is reconciled by the department.
    • Actual revenues and expenses are monitored against budgets. Department reviews reports monthly for general propriety and accuracy. On comparison reports (monthly or annual), unexplained variances based on expectations (e.g. budget or prior period) are investigated to ensure accuracy.
    • Department reconciles the General Ledger for accuracy. Department verifies amounts to supporting documentation and resolves exceptions.
    • Overdraft Funds – Department reviews funds in overdraft status and takes follow-up action.
  • Distribution of Payroll Expense Reconciliation – Detailed payroll expenses are reviewed each month by the department for general propriety and to validate the accuracy of the charges. For example, departments review the accuracy of employee names and pay rates, and/or for possible other key entry errors.
  • Effort reports – Personnel Activity Reports (PARS) are certified each quarter by a responsible official with first hand knowledge of the work performed. Departments are responsible for maintaining these records in accordance with campus retention policy.
  • Physical Inventory – Physical Inventory is conducted by the department every two years. After the inventory is performed, the EQ920 is signed and returned to Equipment Management.
  • Purchase Orders and Accounts Payable Invoices – Requisitions, Purchase Orders, and Invoices are reviewed and approved at the department level. Invoices must be approved by the department responsible for the purchase.

No. These key controls are not the only controls that departments need to monitor. Other controls exist for governance and to comply with University Policy, Laws and Regulations. These are the key controls identified for the preparation of the financial statements and are subject to review under SAS 115 (formerly SAS 112). Departments should not eliminate existing controls based on SAS 115 (formerly SAS 112).