Date post: | 11-Jan-2016 |
Category: |
Documents |
Upload: | samantha-lester |
View: | 212 times |
Download: | 0 times |
1
Commercial Sector Applications of Internal Controls and SAS No. 112
NASC Annual Conference
March 22, 2007
Andrew F. GottschalkPartner
KPMG’s Government Practice KPMG LLP
Andrew F. GottschalkPartner
KPMG’s Government Practice KPMG LLP
2
Agenda Agenda
Internal Controls – A PrimerInternal Controls – A Primer
Is Sarbanes-Oxley (S-O) applicable to GovernmentIs Sarbanes-Oxley (S-O) applicable to Government
Lessons Learned from Corporate EnterprisesLessons Learned from Corporate Enterprises
Common Weaknesses IdentifiedCommon Weaknesses Identified
Emerging InsightsEmerging Insights
Next Steps for GovernmentsNext Steps for Governments
SAS No. 112SAS No. 112
3
““internal control(s)internal control(s)” = “internal controls over financial reporting” (ICFR) ” = “internal controls over financial reporting” (ICFR)
unless otherwise stated - ICFR is a subset of management controls unless otherwise stated - ICFR is a subset of management controls
All areas of management impactedAll areas of management impacted
Management controls must provide reasonable assurance that assets are Management controls must provide reasonable assurance that assets are
safeguarded against waste, loss, unauthorized use, and misappropriation safeguarded against waste, loss, unauthorized use, and misappropriation
Management controls should be logical, applicable, reasonably complete, Management controls should be logical, applicable, reasonably complete,
effective and efficient in accomplishing management objectiveseffective and efficient in accomplishing management objectives
Internal Controls – A PrimerInternal Controls – A Primer
© 2006 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved.
4
Sarbanes-Oxley (S-O) takes its definition of internal control from the Sarbanes-Oxley (S-O) takes its definition of internal control from the
SEC’s working definition on ICFR:SEC’s working definition on ICFR:
a process providing reasonable assurance regarding reliability of a process providing reasonable assurance regarding reliability of
financial reporting and preparation of financial statements for external financial reporting and preparation of financial statements for external
purposes in accordance w/ GAAP, including various purposes in accordance w/ GAAP, including various
policies/procedurespolicies/procedures
Internal Controls – A PrimerInternal Controls – A Primer
5
Applicability of S-O in SLGsApplicability of S-O in SLGs
S-O legislation applicable only to publicly traded companies - but impact of its
provisions now cascading to public institutions, including NFPs
Pressures from bond ratings agencies, the Federal government, and board members at state authorities have prompted some government officials to consider using S-O as a model for improving internal controls w/in public agencies (long-term benefits may outweigh short term costs)
Some agencies in a handful of states already have used the S-O legislation as a basis for bringing more rigor to their agencies’ control environment
SLG entities well served by planning for an internal controls process assessment b/c regulations similar to those of S-O could be adopted, as done by the Federal government with OMB’s revised Circular A-123
6
Is Sarbanes-Oxley Applicable to Government?
Is Sarbanes-Oxley Applicable to Government?
7
Entities not subject to S-O adopting the rulesEntities not subject to S-O adopting the rules
Increasing number of closely held companies Increasing number of closely held companies complying with parts of the corporate-reform law – complying with parts of the corporate-reform law – although not required toalthough not required to
Accounting experts offer these reasons why Accounting experts offer these reasons why companies choose to follow the law: companies choose to follow the law:
Owners hope to sell the company or take it public Owners hope to sell the company or take it public
Directors who sit on public-company boards see laws’ benefits Directors who sit on public-company boards see laws’ benefits
Executives believe strong internal controls improves efficiency Executives believe strong internal controls improves efficiency
Customers require strong internal controls Customers require strong internal controls
Lenders are more likely to approve loans Lenders are more likely to approve loans
Source: Wall St. Journal (August 14, 2006)
8
Sarbanes-Oxley Act of 2002 Sarbanes-Oxley Act of 2002
Instituted sweeping changes for accounting Instituted sweeping changes for accounting profession and corporate governance in the profession and corporate governance in the following areas:following areas:
auditor independence auditor independence
oversight of the auditing profession (PCAOB)oversight of the auditing profession (PCAOB)
enhanced financial disclosure requirements enhanced financial disclosure requirements (including internal control reporting)(including internal control reporting)
corporate responsibility corporate responsibility
9
Lessons Learned from Corporate EnterprisesLessons Learned from Corporate Enterprises
10
Survey: Control PortfolioSurvey: Control Portfolio
28%33%
39%
51%
21%
28%
0%
10%
20%
30%
40%
50%
60%
0 - 500 Controls
501 - 1000Controls
More than 1000Controls
2004 2005
How many unique (or the number of tested) key controls How many unique (or the number of tested) key controls did your company have?did your company have?
11
Survey: Control PortfolioSurvey: Control Portfolio
How many key IT applications were selected for testing in 2005?How many key IT applications were selected for testing in 2005?
8%3%
5%
15%
19%26%
24%
0 - 10
11 - 25
26 - 50
51 - 100
101 - 150
151 - 200
More than 200
50%
12
Survey: Control PortfolioSurvey: Control Portfolio
65%
17% 19%
72%
11%17%
0%
10%
20%
30%
40%
50%
60%
70%
80%
Highly Manual
50 / 50 HighlyAutomated
2004 2005
What is the estimated percentage of your company’s manual What is the estimated percentage of your company’s manual key controls versus automated key controls?key controls versus automated key controls?
13
Survey: Control PortfolioSurvey: Control Portfolio
52%
21%26%
0%
10%
20%
30%
40%
50%
60%
Highly Detective
50 / 50 Highly Preventive
What is the estimated percentage of detective key controls versus What is the estimated percentage of detective key controls versus preventive key controls (excluding IT controls)?preventive key controls (excluding IT controls)?
2005
14
Survey: DeficienciesSurvey: Deficiencies
10%
43%47%50% 49%
2%
91%
8%0%
0%
20%
40%
60%
80%
100%
0 1 - 25 26 or More
Deficiencies Significant Deficiencies Material Weaknesses
How many deficiencies, significant deficiencies + material weaknesses How many deficiencies, significant deficiencies + material weaknesses did your organization have at time of your 2005 certification?did your organization have at time of your 2005 certification?
15
Survey: The Cost of ComplianceSurvey: The Cost of Compliance
9%
28%
22%
14%
26%
16%
43%
22%
8%12%
0%
10%
20%
30%
40%
50%
0 - 10,000 10,001 -25,000
25,001 -50,000
50,001 -75,000
More than75,000
2004 2005
How many total hours (incl. internal hours the company spent and How many total hours (incl. internal hours the company spent and external hours spent by outside service providers) do you estimate external hours spent by outside service providers) do you estimate
were spent during your 2005 S-O 404 compliance efforts? How many were spent during your 2005 S-O 404 compliance efforts? How many hours were spent in 2004?hours were spent in 2004?
16
Survey: The Benefits of ComplianceSurvey: The Benefits of Compliance
Top benefits cited, when asked what benefits were being realized as they moved further into Top benefits cited, when asked what benefits were being realized as they moved further into S-O 404 compliance:S-O 404 compliance:
Most stated that a better assessment of business process needs gained from 404 compliance Most stated that a better assessment of business process needs gained from 404 compliance through: through:
prioritization of process controls to meet operational and compliance requirementsprioritization of process controls to meet operational and compliance requirements
cost savings provided through automation and standardization of process controlscost savings provided through automation and standardization of process controls
development and monitoring of formal policies and proceduresdevelopment and monitoring of formal policies and procedures
use of effective/sustainable controlsuse of effective/sustainable controls
Level-four is marked with a dash bullet (Arial 18pt)Level-four is marked with a dash bullet (Arial 18pt)
» Level-five is marked with a square bullet (Arial 18pt)Level-five is marked with a square bullet (Arial 18pt)
17
Survey: The Benefits of ComplianceSurvey: The Benefits of Compliance
Another benefit realized from S-O 404 compliance has Another benefit realized from S-O 404 compliance has been a clear emphasis on the assignment of been a clear emphasis on the assignment of accountability to business owners and employees accountability to business owners and employees throughout the organization throughout the organization
Some examples cited:Some examples cited:
an increased level of controls compliance awareness throughout the an increased level of controls compliance awareness throughout the organizationorganization
delegation of business responsibilitiesdelegation of business responsibilities
increased visibility and escalation of issues to senior managementincreased visibility and escalation of issues to senior management
increased oversight roles by audit committees/sr. mgmnt.increased oversight roles by audit committees/sr. mgmnt.
18
Survey: The Benefits of ComplianceSurvey: The Benefits of Compliance
Respondents also reported seeing a shift in focus from Respondents also reported seeing a shift in focus from compliance benefits to operational efficiency compliance benefits to operational efficiency opportunities identified through S-O. For example: opportunities identified through S-O. For example:
Implementation of S-O 404 controls has:Implementation of S-O 404 controls has:
reduced the financial reporting closing timereduced the financial reporting closing time
improved the accuracy of financial reporting dataimproved the accuracy of financial reporting data
helped identify process streamlining opportunities through helped identify process streamlining opportunities through centralization of process controlscentralization of process controls
enhanced management decision makingenhanced management decision making
begun the integration of overall entity risk assessmentbegun the integration of overall entity risk assessment
19
Common Weaknesses Identified
Common Weaknesses Identified
20
Year 1: Adverse Opinions*What Type of Issues Did They Have?Year 1: Adverse Opinions*What Type of Issues Did They Have?
Accounting Failure (GAAP) with respect to specific Accounting Failure (GAAP) with respect to specific accounts (98%) accounts (98%)
Income taxesIncome taxesRevenue recognitionRevenue recognitionInventoryInventory
Accounting documentation, policy andAccounting documentation, policy andprocedures (92%)procedures (92%)Material or numerous auditor/year-endMaterial or numerous auditor/year-endadjustments (55%)adjustments (55%)Accounting personnel resources, training/Accounting personnel resources, training/competency issues (50%)competency issues (50%)
* Source – Audit Analytics and SEC Presentation to Conference Board on March 28, 2006.
21
Common Weaknesses IdentifiedCommon Weaknesses Identified
Selected policies and procedures are not well Selected policies and procedures are not well
documented and/or are deficient or non-existentdocumented and/or are deficient or non-existent
Internal review or monitoring process (including, in Internal review or monitoring process (including, in
some cases, supervision) is deficient and/or not timely some cases, supervision) is deficient and/or not timely
Accounting reconciliations deficient and/or not timelyAccounting reconciliations deficient and/or not timely
Consider:Consider:
Reconciliation of subledgers to general ledgerReconciliation of subledgers to general ledger
Bank reconciliationsBank reconciliations
22
Common Weaknesses Identified (Cont’d.)Common Weaknesses Identified (Cont’d.)
Lack of requisite staff and/or expertise (typically in regard to Lack of requisite staff and/or expertise (typically in regard to
accounting/financial reporting areas) accounting/financial reporting areas)
Consider:Consider:
Significant audit adjustmentsSignificant audit adjustments
Reliance on audit firm for routine closing entriesReliance on audit firm for routine closing entries
Non-CPA’s in financial reporting positionsNon-CPA’s in financial reporting positions
23
Common Weaknesses Identified (Cont’d.)Common Weaknesses Identified (Cont’d.)
Lack of documentation for transactionsLack of documentation for transactions
Consider:Consider:
Impact of turnoverImpact of turnover
Undocumented controls (e.g., a review that is performed but not Undocumented controls (e.g., a review that is performed but not
evidenced)evidenced)
Non-routine transactionsNon-routine transactions
Support for rationale concerning judgmental areasSupport for rationale concerning judgmental areas
24
Common Weaknesses Identified (Cont’d.)Common Weaknesses Identified (Cont’d.)
Financial close process and/or related financial Financial close process and/or related financial
reporting mattersreporting matters
Consider:Consider:
Manual conversion process from accounting system to GAAP Manual conversion process from accounting system to GAAP
financial statements (GASB 34)financial statements (GASB 34)
““Topside” adjusting entries Topside” adjusting entries
Segregation of duties: who prepares financial statements and who Segregation of duties: who prepares financial statements and who
reviews them?reviews them?
25
Common Weaknesses Identified (Cont’d.)Common Weaknesses Identified (Cont’d.)
Accounting matters (e.g., revenue recognition) including Accounting matters (e.g., revenue recognition) including
technical matterstechnical matters
Consider:Consider:
Tax ReceivablesTax Receivables
Estimates for RefundsEstimates for Refunds
Reliability of EstimatesReliability of Estimates
Conversion from fund accounting to full accrualConversion from fund accounting to full accrual
Unusual investment vehiclesUnusual investment vehicles
Implementation of new accounting pronouncementsImplementation of new accounting pronouncements
26
Common Weaknesses Identified (Cont’d.)Common Weaknesses Identified (Cont’d.)
Information systems / technology Information systems / technology
Consider:Consider:Legacy systems for which documentation may be outdated/ Legacy systems for which documentation may be outdated/ non-existentnon-existent
Lack of sufficient, competent IT personnel to support systemsLack of sufficient, competent IT personnel to support systems
Controls that have been implemented “around” the system due Controls that have been implemented “around” the system due to known problemsto known problems
Weak general information technology controls that other Weak general information technology controls that other controls rely on (e.g., computerized exception reports that are controls rely on (e.g., computerized exception reports that are reviewed by management)reviewed by management)
““End user” computing— use of spreadsheets and databases End user” computing— use of spreadsheets and databases outside accounting systems not subject to internal controloutside accounting systems not subject to internal control
27
Common Weaknesses Identified (Cont’d.)Common Weaknesses Identified (Cont’d.)
Lack of segregation of duties Lack of segregation of duties
Consider:Consider:
Manual controls (same individual can initiate, process and record Manual controls (same individual can initiate, process and record
a transaction)a transaction)
Handling of cashHandling of cash
Automated controls (existence of users who can perform Automated controls (existence of users who can perform
functions in the system outside of their function).functions in the system outside of their function).
Possibility of management override of internal controlPossibility of management override of internal control
28
Common Weaknesses Identified (Cont’d.)Common Weaknesses Identified (Cont’d.)
Management estimates Management estimates
Consider:Consider:
Judgments and ClaimsJudgments and Claims
Medicaid AccrualsMedicaid Accruals
Payments to GranteePayments to Grantee
Assumptions made in the determination of actuarial liabilities (Pensions, Assumptions made in the determination of actuarial liabilities (Pensions,
Self-insurance, OPEB)Self-insurance, OPEB)
29
Common Weaknesses Identified (Cont’d.)Common Weaknesses Identified (Cont’d.)
Subsidiaries/Remote locations Subsidiaries/Remote locations
Consider:Consider:
Decentralized authority for transactions Decentralized authority for transactions
Grants managementGrants management
Component units/subsidiariesComponent units/subsidiaries
Monitoring for compliance with policies and proceduresMonitoring for compliance with policies and procedures
30
Emerging InsightsEmerging Insights
31
Year 2 – Section 404 Benefits ObservedYear 2 – Section 404 Benefits Observed
More knowledgeableMore knowledgeableAudit Committees Audit Committees
Overall positive change inOverall positive change inculture - Tone at the top control culture - Tone at the top control consciousness throughout consciousness throughout management improvedmanagement improved
More reliability and transparency More reliability and transparency for public investorsfor public investors
Companies have refined their Companies have refined their documentation and processes documentation and processes
Companies have improved their Companies have improved their accounting group competencyaccounting group competency
““Catch up” on deferredCatch up” on deferred maintenance continued – maintenance continued – additional deficiencies additional deficiencies re-mediated re-mediated
Focus in certain complex areas Focus in certain complex areas increased - income taxes, increased - income taxes, revenue recognition, othersrevenue recognition, others
Better inventory of controls, Better inventory of controls, making the impact of system making the impact of system changes clearer and assistingchanges clearer and assistingin times of staff turnoverin times of staff turnover
Emerging focus on risk Emerging focus on risk management practicesmanagement practices
32
Next Steps for GovernmentsNext Steps for Governments
33
Next Steps for GovernmentsNext Steps for Governments
Consider following examples of such states as:Consider following examples of such states as:
NY State NY State Model Governance Principles for NYS Public AuthoritiesModel Governance Principles for NYS Public Authorities
Public Accountability Act of 2005 (Act)Public Accountability Act of 2005 (Act)
New JerseyNew JerseyExecutive Order No. 122Executive Order No. 122
Executive Order No. 132Executive Order No. 132
CaliforniaCaliforniaGovernment Code Section 13400Government Code Section 13400
State Administrative Manual 20000 SectionState Administrative Manual 20000 Section
Senate Bill 1262/Charter 919 (Non-profit Integrity Act of 2004)Senate Bill 1262/Charter 919 (Non-profit Integrity Act of 2004)
34
Next Steps: Example Assessment ProcessNext Steps: Example Assessment Process
1 1 PLAN & SCOPE THE EVALUATIONPLAN & SCOPE THE EVALUATIONEstablish a sustainable process, identify resources, and define scope of assessment
Obtain an understanding of document controls and processes
Evaluate design and operating effectiveness of key controls, and document results of evaluation
Identify, accumulate, and evaluate design and operating control deficiencies; communicate findings and correct deficiencies
Prepare management’s written certification on effectiveness of ICFR
If warranted, prepare for independent auditor to conduct the internal control audit and attestation on management’s certification
22 DOCUMENT CONTROLSDOCUMENT CONTROLS
33 EVALUATE DESIGN & OPERATING EFFECTIVENESSEVALUATE DESIGN & OPERATING EFFECTIVENESS
44 IDENTIFY & CORRECT DEFICIENCIESIDENTIFY & CORRECT DEFICIENCIES
5 5 REPORT ON INTERNAL CONTROLREPORT ON INTERNAL CONTROL
6 6 INDEPENDENT AUDIT OF INTERNAL CONTROLINDEPENDENT AUDIT OF INTERNAL CONTROL
35
SAS No. 112SAS No. 112
36
SAS No. 112, Communicating Internal Control Related Matters Identified in an AuditSAS No. 112, Communicating Internal Control Related Matters Identified in an Audit
Establishes standards and provides guidance on Establishes standards and provides guidance on communicating matters related to an entity’s internal communicating matters related to an entity’s internal control over financial reporting identified in an audit of control over financial reporting identified in an audit of financial statements financial statements
Supersedes SAS No. 60, Supersedes SAS No. 60, Communication of Internal Communication of Internal Control Related Matters Noted in an Audit Control Related Matters Noted in an Audit (AU sec. 325)(AU sec. 325)
Applicable whenever an auditor expresses an opinion on Applicable whenever an auditor expresses an opinion on financial statements (including a disclaimer of opinion)financial statements (including a disclaimer of opinion)
37
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
Incorporates the definitions of the terms Incorporates the definitions of the terms control deficiency, control deficiency, significant deficiency, significant deficiency, and and material weaknessmaterial weakness used in used in PCAOB Auditing Standard No. 2, PCAOB Auditing Standard No. 2, An Audit of Internal An Audit of Internal Control Over Financial Reporting Performed in Conjunction Control Over Financial Reporting Performed in Conjunction With an Audit of Financial StatementsWith an Audit of Financial Statements..
Requires the auditor to communicate, Requires the auditor to communicate, in writingin writing, to , to management and those charged with governance, management and those charged with governance, significant deficiencies and material weaknesses identified significant deficiencies and material weaknesses identified in an audit in an audit
Provides guidance on evaluating the severity of control Provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements deficiencies identified in an audit of financial statements
38
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
Establishes standards and provides guidance on communicating Establishes standards and provides guidance on communicating matters related to an entity’s internal control over financial matters related to an entity’s internal control over financial reporting identified in an audit of financial statementsreporting identified in an audit of financial statements
The term financial reporting relates to the preparation of reliable The term financial reporting relates to the preparation of reliable financial statements that are fairly presented in conformity with financial statements that are fairly presented in conformity with GAAP (includes a comprehensive basis other than GAAP)GAAP (includes a comprehensive basis other than GAAP)
The definitions of control deficiency, significant deficiency, and The definitions of control deficiency, significant deficiency, and material weakness all hinge on the prevention or detection of material weakness all hinge on the prevention or detection of financial statement misstatements.financial statement misstatements.
The significance of a control deficiency depends on the The significance of a control deficiency depends on the potentialpotential for a misstatement, not on whether a misstatement actually has for a misstatement, not on whether a misstatement actually has occurred.occurred.
39
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
Severity of control deficiencies – definitions:Severity of control deficiencies – definitions:
Control DeficiencyControl Deficiency – design or operation of a control – design or operation of a control does not allow management or employees, in the normal does not allow management or employees, in the normal course of performing their assigned functions, to prevent course of performing their assigned functions, to prevent or detect misstatements on a timely basisor detect misstatements on a timely basis
Significant DeficiencySignificant Deficiency – more than a remote likelihood – more than a remote likelihood that a misstatement that is more than inconsequential that a misstatement that is more than inconsequential will not be prevented or detectedwill not be prevented or detected
Material WeaknessMaterial Weakness – more than a remote likelihood that – more than a remote likelihood that a material misstatement will not be prevented or a material misstatement will not be prevented or detecteddetected
40
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
Deficiencies in the following areas ordinarily are at least Deficiencies in the following areas ordinarily are at least significant deficiencies in internal control.significant deficiencies in internal control.Controls over the selection and application of accounting Controls over the selection and application of accounting principles that are in conformity with GAAP. Having sufficient principles that are in conformity with GAAP. Having sufficient expertise in selecting and applying accounting principles is an expertise in selecting and applying accounting principles is an aspect of such controls.aspect of such controls.
Antifraud programs and controls.Antifraud programs and controls.
Controls over nonroutine and nonsystematic transactions.Controls over nonroutine and nonsystematic transactions.
Controls over the period-end financial reporting process, including Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.nonrecurring adjustments to the financial statements.
41
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
Each of the following is an indicator of at least a significant Each of the following is an indicator of at least a significant deficiency and a strong indicator of a material weakness deficiency and a strong indicator of a material weakness in internal control.in internal control.Ineffective oversight of the entity's financial reporting and internal Ineffective oversight of the entity's financial reporting and internal control by those charged with governancecontrol by those charged with governance
Restatement of previously issued financial statements to reflect the Restatement of previously issued financial statements to reflect the correction of a material misstatementcorrection of a material misstatement
Identification by the auditor of a material misstatement in the Identification by the auditor of a material misstatement in the financial statements for the period under audit that was not initially financial statements for the period under audit that was not initially identified by the entity's internal controlidentified by the entity's internal control
An ineffective internal audit function or risk assessment function at An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for very large risk assessment component of internal control, such as for very large or highly complex entitiesor highly complex entities
42
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
Indicators of at least a significant deficiency and a strong Indicators of at least a significant deficiency and a strong indicator of a material weakness in internal controls, indicator of a material weakness in internal controls, continued:continued:
For complex entities in highly regulated industries, an For complex entities in highly regulated industries, an ineffective regulatory compliance functionineffective regulatory compliance function
Identification of fraud of any magnitude on the part of Identification of fraud of any magnitude on the part of senior managementsenior management
Failure by management or those charged with governance Failure by management or those charged with governance to assess the effect of a significant deficiency previously to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude communicated to them and either correct it or conclude that it will not be correctedthat it will not be corrected
An ineffective control environmentAn ineffective control environment
43
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
The issues that may cause concern include:The issues that may cause concern include:
Auditor identification of misstatements including those Auditor identification of misstatements including those involving estimation and judgment – even if involving estimation and judgment – even if management corrects the misstatementmanagement corrects the misstatement
Extent of auditor involvement in drafting the entity’s Extent of auditor involvement in drafting the entity’s financial statements and footnotes (e.g. statement of financial statements and footnotes (e.g. statement of cash flows)cash flows)
Management who lack the qualifications and training to Management who lack the qualifications and training to fulfill their assigned functionsfulfill their assigned functions
Collaboration is good…but the auditor cannot be part Collaboration is good…but the auditor cannot be part of a client’s internal controls.of a client’s internal controls.
44
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (cont’d)
Significant deficiencies or material weaknesses must Significant deficiencies or material weaknesses must be communicated in writing to management and those be communicated in writing to management and those charged with governance, no later than 60 days charged with governance, no later than 60 days following the report release date. If significant following the report release date. If significant deficiencies or material weaknesses previously deficiencies or material weaknesses previously communicated have not yet been remediated, they communicated have not yet been remediated, they must continue to be communicated.must continue to be communicated.
Auditors may communicate that no material Auditors may communicate that no material weaknesses were identified but should not state that weaknesses were identified but should not state that no significant deficiencies were identified.no significant deficiencies were identified.
45
Andrew F. Gottschalk Andrew F. Gottschalk
PartnerPartner
KPMG Government PracticeKPMG Government Practice
KPMG LLPKPMG LLP
(312) 665-2883(312) 665-2883
[email protected]@kpmg.com
www.us.kpmg.comwww.us.kpmg.com
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Presenter’s Contact Information