SAS 112 UpdateChapter 9

Presented by Chris Ray, PartnerKPMG LLP

KPMG LLP

2

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

SAS No. 112

Was implemented during the CSU’s June 30, 2007 audits

Established standards and provided guidance on communicating matters related to internal control

Defined control deficiencies as either: Control deficiencies

Significant deficiencies

Material weaknesses

3

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

“Control Deficiencies” Exist…

When the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

4

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Deficiency in Design Exist When…

A control necessary to meet the control objective is missing or

An existing control is not properly designed so that, even if it operates as designed, the control objective is not always met.

5

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

A Deficiency in Operation Exists When…

A properly designed control does not operate as designed or

When the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

6

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Unconditional Requirements

An auditor is required to evaluate whether identified control deficiencies are, individually or in combination:

significant deficiencies or

material weaknesses

Significant deficiencies and material weaknesses are required to be communicated in writing to those charged with governance.

7

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Definitions of Significant Deficiency and Material Weakness

Significant deficiency: a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles (GAAP) such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected.

Material weakness: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

8

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Magnitude

The magnitude of a misstatement may be:

Inconsequential

More than inconsequential but less than material

Material

Factors that may affect the magnitude of a misstatement that could result in a deficiency or deficiencies in controls include by are not limited to the following:

The financial statement amounts or total of transactions exposed to the deficiency

The volume of activity in the account balance or class of transactions exposed to the deficiency in the current period or expected in future periods.

9

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Significant Deficiency Indicators Controls over the selection and application of GAAP accounting

principles

Antifraud programs and controls

Controls over non-routine and nonsystematic transactions

Controls over period-end financial reporting process, including controls over procedures used to enter transaction totals in the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements.

10

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Significant Deficiency Indicators (Continued) Examples of situations which indicate the controls over the period-

end financial reporting process were either not designed appropriately or were not operating effectively:

When adjustments and/or financial statement reclassifications are identified by the auditor which were not originally identified by management, these represent factors that indicate the controls over the financial reporting process were either not designed appropriately or were not operating effectively.

The quantitative and qualitative nature of the adjustments and/reclassifications are then required to be evaluated to determine if the amounts are either more than inconsequential or material to the respective financial statements. In addition to the actual amounts of the adjustments or reclassifications identified, the auditor is also required to consider the potential for unrecorded amounts.

Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a significant deficiency or material weakness, even though such deficiencies are individually insignificant.

11

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Material Weakness Indicators

Ineffective oversight of the entity’s financial reporting process and internal control by those charged with governance

Restatement of previously issued financial statements Identification by the auditor of a material misstatement in the

financial statements not initially identified by the entity’s internal control

An ineffective internal audit function or risk assessment function Identification of fraud of any magnitude on the part of senior

management Failure by management or those charged with governance to

assess the effect of a significant deficiency previously communicated to them or either correct it or conclude that it will not be corrected.

12

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Magnitude/Likelihood

Magnitude of Misstatement that

Occurred, or could have occurred

More than remote Remote

Quantitatively or qualitatively material

Material weakness Control deficiency but not a significant deficiency or a material weakness

More than inconsequential but less than material

Significant deficiency but not a material weakness

Control deficiency but not a significant deficiency or a material weakness

Inconsequential (i.e., clearly immaterial)

Control deficiency but not a significant deficiency or a material weakness

Control deficiency but not a significant deficiency or a material weakness

Likelihood of misstatement

13

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

The Prudent Official Test

The last step in the evaluation is to conclude the following:

Would a prudent official consider an identified control deficiency to be at least a significant deficiency? If yes, would the prudent official consider the same to be a material weakness?

The prudent official test is used only to increase the severity of a control deficiency and NOT to justify a decrease in the severity.

14

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Examples of Significant Deficiencies and Material Weaknesses noted during CSU’s June 30, 2007 Audits

Financial Reporting Issues were noted related to the conversion of legal basis accounting

records to the accrual basis of accounting in accordance with U.S. generally accepted accounting principles (GAAP).

The following are examples of the issues noted: Incomplete account reconciliations Lack of support of components comprising financial statement

amounts Detailed listings and support ledgers that do not support amounts

reflected in the financial statements Inaccurate completion of the required financial reporting packages

requiring various audit adjustments and reclassification entries not initially identified by management

Inaccurate completion of the respective entities financial statements requiring various audit adjustments and reclassification entries not initially identified by management

15

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Examples of Other Significant Deficiencies Noted During CSU’s June 30, 2007 Audits

Information Technology – Segregation of Duties

At one of the campuses, we noted that all payroll department employees have access to both Personal Information Management System (PIMS) and Common Management System (CMS)/Financial Reporting System (FRS). Thus all employees can add/delete/change employee pay, while also submitting changed files to State Controller's Office. We noted overall that campus management (IT or Business Process Management) does not perform a periodic review to help ensure proper segregation of duties exists among critical business functions within the PeopleSoft Finance and HR modules.

16

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Examples of Other Significant Deficiencies noted during CSU’s June 30, 2007 Audits

Information Technology – User Access Based on our review of security and access privileges in-scope

applications and systems at the campuses, we observed that certain obsolete, inactive, or otherwise inappropriate user profiles have not been disabled. Below is the list of the issues we encountered during our review which were present in varying degrees at each of the campuses tested in the current year:

Users have inappropriate system administrative access to the PeopleSoft Finance and HCM applications and the PeopleSoft database,

Users had inappropriate access to override the matching rules within the PeopleSoft Finance application.

Users had inappropriate access to enter and modify grades within PeopleSoft application.

Users with system administrative access to PeopleSoft FIN application had inappropriate access rights.

17

May 2008 GAAP Reporting Workshop

© 2

00

8 K

PM

G L

LP,

the U

.S.

mem

ber

firm

of

KPM

G In

tern

ati

on

al, a

Sw

iss

coop

era

tive.

All

rig

hts

rese

rved

. Pri

nte

d in

U.S

.A.

KPM

G a

nd

th

e K

PM

G log

o a

re r

eg

iste

red

tra

dem

ark

s of

KPM

G In

tern

ati

on

al.

Questions?