The Statement of Auditing Standards (SAS 115) provides guidance to external auditors on how they should communicate internal control related matters identified in their audit of an organization's financial statements. SAS 115, which was issued by the American Institute of Certified Public Accountants (AICPA) in October 2008, supersedes SAS 112. SAS 115 is effective for audits of financial statements for periods ending on or after December 15, 2009.
Changes as a result of SAS 115
The key differences between SAS 115 and SAS 112 are in the definitions of material weaknesses and significant deficiencies so they are aligned with the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5, with the most significant change being to the definition of significant deficiencies.
The definition of material weakness includes the term 'correct,' and has deleted the phrase 'more that a remote likelihood' and replaced it with the 'reasonably possible' language of PCAOB No. 5. The definition of significant deficiency was revised, removing the phrases 'more than a remote likelihood' and 'more than inconsequential, and adding that a deficiency is significant if it is 'less severe than a material weakness, yet important enough to merit attention by those charged with governance.'
These changes to the definitions of the types of control deficiencies are subtle, yet they provide useful tools to the auditor. For instance, that a control must enable management or employees to be able to 'correct' identified misstatements on a timely basis, in addition to permitting them to prevent and detect material misstatements, is valuable resource in the control evaluation process.
How does SAS 115 affect the UC Irvine Campus?
The standard applies to the University's external auditor, PricewaterhouseCoopers (PwC). Because PwC is required to perform certain procedures under SAS 115 when auditing the Irvine campus, the campus has elected to undertake certain activities – specifically, the identification and monitoring of key financial controls that, if designed and carried out effectively, will reduce the likelihood of incurring a material misstatement in the campus's financial statements.
Summary of SAS 115
The standard does 3 things:
- It defines three categories of deficiencies that may be identified during the external audit of the financial statements:
- Control deficiencies
- Significant deficiencies
- Material weaknesses
- It provides guidance on evaluating the severity of the deficiencies identified.
- It requires the auditor to communicate in writing to management and those charged with governance any significant deficiencies or material weaknesses that were identified.
Definitions of Control Deficiencies
SAS 115 defines 3 categories of deficiencies as described below. The nature of the deficiency is a function of the seriousness of its potential impact on the financial statements.
- Control Deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
- Significant Deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
- Material Weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.
Indicators of a Material Weakness
SAS 115 includes a list of deficiencies in internal control that are indicators of material weaknesses. The list of indicators are:
- Identification of fraud, whether or not material, on the part of senior management;
- Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud;
- Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity's internal control; and
- Ineffective oversight of the entity's financial reporting and internal control by those charged with governance