|EXECUTIVE SUMMARY |
Statement on Auditing Standards no. 112, Communicating Internal Control Related Matters Identified in an Audit , introduced terms, definitions and guidance for identifying and evaluating control deficiencies and communicating significant deficiencies and material weaknesses. It requires an auditor to communicate in writing to a client’s management and members of governing bodies any significant deficiencies and material weaknesses in internal control over financial reporting identified during an audit.
Since the AICPA issued SAS no. 112 in May 2006, practitioners have asked a series of questions about the new standard’s effect on nonattest services, internal control over financial reporting and auditor independence.
A practitioner’s performance of nonattest services such as bookkeeping or drafting financial statements does not constitute a “de facto” material weakness in internal control over financial reporting under SAS no. 112. A deficiency only exists if the client does not have effective controls to prevent, detect and correct misstatements in the financial statements, not because the practitioner performed services to assist the client.
As part of the audit, the practitioner may provide advice, research materials and recommendations to the client to assist management in making decisions about how to improve ICFR. Or, subject to meeting the requirements of Interpretation 101-3, practitioners may assist audit clients that want to improve their ICFR through a separate nonattest services engagement. Such opportunities may increase as a result of the heightened focus on controls in the audit process due in part to SAS no. 112 and the audit risk assessment standards contained in SAS nos. 104 through 111.
Catherine Allen , CPA, writes, teaches and consults on auditor independence, professional ethics and related compliance matters through her consulting firm, Audit Conduct. Her e-mail address is email@example.com .
Charles E. Landes , CPA, is vice president–AICPA Professional Standards and Services. His e-mail address is firstname.lastname@example.org .
Lisa A. Snyder , CPA, is director–AICPA Professional Ethics Division. Her e-mail address is email@example.com .
Since the AICPA’s Auditing Standards Board issued Statement on Auditing Standards no. 112 in May 2006, practitioners have asked questions about the new standard’s effect on nonattest services, internal control over financial reporting and auditor independence.
SAS no. 112, Communicating Internal Control Related Matters Identified in an Audit , introduced terms, definitions and guidance for evaluating control deficiencies. It requires an auditor to communicate in writing to a client’s management and members of governing bodies any significant deficiencies and material weaknesses in internal control over financial reporting identified during an audit.
The brief fictional case studies that follow attempt to answer important questions related to the guidance, which is effective for audits of financial statements for periods ending on or after Dec. 15, 2006. The studies include explanations of the relevant requirements of SAS no. 112 and Interpretation 101-3, Performance of Nonattest Services . In all instances, “practitioner” means a member of the accounting firm who provides audit or nonattest services to an audit client of the firm.
CASE NO. 1: TXA SOFTWARE
TXA Software is a small, privately held software developer in Alexandria, Va. Most of the company’s 15 employees develop and customize software applications for medical practices. The company does not engage in complex business transactions although the accounting standards it must apply as a software developer can be complex.
To keep its shareholders and lenders informed of its financial performance under GAAP, the company engages its practitioner—an outside auditor—to assist with the monthly and year-end closing processes. TXA’s president designates Marion, an employee, to oversee the service. Marion has helped manage TXA for several years, keeping the books and handling the company’s financial decisions. She knows the industry well, can understand how accounting entries affect financial statements and is capable of making management decisions related to the monthly and year-end closing activities. However, she needs help adjusting and closing the books each month and at the end of the year.
From information Marion provides, the practitioner proposes month-end adjustments to the general ledger for her review and approval. During the process, the practitioner discusses with Marion any matters that require her judgment, such as accounting estimates, or her input, such as factors that would affect when to recognize revenue.
Marion also asks the practitioner to explain any entries that, based on her knowledge of the company, appear to be incorrect or inconsistent. Once Marion approves the adjustments and posts them to the general ledger, the practitioner uses that information to draft the financial statements. For the annual financial statements, the practitioner also drafts the footnote disclosures. In all cases, Marion reviews, approves and accepts full responsibility for the practitioner’s work product.
If the practitioner performs bookkeeping services or drafts financial statements as part of an audit or nonattest services engagement, does this constitute a “de facto” material weakness in internal control over financial reporting (ICFR) under SAS no. 112?
This is one of the most frequently asked questions related to the new standard. The answer is no; such activities don’t automatically signify a material weakness. In some audit engagements the practitioner may identify a control deficiency and, after further evaluation, conclude that a material weakness or significant deficiency in ICFR exists. In other engagements the practitioner may identify no control deficiencies.
What the practitioner does or does not do—either as part of the audit or a separate nonattest services engagement—is not directly relevant to whether a control deficiency exists. The relevant factors are the effectiveness of the controls that the client designs and implements to prevent, detect and correct material misstatements in the financial statements under audit.
Clients hire practitioners for different reasons. They may request a practitioner’s help at year-end because they lack the skills or the resources to prepare financial statements without assistance. This might signal a potential control deficiency; however, such a deficiency only exists if the client does not have effective controls to prevent, detect and correct misstatements in the financial statements, not because the practitioner performs services to assist the client.
For instance, if the client requests assistance from the practitioner purely as a matter of convenience but has effective controls in place, no control deficiency exists.
Should the practitioner consider the company’s assignment of a designee—Marion, in the case of TXA—to oversee the nonattest services a control activity?
No, assigning a person to oversee the practitioner’s nonattest services under Interpretation 101-3 is not a control activity. Rather, the control is what Marion or others at TXA do to prevent, detect and correct misstatements in the financial statements. For example, does TXA have policies and procedures that Marion follows to help ensure that the financial statements are complete and accurate, or that the accounting applied was proper? If policies and procedures are in place, are they being performed by duly authorized people who are capable of performing the activities effectively?
Based on the facts provided, it appears that Marion is capable of reviewing and approving the practitioner’s work product in a manner that is sufficient to allow her to evaluate the adequacy and results of the work and accept responsibility for the work product. However, if neither Marion nor anyone else reviews the year-end adjustments and drafts of the financial statements in sufficient detail to prevent, detect and correct a material misstatement, a control deficiency in internal control over financial reporting exists.
Are the thresholds for client competency under the two standards different?
Under Interpretation 101-3 and SAS no. 112, the required level of competence for the client designee depends on the circumstances. Under Interpretation 101-3, a client designee must have suitable skill, knowledge and/or experience to oversee the practitioner’s nonattest services (See Exhibit 1 ). Generally, the designee must be able to understand the nature, objective and scope of the services, make informed decisions on the results of the practitioner’s service, and make any necessary management decisions.
The designee is not required to possess the technical expertise of the practitioner or be able to perform or re-perform the nonattest services in order to provide oversight. In the TXA example, Marion was capable of overseeing the practitioner’s monthly and year-end closing activities even though she was unable to perform those activities herself.
However, in order to have effective ICFR, Marion or others would need to perform control activities that would detect and prevent material misstatements in the financial statements. This may require a higher level of competence than is required under Interpretation 101-3. For example, certain controls may require an individual to analyze information while others may only require the individual to compare one number to another to verify they are the same.
|AICPA Guidance in Understanding General Requirement no. 2 of Interpretation 101-3: Client Responsibilities
In 2005, the AICPA Professional Ethics Executive Committee released AICPA Interpretation 101-3, Performance of Nonattest Services—Guidance in Understanding General Requirement no. 2: Client Responsibilities . This guidance was intended to help practitioners understand one of the key requirements of Interpretation 101-3, specifically, how to evaluate whether a person designated by your attest client has the necessary skill, knowledge and/or experience to oversee your nonattest services. Here are some highlights of the guidance:
The individual should be able to understand the nature, objective and scope of the services.
The skill, knowledge and/or experience needed will depend on the nature of the service and degree of complexity. Some factors to consider are an individual’s general business knowledge; position with the client and understanding of the nature of the service and the client’s business; and the individual’s education (level of education should not be a prevailing consideration).
In the smallest companies, often the designee will be the owner of the business, but in larger organizations it could be a bookkeeper, controller, or even a third party contracted by the client—provided the third party has authority to make decisions on the client’s behalf.
The individual is not required to possess the technical expertise that the member possesses or the ability to perform, or re-perform, the services.
Oversight does not mean that the individual supervises the practitioner on a day-to-day basis; however, he or she should, where appropriate, receive periodic reports on the status of the engagement.
CASE NO. 2: CONSTRUCT INC.
Construct Inc. is a small, family-owned-and-managed construction company that provides services to residential and commercial customers. The company employs George, an accountant who maintains the books and records, is familiar with GAAP and can prepare the financial statements. Because of a shortage of internal resources to do the work, Construct engaged its practitioner to help process the company’s payroll. George oversaw the services in which the practitioner:
Used approved timecards and other client records to calculate the payroll and generate unsigned checks for the client’s signature.
Transmitted payroll data to the client’s financial institution (pre-authorized by the client).
Submitted electronic payroll tax payments in accordance with U.S. Treasury Department and other relevant jurisdictions’ guidelines under arrangements made with the client and its financial institution.
In accordance with Interpretation 101-3, George assumed all management responsibilities for the practitioner’s services. He also performed control activities related to payroll. These duties included spot-checking the payroll for accuracy by recalculating the payroll for select employees and comparing his amounts to those the practitioner calculated, reviewing disbursements to gauge consistency with prior periods and investigating any inconsistencies. The practitioner considered George capable of overseeing the payroll work for independence purposes.
However, during the audit, the practitioner identified a significant deficiency in internal control over financial reporting. He learned that George misclassified payroll expense between contracts when posting the job cost ledger. This would have caused a misstatement in the financial statements.
Does the practitioner’s identification of a significant deficiency or material weakness in internal control over financial reporting in an area in which he or she previously performed nonattest services impair independence?
The test for independence when the practitioner performs nonattest services is whether he or she complied with Interpretation 101-3. Under that rule, Construct Inc. and the practitioner agreed to the responsibilities that each would undertake in connection with the payroll services engagement. This ensured that the practitioner would not assume management’s responsibilities for the payroll process. Therefore, the fact that the practitioner concluded during the audit that a significant deficiency (or even a material weakness) in ICFR existed does not mean that independence was impaired when the payroll services were performed.
|Nonattest Services Activities vs. Control Activities
Note: It is important to differentiate nonattest services “activities”—that is, the activities underlying the services that a practitioner renders to the client (such as proposing journal entries or preparing a tax return)—from “control activities,” which are defined in the internal control literature.
||Nonattest Services Activities
||Control Activities |
|What they are:
||Activities performed by a practitioner when performing nonattest services (that is, tax, accounting or consulting) for a client
- Control activities are the policies and procedures that help ensure management directives for internal control are carried out.
- Control activities include a range of activities such as approvals, authorizations, verifications, review of account reconciliations, review of operating performance, security of assets and segregation of duties.
Source: Committee of Sponsoring Organizations of the Treadway Commission, Internal Control—Integrated Framework.
- Prepare journal entries
- Record cash receipts in the cash receipts journal
- Post amounts in the journals to the general ledger (G/L)
- Review and approve the reconciliation of the accounts receivable subsidiary ledger to the general ledger
- Review the G/L and financial statements for consistency, reasonableness and accuracy (for example, checking for unusual or incorrect items or reviewing a financial statement disclosure checklist)
- Application of controls over the company’s financial reporting software that ensure accuracy and completeness of financial statements
CASE NO. 3: TZR
TZR is a privately owned clothing manufacturer located in North Carolina and South Carolina with three owners/shareholders who operate the business. The company makes one line of clothing and employs approximately 50 people, mostly machine operators and other factory workers.
TZR’s owners engage the company’s practitioner to maintain the fixed-asset ledger and prepare monthly depreciation adjustments. TZR has no full-time accounting personnel but has contracted the services of a controller, Sunil, on a part-time basis for the past three years. Sunil worked as a controller for a large manufacturing company for many years and therefore is well-versed in the applicable accounting principles and practices. From his association with TZR, he has become knowledgeable about its business. The practitioner concludes that Sunil is capable of overseeing the services.
Can the client engage someone other than an owner or employee of the company to oversee the practitioner’s nonattest services?
Yes. Interpretation 101-3 does not require that the individual overseeing the practitioner’s service be an owner or employee of the client if the individual has suitable skill, knowledge or experience to oversee the services and the authority to make necessary management decisions.
The practitioner should use the same criteria in evaluating Sunil’s skills, knowledge and experience as if he were an employee. If Sunil performs control activities related to the services that are both appropriate and effective, the practitioner could consider his activities to be a control for purposes of evaluating ICFR.
But the client could not engage the practitioner or his or her firm to perform control activities. Control activities constitute management responsibilities that, if performed by the practitioner, impair independence.
Does the practitioner’s performance of nonattest services in compliance with Interpretation 101-3 constitute control activities?
No. Management is responsible for the design and execution of ICFR. As one of the five components identified in the Internal Control—Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (the “COSO Framework”), control activities are the policies and procedures that help ensure management’s directives for internal control are effectively carried out (see Exhibit 2 ).
By barring management functions, Interpretation 101-3 precludes the practitioner from performing control activities and becoming part of the client’s internal control structure. It specifies that establishing or maintaining controls, including performing ongoing monitoring activities, for a client would impair independence.
Likewise, attest procedures performed by the practitioner cannot be considered control activities or compensating controls. For example, if TZR’s practitioner identifies certain control deficiencies and expands the scope of the audit by performing additional audit procedures, these additional procedures do not mitigate the severity of TZR’s control deficiencies in any way.
Can the client engage the practitioner to help remediate control deficiencies or otherwise improve its ICFR?
Yes. As part of the audit, the practitioner may provide advice, research materials and recommendations to the client to assist management in making decisions about how to improve its ICFR.
Or, subject to meeting the requirements of Interpretation 101-3, practitioners may assist audit clients that want to improve their ICFR via a separate nonattest services engagement. Such opportunities may become more commonplace as a result of the heightened focus on controls in the audit process due in part to SAS no. 112 and the audit risk assessment standards contained in SAS nos. 104 through 111.
When performing services as part of a nonattest services engagement, practitioners should carefully examine the scope of work related to internal control. Clearly, it is management’s responsibility to design, operate and monitor a client’s ICFR. Practitioners are barred, for example, from remediating control gaps on behalf of client management. However,
if the practitioner meets all the requirements of Interpretation 101-3, he or she may
provide recommendations, advice and assistance to companies seeking to enhance internal controls.
Internal Control Deficiencies: Assessment and Reporting Under SAS 112 , a CPE self-study course (#183290)
Understanding SAS no. 112 and Evaluating Control Deficiencies—Audit Risk Alert (#022536)
Communicating Internal Control Related Matters Identified in an Audit—SAS no. 112 (#060707)
For more information or to make a purchase, go to www.cpa2biz.com or call the Institute at 888-777-7077.