EXECUTIVE SUMMARY
|
Statement on Auditing
Standards no. 112, Communicating
Internal Control Related Matters
Identified in an Audit ,
introduced terms, definitions and guidance
for identifying and evaluating control
deficiencies and communicating significant
deficiencies and material weaknesses. It
requires an auditor to communicate in
writing to a client’s management and
members of governing bodies any
significant deficiencies and material
weaknesses in internal control over
financial reporting identified during an
audit.
Since the AICPA
issued SAS no. 112 in May 2006,
practitioners have asked a series of
questions about the new standard’s effect
on nonattest services, internal control
over financial reporting and auditor
independence.
A practitioner’s
performance of nonattest services such
as bookkeeping or drafting financial
statements does not constitute
a “de facto” material weakness in internal
control over financial reporting under SAS
no. 112. A deficiency only exists if the
client does not have effective controls to
prevent, detect and correct misstatements
in the financial statements, not because
the practitioner performed services to
assist the client.
As part of the audit,
the practitioner may provide advice,
research materials and recommendations
to the client to assist
management in making decisions about how
to improve ICFR. Or, subject to meeting
the requirements of Interpretation 101-3,
practitioners may assist audit clients
that want to improve their ICFR through a
separate nonattest services engagement.
Such opportunities may increase as a
result of the heightened focus on controls
in the audit process due in part to SAS
no. 112 and the audit risk assessment
standards contained in SAS nos. 104
through 111.
Catherine Allen , CPA,
writes, teaches and consults on auditor
independence, professional ethics and
related compliance matters through her
consulting firm, Audit Conduct. Her
e-mail address is
callen@auditconduct.com .
Charles E. Landes ,
CPA, is vice president–AICPA
Professional Standards and Services. His
e-mail address is
clandes@aicpa.org .
Lisa A. Snyder , CPA,
is director–AICPA Professional Ethics
Division. Her e-mail address is
lsnyder@aicpa.org . |
Since the AICPA’s Auditing Standards Board
issued Statement on Auditing Standards no. 112 in
May 2006, practitioners have asked questions about
the new standard’s effect on nonattest services,
internal control over financial reporting and
auditor independence. SAS no. 112,
Communicating Internal Control Related
Matters Identified in an Audit , introduced
terms, definitions and guidance for evaluating
control deficiencies. It requires an auditor to
communicate in writing to a client’s management
and members of governing bodies any significant
deficiencies and material weaknesses in internal
control over financial reporting identified during
an audit. The brief fictional case studies
that follow attempt to answer important questions
related to the guidance, which is effective for
audits of financial statements for periods ending
on or after Dec. 15, 2006. The studies include
explanations of the relevant requirements of SAS
no. 112 and Interpretation 101-3, Performance
of Nonattest Services . In all instances,
“practitioner” means a member of the accounting
firm who provides audit or nonattest services to
an audit client of the firm.
CASE NO. 1: TXA SOFTWARE
TXA Software is a small, privately held
software developer in Alexandria, Va. Most of the
company’s 15 employees develop and customize
software applications for medical practices. The
company does not engage in complex business
transactions although the accounting standards it
must apply as a software developer can be complex.
To keep its shareholders and lenders
informed of its financial performance under GAAP,
the company engages its practitioner—an outside
auditor—to assist with the monthly and year-end
closing processes. TXA’s president designates
Marion, an employee, to oversee the service.
Marion has helped manage TXA for several years,
keeping the books and handling the company’s
financial decisions. She knows the industry well,
can understand how accounting entries affect
financial statements and is capable of making
management decisions related to the monthly and
year-end closing activities. However, she needs
help adjusting and closing the books each month
and at the end of the year. From
information Marion provides, the practitioner
proposes month-end adjustments to the general
ledger for her review and approval. During the
process, the practitioner discusses with Marion
any matters that require her judgment, such as
accounting estimates, or her input, such as
factors that would affect when to recognize
revenue. Marion also asks the practitioner
to explain any entries that, based on her
knowledge of the company, appear to be incorrect
or inconsistent. Once Marion approves the
adjustments and posts them to the general ledger,
the practitioner uses that information to draft
the financial statements. For the annual financial
statements, the practitioner also drafts the
footnote disclosures. In all cases, Marion
reviews, approves and accepts full responsibility
for the practitioner’s work product.
If the practitioner performs
bookkeeping services or drafts financial
statements as part of an audit or nonattest
services engagement, does this constitute a “de
facto” material weakness in internal control
over financial reporting (ICFR) under SAS no.
112? This is one of the most
frequently asked questions related to the new
standard. The answer is no; such activities don’t
automatically signify a material weakness. In some
audit engagements the practitioner may identify a
control deficiency and, after further evaluation,
conclude that a material weakness or significant
deficiency in ICFR exists. In other engagements
the practitioner may identify no control
deficiencies. What the practitioner does
or does not do—either as part of the audit or a
separate nonattest services engagement—is not
directly relevant to whether a control deficiency
exists. The relevant factors are the effectiveness
of the controls that the client designs and
implements to prevent, detect and correct material
misstatements in the financial statements under
audit. Clients hire practitioners for
different reasons. They may request a
practitioner’s help at year-end because they lack
the skills or the resources to prepare financial
statements without assistance. This might signal a
potential control deficiency; however, such a
deficiency only exists if the client does not have
effective controls to prevent, detect and correct
misstatements in the financial statements, not
because the practitioner performs services to
assist the client. For instance, if the
client requests assistance from the practitioner
purely as a matter of convenience but has
effective controls in place, no control deficiency
exists.
Should the practitioner
consider the company’s assignment of a
designee—Marion, in the case of TXA—to oversee
the nonattest services a control activity?
No, assigning a person to oversee
the practitioner’s nonattest services under
Interpretation 101-3 is not a control activity.
Rather, the control is what Marion or others at
TXA do to prevent, detect and correct
misstatements in the financial statements. For
example, does TXA have policies and procedures
that Marion follows to help ensure that the
financial statements are complete and accurate, or
that the accounting applied was proper? If
policies and procedures are in place, are they
being performed by duly authorized people who are
capable of performing the activities effectively?
Based on the facts provided, it appears that
Marion is capable of reviewing and approving the
practitioner’s work product in a manner that is
sufficient to allow her to evaluate the adequacy
and results of the work and accept responsibility
for the work product. However, if neither Marion
nor anyone else reviews the year-end adjustments
and drafts of the financial statements in
sufficient detail to prevent, detect and correct a
material misstatement, a control deficiency in
internal control over financial reporting exists.
Are the thresholds for client
competency under the two standards different?
Under Interpretation 101-3 and SAS
no. 112, the required level of competence for the
client designee depends on the circumstances.
Under Interpretation 101-3, a client designee must
have suitable skill, knowledge and/or experience
to oversee the practitioner’s nonattest services
(See Exhibit 1 ).
Generally, the designee must be able to understand
the nature, objective and scope of the services,
make informed decisions on the results of the
practitioner’s service, and make any necessary
management decisions. The designee is not
required to possess the technical expertise of the
practitioner or be able to perform or re-perform
the nonattest services in order to provide
oversight. In the TXA example, Marion was capable
of overseeing the practitioner’s monthly and
year-end closing activities even though she was
unable to perform those activities herself.
However, in order to have effective ICFR,
Marion or others would need to perform control
activities that would detect and prevent material
misstatements in the financial statements. This
may require a higher level of competence than is
required under Interpretation 101-3. For example,
certain controls may require an individual to
analyze information while others may only require
the individual to compare one number to another to
verify they are the same.
Exhibit 1 | AICPA
Guidance in Understanding General
Requirement no. 2 of Interpretation
101-3: Client Responsibilities
| | | |
In 2005, the AICPA
Professional Ethics Executive Committee
released AICPA Interpretation 101-3,
Performance of Nonattest
Services—Guidance in Understanding
General Requirement no. 2: Client
Responsibilities . This guidance
was intended to help practitioners
understand one of the key requirements of
Interpretation 101-3, specifically, how to
evaluate whether a person designated by
your attest client has the necessary
skill, knowledge and/or experience to
oversee your nonattest services. Here are
some highlights of the guidance:
The individual should be able
to understand the nature, objective and
scope of the services.
The skill, knowledge and/or
experience needed will depend on the
nature of the service and degree of
complexity. Some factors to consider are
an individual’s general business
knowledge; position with the client and
understanding of the nature of the service
and the client’s business; and the
individual’s education (level of education
should not be a prevailing consideration).
In the smallest companies,
often the designee will be the owner of
the business, but in larger organizations
it could be a bookkeeper, controller, or
even a third party contracted by the
client—provided the third party has
authority to make decisions on the
client’s behalf.
The individual is not
required to possess the technical
expertise that the member possesses or the
ability to perform, or re-perform, the
services.
Oversight does not mean that
the individual supervises the practitioner
on a day-to-day basis; however, he or she
should, where appropriate, receive
periodic reports on the status of the
engagement. | |
CASE NO. 2: CONSTRUCT INC.
Construct Inc. is a small,
family-owned-and-managed construction company that
provides services to residential and commercial
customers. The company employs George, an
accountant who maintains the books and records, is
familiar with GAAP and can prepare the financial
statements. Because of a shortage of internal
resources to do the work, Construct engaged its
practitioner to help process the company’s
payroll. George oversaw the services in which the
practitioner:
Used approved timecards and other
client records to calculate the payroll and
generate unsigned checks for the client’s
signature.
Transmitted payroll data to the
client’s financial institution (pre-authorized by
the client).
Submitted electronic payroll tax
payments in accordance with U.S. Treasury
Department and other relevant jurisdictions’
guidelines under arrangements made with the client
and its financial institution. In
accordance with Interpretation 101-3, George
assumed all management responsibilities for the
practitioner’s services. He also performed control
activities related to payroll. These duties
included spot-checking the payroll for accuracy by
recalculating the payroll for select employees and
comparing his amounts to those the practitioner
calculated, reviewing disbursements to gauge
consistency with prior periods and investigating
any inconsistencies. The practitioner considered
George capable of overseeing the payroll work for
independence purposes. However, during the
audit, the practitioner identified a significant
deficiency in internal control over financial
reporting. He learned that George misclassified
payroll expense between contracts when posting the
job cost ledger. This would have caused a
misstatement in the financial statements.
Does the practitioner’s
identification of a significant deficiency or
material weakness in internal control over
financial reporting in an area in which he or
she previously performed nonattest services
impair independence? The test
for independence when the practitioner performs
nonattest services is whether he or she complied
with Interpretation 101-3. Under that rule,
Construct Inc. and the practitioner agreed to the
responsibilities that each would undertake in
connection with the payroll services engagement.
This ensured that the practitioner would not
assume management’s responsibilities for the
payroll process. Therefore, the fact that the
practitioner concluded during the audit that a
significant deficiency (or even a material
weakness) in ICFR existed does not mean that
independence was impaired when the payroll
services were performed.
Exhibit 2 | Nonattest Services
Activities vs. Control
Activities | | | |
Note: It is important to
differentiate nonattest services
“activities”—that is, the activities
underlying the services that a
practitioner renders to the client (such
as proposing journal entries or
preparing a tax return)—from “control
activities,” which are defined in the
internal control literature. |
Nonattest Services
Activities |
Control Activities
| What they
are: | Activities
performed by a practitioner when
performing nonattest services
(that is, tax, accounting or
consulting) for a client |
- Control activities are the
policies and procedures that
help ensure management
directives for internal
control are carried out.
- Control activities include a
range of activities such as
approvals, authorizations,
verifications, review of
account reconciliations,
review of operating
performance, security of
assets and segregation of
duties.
Source:
Committee of Sponsoring
Organizations of the Treadway
Commission, Internal
Control—Integrated Framework.
|
Examples: |
- Prepare journal entries
- Record cash receipts in the
cash receipts journal
- Post amounts in the journals
to the general ledger (G/L)
|
- Review and approve the
reconciliation of the accounts
receivable subsidiary ledger
to the general ledger
- Review the G/L and financial
statements for consistency,
reasonableness and accuracy
(for example, checking for
unusual or incorrect items or
reviewing a financial
statement disclosure
checklist)
- Application of controls over
the company’s financial
reporting software that ensure
accuracy and completeness of
financial statements
| |
|
CASE NO. 3: TZR TZR is a
privately owned clothing manufacturer located in
North Carolina and South Carolina with three
owners/shareholders who operate the business.
The company makes one line of clothing and
employs approximately 50 people, mostly machine
operators and other factory workers.
TZR’s owners engage the company’s
practitioner to maintain the fixed-asset ledger
and prepare monthly depreciation adjustments.
TZR has no full-time accounting personnel but
has contracted the services of a controller,
Sunil, on a part-time basis for the past three
years. Sunil worked as a controller for a large
manufacturing company for many years and
therefore is well-versed in the applicable
accounting principles and practices. From his
association with TZR, he has become
knowledgeable about its business. The
practitioner concludes that Sunil is capable of
overseeing the services.
Can the client engage
someone other than an owner or employee of the
company to oversee the practitioner’s
nonattest services? Yes.
Interpretation 101-3 does not require that the
individual overseeing the practitioner’s service
be an owner or employee of the client if the
individual has suitable skill, knowledge or
experience to oversee the services and the
authority to make necessary management
decisions. The practitioner should use
the same criteria in evaluating Sunil’s skills,
knowledge and experience as if he were an
employee. If Sunil performs control activities
related to the services that are both
appropriate and effective, the practitioner
could consider his activities to be a control
for purposes of evaluating ICFR. But the
client could not engage the practitioner or his
or her firm to perform control activities.
Control activities constitute management
responsibilities that, if performed by the
practitioner, impair independence.
Does the practitioner’s
performance of nonattest services in
compliance with Interpretation 101-3
constitute control activities?
No. Management is responsible for the design
and execution of ICFR. As one of the five
components identified in the Internal
Control—Integrated Framework of the
Committee of Sponsoring Organizations of the
Treadway Commission (the “COSO Framework”),
control activities are the policies and
procedures that help ensure management’s
directives for internal control are effectively
carried out (see
Exhibit 2 ). By barring management
functions, Interpretation 101-3 precludes the
practitioner from performing control activities
and becoming part of the client’s internal control
structure. It specifies that establishing or
maintaining controls, including performing ongoing
monitoring activities, for a client would impair
independence. Likewise, attest procedures
performed by the practitioner cannot be considered
control activities or compensating controls. For
example, if TZR’s practitioner identifies certain
control deficiencies and expands the scope of the
audit by performing additional audit procedures,
these additional procedures do not mitigate the
severity of TZR’s control deficiencies in any way.
Can the client engage the
practitioner to help remediate control
deficiencies or otherwise improve its ICFR?
Yes. As part of the audit, the
practitioner may provide advice, research
materials and recommendations to the client to
assist management in making decisions about how to
improve its ICFR. Or, subject to meeting
the requirements of Interpretation 101-3,
practitioners may assist audit clients that want
to improve their ICFR via a separate nonattest
services engagement. Such opportunities may become
more commonplace as a result of the heightened
focus on controls in the audit process due in part
to SAS no. 112 and the audit risk assessment
standards contained in SAS nos. 104 through 111.
When performing services as part of a
nonattest services engagement, practitioners
should carefully examine the scope of work related
to internal control. Clearly, it is management’s
responsibility to design, operate and monitor a
client’s ICFR. Practitioners are barred, for
example, from remediating control gaps on behalf
of client management. However, if the
practitioner meets all the requirements of
Interpretation 101-3, he or she may provide
recommendations, advice and assistance to
companies seeking to enhance internal controls.
| AICPA
RESOURCES
CPE
Internal Control Deficiencies:
Assessment and Reporting Under SAS 112
, a CPE self-study course (#183290)
Publications
Understanding SAS no. 112
and Evaluating Control
Deficiencies—Audit Risk Alert
(#022536)
Communicating Internal
Control Related Matters Identified in an
Audit—SAS no. 112 (#060707)
For more information or to make a
purchase, go to www.cpa2biz.com
or call the Institute at 888-777-7077. | |