Accounting & Auditing
Evaluating and Communicating Internal Control Deficiencies
By Suzanne M. Holl, CPA

Confused about liability implications of SAS No. 112? Communication is key. And, small-business clients may need special attention.

SAS No. 112, Communicating Internal Control-Related Matters Identified in an Audit, supersedes SAS No. 60 and provides guidance to auditors on identifying, evaluating and communicating matters related to entities’ internal control over financial reporting.

Issued in May 2006, it is effective for audits of financial statements for periods ending on or after Dec. 15, 2006. The new auditing standard is not intended or designed to change the scope or limits of an audit of a company’s financial statements. In simple terms, the auditor is not required under SAS No. 112 to perform procedures designed to search for and identify deficiencies in internal control.

The new standard is only meant to address the deficiencies an auditor may become aware of during the course of audit procedures and, therefore, is influenced by the nature, timing and extent of the procedures performed. Consequently, it is important to have appropriate engagement letter language in place to avoid confusion or a client’s “expectation gap” with respect to the firm’s responsibilities and the inherent limitations of the audit engagement.

SAS No. 112 has two significant requirements:

  1. The auditor must evaluate the control deficiencies that he or she has become aware of to determine whether those deficiencies, individually or in combination, are significant deficiencies or material weaknesses.
  2. The auditor must communicate in writing significant deficiencies and material weaknesses to management and those who are charged with governance.

Regarding the second requirement, for some smaller clients, or in the case of an owner-managed client, management and those who are charged with governance may be the same people. However, in larger organizations, governance is broader than just the management component and is considered the collective responsibility of the board of directors, an audit committee, partners and anyone else designated by the organization as having responsibility for governance. Clearly, in order to comply with the requirements of SAS No. 112, it is important that the CPA uses appropriate judgment when determining the “who” in the definition of those who are charged with governance.

The standard does attempt to define certain key terminology. However, it is very apparent that a great deal of professional skepticism and judgment is required when applying this guidance to “real-world” scenarios. CPAs need to exercise their own good judgment in assessing and concluding “whether prudent officials, having knowledge of the same facts and circumstances, would agree with the classification of the deficiencies.”

“Prudent” in this context means that CPAs will need to be careful or diligent in performing their duties. From a liability perspective, the requirement to communicate in writing certainly appears to be a strong loss-prevention tool. CAMICO has long advocated that CPAs put all significant communications in writing and that these communications be directed at management and those charged with governance.

In our experience, a defense is almost always more successful when based on documentation rather than memory. Also, the contents of the written communication can be expanded beyond the required elements specified in the new standard to include other matters that may be of potential benefit to the client, as well as other items that may help to avoid the client “expectation gap.” This approach is simply good client service.

Small-Business Clients

CPAs also should give special attention to the implications of SAS No. 112 as it relates to small-business clients. Typically, there are many inherent limitations in the accounting procedures of small businesses that may cause control deficiencies. Probably the most common internal-control shortcoming in small businesses is an inability to segregate duties.

For example, if your client is a small business, and the owner relies on a long-time employee to handle all the bookkeeping, payroll and banking responsibilities, the owner might spend little to no time reviewing the bookkeeper’s work. If your firm has been engaged to quarterly review certain procedures performed by the bookkeeper, including bank reconciliations, would the work performed by your firm be viewed as compensating controls and an adequate substitute for the owner’s lack of oversight? As clarified under SAS No. 112, the answer is no, as only the controls that the client has in place can be considered when evaluating compensating controls. In this scenario, the lack of appropriate segregation of duties and management oversight would be considered a material weakness and would need to be communicated in writing to the owner.

Professional skepticism is important when focusing on the consideration of compensating controls to determine if they appropriately mitigate the significance of a control deficiency.

Jury Standards

Even the more restrictive requirements under SAS No. 112 as it relates to identifying, evaluating and communicating significant deficiencies in internal control are still below the expectation level and responsibilities jurors often place on CPAs. CAMICO claims experience shows that the public expects CPAs to follow the professional standards and to “get it right.”

Consequently, CPAs who focus only on professional standards to the exclusion of jury standards will be treading on thin ice. From our experience, the key to “getting it right” is to follow professional standards, meet client expectations, and adhere to the public’s perception of CPAs’ responsibilities. This formula is clearly the best loss-prevention technique for protecting the public interest.

Remember, communicating internal-control matters in writing to clients offers CPAs an opportunity to better serve their clients, to better protect themselves, and to enhance existing client relationships.

About the Author
Suzanne M. Holl, CPA, is vice president of loss-prevention services with CAMICO. She provides CAMICO’s member-owners with information on a wide variety of loss prevention and accounting issues.

Reprinted with permission from CAMICO. Ó All rights are reserved.