Evaluating and Communicating Internal
By Suzanne M. Holl, CPA
Confused about liability implications of SAS No. 112? Communication is key.
And, small-business clients may need special attention.
SAS No. 112, Communicating Internal Control-Related Matters Identified in
an Audit, supersedes SAS No. 60 and provides guidance to auditors on
identifying, evaluating and communicating matters related to entities’
internal control over financial reporting.
Issued in May 2006, it is effective for audits of financial statements for
periods ending on or after Dec. 15, 2006. The new auditing standard is not
intended or designed to change the scope or limits of an audit of a
company’s financial statements. In simple terms, the auditor is not
required under SAS No. 112 to perform procedures designed to search for
and identify deficiencies in internal control.
The new standard is only meant to address the deficiencies an auditor may
become aware of during the course of audit procedures and, therefore, is
influenced by the nature, timing and extent of the procedures performed.
Consequently, it is important to have appropriate engagement letter language
in place to avoid confusion or a client’s “expectation gap” with respect to
the firm’s responsibilities and the inherent limitations of the audit
SAS No. 112 has two significant requirements:
- The auditor must evaluate the control deficiencies
that he or she has become aware of to determine whether those
deficiencies, individually or in combination, are significant
deficiencies or material weaknesses.
- The auditor must communicate in writing significant
deficiencies and material weaknesses to management and those who are
charged with governance.
Regarding the second requirement, for some smaller clients, or in the
case of an owner-managed client, management and those who are charged with
governance may be the same people. However, in larger organizations,
governance is broader than just the management component and is considered
the collective responsibility of the board of directors, an audit committee,
partners and anyone else designated by the organization as having
responsibility for governance. Clearly, in order to comply with the
requirements of SAS No. 112, it is important that the CPA uses appropriate
judgment when determining the “who” in the definition of those who are
charged with governance.
The standard does attempt to define certain key terminology. However, it is
very apparent that a great deal of professional skepticism and judgment is
required when applying this guidance to “real-world” scenarios. CPAs need to
exercise their own good judgment in assessing and concluding “whether
prudent officials, having knowledge of the same facts and circumstances,
would agree with the classification of the deficiencies.”
“Prudent” in this context means that CPAs will need to be careful or
diligent in performing their duties. From a liability perspective, the
requirement to communicate in writing certainly appears to be a strong loss-prevention tool. CAMICO has long advocated that CPAs put all significant
communications in writing and that these communications be directed at
management and those charged with governance.
In our experience, a defense is almost always more successful when based on
documentation rather than memory. Also, the contents of the written
communication can be expanded beyond the required elements specified in the
new standard to include other matters that may be of potential benefit to
the client, as well as other items that may help to avoid the client
“expectation gap.” This approach is simply good client service.
CPAs also should give special attention to the implications of SAS No. 112
as it relates to small-business clients. Typically, there are many inherent
limitations in the accounting procedures of small businesses that may cause
control deficiencies. Probably the most common internal-control shortcoming
in small businesses is an inability to segregate duties.
For example, if your client is a small business, and the owner relies on a
long-time employee to handle all the bookkeeping, payroll and banking
responsibilities, the owner might spend little to no time reviewing the
bookkeeper’s work. If your firm has been engaged to quarterly review certain
procedures performed by the bookkeeper, including bank reconciliations,
would the work performed by your firm be viewed as compensating controls and
an adequate substitute for the owner’s lack of oversight? As clarified under
SAS No. 112, the answer is no, as only the controls that the client has in
place can be considered when evaluating compensating controls. In this
scenario, the lack of appropriate segregation of duties and management
oversight would be considered a material weakness and would need to be
communicated in writing to the owner.
Professional skepticism is important when focusing on the consideration of
compensating controls to determine if they appropriately mitigate the
significance of a control deficiency.
Even the more restrictive requirements under SAS No. 112 as it relates to
identifying, evaluating and communicating significant deficiencies in
internal control are still below the expectation level and responsibilities
jurors often place on CPAs. CAMICO claims experience shows that the public
expects CPAs to follow the professional standards and to “get it
Consequently, CPAs who focus only on professional standards to the exclusion
of jury standards will be treading on thin ice. From our experience, the key
to “getting it right” is to follow professional standards, meet client
expectations, and adhere to the public’s perception of CPAs’
responsibilities. This formula is clearly the best loss-prevention technique
for protecting the public interest.
Remember, communicating internal-control matters in writing to clients
offers CPAs an opportunity to better serve their clients, to better protect
themselves, and to enhance existing client relationships.
About the Author
Suzanne M. Holl, CPA, is vice president of loss-prevention services with CAMICO. She provides CAMICO’s member-owners with information on a wide
variety of loss prevention and accounting issues.
Reprinted with permission from CAMICO.
Ó All rights are
Printer Friendly Version