Is There a Missing Link in Your System of Internal Controls?

By Sheri Rockburn and Barbara Reid

The American Institute of Certified Public Accountants (AICPA) issued Statement on Auditing Standards number 112, commonly referred to as SAS 112, in May 2006. SAS 112 will affect all auditees, including local governments—cities, towns, counties and school districts—and is effective for audit periods ending on or after December 15, 2006. SAS 112 defines how auditors will communicate matters related to your entity’s internal controls over financial reporting. This statement introduces new definitions of internal control deficiencies and further defines those deficiencies that may be “significant” or considered a “material weakness.” Effectively, this new statement will lower the reporting threshold regarding internal control deficiencies, resulting, in some cases, in an increase in the number of audit findings. The requirements of this statement may also lengthen the time needed for your auditor to complete the audit. More internal control deficiencies will likely be considered significant or material, and these deficiencies will be communicated more broadly than in the past, in the form of written audit findings. This article outlines the terminology contained within SAS 112 and how this new statement will impact the auditing process.

What exactly are internal controls as addressed in SAS 112? “Internal controls” refer to the process—effected by those charged with governance, management and other personnel—designed to provide reasonable assurance regarding the achievement of the municipality’s objectives including: reliable financial reporting; effective and efficient operations; and compliance with applicable laws and regulations.

“Reliable financial reporting” refers to the timely preparation of financial statements fairly presented in conformity with generally accepted accounting principles, otherwise known as GAAP. A system of internal controls over financial reporting does not stop at the general ledger, but includes controls over the preparation of the financial statements, including year-end adjustments, as well as the required note disclosures. “Effective and efficient operations” refer to the optimal use of scarce resources to perform the services, functions and activities necessary to accomplish the municipality’s objectives. “Compliance with applicable laws and regulations” refers to operating within the constraints and restrictions imposed by internal policies, the adopted budget, state and federal laws, and other oversight regulations.

What types of internal control deficiencies will be the focus of review under the requirements of SAS 112? To answer that, the following questions are provided to help assess your municipality’s readiness to respond to your auditor’s inquiries and evaluation of your internal controls in compliance with SAS 112. A “no” response to any question indicates a potential internal control deficiency that may need immediate attention in order to avoid a future audit finding.

  • Does your municipality have sufficient expertise to appropriately apply generally accepted accounting principles?
  • Is management and/or financial staff adequately trained and qualified to fulfill their assigned functions?
  • Is there an antifraud program in place?
  • Are there controls over non-routine and non-systematic transactions, such as journal entries, abatements, or expenditures of FEMA funds?
  • Are accurate and timely reconciliations of significant accounts routinely performed, such as bank reconciliations, and reconciliations of accounts receivable/accounts payable sub-ledgers, grant ledgers, tax and utility receivables?
  • Are there sufficient controls over period-end financial reporting, including procedures over approving and processing adjusting entries in the general ledger, preparing financial statements, and providing required note disclosures?
  • Are financial reports issued timely?
  • Are internal controls adequately documented?
  • Is there adequate segregation of duties over significant accounts and processes such as cash receipts, payroll and purchasing functions?
  • Are there controls in place to safeguard municipal assets, such as performing periodic physical inventories and maintaining capital asset records?
  • Are there adequate IT controls in place over major systems, such as financial reporting, payroll, general ledger and grant management, as well as adequate back-up systems and disaster recovery procedures?
  • Are there adequate controls over the work of outside organizations or contractors that process, manage or report on a significant accounting function, such as payroll?
  • Has the municipality satisfactorily addressed all prior year audit findings?

As previously noted, a “no” answer to any of these questions may be indicative of a weak or missing link in your system of internal controls. Another key question, and potential missing link, is whether your municipality relies on the auditor to prepare the financial statements, reconcile accounts, or prepare year-end adjusting entries. If so, depending upon your specific circumstances, such activities may be considered at least a control deficiency, and possibly a material weakness, in your internal control system.

The determination of a control deficiency will be made by your auditor based upon qualitative and quantitative evidence and will follow a “prudent official” standard. In other words, the auditor will objectively evaluate the severity of the control deficiency, using a process similar to that of a regulator or oversight agency. When your auditor is evaluating the impact of a deficiency, the timeframe for assessing its impact includes not only the current audit period but also the effect and impact the deficiency may have in the future.

For example, if a municipality chooses not to fill a vacant accounting position, and this vacancy limits the ability to adequately segregate duties over financial transactions now or at some point in the future, the municipality may have either a significant deficiency or a material weakness. In this example, the classification of a control deficiency as either a significant deficiency or a material weakness will depend on the projected impact, or level of materiality, that this lack of adequate segregation of duties may have on the financial statements, as determined by the auditor. In making this determination, the auditor will also consider any “compensating controls” that may mitigate or lower the impact of the deficiency. For example, perhaps the town administrator routinely reviews (after the fact) all transactions involving purchases over a certain dollar threshold. Although the control deficiency still exists—the administrator’s review does not eliminate the lack of segregation of duties—the impact or level of materiality due to the control deficiency may be diminished by this compensating control.

What is the difference between a control deficiency, a significant deficiency and a material weakness? According to SAS 112, a “control deficiency” exists when the design or operation of a control does not allow management or employees, in the normal course of performing their functions, to prevent or detect misstatements on a timely basis. Such control deficiencies may be further classified as either “significant” or “material.”

A “significant deficiency” is a control deficiency, or combination of control deficiencies, that adversely affects the municipality’s ability to reliably initiate, authorize, record, process or report financial data in accordance with GAAP, resulting in the possibility that a “more than inconsequential” misstatement of the financial statements will not be prevented or detected.

A “material weakness” is a significant deficiency, or combination of significant deficiencies, that results in the likelihood that a “material” misstatement of the financial statements will not be prevented or detected. Basically, the difference between a control deficiency, a significant deficiency and a material weakness is the likelihood and magnitude of the misstatement that could potentially occur.

For example, a common control within many municipal operations deals with the accounts payable process. Typical controls in the purchasing process include obtaining three quotes and the issuance of a purchase order for items greater than $1,000. The auditor will test purchasing transactions to determine if in fact the stated controls are being executed as prescribed. They will also test whether controls are in place to identify, in a timely manner, those transactions that may have circumvented the required procedures. If the audit testing reveals that the controls are not operating as intended, the auditor must then determine the impact or magnitude this control deficiency may have on the financial statements, and classify the deficiency accordingly as either a control deficiency, a significant deficiency or a material weakness.

How, and to whom, will internal control deficiencies be reported? SAS 112 requires auditors to communicate in writing to management and “those charged with governance” the significant deficiencies and material weaknesses identified during the audit, as well as those deficiencies identified in the past that have not yet been remedied. Prior to SAS 112, auditors had discretion whether to report such deficiencies orally or in writing, which resulted in inconsistent communications regarding these matters. From a practical standpoint, the internal control deficiencies will now most likely be communicated at the time the audit report is presented, but no later than 60 days following the audit report release date. In some cases, the auditor may decide to communicate internal control issues earlier, during the conduct of the audit rather than after completion.

SAS 112 defines “those charged with governance” as the person(s) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. In most municipalities, governance is a collective responsibility carried out by the board of selectmen or city/town council, and/or management team members such as the town manager/administrator and finance director.

What role can the auditor play in the internal control system? It is management’s responsibility to ensure that the municipality has an adequately designed internal control environment, which includes assessing areas of risk, monitoring, evaluating and revising the internal controls on a regular basis. Additionally, internal controls must be documented and operating as prescribed. This process is known as the Internal Control Cycle and is illustrated in the accompanying graphic on page 13. One key point addressed in SAS 112 is that the auditor cannot be part of the internal control environment. Your system of internal controls, including controls over the preparation of financial statements in accordance with GAAP, cannot rely on work performed by the auditor. This requirement stems from the principle that the auditor cannot maintain independence and objectivity if he or she is auditing their own work.

What steps can be taken to reduce control deficiencies and eliminate deficiencies being reported as audit findings? The first step is to discuss potential SAS 112 implications with your auditor and to address all audit findings previously reported. The second step is to evaluate whether management and/or key financial staff are adequately trained and qualified to perform their respective duties, and if not, to determine what additional training may be necessary. The third step is to assess the high-risk areas specific to your municipality. This is accomplished by reviewing the questions listed above, as well as identifying the major financial activities, material balance sheet accounts, significant revenue streams and primary expenditure accounts. The fourth step is to then document the key controls that support those financial processes and accounts, including those systems or spreadsheets that may be independent of, or integrated within, the general ledger. The final step is to ensure an ongoing process that assesses the areas of risk within your municipality, and responds to those risks accordingly.

A copy of SAS 112, which includes further definitions, descriptions and examples of control deficiencies, is available at http://www.aicpa.org/download/members/div/auditstd/AU-00325.PDF.

Sheri Rockburn is a Certified Public Accountant with Municipal Resources, Inc.

Barbara Reid is Government Finance Advisor for New Hampshire Local Government Center.

The New Hampshire Local Government Center has partnered with Municipal Resources, Inc. to develop training designed to minimize control deficiencies as a result of the new SAS 112 auditing standards. These workshops will provide the tools necessary to perform an in-depth self-review of internal control systems, helping to identify and assess the areas of risks unique to your municipality. This program is directed towards managers, administrators, finance directors, accounting staff and any other municipal employee charged with establishing and maintaining effective internal controls. More information will be provided at the LGC annual conference in November.