About SAS 112/115
- What is SAS 112/115?
SAS 112 (Statement on Auditing Standards 112) establishes standards, responsibilities and guidance for external auditors for identifying and evaluating internal control over financial reporting. Specifically, this standard requires communicating certain internal control deficiencies identified in an audit. See the SAS 112/115 Overview for more information.
- When did SAS 112/115 become effective?
- On July 1, 2007, SAS 112 was incorporated into UCSD's external financial audit conducted by PricewaterhouseCoopers (PwC).
SAS 115 - The Auditing Standards Board has issued Statement on Auditing Standards (SAS) No. 115, 'Communicating Internal Control Related Matters Identified in an Audit.' SAS No. 115 supersedes SAS No. 112 of the same title and was issued to eliminate differences within AICPA’s Audit and Attest Standards resulting from the issuance of Statement on Standards for Attestation Engagements (SSAE) No. 15.
- What does SAS 112/115 say?
- See the SAS 112/115 Overview.
- Why should I or my department be concerned about SAS 112/115?
- The existence, application, and evidence of key controls at the departmental level have always been a strong component of an effective control environment. This is now more true than ever because our external auditors will rely on the strength provided by such an environment as a mitigating control when a control failure is detected.
- Does the concept of internal control relate only to business practices and policy?
No. The concept of internal control applies to virtually everything in a department, including instruction, research, other scholarly activities, and student and employee relations. The integrity and effectiveness of all activities depend on the knowledge and ability of each individual to do the right thing, and the willingness to do so every time.
Department responsibilities related to SAS 112/115
- What are my specific department responsibilities?
Department leaders are responsible for communicating an expectation of ethical conduct to all employees, and for assuring that the proper checks and balances (i.e., control activities) are performed and documented on a regular and periodic basis. Department leaders should also ensure that documentation noting these checks is maintained and available for auditors if requested.
For specific control activities and their schedule, see Documenting Your Department's Key Controls for more information.
- Are the controls identified as "key controls" the only controls that my department must monitor?
- No. Other controls exist for governance and to comply with university policy, laws, and regulations. The controls identified in the Department Key Controls Documentation relate to the preparation of the financial statements and are subject to review under SAS 112/115.
- Does SAS 112/115 require departments to add internal control activities to their processes?
- Potentially. When it created the UC Davis Department Key Controls Documentation, the Controller's Office determined the key controls that should already be in place within each department. However, if these controls are not currently in place, they will need to be added to current procedures.
Departments should review their activities, identify key controls and document those controls. See Documenting Your Department's Key Controls for more information.
- If I document key control activity on other financial reports (i.e. ALR, MLR), do I need to document it again on the Department Key Controls Documentation?
- No. If your review is documented in an electronic system, you do not need to print and sign it again.
Who performs and certifies control activities
- Who performs and reviews control activities?
The performance and review of key controls in your unit depend on your particular organizational structure. In most cases, fiscal officers or MSOs/CAOs review whether key control functions are performed. A good rule of thumb is to look for the person responsible for overseeing the performance of university business activities within your department or division. See Documenting Your Department’s Key Controls for more information.
- At what level of the organization (i.e. division level, operational unit level, or cost center level) should key control activity be performed and certified?
- Key control activity should be performed by individuals who have the knowledge and understanding of their key controls. Depending on the structure of your unit or department, key controls may be performed by fiscal officers in some cases and by MSOs/CAOs in others. Key control performance and reviews can be determined by each area.
- Can someone perform the key control and certify/review it as well?
- No. Effective internal control activity includes the proper separation of control tasks. See Documenting Your Department’s Key Controls for more information.
- When should key control activity be performed and certified?
- Your department needs to perform and certify key controls on a regular and periodic basis to demonstrate that the controls are working properly. See Documenting Your Department’s Key Controls for specific guidelines.
Control lapses or errors
- What if a key control activity uncovers a problem?
One benefit of key controls is that they can uncover issues or problems. If this occurs, work with your MSO/CAO to determine the problem's source and identify a solution. If you need guidance, contact Controls & Accountability. It may be appropriate to review internal business processes and training to mitigate further risks.
- Will control lapses or errors in control activities trigger additional reporting requirements for a department?
- It depends on the severity of the error or the control lapse. It may prompt additional reviews and audits from the campus Audit and Management Advisory Services (AMAS) group or the Office of the Controller. In addition, external auditors could initiate random audits of campus departments.
It's important to remember that key control activities are our "check and balance" to ensure our internal control environment is effective. As you are performing these control activities, you may find breakdowns in the process. An issue with how a process is working may arise, or, because internal control is affected by people, someone may not perform an activity correctly. Internal control is a process and may need to be adjusted periodically.
- What happens if my department is audited and there is no documentation of the performance of control activities?
- If documentation cannot be provided to the auditor that control activities have been performed, it is as if they had not been performed. This may result in an audit deficiency reportable to the Regents. Departments need to ensure that they maintain sufficient documentation to support the performance of these activities.
- How does the departmental SAS 112/115 certification process relate to the annual financial statement audit by external auditors?
- UC Davis has identified key financial controls at the campus to our external auditors. These controls exist within central unit processes and/or within department activities. The controls listed on the Department Key Controls Documentation are those specifically associated with a department.
During our annual financial statement audit, our external auditors will test our controls in order to give an opinion on our university financial statements. If deficiencies are found within a key control, then this may lead to reportable audit findings to the Regents.