New Audit Standards May Feel Like a Foreign Landscape
By Jennifer Chandler Hauge
Has your auditor given you a call about the new audit standards under Statement on Auditing Standards, No. 112 (“SAS 112”)? Officially known as “Communicating Internal Control Related Matters Identified in An Audit,” the new requirements will be unfamiliar to many nonprofits that receive a management letter identifying “significant deficiencies” or “material weaknesses” in internal controls that had not been noted in prior years. Since many accountants were not fully briefed on the new standards until recently, audit firms didn’t have much time to prepare their clients for changes created by SAS 112. Consequently, this year’s audit and management letter may feel as if you are in a foreign territory—but there are steps your organization can take to soften the landing in new territory.
In May 2006, the American Institute of Certified Public Accountants (AICPA) issued new accounting standards. Specifically, SAS 112, which is effective for audits of financial statements for fiscal years ending December 15, 2006, or thereafter, requires auditors to communicate in writing to management or others charged with the nonprofit’s governance (such as the board members) whether any significant deficiencies/material weaknesses exist in the organization’s internal controls. (The report of the deficiency could be made orally as long as it’s followed by a written report within 60 days.)
The new standards underscore that it is management’s responsibility, not the auditor’s to establish and maintain internal controls and to fairly represent the financial position of the nonprofit in financial reports/statements. Also, the new standards underscore that:
- It’s the auditor’s responsibility to evaluate those controls and to communicate to management if there are deficiencies, including deficiencies that were noted in prior audits but not yet addressed or resolved by the nonprofit. In addition, auditors are required to communicate deficiencies and weaknesses in writing to the board every year for as long as the deficiencies and weaknesses exist.
- Auditors who discover “control deficiencies” during the course of an audit are required to identify the “likelihood” of a given deficiency continuing, as well as the magnitude of the potential or actual error that could be caused by that deficiency.
- Auditors are required to evaluate whether the deficiency is a “significant deficiency” or a “material weakness.” (If the auditor determines that the control deficiency is not a significant deficiency or a material weakness, the auditor doesn’t have to report the control deficiency in writing to management.)
What Is a “Control Deficiency?”
As we all know, ill-prepared financial reports can lead to incorrect financial information being shared with management or board members, and inaccurate reporting to the IRS, which can result in penalties to the organization, or even material fraud, including misappropriation of assets. Consequently, financial risk management involves putting in place procedures that can prevent or detect misstatements of the true picture of a nonprofit’s finances.
- A “control deficiency” exists if there aren’t adequate systems in place that can help employees or management prevent or detect misstatements of the nonprofit’s financial position on a timely basis. For example:
- A control deficiency in a small nonprofit would exist if it were standard practice for the same employee to open the mail and log-in checks received, process deposits, approve expenditures, and reconcile bank statements. This internal control weakness will now be referred to in the management letter every year until the problem is resolved. Under prior standards, the auditor had the option of communicating such deficiencies verbally to the management and the board.
- A control deficiency exists in a nonprofit that does not have any staff member capable of preparing financial statements in conformity with Generally Accepted Accounting Principles. In such cases the outside auditor is required to issue a management letter citing a “material weakness” because SAS 112 provides that there is a “control deficiency” in any organization that does not have the internal capacity to prepare financial statements that comply with GAAP.
If this situation applies to your nonprofit, consider outsourcing the preparation of financial statements to a vendor more highly trained than the nonprofit’s own staff. The nonprofit’s policies and procedures should be followed by the outsourced service provider, and management is still responsible for the outsourced functions. Added bonus: The vendor may have more up-to-date financial management software and may be able to guarantee that state-of-the-art computer back-up systems are in place.
Your organization can take 10 steps to prepare itself to comply with the new standards:
- Educate staff with financial responsibilities, as well as the nonprofit’s volunteer treasurer, and all board members about the new requirement that auditors both evaluate whether control deficiencies exist and the requirement that the auditors communicate their findings with management/board members.
- Take a look at last year’s management letter. Were any internal control weaknesses noted or suggestions made? What has been done about those suggestions? Be prepared to demonstrate that the issues noted by the auditors have been addressed—or be ready with an explanation why they have not been remediated.
- Work with your outside auditor to identify concerns before the auditor arrives to conduct fieldwork in your office to provide an opportunity for your nonprofit to “fix” deficiencies before the auditor is required to note them in the audit letter. Ask your accountant or auditor for sample financial policies.
- Communicate any changes your nonprofit has made in its procedures so the auditor is aware of them and can take those changes into account in this year’s audit.
- Ensure that the nonprofit has technology controls, such as limited access to computer files with financial and confidential human resources information, and has a business continuity plan that includes backing up of computer files.
- Ensure that the board is meeting on a regular basis, and is engaged and actively participating in oversight of the nonprofit’s finances that includes reviewing accurate and timely financial reports.
- Make it standard practice to conduct background checks on employees who handle cash and financial accounting/reporting.
- Expect slightly higher audit preparation fees. You may want to discuss fees with your auditor now to be prepared for budget planning purposes.
- Evaluate the reasonableness of making changes in procedures that will result in meeting the higher standards.
- For some organizations, receiving a management letter that identifies a “material weakness” may be hard to swallow but unavoidable because the nonprofit has no staff member skilled enough to prepare financial statements in accordance with GAAP.
January/February 2008 Risk Management Essentials