In the May issue of the CSMFO magazine, I had written an article entitled “The Viewpoint from the Managing Partner of a CPA Firm”. This was an article that was written from the heart and was sparked by the numerous and recent incidences of fraud occurring in local governments. In that article, one key point was that there is much misperception regarding the objectives of a financial audit. To quote that article, “The heart of the matter, in my opinion, is that there is a disconnect between the objective of a financial audit and what governing board members are looking for in an audit.”
The disconnect is that financial auditors are engaged to render an opinion on the year-end financial statements and do so following the concept of reasonable assurance. The auditors test material accounts in those financial statements and also gain an understanding of internal controls regarding the financial reporting system. Financial auditors are not required to audit the government’s controls during the financial audit…and are only required to “gain an understanding”. Financial auditors may elect to test controls which will often reduce the amount of account analysis required on the year-end financial statement. But again, financial auditors are not required to test internal controls.
In the article, I discussed the importance of monitoring internal controls and the advantages of performing internal audits throughout the year and other procedures in order to meet the needs of government finance officers and elected officials.
Well….timing is everything they say! Recently, Statement of Auditing Standards (SAS) 130 was published which has an effective date for audits beginning after December 15, 2016. The title of SAS 130 is “An Audit of Internal Control over Financial Reporting that is integrated with an Audit of Financial Statements”. I believe SAS 130 will provide an opportunity for all finance officials to send a message to your governing board members and citizenry, that more resources, time and attention ought to be directed towards your internal control framework.
The Standard is lengthy and detailed…..but let’s look at some of the key points of this timely SAS which have been extracted from the pronouncement:
What is SAS 130 all about?
It “Establishes requirements and provides guidance that applies only when an auditor is engaged to perform an audit of internal control over financial reporting (ICFR) that is integrated with an audit of financial statements.”
As mentioned, financial auditors are not required to test, let alone audit, internal controls. SAS 130 now gives guidance when a government elects to have their auditors “audit” the internal controls over financial reporting which will then be integrated with the financial audit.
What are the objectives of SAS 130?
To “Obtain reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment about the effectiveness of ICFR” and,
To “Express an opinion on the effectiveness of ICFR in a written report, and communicate with management and those in charge with governance as required by SAS 130.”
The objectives of SAS 130 are what I believe governing board members, management and citizens are looking for. Currently, financial auditors render an opinion on the material accuracy of the financial statements and do not render an opinion on internal controls.
A SAS 130 audit will result in the auditor actually expressing an opinion on internal controls and will require reporting whether there are material weaknesses in internal controls.
SAS 130 talks about ICFR, what is it?
“Internal control over Financial Reporting (ICFR). A process effected by those charged with governance, management and other personnel, designed to provide reasonable assurance regarding the preparation of reliable financial statements in accordance with the applicable financial reporting framework and includes those policies and procedures that:
a. Pertain to the maintenance of records
b. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the applicable financial statement framework, and
c. Provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized acquisition, use or disposition of the entity’s assets that could have a material effect on the financial statements
ICFR has inherent limitations. ICFR is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. ICFR also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements will not be prevented or detected and corrected on a timely basis by ICFR.”
A SAS 130 audit will be designed to specifically test the internal controls over financial reporting (ICFR) and look at records such as journal entries, purchase orders, etc. The auditors will test to determine that the transactions are being properly recorded and that there is reasonable assurance that any errors or unauthorized transactions will be prevented or detected and corrected in a timely manner.
Are auditors required to perform an audit of ICFR?
“This statement on Auditing Standards (SAS) 130 establishes requirements and provides guidance that applies only when an auditor is engaged to perform an audit of internal control over financial reporting (ICFR) that is integrated with an audit of financial statements.”
A SAS 130 audit is not required, however, I believe it addresses much of the disconnect between the perception of a financial audit and the objectives of a financial audit. Your governing board members, management and citizens all want a level of assurance that your controls over financial reporting are operating effectively. So though it is not required, I believe that most governments will request this audit annually.
Are the ICFR effective to eliminate fraud?
“….an entity’s ICFR is less likely to prevent, or detect and correct, a misstatement caused by fraud than a misstatement caused by error.”
The fact is, is that even with the strongest of controls in place and regular monitoring, there is still the chance that fraud will occur. When the fraudster has a will, there will be a way! SAS 130 acknowledges that a misstatement caused by fraud is less likely to be prevented or detected than that caused by human error.
I do believe, that with sound controls, regular monitoring and regular audits, there will be the lessened likelihood that a material fraud will occur.
Does SAS 130 give guidance on how to test internal controls?
Yes, some of these are:
“The auditor should evaluate the design effectiveness of controls by determining whether the entity’s controls, if operated as prescribed by persons possessing the necessary authority and competence to perform them effectively, satisfy the entity’s control objectives, and can effectively prevent, or detect and correct, misstatements cause by error or fraud that could result in material misstatement of the financial statements.
The auditor should obtain evidence about the effectiveness of selected controls for each relevant assertion. The auditor is not responsible for obtaining sufficient appropriate audit evidence to support an opinion about the effectiveness of each individual control.
The auditor should vary the nature, timing and extent of testing of controls from period to period to introduce unpredictability into the testing and respond to changes in circumstances.”
Yes, timing is everything….in many respects! In order to effectively audit internal controls, it needs to have a measure of “unpredictability” which a financial audit is not necessarily designed to do. Also, since SAS
130 is effective for periods ending after December 15, 2016 (FY 2017) and financial audits are not designed to test controls or give an opinion on internal controls…..it is time for all government finance officials to discuss with their governing boards the importance of devoting more resources and time to their internal control framework and engage their auditors to perform a SAS 130 audit!
This article submitted by Rich Kikuchi, CPA Partner.
This article was also published in CSMFO Magazine, click HERE to read the new issue!
Click HERE for PDF.
