STATEMENT OF AUDITING STANDARDS 112 SAS112

1
STATEMENT OF AUDITING STANDARDS 112
(SAS112) Communicating Internal Control Matters
Identified in an Audit UC Riverside June 2007
2
" Today's  audit environment   encourages 
transparency and accountability. Therefore, an
integrated campuswide effort is  needed 
to  effectively steward the funds entrusted to
UCR.
Chancellor Córdova
3
AGENDA
1- Why SAS112 2- What is SAS112 3- Impact of
SAS112 4- Internal Control 5- Minimizing risk
in dept. operations 6- What to do?
4
- United States Federal Law and SEC For
Public Companies -SarbanesOxley
(SOX) Requires conducting an assessment of the
effectiveness of internal controls by
management, to be audited and approved by the
companys independent accountants
WorldCom Enron
Why SAS112?
SAS112 is our SOX
- American Institute of Certified
Public Accountants For
non-profit organizations (UCR) - SAS
112
5
Non-Compliance Fine - Contract Grants
University of California (2002). Fine 1.8 m
Northwestern University (2003). Fine 5.5m
Harvard University (2004). Fine 2.6m
Mayo Foundation (Mayo Clinics). Fine 6.5m
Florida International University (2005). Fine
11.5m
University of Alabama Birmingham (2005). Fine
3.4 m
6
What is SAS112?

• Establishes standards for communicating internal
  control issues relating to
• integrity of financial reporting
• compliance with applicable laws and regulation
• Establishes standards that classifies
  communicated control issues as
• - control deficiencies
• - significant deficiencies
• - material weaknesses

SAS112 standards have been adopted by the federal
agencies and the Government Audit Standards has
been updated to incorporate SAS112
7
Impact of SAS 112 on UCR Due to significant
changes in the evaluation of control exceptions
and more stringent audit standards, UCR is more
likely to encounter control issues being
identified and reported - Increased scrutiny -
Larger audit samples - More evidence and
documentation required during audits - Lower
audit materiality thresholds
8
Impact of SAS 112 on UCR SAS 112 requires UCR to
disclose deficiencies to 3rd parties Regents Spo
nsors (Federal, State Private) 3rd party
creditors Accrediting agencies Rating
agencies Insurers
9
Impacts of deficiencies and weaknesses
disclosures -negative impact on reputation for
UC, UCR, VCA, and Department -increased internal
and external audits -audit disallowances, fines
and penalties -potential negative impact on
resource allocation
10
Generally, internal controls at UCR are in order
and adequate, but there are departments, function
s and areas where we noted.
Control Issues with - Ledger reconciliation
review - Budget variance analysis -
Revenue monitoring - Cash handling -
Payroll processing - Timekeeping billing
- Cost Transfers - Fiscal Year End
Processes - PAN Reviews
The campus goals, related to SAS112, are to
- Enhance understanding of Internal Controls
- Minimize Control Issues
11
INTERNAL CONTROL

• Internal Control
• Internal control is broadly defined as a process,
  effected by the UC Regents, management and other
  personnel, designed to provide reasonable
  assurance regarding the achievement of objectives
  in the following categories
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.

12
Who is responsible for implementing internal
controls?
13
PARTNERSHIP
Central Offices (Accounting, Audit Advisory
Services, APB, OR, etc.)
Executive Management
Departments (Chair/ Director, MSO, Staff)
Control Units (Deans/VC CFAO)
14
Minimizing the Risks

• Department Head
• Oversees and is integrated into the financial
  management process
• Ensures proper controls and monitoring procedures
  are in place
• Ensures financial reports are accurate and
  meaningful
• Ensure SAAs, transactors and reviewers are
  appropriately trained and supported in their key
  business process roles

15
Minimizing the Risks

• Timely reconciliation and review of monthly
  ledgers
• Budget to Actual review
• Analysis of causes for variances
• Review of payroll transactions by financial staff
  and responsible manager
• Regular review of financial reports by
  department manager and business officer
• Evidence of ledger reconciliation and review
• New Ledger Recon Tool-coming soon

16
Minimizing the Risk

• Timely resolution of errors
• Frequent and late cost transfers can be a symptom
  of a deficiency
• Ensure sufficient segregation of duties
• No one person should have complete control over
  the key processing functions for financial
  transactions
• Provides for prevention and detection
• Errors
• Inappropriate activities
• Post Audit Notification (PAN) Reviews
• Payroll/Personnel System and UCRFS transactions
• Timely
• Adequate

17
What to do

• Control Assessment

• Training

When issues are identified
1- Self-report
2-Assistance
3-Escalate/Remediate
4-Proactive Approach
When control issues or policy non-compliance are
recurring and systemic
Everyone is responsible
It will be transparent and there will be
consequences
18
Contacts

• Gretchen Bolar, Vice Chancellor-Academic Planning
  Budget gretchen.bolar_at_ucr.edu
• Bobbi McCracken, Asst. Vice Chancellor-Financial
  Services bobbi.mccracken_at_ucr.edu
• Mike Jenson, Director-Audit Advisory Services
• michael.jenson_at_ucr.edu
• Bruce Morgan, Asst. Vice Chancellor-Office of
  Research bruce.morgan_at_ucr.edu
• Toffee Jeturian, Asst. Director-Audit Advisory
  Services rodolfo.jeturian_at_ucr.edu
• Marc Guerra, Director-Financial Control
  Accountability marc.guerra_at_ucr.edu