Internal Controls

SAS 112/115 Overview

Statement of Auditing Standards No. 112/115 (SAS 112/115) establishes standards and provides guidance on communicating matters related to an entity's internal control over financial reporting identified in an audit of financial statements. It is applicable whenever an auditor expresses an opinion on financial statements (including a disclaimer of opinion).  Effective July 1, 2007, SAS 112/115 was incorporated into UC Davis' external financial audit conducted by PricewaterhouseCoopers (PwC).

In particular, SAS 112/115

  • Defines the terms "significant deficiency" and "material weakness," incorporating the definitions already in use for public companies
  • Provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements
  • Requires the auditor to communicate in writing, to management and those charged with governance such as the University Board of Regents, significant deficiencies and material weaknesses identified in an audit

Why is SAS 112/115 considered significant?

SAS 112/115 changed the process for evaluating deficiencies that come to the attention of auditors and has brought the thresholds for reporting control deficiencies in line with the thresholds required for public companies. As the revised thresholds effectively lowered the bar, it is expected that the reporting of what are now defined as either significant deficiencies or material weaknesses will be become increasingly prevalent.

There is a possibility that items not previously identified as control deficiencies could rise to what has now been defined as a significant deficiency or a material weakness simply as a result of imposing a new definition on the auditor, not as a result of any deterioration in the university's system of internal control. The materiality of the control deficiency is determined based on what potentially could go wrong, not just on the number of actual misstatements.

What does this mean to UC Davis?

The Controller's Office has worked with campus external auditors to identify existing internal controls that support the financial reporting process. The goal is to ensure that existing key controls are in place and that UC Davis can demonstrate, through documentation, that they are operating as intended.

Key controls currently identified for the preparation of the financial statements are not the only controls that need to be monitored. Other controls exist for governance and regulatory compliance, and they also must be followed. Consequently, SAS 112/115 has important implications for all campus departments, not just those in the central business offices.

We highly recommend departments:

  • Implement departmental key controls, and ensure the control is working.
  • Document evidence of review for all levels (signature, e-mail, and/ or signed checklist).
  • Fix and follow-up when a control deficiency or weakness is identified.
  • Document corrective action.

Key control areas include

  • Ledger verification (all funds)
  • Overdraft funds
  • Payroll expense verification
  • Effort reports
  • Physical inventory
  • Purchasing and payables invoices
  • Cash and cash equivalent handling
  • Security of assets and personal information

The AVC Finance/Controller's office will continue to act as a liaison between the external auditors and the departments, providing guidance, key controls framework, and any additional communication on SAS 112/115.

Learn more about SAS 112/115

* SAS115-The Auditing Standards Board has issued a statement on Auditing Standards (SAS) No. 115, 'Communicating Internal Control Related Matters Identified in an Audit.' SAS No. 115 supersedes SAS No.112 of the same title and was issued to eliminate differences within AICPA’s Audit and Attest Standards resulting from the issuance of Statement on Standards for Attestation Engagements (SSAE) No. 15.

Supplemental content

Controls & Accountability