Skip to Main Content

SAS 115 Key Internal Controls

Statement on Auditing Standards No. 115 (SAS No. 115)

Communicating Internal Control Matters Identified in an Audit

Statements on Auditing Standards (SAS) are authoritative guidance promulgated by the American Institute of Public Accountants (AICPA) comprising generally accepted auditing standards (GAAS) applied by public accountants on audits of non-public companies.

The University of California’s public accountants, currently the accounting firm of PwC, are required to apply such standards on their annuals audits of the University, including the UCLA campus and medical center and also engagements regarding Office of Management and Budget Circular A-133 audits. SAS No. 115 is a critical standard and one that requires the University to maintain with due propriety, throughout each fiscal year, an effective internal control environment. Virtually everyone at the University shares a role in maintaining the propriety of our internal control environment. Note that SAS No. 115 supersedes SAS No. 112.

SAS 115 - Communicating Internal Control Matters Identified in an Audit, is summarized by the AICPA as:

This section establishes standards and provides guidance on communicating matters related to an entity’s internal control over financial reporting identified in an audit of financial statements. It is applicable whenever an auditor expresses or disclaims an opinion on financial statements. The section defines the terms deficiency in internal control, significant deficiency, and material weakness; provides guidance on evaluating the severity of deficiencies in internal control identified in an audit of financial statements; and requires the auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit.

Internal Control, as described by the AICPA:

Internal control is a process - affected by those charged with governance, management, and other personnel - designed to provide reasonable assurance about the achievement of the entity's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal control over the safeguarding of assets against unauthorized acquisition, use, or disposition may include controls related to financial reporting and operations objectives. Generally, controls that are relevant to an audit of financial statements are those that pertain to the entity's objective of reliable financial reporting. In this section, the term financial reporting relates to the preparation of reliable financial statements that are fairly presented in conformity with generally accepted accounting principles (GAAP). The design and formality of an entity's internal control will vary depending on the entity's size, the industry in which it operates its culture, and management's philosophy.

Internal Control Deficiency Definitions, as defined by the AICPA:

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis.

A deficiency in design exists when

  • a control necessary to meet the control objective is missing; or
  • an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.

A deficiency in operation exists when

  • a properly designed control does not operate as designed; or
  • the person performing the control does not possess the necessary authority or competence to perform the control effectively.

A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.