Enterprise Risk Management
A work group consisting of representatives from UC San Diego and IBM has developed a web based tool, called UC Tracker, to facilitate the review and documentation of key department controls as required by SAS 112/115*. Key internal controls, such as ledger review and equipment inventory, require hundreds of employees at each campus to perform controls and certify effectiveness. Evidences of performance and certification currently reside in various campus departments requiring the maintenance of many files and the transfers of significant amounts of paper to central offices.
UC Tracker eliminates the need for maintaining certification files and sending certifications to central offices. It can also reduce the need for files documenting the performance of several key controls. UC Tracker includes a notification system to remind performers and certifiers that it is time to perform or certify a control and to alert higher level management when a control is not performed or certified timely. A web-based dashboard in UC Tracker provides campus management with a complete and current status of the performance and certification of key controls.
SAS 112/115* establishes standards and provides guidance to external financial auditors on communicating matters related to an entity's internal control over financial reporting identified in an audit of financial statements.
In particular, SAS 112/115:
- Defines the terms "significant deficiency" and "material weakness" incorporating the definitions already in use for public companies
- Provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements
- Requires the auditor to communicate in writing, to management and those charged with governance such as the University Board of Regents, significant deficiencies and material weaknesses identified in an audit
What does this mean to you and your campus?
SAS 112/115 requires a lower threshold for reporting internal control deficiencies to the chancellor and the Board of Regents. The Controller's Office at each campus has worked with campus external auditors to identify existing internal controls that support the financial reporting process. The goal is to ensure that existing key controls are in place and that each campus can demonstrate, through documentation that they are operating as intended.
In simple terms, requirements for key controls under SAS 112/115 are that-
- A key control must exist.
- A key control must be functioning effectively.
- A key control must be documented.
To learn more about SAS 112/115 at your campus, please contact your local Controller's office.
* Statement of Auditing Standards No. 112 (SAS 112), "Communicating Internal Control Related Matters Identified in an Audit" is superseded by Statement of Auditing Standards No. 115 (SAS 115) of the same name.