As audit committees and boards of directors are meeting to review audit reports for 2006, alarm bells are starting to ring about surprising new criticism about the quality of internal controls. For many organziations that have have had uneventful audits in the past, a new accounting standard—officially known as Communicating Internal Control Related Matters Identified in an Audit, or SAS 112—has from one year to the next put them on notice that the good practice of the past is no longer sufficient to earn the auditor’s approval.

Auditors have always considered the quality and sufficiency of internal controls as a component of the audit. When weaknesses in internal controls are observed, audit firms are more likely to highlight organizational shortcomings by submitting a management letter to an organization’s board of directors citing weaknesses and recommending action. With the greater stringency in standards of SAS 112, alarm bells are sounding throughout the nonprofit world.

Indeed, it’s not that the quality of nonprofits’ internal controls has changed, but rather the standards by which they are evaluated. By providing more guidance on weaknesses in internal controls, the new standard accomplishes three goals: (1) it provides new definitions and terminology to identify internal control weaknesses; (2) it allows auditors less discretion in identifying weaknesses as significant or marginal; (3) and it requires that auditors apply more stringent standards that consider combinations of weaknesses as well as quantitative and qualitative factors. (See the boxes below for definitions and for common situations that organizations might encounter).

In effect, more stringent standards have raised the bar for nonprofits’ financial staff. While previously many small and medium-sized organizations received management letters citing segregation of duties as a weakness, the new SAS 112 letters use more forceful language, even in describing internal controls that are essentially the same as those from the previous year.

But SAS 112 doesn’t mean that you should rush to fire your finance director or make excuses to your auditor about how hard it is to manage a small nonprofit. Board members, executive directors, and finance staff need to learn about these new standards, understand how they will be applied to the organization, and make thoughtful decisions about how their organization will respond.

The American Institute of Certified Public Accountants (AICPA), the national professional organization for CPAs, issues auditing standards to provide definitive standards for all audit engagements. Applying these standards is not optional for a CPA firm conducting an audit, although some interpretation and judgment is always required. In May 2006, SAS 112 took effect for audits of financial statements whose years end on or after December 15, 2006.

While the standards were issued in May, many members of the accounting industry didn’t fully understand the significance of the new rules until later that year, when the AICPA issued additional guidance. This delay explains in part why so many nonprofits have been caught by surprise. Audit firms that serve nonprofits had little time to prepare their clients for the new standards before the year-end audit season began. Further, because these standards are new, audit firms are still developing their approach and internal benchmarks. Different firms still demonstrate inconsistencies in application, though these differences may diminish as nonprofits receive additional training.

The new statement “establishes standards and provides guidance on communicating matters related to an entity’s internal control over financial reporting identified in an audit of financial statements.” The statement defines terminology related to control effectiveness, provides detailed guidance on evaluating the severity of any weaknesses, and outlines the required reporting of any identified weaknesses that auditors must provide to management and “those charged with governance.” Internal control weaknesses fall into two categories: significant deficiency and material weakness.

At root, the new standards increase the likelihood that control deficiencies will be identified and reported. It also places additional fact-finding burdens on auditors, who must now consider a wider range of factors, including the organization’s ability to generate financial reports that are in compliance with GAAP. According to the accounting firm PricewaterhouseCoopers, the new definitions make it far more likely that more control deficiencies will be considered severe.

Nonprofits can predict the likelihood of some level of finding by considering two things. First, if your audit firm previously issued a management letter describing internal control weaknesses or reportable conditions and your organization has not made significant changes in how it conducts its financial operations, expect the same finding but with the new terminology applied.

Second, assess your ability to apply GAAP to financial transactions and reports. Think about your internal year-end financial reports.Does your nonprofit correctly report the following information in your year-end financial reports according to GAAP accounting rules: receipt and release of temporarily restricted funds, in-kind contributions, accrued expenses, and depreciation? If you previously relied on auditors to provide adjustments for these items, be prepared for a finding of a material weakness control deficiency.

Small nonprofits often rely on auditors to complete their financial statements. A hot topic of debate is the impact of SAS 112 on the role of an auditor in drafting financial statements. Some contend that since the standard requires an evaluation of an organization’s preparation of reliable financial reports, an organization can’t meet this standard if auditors draft GAAP financial statements. Others argue, however, that having an auditor draft financial statements does not create a control deficiency, but it may be the result of—or provide evidence of—a control deficiency.

This may seem like hairsplitting, but in many audits the distinction proves crucial. Some auditors have insisted that a client nonprofit must prepare the entire financial statement in GAAP compliance, including footnotes, in order to “pass the test.” Other auditors have determined that as long as an organization has the expertise and ability to prepare GAAP statements, the question of who prepares a financial statement is less important. But fundamentally, the standards make clear that auditors cannot fill in for organizational shortcomings; they cannot be a component of internal controls or a “compensating control” for existing weaknesses. Regardless of whether your auditor prepares some adjusting entries, the new standards make clear that an auditor’s role is to test and verify the information provided by an organization and issue an opinion—not to calculate and produce financial statements.

Now that SAS 112 has raised many organization’s attention around audits, directors and boards are asking whether they should make an effort to “comply” with SAS 112. But the question isn’t whether to comply, but rather to determine your organization’s best path given the new standards. Consider SAS 112 a test of your organization’s financial statements and internal controls and decide the grade level the organization wants or needs to earn. Is an A important to you, or is a B acceptable? In turn, a management letter serves as an indication to management and the board about the effectiveness of internal controls. To get an A, financial statements must be prepared in full compliance with GAAP by the organization or by contracted advisers other than the auditor.

Take the example of Helpful Services Inc. (HSI), an $8 million social service agency in Minnesota. HSI’s chief financial officer is a CPA and has a well-qualified finance staff. Preparing complete and accurate drafts of all financial statements and footnotes takes additional time, but the CFO invests the effort to meet the highest standard. With this level of financial reporting quality, there are no SAS 112 letter or findings related to reliable financial reporting.

For a smaller organization, however, achieving an A might require extraordinary effort or extra costs. Consider South End Youth Center, which has a $1 million budget. SYC has an experienced, part-time accountant who is not a CPA. In previous years, the audit process went smoothly and earned compliments from auditors. SYC has always relied on its auditor to provide a few adjusting entries to record depreciation and in-kind contributions. Auditors also prepare the financial statement drafts and footnotes. This year, SYC received a SAS 112 letter citing a material weakness in financial reporting. The auditor explained that the audit preparation was similar to that in previous years, and the deficiency finding was not severe. SYC earned a B for SAS 112, but anything less than an A will result in a deficiency finding. In the future, SYC’s board will consider whether the additional costs of increasing staffing or hiring additional expertise adds enough value to its financial operations.

But what about a C or a D? Not every deficiency should be accepted with a shrug. In the case of Lakeview Arts Center, for example, the auditing process has never gone well. Lakeview has grown to $1 million in budget, but the organization continues to enlist an administrative assistant for bookkeeping who relies on past practices to decipher entries and doesn’t have professional training. No entries are made to classify restricted funds or releases, capitalize new fixed assets, record pledges, or reconcile accounts receivable. This results in uneven financial reporting, badly prepared audit schedules, and major adjusting entries. In this case, the material weakness finding is well deserved. Lakeview’s unreliable financial statements have impact on a board’s and management’s ability to monitor progress and make decisions. In this case, a management letter will report a material weakness and describe the severity of the reporting problems and adjusting entries. Lakeview’s board and management should take action to improve reporting quality by training staff or hiring outside expertise. And these efforts will likely just earn the organization a B next year.

To begin working with the new standards, the first step is to communicate them to your treasurer, finance committee, and board of directors. The last thing you want is to be surprised when the audit report is presented. Second, consult with your auditors before they arrive to begin audit fieldwork for SAS 112, and discuss how you will communicate with each other about internal control findings during the audit. Then, once management and board members are familiar with the basic standards and terminology of SAS 112, it’s possible to assess your organization’s level of performance with a self-rating. After deciding what grade you would give the organization, discuss whether an A is important and which resources your organization needs to achieve that grade. Whatever the findings, there are always ways to improve internal controls and the quality of financial accounting. This is the ultimate goal of the new auditing standards and an important one for any nonprofit that purports to be a steward of donors’ and supporters’ funds.

To understand these rules, here are some definitions, as paraphrased from the AICPA statement:

Internal control. The process of internal control is designed to provide reasonable assurance that an organization’s assets are safeguarded, that operations are managed effectively and efficiently, and that financial reports are reliable. Internal controls vary according to organizational size, complexity, and management structure. Auditors are not required to test internal controls, but if they observe any weaknesses during the course of the audit, they must follow this reporting standard.

Reliable financial reporting. Reliable reporting requires that statements conform with generally accepted accounting principles (GAAP). This definition is central to many of the concerns that application of the new SAS 112 has raised.

Significant deficiency. This determination of internal control weaknesses replaces the “reportable condition” concept used in the previous standard. This is known as a “level one” finding, identifying weaknesses that could result in problems with controls over financial operations or transactions, and financial statement reliability that would not be prevented or detected. The common “segregation of duties”finding—which is triggered when an individual has control over more than one aspect of a financial process —will often fall into this category.

Material weakness. A material weakness is a “level two” finding and indicates a more significant weakness of the same controls, concluding that a material misstatement of financial reporting would not be prevented or detected. (Keep in mind, however, the term “material” is always subject to interpretation. According to the New York State Society of CPAs, Materiality refers to the “Magnitude of an omission or misstatements of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would change or be influenced).”


The difference between a significant deficiency and a material weakness can best best be described as one of magnitude. The following examples are simply that—examples, not precise outlines of deficiencies—but they provide guidelines for understanding these categories and potential reporting problems under SAS 112.

Sample findings of significant deficiencies in internal controls under SAS 112:

  • An organization demonstrates a need for better segregation of duties because one individual receives the bills, generates and mails the checks, and enters the payment in the accounting system. This allocation of duties represents a deficiency, even though a different person may sign the checks.
  • An organization’s donations and payments are received and opened by one individual, with no additional oversight and no log sheet of funds received.
  • An organization has inadequate, but not material, documentation of expense reimbursements.
  • An organization lacks written procedures for carrying out financial functions.
  • During the course of the year, an organization’s general ledger accounts, such as accounts receivable, are not reconciled.
  • An organization fails to follow its own accounting policies, such as requiring two signatures on checks.

Sample findings of material weaknesses in internal controls under SAS 112:

An organization prepares its financial statements without applying all required accounting standards. As a result, an auditor has to make adjustments to correct the statements for entries, such as depreciation or restricted funds releases.

  • An organization fails to identify material errors in its financial statements.
  • Rather than a board chair or treasurer, an executive director and a direct report approve ED’s expense reimbursements, raising concern about fraudulent expenses.
  • An organization fails to identify or address fraud by a senior management employee or board member.
  • An organization lacks segregation of duties, whereby one staff member does everything, from mailing pledge reminders, opening mail, making deposits, keeping accounting records, receiving and reconciling bank statements, and preparing financial statements.
  • An organization makes adjustments to intentionally change financial statements, such as entering a hoped-for pledge as income to improve the year-end picture.