Can your financial statements be reasonably relied upon?
I think it might be good to apologize now. This subject isn’t exciting, but like exercise, you have to push through the pain to get the benefit. So grab a glass of water, and let’s plow into this dry subject. Casinos are required to have annual audits. Auditors proudly deliver stacks of reports that are the result of the work performed. Unfortunately, most tribal leaders, gaming commissioners and staff, and even casino management, don’t really understand what the reports are telling them. In this article, I will demystify some of these reports, and provide you with some insight for reviewing and understanding what they are telling you, and how you can use the information to improve your business.
There are different types of audits that casinos are required to undergo.
Internal Audits – These are performed by personnel of the gaming commission, or they can be contracted to an outside firm. If you choose to contract with an outside firm, it generally would not be the same company that performs your external financial statement audit. Internal audits are usually focused on testing compliance with laws, regulations, or approved policies and procedures. They ask the overarching question – are people doing what they are supposed to be doing?
External Audits – Just like it sounds. These are contracted to external CPA firms. There are different external audits required each year as well. The main ones to be aware of are the annual financial statement audit, the audit of compliance with the NIGC minimum internal control standards (MICS report), and the audit of compliance with Title 31.
Today we will be focusing on the internal control reports associated with the external financial statement audit. They include
- AUP (Agreed Upon Procedures Report) or MICS Report.
- SAS 114 (Auditor’s Communication with Those Charged with Governance)
- SAS 115 (Communicating Internal Control Related Matters Identified in an Audit) Still with me? The dust is really going to start flying now.
AUP - Agreed Upon Procedures
The external auditor will review the casino’s processes, procedures and actual documentation to verify its compliance with the NIGC’s internal controls. The AUP report will show any instances of non-compliance with those regulations. The report will list each section of the regulation where the auditor has detected an issue of noncompliance, along with information and suggestions for resolving each issue. This report can be lengthy if there are a large number of instances of non-compliance. The format of the report will vary from auditor to auditor, but the information communicated should be consistent. There is guidance on the NIGC’s website as to what the report is supposed to contain. Here are a couple of things to consider when reviewing this report:
- A large number of instances of non-compliance may indicate a lax attitude toward internal controls.
- A large number of REPEAT findings might also indicate that the controls in place to ensure compliance with regulations are poor, or the general attitude toward controls is lax.
As you review this report, be sure to notice whether the finding is because you don’t have appropriate policies and procedures, or if it is because someone is not following the policies and procedures that you do have. Not having an adequate system of WRITTEN and TGRAapproved policies and procedures is a problem, but it is a bigger problem if the policies are not being followed. Management may have responses to the findings in the report. The quality of the response will show you how seriously management takes the findings. The response should clearly outline the action to be taken, and specify deadlines for completion. Your TGRA should follow up on the corrective action BEFORE it is time for the next external audit. Remember, recurring findings indicate that management may not be taking things seriously. The external auditors will follow up!
SAS 114 - Auditor's Communication with Those Charged with Governance
This letter is required by the accounting profession’s standards to communicate significant findings from the audit. The following items are required to be communicated:
- The casino’s significant accounting practices, which may include comment on the acceptability of those practices and the use of estimates, if any.
- Significant difficulties encountered during the audit, if any.
- Uncorrected misstatements, if any.
- Disagreements with management, if any.
- Other matters arising from the audit that are significant and relevant to those charged with governance.
Each of these items will be listed in the letter, but they may state that “there were no…” to indicate that there were no findings or issues for that item. If there are issues disclosed in this letter, you need to carefully review the auditor’s report on the financial statements (more on that to come). Changes may have been made because of an issue encountered.
SAS 115 - Communicating Internal Control Related Matters Identified in an Audit
This last internal control related report is also required by the accounting profession’s standards to communicate things defined as either:
- Material Weaknesses– A material weakness is a deﬁciency, or combination of deﬁciencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s ﬁnancial statements will not be prevented or detected and corrected in a timely basis.
- x– A signiﬁcant deﬁciency is a deﬁciency, or a combination of deﬁciencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
You may not see this letter if your audit was clean. That’s a good thing! If you do get this letter, be sure to review it carefully. There are a couple of things to understand about the letter:
- The number of items– Obviously, the more items there are on the report, the more work is needed to be done to correct them.
- The nature of each finding– Material Weaknesses are more serious than Significant Deficiencies.
As with any finding or exception, the seriousness of the situation has to be evaluated. Anything that exposes the casino to theft or losses needs to be dealt with quickly.
Hopefully the dust cleared, and you can see the reports in a new light. Are the assets of the casino and Tribe properly safeguarded? Can the financial statements be reasonably relied upon? These internal control related reports produced by the auditor will help to answer those questions. That’s why it is so important that you, as the reader of those reports, have an adequate understanding of their purpose and meaning.