Communicating Deficiencies in Internal Control to Those Charged with Governance and Management

Transcription

1 Internatinal Auditing and Assurance Standards Bard ISA 265 April 2009 Internatinal Standard n Auditing Cmmunicating Deficiencies in Internal Cntrl t Thse Charged with Gvernance and Management

2 Internatinal Auditing and Assurance Standards Bard Internatinal Federatin f Accuntants 545 Fifth Avenue, 14 th Flr New Yrk, New Yrk USA This Internatinal Standard n Auditing (ISA) 265, Cmmunicating Deficiencies in Internal Cntrl t Thse Charged with Gvernance and Management was prepared by the Internatinal Auditing and Assurance Standards Bard (IAASB), an independent standard-setting bdy within the Internatinal Federatin f Accuntants (IFAC). The bjective f the IAASB is t serve the public interest by setting high quality auditing and assurance standards and by facilitating the cnvergence f internatinal and natinal standards, thereby enhancing the quality and unifrmity f practice thrughut the wrld and strengthening public cnfidence in the glbal auditing and assurance prfessin. This publicatin may be dwnladed free f charge frm the IFAC website: The apprved text is published in the English language. The missin f IFAC is t serve the public interest, strengthen the wrldwide accuntancy prfessin and cntribute t the develpment f strng internatinal ecnmies by establishing and prmting adherence t high quality prfessinal standards, furthering the internatinal cnvergence f such standards and speaking ut n public interest issues where the prfessin s expertise is mst relevant. Cpyright April 2009 by the Internatinal Federatin f Accuntants (IFAC). All rights reserved. Permissin is granted t make cpies f this wrk prvided that such cpies are fr use in academic classrms r fr persnal use and are nt sld r disseminated and prvided that each cpy bears the fllwing credit line: Cpyright April 2009 by the Internatinal Federatin f Accuntants (IFAC). All rights reserved. Used with permissin f IFAC. Cntact permissins@ifac.rg fr permissin t reprduce, stre r transmit this dcument. Otherwise, written permissin frm IFAC is required t reprduce, stre r transmit, r t make ther similar uses f, this dcument, except as permitted by law. Cntact permissins@ifac.rg. ISBN:

3 INTERNATIONAL STANDARD ON AUDITING 265 COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT Intrductin (Effective fr audits f financial statements fr perids beginning n r after December 15, 2009) CONTENTS Paragraph Scpe f this ISA Effective Date... 4 Objective... 5 Definitins... 6 Requirements Applicatin and Other Explanatry Material Determinatin f Whether Deficiencies in Internal Cntrl Have Been Identified... Significant Deficiencies in Internal Cntrl... A1-A4 A5-A11 Cmmunicatin f Deficiencies in Internal Cntrl... A12-A30 Internatinal Standard n Auditing (ISA) 265, Cmmunicating Deficiencies in Internal Cntrl t Thse Charged with Gvernance and Management shuld be read in cnjunctin with ISA 200, Overall Objectives f the Independent Auditr and the Cnduct f an Audit in Accrdance with Internatinal Standards n Auditing. 2

4 Intrductin Scpe f this ISA COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL 1. This Internatinal Standard n Auditing (ISA) deals with the auditr s respnsibility t cmmunicate apprpriately t thse charged with gvernance and management deficiencies in internal cntrl 1 that the auditr has identified in an audit f financial statements. This ISA des nt impse additinal respnsibilities n the auditr regarding btaining an understanding f internal cntrl and designing and perfrming tests f cntrls ver and abve the requirements f ISA 315 and ISA ISA establishes further requirements and prvides guidance regarding the auditr s respnsibility t cmmunicate with thse charged with gvernance in relatin t the audit. 2. The auditr is required t btain an understanding f internal cntrl relevant t the audit when identifying and assessing the risks f material misstatement. 4 In making thse risk assessments, the auditr cnsiders internal cntrl in rder t design audit prcedures that are apprpriate in the circumstances, but nt fr the purpse f expressing an pinin n the effectiveness f internal cntrl. The auditr may identify deficiencies in internal cntrl nt nly during this risk assessment prcess but als at any ther stage f the audit. This ISA specifies which identified deficiencies the auditr is required t cmmunicate t thse charged with gvernance and management. 3. Nthing in this ISA precludes the auditr frm cmmunicating t thse charged with gvernance and management ther internal cntrl matters that the auditr has identified during the audit. Effective Date 4. This ISA is effective fr audits f financial statements fr perids beginning n r after December 15, Objective 5. The bjective f the auditr is t cmmunicate apprpriately t thse charged with gvernance and management deficiencies in internal cntrl that the auditr has identified during the audit and that, in the auditr s prfessinal judgment, are f sufficient imprtance t merit their respective attentins ISA 315, Identifying and Assessing the Risks f Material Misstatement thrugh Understanding the Entity and Its Envirnment, paragraphs 4 and 12. ISA 330, The Auditr s Respnses t Assessed Risks. ISA 260, Cmmunicatin with Thse Charged with Gvernance. ISA 315, paragraph 12. Paragraphs A60-A65 prvide guidance n cntrls relevant t the audit. 3

5 Definitins COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL 6. Fr purpses f the ISAs, the fllwing terms have the meanings attributed belw: (a) (b) Deficiency in internal cntrl This exists when: (i) (ii) Requirements A cntrl is designed, implemented r perated in such a way that it is unable t prevent, r detect and crrect, misstatements in the financial statements n a timely basis; r A cntrl necessary t prevent, r detect and crrect, misstatements in the financial statements n a timely basis is missing. Significant deficiency in internal cntrl A deficiency r cmbinatin f deficiencies in internal cntrl that, in the auditr s prfessinal judgment, is f sufficient imprtance t merit the attentin f thse charged with gvernance. (Ref: Para. A5) 7. The auditr shall determine whether, n the basis f the audit wrk perfrmed, the auditr has identified ne r mre deficiencies in internal cntrl. (Ref: Para. A1-A4) 8. If the auditr has identified ne r mre deficiencies in internal cntrl, the auditr shall determine, n the basis f the audit wrk perfrmed, whether, individually r in cmbinatin, they cnstitute significant deficiencies. (Ref: Para. A5-A11) 9. The auditr shall cmmunicate in writing significant deficiencies in internal cntrl identified during the audit t thse charged with gvernance n a timely basis. (Ref: Para. A12-A18, A27) 10. The auditr shall als cmmunicate t management at an apprpriate level f respnsibility n a timely basis: (Ref: Para. A19, A27) (a) (b) In writing, significant deficiencies in internal cntrl that the auditr has cmmunicated r intends t cmmunicate t thse charged with gvernance, unless it wuld be inapprpriate t cmmunicate directly t management in the circumstances; and (Ref: Para. A14, A20-A21) Other deficiencies in internal cntrl identified during the audit that have nt been cmmunicated t management by ther parties and that, in the auditr s prfessinal judgment, are f sufficient imprtance t merit management s attentin. (Ref: Para. A22-A26) 4

6 11. The auditr shall include in the written cmmunicatin f significant deficiencies in internal cntrl: (a) (b) A descriptin f the deficiencies and an explanatin f their ptential effects; and (Ref: Para. A28) Sufficient infrmatin t enable thse charged with gvernance and management t understand the cntext f the cmmunicatin. In particular, the auditr shall explain that: (Ref: Para. A29-A30) (i) (ii) (iii) The purpse f the audit was fr the auditr t express an pinin n the financial statements; The audit included cnsideratin f internal cntrl relevant t the preparatin f the financial statements in rder t design audit prcedures that are apprpriate in the circumstances, but nt fr the purpse f expressing an pinin n the effectiveness f internal cntrl; and The matters being reprted are limited t thse deficiencies that the auditr has identified during the audit and that the auditr has cncluded are f sufficient imprtance t merit being reprted t thse charged with gvernance. *** Applicatin and Other Explanatry Material Determinatin f Whether Deficiencies in Internal Cntrl Have Been Identified (Ref: Para. 7) A1. In determining whether the auditr has identified ne r mre deficiencies in internal cntrl, the auditr may discuss the relevant facts and circumstances f the auditr s findings with the apprpriate level f management. This discussin prvides an pprtunity fr the auditr t alert management n a timely basis t the existence f deficiencies f which management may nt have been previusly aware. The level f management with whm it is apprpriate t discuss the findings is ne that is familiar with the internal cntrl area cncerned and that has the authrity t take remedial actin n any identified deficiencies in internal cntrl. In sme circumstances, it may nt be apprpriate fr the auditr t discuss the auditr s findings directly with management, fr example, if the findings appear t call management s integrity r cmpetence int questin (see paragraph A20). A2. In discussing the facts and circumstances f the auditr s findings with management, the auditr may btain ther relevant infrmatin fr further cnsideratin, such as: 5

7 Management s understanding f the actual r suspected causes f the deficiencies. Exceptins arising frm the deficiencies that management may have nted, fr example, misstatements that were nt prevented by the relevant infrmatin technlgy (IT) cntrls. A preliminary indicatin frm management f its respnse t the findings. Cnsideratins Specific t Smaller Entities A3. While the cncepts underlying cntrl activities in smaller entities are likely t be similar t thse in larger entities, the frmality with which they perate will vary. Further, smaller entities may find that certain types f cntrl activities are nt necessary because f cntrls applied by management. Fr example, management s sle authrity fr granting credit t custmers and apprving significant purchases can prvide effective cntrl ver imprtant accunt balances and transactins, lessening r remving the need fr mre detailed cntrl activities. A4. Als, smaller entities ften have fewer emplyees which may limit the extent t which segregatin f duties is practicable. Hwever, in a small wnermanaged entity, the wner-manager may be able t exercise mre effective versight than in a larger entity. This higher level f management versight needs t be balanced against the greater ptential fr management verride f cntrls. Significant Deficiencies in Internal Cntrl (Ref: Para. 6(b), 8) A5. The significance f a deficiency r a cmbinatin f deficiencies in internal cntrl depends nt nly n whether a misstatement has actually ccurred, but als n the likelihd that a misstatement culd ccur and the ptential magnitude f the misstatement. Significant deficiencies may therefre exist even thugh the auditr has nt identified misstatements during the audit. A6. Examples f matters that the auditr may cnsider in determining whether a deficiency r cmbinatin f deficiencies in internal cntrl cnstitutes a significant deficiency include: The likelihd f the deficiencies leading t material misstatements in the financial statements in the future. The susceptibility t lss r fraud f the related asset r liability. The subjectivity and cmplexity f determining estimated amunts, such as fair value accunting estimates. The financial statement amunts expsed t the deficiencies. 6

8 The vlume f activity that has ccurred r culd ccur in the accunt balance r class f transactins expsed t the deficiency r deficiencies. The imprtance f the cntrls t the financial reprting prcess; fr example: General mnitring cntrls (such as versight f management). Cntrls ver the preventin and detectin f fraud. Cntrls ver the selectin and applicatin f significant accunting plicies. Cntrls ver significant transactins with related parties. Cntrls ver significant transactins utside the entity s nrmal curse f business. Cntrls ver the perid-end financial reprting prcess (such as cntrls ver nn-recurring jurnal entries). The cause and frequency f the exceptins detected as a result f the deficiencies in the cntrls. The interactin f the deficiency with ther deficiencies in internal cntrl. A7. Indicatrs f significant deficiencies in internal cntrl include, fr example: Evidence f ineffective aspects f the cntrl envirnment, such as: Indicatins that significant transactins in which management is financially interested are nt being apprpriately scrutinized by thse charged with gvernance. Identificatin f management fraud, whether r nt material, that was nt prevented by the entity s internal cntrl. Management s failure t implement apprpriate remedial actin n significant deficiencies previusly cmmunicated. Absence f a risk assessment prcess within the entity where such a prcess wuld rdinarily be expected t have been established. Evidence f an ineffective entity risk assessment prcess, such as management s failure t identify a risk f material misstatement that the auditr wuld expect the entity s risk assessment prcess t have identified. Evidence f an ineffective respnse t identified significant risks (fr example, absence f cntrls ver such a risk). 7

9 Misstatements detected by the auditr s prcedures that were nt prevented, r detected and crrected, by the entity s internal cntrl. Restatement f previusly issued financial statements t reflect the crrectin f a material misstatement due t errr r fraud. Evidence f management s inability t versee the preparatin f the financial statements. A8. Cntrls may be designed t perate individually r in cmbinatin t effectively prevent, r detect and crrect, misstatements. 5 Fr example, cntrls ver accunts receivable may cnsist f bth autmated and manual cntrls designed t perate tgether t prevent, r detect and crrect, misstatements in the accunt balance. A deficiency in internal cntrl n its wn may nt be sufficiently imprtant t cnstitute a significant deficiency. Hwever, a cmbinatin f deficiencies affecting the same accunt balance r disclsure, relevant assertin, r cmpnent f internal cntrl may increase the risks f misstatement t such an extent as t give rise t a significant deficiency. A9. Law r regulatin in sme jurisdictins may establish a requirement (particularly fr audits f listed entities) fr the auditr t cmmunicate t thse charged with gvernance r t ther relevant parties (such as regulatrs) ne r mre specific types f deficiency in internal cntrl that the auditr has identified during the audit. Where law r regulatin has established specific terms and definitins fr these types f deficiency and requires the auditr t use these terms and definitins fr the purpse f the cmmunicatin, the auditr uses such terms and definitins when cmmunicating in accrdance with the legal r regulatry requirement. A10. Where the jurisdictin has established specific terms fr the types f deficiency in internal cntrl t be cmmunicated but has nt defined such terms, it may be necessary fr the auditr t use judgment t determine the matters t be cmmunicated further t the legal r regulatry requirement. In ding s, the auditr may cnsider it apprpriate t have regard t the requirements and guidance in this ISA. Fr example, if the purpse f the legal r regulatry requirement is t bring t the attentin f thse charged with gvernance certain internal cntrl matters f which they shuld be aware, it may be apprpriate t regard such matters as being generally equivalent t the significant deficiencies required by this ISA t be cmmunicated t thse charged with gvernance. A11. The requirements f this ISA remain applicable ntwithstanding that law r regulatin may require the auditr t use specific terms r definitins. 5 ISA 315, paragraph A66. 8

10 Cmmunicatin f Deficiencies in Internal Cntrl Cmmunicatin f Significant Deficiencies in Internal Cntrl t Thse Charged with Gvernance (Ref: Para. 9) A12. Cmmunicating significant deficiencies in writing t thse charged with gvernance reflects the imprtance f these matters, and assists thse charged with gvernance in fulfilling their versight respnsibilities. ISA 260 establishes relevant cnsideratins regarding cmmunicatin with thse charged with gvernance when all f them are invlved in managing the entity. 6 A13. In determining when t issue the written cmmunicatin, the auditr may cnsider whether receipt f such cmmunicatin wuld be an imprtant factr in enabling thse charged with gvernance t discharge their versight respnsibilities. In additin, fr listed entities in certain jurisdictins, thse charged with gvernance may need t receive the auditr s written cmmunicatin befre the date f apprval f the financial statements in rder t discharge specific respnsibilities in relatin t internal cntrl fr regulatry r ther purpses. Fr ther entities, the auditr may issue the written cmmunicatin at a later date. Nevertheless, in the latter case, as the auditr s written cmmunicatin f significant deficiencies frms part f the final audit file, the written cmmunicatin is subject t the verriding requirement 7 fr the auditr t cmplete the assembly f the final audit file n a timely basis. ISA 230 states that an apprpriate time limit within which t cmplete the assembly f the final audit file is rdinarily nt mre than 60 days after the date f the auditr s reprt. 8 A14. Regardless f the timing f the written cmmunicatin f significant deficiencies, the auditr may cmmunicate these rally in the first instance t management and, when apprpriate, t thse charged with gvernance t assist them in taking timely remedial actin t minimize the risks f material misstatement. Ding s, hwever, des nt relieve the auditr f the respnsibility t cmmunicate the significant deficiencies in writing, as this ISA requires. A15. The level f detail at which t cmmunicate significant deficiencies is a matter f the auditr s prfessinal judgment in the circumstances. Factrs that the auditr may cnsider in determining an apprpriate level f detail fr the cmmunicatin include, fr example: ISA 260, paragraph 13. ISA 230, Audit Dcumentatin, paragraph 14. ISA 230, paragraph A21. 9

11 The nature f the entity. Fr instance, the cmmunicatin required fr a public interest entity may be different frm that fr a nn-public interest entity. The size and cmplexity f the entity. Fr instance, the cmmunicatin required fr a cmplex entity may be different frm that fr an entity perating a simple business. The nature f significant deficiencies that the auditr has identified. The entity s gvernance cmpsitin. Fr instance, mre detail may be needed if thse charged with gvernance include members wh d nt have significant experience in the entity s industry r in the affected areas. Legal r regulatry requirements regarding the cmmunicatin f specific types f deficiency in internal cntrl. A16. Management and thse charged with gvernance may already be aware f significant deficiencies that the auditr has identified during the audit and may have chsen nt t remedy them because f cst r ther cnsideratins. The respnsibility fr evaluating the csts and benefits f implementing remedial actin rests with management and thse charged with gvernance. Accrdingly, the requirement in paragraph 9 applies regardless f cst r ther cnsideratins that management and thse charged with gvernance may cnsider relevant in determining whether t remedy such deficiencies. A17. The fact that the auditr cmmunicated a significant deficiency t thse charged with gvernance and management in a previus audit des nt eliminate the need fr the auditr t repeat the cmmunicatin if remedial actin has nt yet been taken. If a previusly cmmunicated significant deficiency remains, the current year s cmmunicatin may repeat the descriptin frm the previus cmmunicatin, r simply reference the previus cmmunicatin. The auditr may ask management r, where apprpriate, thse charged with gvernance, why the significant deficiency has nt yet been remedied. A failure t act, in the absence f a ratinal explanatin, may in itself represent a significant deficiency. Cnsideratins Specific t Smaller Entities A18. In the case f audits f smaller entities, the auditr may cmmunicate in a less structured manner with thse charged with gvernance than in the case f larger entities. Cmmunicatin f Deficiencies in Internal Cntrl t Management (Ref: Para. 10) A19. Ordinarily, the apprpriate level f management is the ne that has respnsibility and authrity t evaluate the deficiencies in internal cntrl and t take the necessary remedial actin. Fr significant deficiencies, the 10

12 apprpriate level is likely t be the chief executive fficer r chief financial fficer (r equivalent) as these matters are als required t be cmmunicated t thse charged with gvernance. Fr ther deficiencies in internal cntrl, the apprpriate level may be peratinal management with mre direct invlvement in the cntrl areas affected and with the authrity t take apprpriate remedial actin. Cmmunicatin f Significant Deficiencies in Internal Cntrl t Management (Ref: Para. 10(a)) A20. Certain identified significant deficiencies in internal cntrl may call int questin the integrity r cmpetence f management. Fr example, there may be evidence f fraud r intentinal nn-cmpliance with laws and regulatins by management, r management may exhibit an inability t versee the preparatin f adequate financial statements that may raise dubt abut management s cmpetence. Accrdingly, it may nt be apprpriate t cmmunicate such deficiencies directly t management. A21. ISA 250 establishes requirements and prvides guidance n the reprting f identified r suspected nn-cmpliance with laws and regulatins, including when thse charged with gvernance are themselves invlved in such nncmpliance. 9 ISA 240 establishes requirements and prvides guidance regarding cmmunicatin t thse charged with gvernance when the auditr has identified fraud r suspected fraud invlving management. 10 Cmmunicatin f Other Deficiencies in Internal Cntrl t Management (Ref: Para. 10(b)) A22. During the audit, the auditr may identify ther deficiencies in internal cntrl that are nt significant deficiencies but that may be f sufficient imprtance t merit management s attentin. The determinatin as t which ther deficiencies in internal cntrl merit management s attentin is a matter f prfessinal judgment in the circumstances, taking int accunt the likelihd and ptential magnitude f misstatements that may arise in the financial statements as a result f thse deficiencies. A23. The cmmunicatin f ther deficiencies in internal cntrl that merit management s attentin need nt be in writing but may be ral. Where the auditr has discussed the facts and circumstances f the auditr s findings with management, the auditr may cnsider an ral cmmunicatin f the ther deficiencies t have been made t management at the time f these discussins. Accrdingly, a frmal cmmunicatin need nt be made subsequently ISA 250, Cnsideratin f Laws and Regulatins in an Audit f Financial Statements, paragraphs ISA 240, The Auditr s Respnsibilities Relating t Fraud in an Audit f Financial Statements, paragraph

13 A24. If the auditr has cmmunicated deficiencies in internal cntrl ther than significant deficiencies t management in a prir perid and management has chsen nt t remedy them fr cst r ther reasns, the auditr need nt repeat the cmmunicatin in the current perid. The auditr is als nt required t repeat infrmatin abut such deficiencies if it has been previusly cmmunicated t management by ther parties, such as internal auditrs r regulatrs. It may, hwever, be apprpriate fr the auditr t re-cmmunicate these ther deficiencies if there has been a change f management, r if new infrmatin has cme t the auditr s attentin that alters the prir understanding f the auditr and management regarding the deficiencies. Nevertheless, the failure f management t remedy ther deficiencies in internal cntrl that were previusly cmmunicated may becme a significant deficiency requiring cmmunicatin with thse charged with gvernance. Whether this is the case depends n the auditr s judgment in the circumstances. A25. In sme circumstances, thse charged with gvernance may wish t be made aware f the details f ther deficiencies in internal cntrl the auditr has cmmunicated t management, r be briefly infrmed f the nature f the ther deficiencies. Alternatively, the auditr may cnsider it apprpriate t infrm thse charged with gvernance f the cmmunicatin f the ther deficiencies t management. In either case, the auditr may reprt rally r in writing t thse charged with gvernance as apprpriate. A26. ISA 260 establishes relevant cnsideratins regarding cmmunicatin with thse charged with gvernance when all f them are invlved in managing the entity. 11 Cnsideratins Specific t Public Sectr Entities (Ref: Para. 9-10) A27. Public sectr auditrs may have additinal respnsibilities t cmmunicate deficiencies in internal cntrl that the auditr has identified during the audit, in ways, at a level f detail and t parties nt envisaged in this ISA. Fr example, significant deficiencies may have t be cmmunicated t the legislature r ther gverning bdy. Law, regulatin r ther authrity may als mandate that public sectr auditrs reprt deficiencies in internal cntrl, irrespective f the significance f the ptential effects f thse deficiencies. Further, legislatin may require public sectr auditrs t reprt n brader internal cntrl-related matters than the deficiencies in internal cntrl required t be cmmunicated by this ISA, fr example, cntrls related t cmpliance with legislative authrities, regulatins, r prvisins f cntracts r grant agreements. 11 ISA 260, paragraph

14 Cntent f Written Cmmunicatin f Significant Deficiencies in Internal Cntrl (Ref: Para. 11) A28. In explaining the ptential effects f the significant deficiencies, the auditr need nt quantify thse effects. The significant deficiencies may be gruped tgether fr reprting purpses where it is apprpriate t d s. The auditr may als include in the written cmmunicatin suggestins fr remedial actin n the deficiencies, management s actual r prpsed respnses, and a statement as t whether r nt the auditr has undertaken any steps t verify whether management s respnses have been implemented. A29. The auditr may cnsider it apprpriate t include the fllwing infrmatin as additinal cntext fr the cmmunicatin: An indicatin that if the auditr had perfrmed mre extensive prcedures n internal cntrl, the auditr might have identified mre deficiencies t be reprted, r cncluded that sme f the reprted deficiencies need nt, in fact, have been reprted. An indicatin that such cmmunicatin has been prvided fr the purpses f thse charged with gvernance, and that it may nt be suitable fr ther purpses. A30. Law r regulatin may require the auditr r management t furnish a cpy f the auditr s written cmmunicatin n significant deficiencies t apprpriate regulatry authrities. Where this is the case, the auditr s written cmmunicatin may identify such regulatry authrities. 13

15

16 Internatinal Federatin f Accuntants 545 Fifth Avenue, 14 th Flr, New Yrk, NY USA Tel +1 (212) Fax +1 (212)