INTERNATIONAL STANDARD ON AUDITING 265 COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT CONTENTS

Transcription

1 INTERNATIONAL STANDARD ON AUDITING 265 COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT (Effective fr audits f financial statements fr perids beginning n r after December 15, 2009) CONTENTS Paragraph Intrductin Scpe f this ISA Effective Date... 4 Objective... 5 Definitins... 6 Requirements Applicatin and Other Explanatry Material Determinatin f Whether Deficiencies in Internal Cntrl Have Been Identified... A1 A4 Significant Deficiencies in Internal Cntrl... A5 A11 Cmmunicatin f Deficiencies in Internal Cntrl... A12 A30 Internatinal Standard n Auditing (ISA) 265, Cmmunicating Deficiencies in Internal Cntrl t Thse Charged with Gvernance and Management shuld be read in cnjunctin with ISA 200, Overall Objectives f the Independent Auditr and the Cnduct f an Audit in Accrdance with Internatinal Standards n Auditing. AUDITING 237 ISA 265

2 Intrductin COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL Scpe f this ISA 1. This Internatinal Standard n Auditing (ISA) deals with the auditr s respnsibility t cmmunicate apprpriately t thse charged with gvernance and management deficiencies in internal cntrl 1 that the auditr has identified in an audit f financial statements. This ISA des nt impse additinal respnsibilities n the auditr regarding btaining an understanding f internal cntrl and designing and perfrming tests f cntrls ver and abve the requirements f ISA 315 and ISA ISA establishes further requirements and prvides guidance regarding the auditr s respnsibility t cmmunicate with thse charged with gvernance in relatin t the audit. 2. The auditr is required t btain an understanding f internal cntrl relevant t the audit when identifying and assessing the risks f material misstatement. 4 In making thse risk assessments, the auditr cnsiders internal cntrl in rder t design audit prcedures that are apprpriate in the circumstances, but nt fr the purpse f expressing an pinin n the effectiveness f internal cntrl. The auditr may identify deficiencies in internal cntrl nt nly during this risk assessment prcess but als at any ther stage f the audit. This ISA specifies which identified deficiencies the auditr is required t cmmunicate t thse charged with gvernance and management. 3. Nthing in this ISA precludes the auditr frm cmmunicating t thse charged with gvernance and management ther internal cntrl matters that the auditr has identified during the audit. Effective Date 4. This ISA is effective fr audits f financial statements fr perids beginning n r after December 15, Objective 5. The bjective f the auditr is t cmmunicate apprpriately t thse charged with gvernance and management deficiencies in internal cntrl that the auditr has identified during the audit and that, in the auditr s prfessinal judgment, are f sufficient imprtance t merit their respective attentins ISA 315, Identifying and Assessing the Risks f Material Misstatement thrugh Understanding the Entity and Its Envirnment, paragraphs 4 and 12. ISA 330, The Auditr s Respnses t Assessed Risks. ISA 260, Cmmunicatin with Thse Charged with Gvernance. ISA 315, paragraph 12. Paragraphs A60 A65 prvide guidance n cntrls relevant t the audit. ISA

3 Definitins 6. Fr purpses f the ISAs, the fllwing terms have the meanings attributed belw: (a) Deficiency in internal cntrl This exists when: (i) A cntrl is designed, implemented r perated in such a way that it is unable t prevent, r detect and crrect, misstatements in the financial statements n a timely basis; r (ii) A cntrl necessary t prevent, r detect and crrect, misstatements in the financial statements n a timely basis is missing. (b) Significant deficiency in internal cntrl A deficiency r cmbinatin f deficiencies in internal cntrl that, in the auditr s prfessinal judgment, is f sufficient imprtance t merit the attentin f thse charged with gvernance. (Ref: Para. A5) Requirements 7. The auditr shall determine whether, n the basis f the audit wrk perfrmed, the auditr has identified ne r mre deficiencies in internal cntrl. (Ref: Para. A1 A4) 8. If the auditr has identified ne r mre deficiencies in internal cntrl, the auditr shall determine, n the basis f the audit wrk perfrmed, whether, individually r in cmbinatin, they cnstitute significant deficiencies. (Ref: Para. A5 A11) 9. The auditr shall cmmunicate in writing significant deficiencies in internal cntrl identified during the audit t thse charged with gvernance n a timely basis. (Ref: Para. A12 A18, A27) 10. The auditr shall als cmmunicate t management at an apprpriate level f respnsibility n a timely basis: (Ref: Para. A19, A27) (a) In writing, significant deficiencies in internal cntrl that the auditr has cmmunicated r intends t cmmunicate t thse charged with gvernance, unless it wuld be inapprpriate t cmmunicate directly t management in the circumstances; and (Ref: Para. A14, A20 A21) (b) Other deficiencies in internal cntrl identified during the audit that have nt been cmmunicated t management by ther parties and that, in the auditr s prfessinal judgment, are f sufficient imprtance t merit management s attentin. (Ref: Para. A22 A26) AUDITING 239 ISA 265

4 11. The auditr shall include in the written cmmunicatin f significant deficiencies in internal cntrl: (a) A descriptin f the deficiencies and an explanatin f their ptential effects; and (Ref: Para. A28) (b) Sufficient infrmatin t enable thse charged with gvernance and management t understand the cntext f the cmmunicatin. In particular, the auditr shall explain that: (Ref: Para. A29 A30) (i) The purpse f the audit was fr the auditr t express an pinin n the financial statements; (ii) The audit included cnsideratin f internal cntrl relevant t the preparatin f the financial statements in rder t design audit prcedures that are apprpriate in the circumstances, but nt fr the purpse f expressing an pinin n the effectiveness f internal cntrl; and (iii) The matters being reprted are limited t thse deficiencies that the auditr has identified during the audit and that the auditr has cncluded are f sufficient imprtance t merit being reprted t thse charged with gvernance. *** Applicatin and Other Explanatry Material Determinatin f Whether Deficiencies in Internal Cntrl Have Been Identified (Ref: Para. 7) A1. In determining whether the auditr has identified ne r mre deficiencies in internal cntrl, the auditr may discuss the relevant facts and circumstances f the auditr s findings with the apprpriate level f management. This discussin prvides an pprtunity fr the auditr t alert management n a timely basis t the existence f deficiencies f which management may nt have been previusly aware. The level f management with whm it is apprpriate t discuss the findings is ne that is familiar with the internal cntrl area cncerned and that has the authrity t take remedial actin n any identified deficiencies in internal cntrl. In sme circumstances, it may nt be apprpriate fr the auditr t discuss the auditr s findings directly with management, fr example, if the findings appear t call management s integrity r cmpetence int questin (see paragraph A20). A2. In discussing the facts and circumstances f the auditr s findings with management, the auditr may btain ther relevant infrmatin fr further cnsideratin, such as: ISA

5 Management s understanding f the actual r suspected causes f the deficiencies. Exceptins arising frm the deficiencies that management may have nted, fr example, misstatements that were nt prevented by the relevant infrmatin technlgy (IT) cntrls. A preliminary indicatin frm management f its respnse t the findings. Cnsideratins Specific t Smaller Entities A3. While the cncepts underlying cntrl activities in smaller entities are likely t be similar t thse in larger entities, the frmality with which they perate will vary. Further, smaller entities may find that certain types f cntrl activities are nt necessary because f cntrls applied by management. Fr example, management s sle authrity fr granting credit t custmers and apprving significant purchases can prvide effective cntrl ver imprtant accunt balances and transactins, lessening r remving the need fr mre detailed cntrl activities. A4. Als, smaller entities ften have fewer emplyees which may limit the extent t which segregatin f duties is practicable. Hwever, in a small wner-managed entity, the wner-manager may be able t exercise mre effective versight than in a larger entity. This higher level f management versight needs t be balanced against the greater ptential fr management verride f cntrls. Significant Deficiencies in Internal Cntrl (Ref: Para. 6(b), 8) A5. The significance f a deficiency r a cmbinatin f deficiencies in internal cntrl depends nt nly n whether a misstatement has actually ccurred, but als n the likelihd that a misstatement culd ccur and the ptential magnitude f the misstatement. Significant deficiencies may therefre exist even thugh the auditr has nt identified misstatements during the audit. A6. Examples f matters that the auditr may cnsider in determining whether a deficiency r cmbinatin f deficiencies in internal cntrl cnstitutes a significant deficiency include: The likelihd f the deficiencies leading t material misstatements in the financial statements in the future. The susceptibility t lss r fraud f the related asset r liability. The subjectivity and cmplexity f determining estimated amunts, such as fair value accunting estimates. The financial statement amunts expsed t the deficiencies. The vlume f activity that has ccurred r culd ccur in the accunt balance r class f transactins expsed t the deficiency r deficiencies. AUDITING 241 ISA 265

6 The imprtance f the cntrls t the financial reprting prcess; fr example: General mnitring cntrls (such as versight f management). Cntrls ver the preventin and detectin f fraud. Cntrls ver the selectin and applicatin f significant accunting plicies. Cntrls ver significant transactins with related parties. Cntrls ver significant transactins utside the entity s nrmal curse f business. Cntrls ver the perid-end financial reprting prcess (such as cntrls ver nn-recurring jurnal entries). The cause and frequency f the exceptins detected as a result f the deficiencies in the cntrls. The interactin f the deficiency with ther deficiencies in internal cntrl. A7. Indicatrs f significant deficiencies in internal cntrl include, fr example: Evidence f ineffective aspects f the cntrl envirnment, such as: Indicatins that significant transactins in which management is financially interested are nt being apprpriately scrutinized by thse charged with gvernance. Identificatin f management fraud, whether r nt material, that was nt prevented by the entity s internal cntrl. Management s failure t implement apprpriate remedial actin n significant deficiencies previusly cmmunicated. Absence f a risk assessment prcess within the entity where such a prcess wuld rdinarily be expected t have been established. Evidence f an ineffective entity risk assessment prcess, such as management s failure t identify a risk f material misstatement that the auditr wuld expect the entity s risk assessment prcess t have identified. Evidence f an ineffective respnse t identified significant risks (fr example, absence f cntrls ver such a risk). Misstatements detected by the auditr s prcedures that were nt prevented, r detected and crrected, by the entity s internal cntrl. Restatement f previusly issued financial statements t reflect the crrectin f a material misstatement due t errr r fraud. ISA

7 Evidence f management s inability t versee the preparatin f the financial statements. A8. Cntrls may be designed t perate individually r in cmbinatin t effectively prevent, r detect and crrect, misstatements. 5 Fr example, cntrls ver accunts receivable may cnsist f bth autmated and manual cntrls designed t perate tgether t prevent, r detect and crrect, misstatements in the accunt balance. A deficiency in internal cntrl n its wn may nt be sufficiently imprtant t cnstitute a significant deficiency. Hwever, a cmbinatin f deficiencies affecting the same accunt balance r disclsure, relevant assertin, r cmpnent f internal cntrl may increase the risks f misstatement t such an extent as t give rise t a significant deficiency. A9. Law r regulatin in sme jurisdictins may establish a requirement (particularly fr audits f listed entities) fr the auditr t cmmunicate t thse charged with gvernance r t ther relevant parties (such as regulatrs) ne r mre specific types f deficiency in internal cntrl that the auditr has identified during the audit. Where law r regulatin has established specific terms and definitins fr these types f deficiency and requires the auditr t use these terms and definitins fr the purpse f the cmmunicatin, the auditr uses such terms and definitins when cmmunicating in accrdance with the legal r regulatry requirement. A10. Where the jurisdictin has established specific terms fr the types f deficiency in internal cntrl t be cmmunicated but has nt defined such terms, it may be necessary fr the auditr t use judgment t determine the matters t be cmmunicated further t the legal r regulatry requirement. In ding s, the auditr may cnsider it apprpriate t have regard t the requirements and guidance in this ISA. Fr example, if the purpse f the legal r regulatry requirement is t bring t the attentin f thse charged with gvernance certain internal cntrl matters f which they shuld be aware, it may be apprpriate t regard such matters as being generally equivalent t the significant deficiencies required by this ISA t be cmmunicated t thse charged with gvernance. A11. The requirements f this ISA remain applicable ntwithstanding that law r regulatin may require the auditr t use specific terms r definitins. AUDITING 5 ISA 315, paragraph A ISA 265

8 Cmmunicatin f Deficiencies in Internal Cntrl Cmmunicatin f Significant Deficiencies in Internal Cntrl t Thse Charged with Gvernance (Ref: Para. 9) A12. Cmmunicating significant deficiencies in writing t thse charged with gvernance reflects the imprtance f these matters, and assists thse charged with gvernance in fulfilling their versight respnsibilities. ISA 260 establishes relevant cnsideratins regarding cmmunicatin with thse charged with gvernance when all f them are invlved in managing the entity. 6 A13. In determining when t issue the written cmmunicatin, the auditr may cnsider whether receipt f such cmmunicatin wuld be an imprtant factr in enabling thse charged with gvernance t discharge their versight respnsibilities. In additin, fr listed entities in certain jurisdictins, thse charged with gvernance may need t receive the auditr s written cmmunicatin befre the date f apprval f the financial statements in rder t discharge specific respnsibilities in relatin t internal cntrl fr regulatry r ther purpses. Fr ther entities, the auditr may issue the written cmmunicatin at a later date. Nevertheless, in the latter case, as the auditr s written cmmunicatin f significant deficiencies frms part f the final audit file, the written cmmunicatin is subject t the verriding requirement 7 fr the auditr t cmplete the assembly f the final audit file n a timely basis. ISA 230 states that an apprpriate time limit within which t cmplete the assembly f the final audit file is rdinarily nt mre than 60 days after the date f the auditr s reprt. 8 A14. Regardless f the timing f the written cmmunicatin f significant deficiencies, the auditr may cmmunicate these rally in the first instance t management and, when apprpriate, t thse charged with gvernance t assist them in taking timely remedial actin t minimize the risks f material misstatement. Ding s, hwever, des nt relieve the auditr f the respnsibility t cmmunicate the significant deficiencies in writing, as this ISA requires. A15. The level f detail at which t cmmunicate significant deficiencies is a matter f the auditr s prfessinal judgment in the circumstances. Factrs that the auditr may cnsider in determining an apprpriate level f detail fr the cmmunicatin include, fr example: The nature f the entity. Fr example, the cmmunicatin required fr a public interest entity may be different frm that fr a nn-public interest entity ISA 260, paragraph 13. ISA 230, Audit Dcumentatin, paragraph 14. ISA 230, paragraph A21. ISA

9 The size and cmplexity f the entity. Fr example, the cmmunicatin required fr a cmplex entity may be different frm that fr an entity perating a simple business. The nature f significant deficiencies that the auditr has identified. The entity s gvernance cmpsitin. Fr example, mre detail may be needed if thse charged with gvernance include members wh d nt have significant experience in the entity s industry r in the affected areas. Legal r regulatry requirements regarding the cmmunicatin f specific types f deficiency in internal cntrl. A16. Management and thse charged with gvernance may already be aware f significant deficiencies that the auditr has identified during the audit and may have chsen nt t remedy them because f cst r ther cnsideratins. The respnsibility fr evaluating the csts and benefits f implementing remedial actin rests with management and thse charged with gvernance. Accrdingly, the requirement in paragraph 9 applies regardless f cst r ther cnsideratins that management and thse charged with gvernance may cnsider relevant in determining whether t remedy such deficiencies. A17. The fact that the auditr cmmunicated a significant deficiency t thse charged with gvernance and management in a previus audit des nt eliminate the need fr the auditr t repeat the cmmunicatin if remedial actin has nt yet been taken. If a previusly cmmunicated significant deficiency remains, the current year s cmmunicatin may repeat the descriptin frm the previus cmmunicatin, r simply reference the previus cmmunicatin. The auditr may ask management r, where apprpriate, thse charged with gvernance, why the significant deficiency has nt yet been remedied. A failure t act, in the absence f a ratinal explanatin, may in itself represent a significant deficiency. Cnsideratins Specific t Smaller Entities A18. In the case f audits f smaller entities, the auditr may cmmunicate in a less structured manner with thse charged with gvernance than in the case f larger entities. AUDITING Cmmunicatin f Deficiencies in Internal Cntrl t Management (Ref: Para. 10) A19. Ordinarily, the apprpriate level f management is the ne that has respnsibility and authrity t evaluate the deficiencies in internal cntrl and t take the necessary remedial actin. Fr significant deficiencies, the apprpriate level is likely t be the chief executive fficer r chief financial fficer (r equivalent) as these matters are als required t be cmmunicated t thse charged with gvernance. Fr ther deficiencies in internal cntrl, the 245 ISA 265

10 apprpriate level may be peratinal management with mre direct invlvement in the cntrl areas affected and with the authrity t take apprpriate remedial actin. Cmmunicatin f Significant Deficiencies in Internal Cntrl t Management (Ref: Para. 10(a)) A20. Certain identified significant deficiencies in internal cntrl may call int questin the integrity r cmpetence f management. Fr example, there may be evidence f fraud r intentinal nn-cmpliance with laws and regulatins by management, r management may exhibit an inability t versee the preparatin f adequate financial statements that may raise dubt abut management s cmpetence. Accrdingly, it may nt be apprpriate t cmmunicate such deficiencies directly t management. A21. ISA 250 establishes requirements and prvides guidance n the reprting f identified r suspected nn-cmpliance with laws and regulatins, including when thse charged with gvernance are themselves invlved in such nncmpliance. 9 ISA 240 establishes requirements and prvides guidance regarding cmmunicatin t thse charged with gvernance when the auditr has identified fraud r suspected fraud invlving management. 10 Cmmunicatin f Other Deficiencies in Internal Cntrl t Management (Ref: Para. 10(b)) A22. During the audit, the auditr may identify ther deficiencies in internal cntrl that are nt significant deficiencies but that may be f sufficient imprtance t merit management s attentin. The determinatin as t which ther deficiencies in internal cntrl merit management s attentin is a matter f prfessinal judgment in the circumstances, taking int accunt the likelihd and ptential magnitude f misstatements that may arise in the financial statements as a result f thse deficiencies. A23. The cmmunicatin f ther deficiencies in internal cntrl that merit management s attentin need nt be in writing but may be ral. Where the auditr has discussed the facts and circumstances f the auditr s findings with management, the auditr may cnsider an ral cmmunicatin f the ther deficiencies t have been made t management at the time f these discussins. Accrdingly, a frmal cmmunicatin need nt be made subsequently. A24. If the auditr has cmmunicated deficiencies in internal cntrl ther than significant deficiencies t management in a prir perid and management has 9 10 ISA 250, Cnsideratin f Laws and Regulatins in an Audit f Financial Statements, paragraphs ISA 240, The Auditr s Respnsibilities Relating t Fraud in an Audit f Financial Statements, paragraph 41. ISA

11 chsen nt t remedy them fr cst r ther reasns, the auditr need nt repeat the cmmunicatin in the current perid. The auditr is als nt required t repeat infrmatin abut such deficiencies if it has been previusly cmmunicated t management by ther parties, such as internal auditrs r regulatrs. It may, hwever, be apprpriate fr the auditr t re-cmmunicate these ther deficiencies if there has been a change f management, r if new infrmatin has cme t the auditr s attentin that alters the prir understanding f the auditr and management regarding the deficiencies. Nevertheless, the failure f management t remedy ther deficiencies in internal cntrl that were previusly cmmunicated may becme a significant deficiency requiring cmmunicatin with thse charged with gvernance. Whether this is the case depends n the auditr s judgment in the circumstances. A25. In sme circumstances, thse charged with gvernance may wish t be made aware f the details f ther deficiencies in internal cntrl the auditr has cmmunicated t management, r be briefly infrmed f the nature f the ther deficiencies. Alternatively, the auditr may cnsider it apprpriate t infrm thse charged with gvernance f the cmmunicatin f the ther deficiencies t management. In either case, the auditr may reprt rally r in writing t thse charged with gvernance as apprpriate. A26. ISA 260 establishes relevant cnsideratins regarding cmmunicatin with thse charged with gvernance when all f them are invlved in managing the entity. 11 Cnsideratins Specific t Public Sectr Entities (Ref: Para. 9 10) A27. Public sectr auditrs may have additinal respnsibilities t cmmunicate deficiencies in internal cntrl that the auditr has identified during the audit, in ways, at a level f detail and t parties nt envisaged in this ISA. Fr example, significant deficiencies may have t be cmmunicated t the legislature r ther gverning bdy. Law, regulatin r ther authrity may als mandate that public sectr auditrs reprt deficiencies in internal cntrl, irrespective f the significance f the ptential effects f thse deficiencies. Further, legislatin may require public sectr auditrs t reprt n brader internal cntrl-related matters than the deficiencies in internal cntrl required t be cmmunicated by this ISA, fr example, cntrls related t cmpliance with legislative authrities, regulatins, r prvisins f cntracts r grant agreements. AUDITING 11 ISA 260, paragraph ISA 265

12 Cntent f Written Cmmunicatin f Significant Deficiencies in Internal Cntrl (Ref: Para. 11) A28. In explaining the ptential effects f the significant deficiencies, the auditr need nt quantify thse effects. The significant deficiencies may be gruped tgether fr reprting purpses where it is apprpriate t d s. The auditr may als include in the written cmmunicatin suggestins fr remedial actin n the deficiencies, management s actual r prpsed respnses, and a statement as t whether r nt the auditr has undertaken any steps t verify whether management s respnses have been implemented. A29. The auditr may cnsider it apprpriate t include the fllwing infrmatin as additinal cntext fr the cmmunicatin: An indicatin that if the auditr had perfrmed mre extensive prcedures n internal cntrl, the auditr might have identified mre deficiencies t be reprted, r cncluded that sme f the reprted deficiencies need nt, in fact, have been reprted. An indicatin that such cmmunicatin has been prvided fr the purpses f thse charged with gvernance, and that it may nt be suitable fr ther purpses. A30. Law r regulatin may require the auditr r management t furnish a cpy f the auditr s written cmmunicatin n significant deficiencies t apprpriate regulatry authrities. Where this is the case, the auditr s written cmmunicatin may identify such regulatry authrities. ISA