International Auditing and Assurance Standards Board
ISA 265
April 2009
International Standard on Auditing
Communicating Deficiencies in Internal Control to Those Charged with Governance and Management
International Auditing and Assurance Standards Board
International Federation of Accountants
545 Fifth Avenue, 14th Floor
New York, New York 10017 USA

This International Standard on Auditing (ISA) 265, "Communicating Deficiencies in Internal Control to Those Charged with Governance and Management" was prepared by the International Auditing and Assurance Standards Board (IAASB), an independent standard-setting body within the International Federation of Accountants (IFAC). The objective of the IAASB is to serve the public interest by setting high quality auditing and assurance standards and by facilitating the convergence of international and national standards, thereby enhancing the quality and uniformity of practice throughout the world and strengthening public confidence in the global auditing and assurance profession.

This publication may be downloaded free of charge from the IFAC website: http://www.ifac.org. The approved text is published in the English language.

The mission of IFAC is to serve the public interest, strengthen the worldwide accountancy profession and contribute to the development of strong international economies by establishing and promoting adherence to high quality professional standards, furthering the international convergence of such standards and speaking out on public interest issues where the profession's expertise is most relevant.

Copyright April 2009 by the International Federation of Accountants (IFAC). All rights reserved. Permission is granted to make copies of this work provided that such copies are for use in academic classrooms or for personal use and are not sold or disseminated and provided that each copy bears the following credit line: "Copyright April 2009 by the International Federation of Accountants (IFAC). All rights reserved. Used with permission of IFAC. Contact permissions@ifac.org for permission to reproduce, store or transmit this document." Otherwise, written permission from IFAC is required to reproduce, store or transmit, or to make other similar uses of, this document, except as permitted by law. Contact permissions@ifac.org.
ISBN: 978-1-60815-005-2
INTERNATIONAL STANDARD ON AUDITING 265
COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT
(Effective for audits of financial statements for periods beginning on or after December 15, 2009)

CONTENTS
Paragraph

Introduction
Scope of this ISA ... 1-3
Effective Date ... 4
Objective ... 5
Definitions ... 6
Requirements ... 7-11
Application and Other Explanatory Material
Determination of Whether Deficiencies in Internal Control Have Been Identified ... A1-A4
Significant Deficiencies in Internal Control ... A5-A11
Communication of Deficiencies in Internal Control ... A12-A30

International Standard on Auditing (ISA) 265, "Communicating Deficiencies in Internal Control to Those Charged with Governance and Management" should be read in conjunction with ISA 200, "Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing."
Introduction

Scope of this ISA

1. This International Standard on Auditing (ISA) deals with the auditor's responsibility to communicate appropriately to those charged with governance and management deficiencies in internal control[1] that the auditor has identified in an audit of financial statements. This ISA does not impose additional responsibilities on the auditor regarding obtaining an understanding of internal control and designing and performing tests of controls over and above the requirements of ISA 315 and ISA 330.[2] ISA 260[3] establishes further requirements and provides guidance regarding the auditor's responsibility to communicate with those charged with governance in relation to the audit.

2. The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement.[4] In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This ISA specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management.

3. Nothing in this ISA precludes the auditor from communicating to those charged with governance and management other internal control matters that the auditor has identified during the audit.

Effective Date

4. This ISA is effective for audits of financial statements for periods beginning on or after December 15, 2009.

Objective

5. The objective of the auditor is to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor's professional judgment, are of sufficient importance to merit their respective attentions.

[1] ISA 315, "Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment," paragraphs 4 and 12.
[2] ISA 330, "The Auditor's Responses to Assessed Risks."
[3] ISA 260, "Communication with Those Charged with Governance."
[4] ISA 315, paragraph 12. Paragraphs A60-A65 provide guidance on controls relevant to the audit.
Definitions

6. For purposes of the ISAs, the following terms have the meanings attributed below:

(a) Deficiency in internal control - This exists when:
    (i) A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or
    (ii) A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.
(b) Significant deficiency in internal control - A deficiency or combination of deficiencies in internal control that, in the auditor's professional judgment, is of sufficient importance to merit the attention of those charged with governance. (Ref: Para. A5)

Requirements

7. The auditor shall determine whether, on the basis of the audit work performed, the auditor has identified one or more deficiencies in internal control. (Ref: Para. A1-A4)

8. If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on the basis of the audit work performed, whether, individually or in combination, they constitute significant deficiencies. (Ref: Para. A5-A11)

9. The auditor shall communicate in writing significant deficiencies in internal control identified during the audit to those charged with governance on a timely basis. (Ref: Para. A12-A18, A27)

10. The auditor shall also communicate to management at an appropriate level of responsibility on a timely basis: (Ref: Para. A19, A27)

(a) In writing, significant deficiencies in internal control that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances; and (Ref: Para. A14, A20-A21)
(b) Other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor's professional judgment, are of sufficient importance to merit management's attention. (Ref: Para. A22-A26)
11. The auditor shall include in the written communication of significant deficiencies in internal control:

(a) A description of the deficiencies and an explanation of their potential effects; and (Ref: Para. A28)
(b) Sufficient information to enable those charged with governance and management to understand the context of the communication. In particular, the auditor shall explain that: (Ref: Para. A29-A30)
    (i) The purpose of the audit was for the auditor to express an opinion on the financial statements;
    (ii) The audit included consideration of internal control relevant to the preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control; and
    (iii) The matters being reported are limited to those deficiencies that the auditor has identified during the audit and that the auditor has concluded are of sufficient importance to merit being reported to those charged with governance.

***

Application and Other Explanatory Material

Determination of Whether Deficiencies in Internal Control Have Been Identified (Ref: Para. 7)

A1. In determining whether the auditor has identified one or more deficiencies in internal control, the auditor may discuss the relevant facts and circumstances of the auditor's findings with the appropriate level of management. This discussion provides an opportunity for the auditor to alert management on a timely basis to the existence of deficiencies of which management may not have been previously aware. The level of management with whom it is appropriate to discuss the findings is one that is familiar with the internal control area concerned and that has the authority to take remedial action on any identified deficiencies in internal control. In some circumstances, it may not be appropriate for the auditor to discuss the auditor's findings directly with management, for example, if the findings appear to call management's integrity or competence into question (see paragraph A20).

A2. In discussing the facts and circumstances of the auditor's findings with management, the auditor may obtain other relevant information for further consideration, such as:

• Management's understanding of the actual or suspected causes of the deficiencies.
• Exceptions arising from the deficiencies that management may have noted, for example, misstatements that were not prevented by the relevant information technology (IT) controls.
• A preliminary indication from management of its response to the findings.

Considerations Specific to Smaller Entities

A3. While the concepts underlying control activities in smaller entities are likely to be similar to those in larger entities, the formality with which they operate will vary. Further, smaller entities may find that certain types of control activities are not necessary because of controls applied by management. For example, management's sole authority for granting credit to customers and approving significant purchases can provide effective control over important account balances and transactions, lessening or removing the need for more detailed control activities.

A4. Also, smaller entities often have fewer employees which may limit the extent to which segregation of duties is practicable. However, in a small owner-managed entity, the owner-manager may be able to exercise more effective oversight than in a larger entity. This higher level of management oversight needs to be balanced against the greater potential for management override of controls.

Significant Deficiencies in Internal Control (Ref: Para. 6(b), 8)

A5. The significance of a deficiency or a combination of deficiencies in internal control depends not only on whether a misstatement has actually occurred, but also on the likelihood that a misstatement could occur and the potential magnitude of the misstatement. Significant deficiencies may therefore exist even though the auditor has not identified misstatements during the audit.

A6. Examples of matters that the auditor may consider in determining whether a deficiency or combination of deficiencies in internal control constitutes a significant deficiency include:

• The likelihood of the deficiencies leading to material misstatements in the financial statements in the future.
• The susceptibility to loss or fraud of the related asset or liability.
• The subjectivity and complexity of determining estimated amounts, such as fair value accounting estimates.
• The financial statement amounts exposed to the deficiencies.
• The volume of activity that has occurred or could occur in the account balance or class of transactions exposed to the deficiency or deficiencies.
• The importance of the controls to the financial reporting process; for example:
    - General monitoring controls (such as oversight of management).
    - Controls over the prevention and detection of fraud.
    - Controls over the selection and application of significant accounting policies.
    - Controls over significant transactions with related parties.
    - Controls over significant transactions outside the entity's normal course of business.
    - Controls over the period-end financial reporting process (such as controls over non-recurring journal entries).
• The cause and frequency of the exceptions detected as a result of the deficiencies in the controls.
• The interaction of the deficiency with other deficiencies in internal control.

A7. Indicators of significant deficiencies in internal control include, for example:

• Evidence of ineffective aspects of the control environment, such as:
    - Indications that significant transactions in which management is financially interested are not being appropriately scrutinized by those charged with governance.
    - Identification of management fraud, whether or not material, that was not prevented by the entity's internal control.
    - Management's failure to implement appropriate remedial action on significant deficiencies previously communicated.
• Absence of a risk assessment process within the entity where such a process would ordinarily be expected to have been established.
• Evidence of an ineffective entity risk assessment process, such as management's failure to identify a risk of material misstatement that the auditor would expect the entity's risk assessment process to have identified.
• Evidence of an ineffective response to identified significant risks (for example, absence of controls over such a risk).
• Misstatements detected by the auditor's procedures that were not prevented, or detected and corrected, by the entity's internal control.
• Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud.
• Evidence of management's inability to oversee the preparation of the financial statements.

A8. Controls may be designed to operate individually or in combination to effectively prevent, or detect and correct, misstatements.[5] For example, controls over accounts receivable may consist of both automated and manual controls designed to operate together to prevent, or detect and correct, misstatements in the account balance. A deficiency in internal control on its own may not be sufficiently important to constitute a significant deficiency. However, a combination of deficiencies affecting the same account balance or disclosure, relevant assertion, or component of internal control may increase the risks of misstatement to such an extent as to give rise to a significant deficiency.

A9. Law or regulation in some jurisdictions may establish a requirement (particularly for audits of listed entities) for the auditor to communicate to those charged with governance or to other relevant parties (such as regulators) one or more specific types of deficiency in internal control that the auditor has identified during the audit. Where law or regulation has established specific terms and definitions for these types of deficiency and requires the auditor to use these terms and definitions for the purpose of the communication, the auditor uses such terms and definitions when communicating in accordance with the legal or regulatory requirement.

A10. Where the jurisdiction has established specific terms for the types of deficiency in internal control to be communicated but has not defined such terms, it may be necessary for the auditor to use judgment to determine the matters to be communicated further to the legal or regulatory requirement. In doing so, the auditor may consider it appropriate to have regard to the requirements and guidance in this ISA. For example, if the purpose of the legal or regulatory requirement is to bring to the attention of those charged with governance certain internal control matters of which they should be aware, it may be appropriate to regard such matters as being generally equivalent to the significant deficiencies required by this ISA to be communicated to those charged with governance.

A11. The requirements of this ISA remain applicable notwithstanding that law or regulation may require the auditor to use specific terms or definitions.

[5] ISA 315, paragraph A66.
Communication of Deficiencies in Internal Control

Communication of Significant Deficiencies in Internal Control to Those Charged with Governance (Ref: Para. 9)

A12. Communicating significant deficiencies in writing to those charged with governance reflects the importance of these matters, and assists those charged with governance in fulfilling their oversight responsibilities. ISA 260 establishes relevant considerations regarding communication with those charged with governance when all of them are involved in managing the entity.[6]

A13. In determining when to issue the written communication, the auditor may consider whether receipt of such communication would be an important factor in enabling those charged with governance to discharge their oversight responsibilities. In addition, for listed entities in certain jurisdictions, those charged with governance may need to receive the auditor's written communication before the date of approval of the financial statements in order to discharge specific responsibilities in relation to internal control for regulatory or other purposes. For other entities, the auditor may issue the written communication at a later date. Nevertheless, in the latter case, as the auditor's written communication of significant deficiencies forms part of the final audit file, the written communication is subject to the overriding requirement[7] for the auditor to complete the assembly of the final audit file on a timely basis. ISA 230 states that an appropriate time limit within which to complete the assembly of the final audit file is ordinarily not more than 60 days after the date of the auditor's report.[8]

A14. Regardless of the timing of the written communication of significant deficiencies, the auditor may communicate these orally in the first instance to management and, when appropriate, to those charged with governance to assist them in taking timely remedial action to minimize the risks of material misstatement. Doing so, however, does not relieve the auditor of the responsibility to communicate the significant deficiencies in writing, as this ISA requires.

A15. The level of detail at which to communicate significant deficiencies is a matter of the auditor's professional judgment in the circumstances. Factors that the auditor may consider in determining an appropriate level of detail for the communication include, for example:

• The nature of the entity. For instance, the communication required for a public interest entity may be different from that for a non-public interest entity.
• The size and complexity of the entity. For instance, the communication required for a complex entity may be different from that for an entity operating a simple business.
• The nature of significant deficiencies that the auditor has identified.
• The entity's governance composition. For instance, more detail may be needed if those charged with governance include members who do not have significant experience in the entity's industry or in the affected areas.
• Legal or regulatory requirements regarding the communication of specific types of deficiency in internal control.

A16. Management and those charged with governance may already be aware of significant deficiencies that the auditor has identified during the audit and may have chosen not to remedy them because of cost or other considerations. The responsibility for evaluating the costs and benefits of implementing remedial action rests with management and those charged with governance. Accordingly, the requirement in paragraph 9 applies regardless of cost or other considerations that management and those charged with governance may consider relevant in determining whether to remedy such deficiencies.

A17. The fact that the auditor communicated a significant deficiency to those charged with governance and management in a previous audit does not eliminate the need for the auditor to repeat the communication if remedial action has not yet been taken. If a previously communicated significant deficiency remains, the current year's communication may repeat the description from the previous communication, or simply reference the previous communication. The auditor may ask management or, where appropriate, those charged with governance, why the significant deficiency has not yet been remedied. A failure to act, in the absence of a rational explanation, may in itself represent a significant deficiency.

Considerations Specific to Smaller Entities

A18. In the case of audits of smaller entities, the auditor may communicate in a less structured manner with those charged with governance than in the case of larger entities.

Communication of Deficiencies in Internal Control to Management (Ref: Para. 10)

A19. Ordinarily, the appropriate level of management is the one that has responsibility and authority to evaluate the deficiencies in internal control and to take the necessary remedial action. For significant deficiencies, the appropriate level is likely to be the chief executive officer or chief financial officer (or equivalent) as these matters are also required to be communicated to those charged with governance. For other deficiencies in internal control, the appropriate level may be operational management with more direct involvement in the control areas affected and with the authority to take appropriate remedial action.

Communication of Significant Deficiencies in Internal Control to Management (Ref: Para. 10(a))

A20. Certain identified significant deficiencies in internal control may call into question the integrity or competence of management. For example, there may be evidence of fraud or intentional non-compliance with laws and regulations by management, or management may exhibit an inability to oversee the preparation of adequate financial statements that may raise doubt about management's competence. Accordingly, it may not be appropriate to communicate such deficiencies directly to management.

A21. ISA 250 establishes requirements and provides guidance on the reporting of identified or suspected non-compliance with laws and regulations, including when those charged with governance are themselves involved in such non-compliance.[9] ISA 240 establishes requirements and provides guidance regarding communication to those charged with governance when the auditor has identified fraud or suspected fraud involving management.[10]

Communication of Other Deficiencies in Internal Control to Management (Ref: Para. 10(b))

A22. During the audit, the auditor may identify other deficiencies in internal control that are not significant deficiencies but that may be of sufficient importance to merit management's attention. The determination as to which other deficiencies in internal control merit management's attention is a matter of professional judgment in the circumstances, taking into account the likelihood and potential magnitude of misstatements that may arise in the financial statements as a result of those deficiencies.

A23. The communication of other deficiencies in internal control that merit management's attention need not be in writing but may be oral. Where the auditor has discussed the facts and circumstances of the auditor's findings with management, the auditor may consider an oral communication of the other deficiencies to have been made to management at the time of these discussions. Accordingly, a formal communication need not be made subsequently.

[6] ISA 260, paragraph 13.
[7] ISA 230, "Audit Documentation," paragraph 14.
[8] ISA 230, paragraph A21.
[9] ISA 250, "Consideration of Laws and Regulations in an Audit of Financial Statements," paragraphs 22-28.
[10] ISA 240, "The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements," paragraph 41.
A24. If the auditor has communicated deficiencies in internal control other than significant deficiencies to management in a prior period and management has chosen not to remedy them for cost or other reasons, the auditor need not repeat the communication in the current period. The auditor is also not required to repeat information about such deficiencies if it has been previously communicated to management by other parties, such as internal auditors or regulators. It may, however, be appropriate for the auditor to re-communicate these other deficiencies if there has been a change of management, or if new information has come to the auditor's attention that alters the prior understanding of the auditor and management regarding the deficiencies. Nevertheless, the failure of management to remedy other deficiencies in internal control that were previously communicated may become a significant deficiency requiring communication with those charged with governance. Whether this is the case depends on the auditor's judgment in the circumstances.

A25. In some circumstances, those charged with governance may wish to be made aware of the details of other deficiencies in internal control the auditor has communicated to management, or be briefly informed of the nature of the other deficiencies. Alternatively, the auditor may consider it appropriate to inform those charged with governance of the communication of the other deficiencies to management. In either case, the auditor may report orally or in writing to those charged with governance as appropriate.

A26. ISA 260 establishes relevant considerations regarding communication with those charged with governance when all of them are involved in managing the entity.[11]

Considerations Specific to Public Sector Entities (Ref: Para. 9-10)

A27. Public sector auditors may have additional responsibilities to communicate deficiencies in internal control that the auditor has identified during the audit, in ways, at a level of detail and to parties not envisaged in this ISA. For example, significant deficiencies may have to be communicated to the legislature or other governing body. Law, regulation or other authority may also mandate that public sector auditors report deficiencies in internal control, irrespective of the significance of the potential effects of those deficiencies. Further, legislation may require public sector auditors to report on broader internal control-related matters than the deficiencies in internal control required to be communicated by this ISA, for example, controls related to compliance with legislative authorities, regulations, or provisions of contracts or grant agreements.

[11] ISA 260, paragraph 13.
Content of Written Communication of Significant Deficiencies in Internal Control (Ref: Para. 11)

A28. In explaining the potential effects of the significant deficiencies, the auditor need not quantify those effects. The significant deficiencies may be grouped together for reporting purposes where it is appropriate to do so. The auditor may also include in the written communication suggestions for remedial action on the deficiencies, management's actual or proposed responses, and a statement as to whether or not the auditor has undertaken any steps to verify whether management's responses have been implemented.

A29. The auditor may consider it appropriate to include the following information as additional context for the communication:

• An indication that if the auditor had performed more extensive procedures on internal control, the auditor might have identified more deficiencies to be reported, or concluded that some of the reported deficiencies need not, in fact, have been reported.
• An indication that such communication has been provided for the purposes of those charged with governance, and that it may not be suitable for other purposes.

A30. Law or regulation may require the auditor or management to furnish a copy of the auditor's written communication on significant deficiencies to appropriate regulatory authorities. Where this is the case, the auditor's written communication may identify such regulatory authorities.
International Federation of Accountants
545 Fifth Avenue, 14th Floor, New York, NY 10017 USA
Tel +1 (212) 286-9344 Fax +1 (212) 286-9570 www.ifac.org