Statement on Auditing Standards-SA 265

Scope and objectives

The scope and objective of the auditing standards related to the auditor’s responsibility to communicate deficiencies in internal control to those charged with governance and management. The SA 265 applies when the auditor identifies deficiencies in internal control during the audit of financial statements. The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. However, the auditor is not required to express an opinion on the effectiveness of internal control.

The SA 265 specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management. The objective is to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor’s professional judgment, are of sufficient importance to merit their respective attentions.

The SA 265 defines “deficiency in internal control” as a control that is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis or a missing control necessary to prevent or detect misstatements in the financial statements. A “significant deficiency in internal control” is a deficiency or combination of deficiencies in internal control that, in the auditor’s professional judgment, is of sufficient importance to merit the attention of those charged with governance. The auditor is required to communicate significant deficiencies to those charged with governance and management.

The effective date for this SA 265 is for audits of financial statements for periods beginning on or after April 1, 2010. However, the auditor is not precluded from communicating other internal control matters to those charged with governance and management that the auditor has identified during the audit. The SA 265 is meant to ensure that those charged with governance and management are informed of any significant deficiencies in internal control that could impact the accuracy and reliability of the financial statements.

Requirements

The several requirements for auditors related to communicating deficiencies in internal control to those charged with governance and management. First, the auditor must determine whether they have identified any deficiencies in internal control based on the audit work performed. If deficiencies are identified, the auditor must communicate them appropriately to the relevant parties.

In some cases, the auditor may need to discuss their findings with management in order to obtain additional information or provide them with an opportunity to address the issues identified. This discussion should take place with the appropriate level of management, which is typically the one that is familiar with the internal control area concerned and has the authority to take remedial action on any identified deficiencies. However, if the findings call into question management’s integrity or competence, the auditor may not want to discuss them directly with management.

SA 265 also notes that smaller entities may have different control activities than larger entities. For example, smaller entities may have less formal control activities, but they may rely on management’s oversight and decision-making to provide effective control. The auditor should consider these differences when evaluating internal control deficiencies in smaller entities. Additionally, the auditor should balance the higher level of management oversight in small entities with the greater potential for management override of controls.

Significant Deficiencies in Internal Control                                                                    

The auditors should determine whether deficiencies in internal control identified during an audit are significant and need to be communicated to those charged with governance.

The significance of a deficiency in internal control is not only determined by whether a misstatement has occurred, but also by the likelihood that a misstatement could occur and the potential magnitude of the misstatement. The auditor should consider various factors, such as the susceptibility to loss or fraud of related assets or liabilities, subjectivity and complexity of determining estimated amounts, financial statement amounts exposed to the deficiencies, and the importance of controls to the financial reporting process.

The auditor should also consider the cause and frequency of exceptions detected as a result of deficiencies in controls, as well as the interaction of the deficiency with other deficiencies in internal control. Indicators of significant deficiencies in internal control include ineffective aspects of the control environment, absence of a risk assessment process, evidence of an ineffective entity risk assessment process, ineffective response to identified significant risks, and misstatements detected by the auditor’s procedures that were not prevented by internal control.

The combination of deficiencies affecting the same account balance or disclosure, relevant assertion, or component of internal control may increase the risk of misstatement to such an extent that it gives rise to a significant deficiency, even if each deficiency on its own is not significant.

Some jurisdictions may require auditors to communicate specific types of deficiencies in internal control to those charged with governance or other relevant parties. In such cases, the auditor should use the specific terms and definitions established by law or regulation. If there are no specific terms or definitions established, the auditor should exercise judgment in determining the matters to be communicated, taking into account the requirements and guidance in the applicable standards.

Communication of Significant Deficiencies in Internal Control to Those Charged with Governance                                                                                          

The auditor’s responsibility to communicate any significant deficiencies in internal control to the individuals charged with governance (e.g., the board of directors) of the organization being audited. This communication should be done in writing and in a timely manner. The purpose of this communication is to highlight the importance of the deficiencies and assist the charged individuals in fulfilling their oversight responsibilities.

The timing of the written communication may vary depending on the circumstances, but the auditor should consider whether it is necessary for the charged individuals to receive the communication before the financial statements are approved or if it can be issued at a later date. Regardless of the timing, the auditor may communicate significant deficiencies orally to management and those charged with governance to prompt timely remedial action, but a written communication is still required.

The level of detail in the communication should be based on the auditor’s professional judgment, taking into account factors such as the nature, size, and complexity of the entity, the nature of the deficiencies, and any legal or regulatory requirements.

The fact that a significant deficiency was communicated in a previous audit does not eliminate the need for the auditor to repeat the communication if remedial action has not been taken. The responsibility for evaluating the costs and benefits of implementing remedial action lies with management and those charged with governance. A failure to act on a previously communicated significant deficiency may represent a significant deficiency in itself.

Considerations Specific to Smaller Entities

The audits of smaller entities, the auditor may communicate with those charged with governance in a less structured manner than for larger entities. This means that the auditor can use fewer formal means of communication when discussing significant deficiencies in internal control with the governance body.

Additionally, the auditor is required to communicate to management on a timely basis regarding deficiencies in internal control. The appropriate level of management to communicate with depends on the nature of the deficiency. For significant deficiencies, the appropriate level of management is likely to be the chief executive officer or chief financial officer, who have the authority to evaluate the deficiencies and take remedial action. For other deficiencies, the appropriate level may be operational management with more direct involvement in the control areas affected and with the authority to take appropriate remedial action.

Overall, the auditor must communicate significant deficiencies in internal control identified during the audit to those charged with governance and management at the appropriate level, in a timely manner, and in a manner that is commensurate with the size and complexity of the entity.

Communication of Significant Deficiencies in Internal Control to Management

The auditor’s communication responsibilities regarding deficiencies in internal control to management.

First, the SA 265 notes that if the auditor identifies significant deficiencies in internal control that call into question the integrity or competence of management (such as fraud or intentional non-compliance), it may not be appropriate to communicate those deficiencies directly to management. Instead, SA 250 and SA 240 establish requirements and guidance for reporting non-compliance with laws and regulations and fraud involving management, respectively.

The state that during the audit, the auditor may identify other deficiencies in internal control that are not significant deficiencies but may still be important enough to merit management’s attention. Whether such deficiencies merit communication is a matter of professional judgment based on the likelihood and potential magnitude of misstatements that may arise in the financial statements as a result.

If the auditor decides that other deficiencies in internal control merit management’s attention, they may communicate them orally or in writing to management. If deficiencies have been previously communicated to management and management has chosen not to remedy them, the auditor need not repeat the communication in the current period. However, if new information has come to light or there has been a change in management, the auditor may need to re-communicate the deficiencies.

 Those charged with governance may wish to be made aware of other deficiencies in internal control that the auditor has communicated to management. In those cases, the auditor may report orally or in writing to those charged with governance as appropriate.

Finally, certain entities may have additional responsibilities for communicating deficiencies in internal control, such as government entities, which may be required to report to the legislature or other governing body.

Content of Written Communication of Significant Deficiencies in Internal Control

The requirements for written communication of significant deficiencies in internal control. The auditor must describe the deficiencies and explain their potential effects, but quantifying those effects is not necessary. The auditor may group together significant deficiencies where appropriate, and provide suggestions for remedial action, management’s actual or proposed responses, and a statement on whether the auditor has taken any steps to verify management’s responses have been implemented.

Additionally, the written communication must include sufficient information to help those charged with governance and management understand the context of the deficiencies. This may include information on the limitations of the audit, such as an indication that if the auditor had performed more extensive procedures on internal control, they might have identified more deficiencies to report. It may also include information on the purpose of the communication and any regulatory requirements.

The purpose of the audit was to express an opinion on the financial statements, and the audit included consideration of internal control relevant to the preparation of the financial statements. However, the audit was not performed for the purpose of expressing an opinion on the effectiveness of internal control. The deficiencies being reported are limited to those identified during the audit and deemed sufficiently important to merit reporting to those charged with governance.

“Communicating Deficiencies in Internal Control to Those Charged with Governance and Management”

The ISA 265, which pertains to the communication of deficiencies in internal control to those responsible for governance and management. The modifications include the removal of an example related to restating prior period financial statements to reflect the correction of a material misstatement due to error or fraud. This example has been removed because it is not relevant in the Indian accounting scenario, which requires prior period items to be separately disclosed in the Statement of Profit and Loss.

The second modification deals with the additional responsibilities of public sector auditors to communicate/report deficiencies in internal control to the legislature or governing body. The text notes that the Standards issued by the Auditing and Assurance Standards Board apply equally to all entities, irrespective of their form, nature, and size. Therefore, a specific reference to public sector entities has been removed. However, the text also notes that non-public sector entities may be subject to similar reporting requirements under relevant statutes or regulations. As a result, the modifications retain the spirit of the ISA.

Quiz: Communicating Deficiencies in Internal Control to Those Charged with Governance and Management

1. According to SA 265, when should the auditor communicate deficiencies in internal control?

a) Only if they identify significant deficiencies

b) Only if they identify significant deficiencies that call into question management’s integrity or competence

c) Only if they identify deficiencies that call into question management’s integrity or competence

d) If they identify any deficiencies in internal control

Answer: d)

2. What is the purpose of communicating significant deficiencies in internal control to those charged with governance?

a) To highlight the importance of the deficiencies

b) To assist those charged with governance in fulfilling their oversight responsibilities

c) To prompt timely remedial action

d) All of the above

Answer: d)

3. How should significant deficiencies in internal control be communicated to those charged with governance and management?

a) Orally only

b) In writing only

c) Both orally and in writing

d) It depends on the size and complexity of the entity

Answer: c)

4. What factors should the auditor consider when determining the significance of a deficiency in internal control?

a) Likelihood and potential magnitude of misstatements

b) Susceptibility to loss or fraud

c) Importance of controls to the financial reporting process

d) All of the above

Answer: d)

5. What level of detail should be included in the written communication of significant deficiencies?

a) Detailed explanation of the deficiencies

b) Quantification of potential effects

c) Suggestions for remedial action

d) It depends on the auditor’s professional judgment and the size and complexity of the entity

Answer: d)

6. If significant deficiencies have been previously communicated to management and management has not taken remedial action, the auditor is not required to repeat the communication in the current period.

a) True

b) False

Answer: b)

7. Smaller entities may have less formal control activities but may rely on management’s oversight and decision-making to provide effective control.

a) True

b) False

Answer: a)

8. Public sector entities are subject to the same reporting requirements under SA 265 as non-public sector entities.

a) True

b) False

Answer: b)

9. The auditor’s responsibility is to express an opinion on the effectiveness of internal control.

a) True

b) False

Answer: b)

10. When should the written communication of significant deficiencies be issued?

a) Before the financial statements are approved

b) After the financial statements are approved

c) It depends on the timing determined by the auditor

d) Both before and after the financial statements are approved

Answer: c)

Additional questions:

11. True or False: The auditor is required to express an opinion on the effectiveness of internal control according to SA 265.

a) True

b) False

Answer: b)

12. Which of the following is not a factor to consider when determining the significance of a deficiency in internal control?

a) Complexity of the entity

b) Potential magnitude of misstatement

c) Susceptibility to loss or fraud

d) Size of the entity

Answer: d)

13. How should deficiencies in internal control be communicated to management?

a) Orally only

b) In writing only

c) Both orally and in writing

d) It depends on the significance of the deficiency

Answer: c)

14. If deficiencies in internal control have been previously communicated to management and they have taken remedial action, the auditor must repeat the communication in the current period.

a) True

b) False

Answer: b)

15. In the context of smaller entities, what level of management should the auditor communicate with for significant deficiencies?

a) Chief executive officer or chief financial officer

b) Operational management

c) Both a) and b)

d) It depends on the nature of the deficiency

Answer: c)

16. The auditor’s written communication of significant deficiencies must include quantification of the potential effects.

a) True

b) False

Answer: b)

17. When communicating deficiencies in internal control to those charged with governance, what is the preferred method of communication according to SA 265?

a) Orally

b) In writing

c) Both orally and in writing

d) It depends on the preferences of those charged with governance

Answer: b)

18. The auditor’s responsibility is to evaluate the costs and benefits of implementing remedial action for significant deficiencies.

a) True

b) False

Answer: b)

19. Which of the following is not an indicator of a significant deficiency in internal control?

a) Ineffective response to identified significant risks

b) Misstatements detected by the auditor’s procedures

c) Effective aspects of the control environment

d) Absence of a risk assessment process

Answer: c)

20. SA 265 applies to all entities, irrespective of their form, nature, and size.

a) True

b) False

Answer: a)

Statement on Auditing Standards – SA 210

Statement on Auditing Standards – SA 220

Statement on Auditing Standards – SA 230

Statement on Auditing Standards – SA 240

Statement on Auditing Standards – SA 250

Statement on Auditing Standards – SA 260

Statement on Auditing Standards – SA 265

Statement on Auditing Standards – SA 299

Statement on Auditing Standards – SA 300

 Statement on Auditing Standards – SA 315

Statement on Auditing Standards – SA 320

Statement on Auditing Standards – SA 330

Statement on Auditing Standards – SA 402

Statement on Auditing Standards – SA 450

Statement On Auditing Standards – SA 500

Statement on Auditing Standards – SA 501

Statement on Auditing Standards – SA 505

Statement on Auditing Standards – SA 510

Statement on Auditing Standards – SA 520

Statement on Auditing Standards – SA 530

Statement on Auditing Standards – SA 540

Statement on Auditing Standards – SA 560

Statement on Auditing Standards – SA 570

Statement on Auditing Standards – SA 580

Statement on Auditing Standards – SA 600

Statement on Auditing Standards – SA 610

Statement on Auditing Standards – SA 620

Statement on Auditing Standards – SA 700

Statement on Auditing Standards – SA 701

Statement on Auditing Standards – SA 705

Statement on Auditing Standards – SA 706

 Statement on Auditing Standards – SA 710

Statement on Auditing Standards – SA 720

Statement on Auditing Standards – SA 800

Statement on Auditing Standards – SA 805

Statement on Auditing Standards – SA 810

Statement on Auditing Standards – SAE 3400

Statement on Auditing Standards – SAE 3402

Statement on Auditing Standards – SRE 2400

Statement on Auditing Standards – SRE 2410

Statement on Auditing Standards – SRS 4400

Statement on Auditing Standards – SRS 4410

Audit trail in software requirements

Standard on Quality Control

Statement on developmental and regulatory policies