Communicating deficiencies in internal controls to those charged with governance and management (ISA 265) is a new International Standard on Auditing (ISA) that comes into effect, together with all the other clarified ISAs, for all audits of financial statements beginning on or after 15 December 2009.

ISA 265 consists of a number of requirements that the auditor shall perform in order to have complied with this standard.

The table contains the requirements placed on the auditor in terms of ISA 265 together with assistance on how practically to apply the requirements, together with some explanatory notes on interpreting the requirements.

Theashen Vandiar CA(SA), is Project Director: Auditing and members Advice, SAICA.

Requirement on Auditor in terms of ISA 265

Application of the requirements of ISA 265Further Explanatory notes
1.  Determine if one or more deficiencies in internal controls have been identified.1.1      Discuss the relevant facts and circumstances with the appropriate level of management.1.1      Appropriate level of management is those that are familiar with the internal control area concerned and that have the authority to take remedial action.
1.2      When discussing the above with management, the auditor may obtain other relevant information for further consideration.1.2      Other relevant information includes:

1.2.1   management’s understanding of the actual or suspected causes of the deficiencies.

1.2.2   exceptions arising from the deficiencies that management may have noted.

1.2.3   a preliminary indication from management of its responses to the findings.

2.  Determine if the deficiency(ies) identified constitute significant deficiencies.2.1      Matters to be considered when determining if a deficiency is significant:

2.1.1   The likelihood of the deficiencies leading to material misstatements in the financial statements in the future.

2.1.2   The susceptibility to loss or fraud of the related asset or liability.

2.1.3   The subjectivity and complexity of determining estimated amounts.

2.1.4   The financial statement amounts exposed to the deficiencies.

2.1.5   The importance of the controls to the financial reporting process.

2.1.6   The cause and frequency of the exceptions detected as a result of the deficiencies in the control.

2.1      Indicators of significant deficiencies include:

2.1.1   Evidence of ineffective aspects of the control environment.

2.1.2   Absence of a risk assessment process within the entity.

2.1.3   Evidence of an ineffective response to identified significant risks. Misstatements detected during substantive testing that were not prevented, detected or corrected by the entity’s internal controls.

2.1.4   Restatement of previously issued financial statements to reflect the correction of material misstatement due to error or fraud.

2.1.5   Evidence of management’s inability to oversee the preparation of the financial statements.

3.  Communicate in writing significant deficiencies in internal controls identified to those charged with governance on a timely basis.3.1      Communication should be in writing to reflect the importance of the matters.

3.2      In determining “WHEN” to issue the communication, consideration needs to be given as to when communication would be most appropriate in enabling those charged with governance to discharge their oversight responsibilities.

3.3      Professional judgment must be applied in determining the level of detail at which to communicate significant deficiencies.

3.3.     In determining appropriate level of detail, the auditor should consider the following factors:

3.3.1   The nature of the entity.

3.3.2   The size and complexity of the entity.

3.3.3   The nature of the significant deficiencies identified.

3.3.4   The entity’s governance composition.

3.3.5   Legal or regulatory requirements regarding the communication of specific types of deficiencies in internal controls.

4.  Communicate to management:

(a) in writing regarding significant deficiencies in internal controls identified.

4. (a)1   This requirement does not apply if it is considered inappropriate to communicate directly to management.4.(a)1    It is considered inappropriate when:

4.1.1     the integrity and competence of management is called into question.

4.1.2     there are suspected non-compliance with laws and regulations (refer to ISA 250 for guidance).

4.1.3     the auditor has identified fraud or suspected fraud involving management. (Refer to ISA 240 for guidance).

4.  Communicate to management:

(b) regarding other deficiencies that merit management’s attention.

4(b).1    The communication need not be in writing but may be oral.4(b).1  Determining what merits management’s attention is a professional judgment that takes into account the likelihood and potential magnitude of misstatements that may arise in the financial statements as a result of those deficiencies.