## **Learning Outcomes**

After reading this article, you will be able to explain what tests of controls are, how control deficiencies are identified during an audit, and how these are communicated to management and those charged with governance in line with ISA 265. You will understand the difference between significant and less significant deficiencies, the format and content of management letters, and be able to recommend appropriate improvements for identified weaknesses.

## **ACCA Audit and Assurance (AA) Syllabus**

For ACCA Audit and Assurance (AA), you are required to understand how auditors evaluate, test, and report on internal controls, including the communication of deficiencies. In particular, you should be able to:

- Explain the purpose and design of tests of controls and their role within the audit.
- Identify control deficiencies and evaluate their significance.
- Describe the requirements for reporting deficiencies to management and those charged with governance (ISA 265).
- Draft clear management letter comments, including tailored recommendations to address specific deficiencies.
- Distinguish between control, significant, and material weaknesses for communication purposes.
- Apply these concepts to real-life scenarios involving sales, purchases, payroll, and other key business cycles.

## **Test Your Knowledge**

_Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision._

1. What is the primary objective of performing tests of controls in an audit?
2. According to ISA 265, when must significant deficiencies be communicated to those charged with governance?
3. For each deficiency below, draft an appropriate management letter comment and recommendation:
   - Supplier statements are not reconciled monthly.
   - Payroll changes are processed without independent review.
4. State the key elements that should be included in a management letter (report to management).

## **Introduction**

Auditors assess internal controls to determine the risk of material misstatement. Where controls are designed and operated effectively, auditors may reduce substantive procedures. Tests of controls verify that these procedures function as intended throughout the year. When deficiencies are found—either in the design or operation of controls—ISA 265 requires auditors to report these to management or those charged with governance, especially if they are significant. The management letter is the formal mechanism for making such communications and providing recommendations for improvement.

> **Key Term: test of controls**
> An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.

## Assessing and Testing Controls

### Why Test Controls?

Auditors decide to test controls where they intend to rely on their effectiveness to reduce substantive testing. This is typically possible when the control system is strong, well-documented, and relevant to significant audit risks.

### How Are Tests of Controls Performed?

Common methods include:

- Inspection of documents for evidence of authorisation.
- Observation of processes or procedures being performed.
- Inquiry of personnel about how controls are executed.
- Reperformance of control activities by the auditor.
- Use of test data in IT environments to see if programmed controls function as expected.

> **Key Term: deficiency in internal control**
> A control that is missing or not designed, implemented, or operated effectively, so it fails to prevent, or detect and correct, misstatements on a timely basis.

## Identifying Control Deficiencies

A deficiency can arise where no control exists, the control is not appropriately designed, or the control does not operate as intended.

Deficiencies vary in significance. Factors affecting significance include:

- Likelihood of resulting in material misstatement.
- Subjectivity and complexity of the process involved.
- Potential for fraud or loss, and the size/volume involved.

When a deficiency is judged to be significant, ISA 265 requires direct communication with those charged with governance.

> **Key Term: significant deficiency**
> A deficiency, or a combination of deficiencies, in internal control that merits the attention of those charged with governance.

## Communicating Deficiencies – The Management Letter

### Purpose

The management letter (or report to management) presents control deficiencies discovered during the audit, their implications, and practical recommendations to address them.

### Recipients

- All deficiencies significant to financial reporting are communicated to those charged with governance (e.g., audit committee).
- Other, less significant deficiencies may be communicated to management.

### Management Letter Content

A typical management letter includes:

- A covering letter stating the limitations of testing and intended use of the report.
- An appendix listing each deficiency, the consequence/risk, and a specific recommendation.

### **Worked Example 1.1**

**During an audit, the accounts clerk is responsible for preparing, authorizing, and recording bank payments, with no independent review. Identify the deficiency and draft a management letter comment.**

> **Answer:**  
> **Deficiency and Consequence:** Bank payments are prepared and recorded by the same individual without independent review. This increases the risk of fraudulent payments or errors going undetected, resulting in financial loss or misstatement.  
> **Recommendation:** Segregate duties by requiring a senior manager to authorize bank payments. Periodically review payment listings for unusual or unauthorized transactions.

### **Worked Example 1.2**

**No regular reconciliation is performed between the inventory records and physical inventory. Explain the control weakness and recommend an improvement.**

> **Answer:**  
> **Deficiency and Consequence:** Absence of inventory reconciliations may lead to undetected theft, loss, or recording errors, causing misstatement of the inventory balance and profit.  
> **Recommendation:** Initiate monthly inventory reconciliations performed by independent staff, with discrepancies investigated promptly and resolved.

## Assessing the Significance of Deficiencies

Not all deficiencies have the same consequence. Auditors use professional judgment, considering the potential financial impact and frequency, to categorise them as significant or less significant. All significant deficiencies must be communicated in writing to those charged with governance as soon as practicable.

> **Exam Warning**
> Failing to escalate a significant deficiency to the governance level—as required by ISA 265—may result in loss of marks in assessments where scenarios clearly meet the criteria for significance.

## Structure and Wording of Recommendations

Management letter recommendations must be:

- Direct, specifying the control to be implemented or improved.
- Tailored to the identified risk.
- Brief, actionable, and assigned to a responsible role or function.
- Realistic, balancing cost and benefit.

## Example: Management Letter Table

| Deficiency & Consequence                                           | Recommendation                                                                                                                        |
| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
| Supplier statements are not reconciled, risking undetected errors. | Reconcile supplier statements monthly; investigate any differences immediately. Assign responsibility to the purchase ledger manager. |

## Limitations and Disclaimers

The management letter should clearly state:

- Only deficiencies identified during the audit are included—not a comprehensive review of all controls.
- It is for management's use only and not for external parties.
- Further testing may have identified more weaknesses.

> **Key Term: management letter**
> A formal report issued by auditors to management and/or those charged with governance, presenting identified control deficiencies and tailored recommendations, typically at the end of the audit.

## **Summary**

Testing controls allows auditors to rely on effective systems and reduce other audit work. When deficiencies are found, these must be reported to management—significant ones to governance—together with practical recommendations through the management letter. ISA 265 sets out a structured approach for identifying, assessing, and communicating such matters, supporting better overall control environments.

## **Key Point Checklist**

_This article has covered the following key knowledge points:_

- Explain the purpose and procedures for tests of controls in an audit.
- Define and identify deficiencies and significant deficiencies in internal control.
- State when, how, and to whom deficiencies must be communicated, according to ISA 265.
- Describe the content and format of a management letter, including actionable recommendations.
- Distinguish material, significant, and less significant deficiencies for reporting.
- Draft specific management letter comments based on common audit findings.

## **Key Terms and Concepts**

- test of controls
- deficiency in internal control
- significant deficiency
- management letter

Tests of controls and control deficiencies - Deficiencies and management letter (ISA 265)