Welcome

Communicating control deficiencies - Requirements and method...

ResourcesCommunicating control deficiencies - Requirements and method...

Learning Outcomes

After reading this article, you will be able to explain the auditor’s requirements for communicating deficiencies in internal control, distinguish significant from other deficiencies, and describe the structure, recipients, and content of formal auditor communications (such as management letters). You will also know the typical format and recommendations included, and how these communications are assessed for ACCA exam purposes.

ACCA Foundations in Audit (FAU) Syllabus

For ACCA Foundations in Audit (FAU), you are required to understand the role of auditors in identifying and communicating weaknesses in internal control systems. Specifically, you should focus on:

  • The requirement to communicate deficiencies in internal control identified during an audit
  • The distinction between significant deficiencies and other control weaknesses
  • Appropriate methods and format for communicating control deficiencies to management and those charged with governance
  • The typical content and structure of a report to management (management letter)
  • Professional judgement in assessing which deficiencies must be formally communicated

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. Which standard sets out the requirements for communicating control deficiencies found during an external audit?
  2. Who must receive written communication of significant control deficiencies identified by the auditor?
  3. True or false? Auditors only report material frauds, not other control deficiencies, to management.
  4. What main information should an auditor include when communicating a significant control deficiency to those charged with governance?

Introduction

Auditors regularly identify weaknesses in internal control systems that may increase the risk of error or fraud. While not all such issues affect the audit opinion, auditors have a professional duty to report them promptly to the appropriate members of the client entity. This article explains when and how auditors must communicate control deficiencies, who must be informed, and the recommended structure and content for such communications.

Key Term: control deficiency
A weakness in the design, implementation, or operation of an internal control such that it is unable to prevent or detect and correct misstatements on a timely basis.

Key Term: significant deficiency
A control deficiency, or a combination of deficiencies, in internal control that is serious enough to merit the attention of those charged with governance.

WHY COMMUNICATE CONTROL DEFICIENCIES?

Identifying and reporting control deficiencies is part of the auditor’s responsibility to support sound financial management and good governance. Deficiencies can threaten the reliability of financial information, so their timely communication allows management to address and remedy these weaknesses.

ISA 265 sets out the duties for auditors to communicate defects in internal control. Auditors must use professional judgement to decide which control weaknesses are significant and should be reported to those charged with governance (e.g., the audit committee or board).

WHAT MUST BE COMMUNICATED?

Control deficiencies identified during the audit should be considered in terms of severity and likelihood of resulting in material misstatements. If deficiencies meet the criteria for “significant deficiency,” they must be communicated in writing to those charged with governance and, when appropriate, to management.

Deficiencies that are less severe, but still relevant for improving controls, may be reported separately to management.

Key Term: those charged with governance
The persons or organizations with responsibility for overseeing the strategic direction and obligations of the entity, such as the board of directors or audit committee.

WHAT IS A SIGNIFICANT DEFICIENCY?

The auditor determines significance based on factors like:

  • Probability the deficiency could lead to a material misstatement
  • Size of amounts or balances at risk
  • Frequency and root cause of the deficiency
  • Lack of segregation of duties or a pervasive weakness

Common examples include absence of reconciliations, inadequate authorization procedures, or weak IT controls.

Worked Example 1.1

A medium-sized company does not regularly review user access rights to its accounting system. The auditor discovers that several employees who left the company still have enabled user accounts with administrator privileges. Is this a significant deficiency?

Answer:
Yes. The risk of unauthorized system access and possible manipulation of accounting records is high. This is likely to have an impact on the reliability of financial statements and requires urgent attention by those charged with governance. The auditor must communicate this as a significant deficiency.

METHODS OF COMMUNICATION: WRITTEN AND ORAL

Significant deficiencies must always be shared in writing—usually in a formal management letter or “Report to Management.” Less severe deficiencies may be reported in other ways, such as memos or face-to-face meetings, but written documentation is best practice.

Written communication should:

  • Describe each deficiency and its effect (potential or actual)
  • Explain the context, including the audit’s objectives and scope
  • State that the purpose of the audit was not to provide assurance on internal controls
  • Offer constructive recommendations for improvement (optional, but expected)
  • Request a management response outlining corrective actions

STRUCTURE AND CONTENT OF A MANAGEMENT LETTER

A typical management letter or report includes:

  1. Introduction – Disclaimer that the letter covers only matters noted; not a comprehensive review of all controls.
  2. List of significant deficiencies – Each issue is described, with its implications and possible impact on the financial statements.
  3. Recommendations – Practical suggestions for addressing each deficiency.
  4. Call for management responses – Inviting written replies or planned actions.

The letter is private and confidential, addressed to the board or audit committee, and not released externally without permission.

Worked Example 1.2

The auditor finds that, in the client’s purchasing department, only one person is able to both approve suppliers and authorize payments. This has led to several instances of incorrect payments. How should this be communicated?

Answer:
This lack of segregation of duties is a significant deficiency. The auditor should describe the issue in writing, explain why payments may not be valid, and recommend that payment authorization and supplier approval roles be separated. The report should be sent to the audit committee and copied to relevant management.

Exam Warning

A common error is for candidates to assume that all control deficiencies must be reported only to management. In fact, significant deficiencies must be communicated in writing to those charged with governance, not just management. Failure to do so is a breach of ISA 265.

OTHER COMMUNICATION POINTS

  • Auditors should discuss findings with management before issuing formal communications. This ensures accuracy and encourages prompt response.
  • Minor control flaws that do not rise to the level of significant deficiency can still be communicated in a separate document or meeting.
  • The management letter is not a substitute for the audit opinion and does not diminish auditor independence or objectivity.

Revision Tip

For the exam, memorize the definition of a significant deficiency and understand the minimum content requirements of the management letter or report to management.

Summary

Auditors must communicate significant deficiencies in internal control discovered during audits, generally via a written management letter. Only those weaknesses serious enough to risk material error need be raised to those charged with governance. Written communications must clearly describe each issue, its likely effects, and often suggest improvements.

Key Point Checklist

This article has covered the following key knowledge points:

  • Define control deficiency and significant deficiency
  • Describe ISA 265 requirements for communicating deficiencies in internal control
  • Explain who must receive communications of significant deficiencies and in what format
  • List the main components of a formal management letter (report to management)
  • Apply professional judgement to assess deficiency severity
  • Understand the confidentiality and purpose of the auditor’s management letter

Key Terms and Concepts

  • control deficiency
  • significant deficiency
  • those charged with governance

Assistant

How can I help you?
Expliquer en français
Explicar en español
Объяснить на русском
شرح بالعربية
用中文解释
हिंदी में समझाएं
Give me a quick summary
Break this down step by step
What are the key points?
Study companion mode
Homework helper mode
Loyal friend mode
Academic mentor mode
Expliquer en français
Explicar en español
Объяснить на русском
شرح بالعربية
用中文解释
हिंदी में समझाएं
Give me a quick summary
Break this down step by step
What are the key points?
Study companion mode
Homework helper mode
Loyal friend mode
Academic mentor mode

Responses can be incorrect. Please double check.