2222 Determination of significant deficiencies

Oct-2012

CAS Guidance

In determining whether the auditor has identified one or more deficiencies in internal control, the auditor may discuss the relevant facts and circumstances of the auditor's findings with the appropriate level of management. This discussion provides an opportunity for the auditor to alert management on a timely basis to the existence of deficiencies of which management may not have been previously aware. The level of management with whom it is appropriate to discuss the findings is one that is familiar with the internal control area concerned and that has the authority to take remedial action on any identified deficiencies in internal control. In some circumstances, it may not be appropriate for the auditor to discuss the auditor's findings directly with management, for example, if the findings appear to call management's integrity or competence into question (CAS 265.A1).

In discussing the facts and circumstances of the auditor's findings with management, the auditor may obtain other relevant information for further consideration, such as (CAS 265.A2):

• management's understanding of the actual or suspected causes of the deficiencies;

• exceptions arising from the deficiencies that management may have noted, for example, misstatements that were not prevented by the relevant information technology (IT) controls; and

• a preliminary indication from management of its response to the findings.

CAS Guidance

While the concepts underlying controls in the control activities component in smaller entities are likely to be similar to those in larger entities, the formality with which they operate will vary. Further, smaller entities may find that certain types of controls are not necessary because of controls applied by management. For example, management's sole authority for granting credit to customers and approving significant purchases can provide effective control over important account balances and transactions, lessening or removing the need for more detailed controls (CAS 265.A3).

Also, smaller entities often have fewer employees which may limit the extent to which segregation of duties is practicable. However, in a small owner-managed entity, the owner-manager may be able to exercise more effective oversight than in a larger entity. This higher level of management oversight needs to be balanced against the greater potential for management override of controls (CAS 265.A4).

CAS Guidance

The significance of a deficiency or a combination of deficiencies in internal control depends not only on whether a misstatement has actually occurred, but also on the likelihood that a misstatement could occur and the potential magnitude of the misstatement. Significant deficiencies may therefore exist even though the auditor has not identified misstatements during the audit (CAS 265.A5).

Examples of matters that the auditor may consider in determining whether a deficiency or combination of deficiencies in internal control constitutes a significant deficiency include (CAS 265.A6):

• the likelihood of the deficiencies leading to material misstatements in the financial statements in the future;

• the susceptibility to loss or fraud of the related asset or liability;

• the subjectivity and complexity of determining estimated amounts, such as fair value accounting estimates;

• the financial statement amounts exposed to the deficiencies;

• the volume of activity that has occurred or could occur in the account balance or class of transactions exposed to the deficiency or deficiencies;

• the importance of the controls to the financial reporting process; for example:

  • general monitoring controls (such as oversight of management),
  • controls over the prevention and detection of fraud,
  • controls over the selection and application of significant accounting policies,
  • controls over significant transactions with related parties,
  • controls over significant transactions outside the entity's normal course of business, and
  • controls over the period-end financial reporting process (such as controls over non-recurring journal entries).

• the cause and frequency of the exceptions detected as a result of the deficiencies in the controls; and

• the interaction of the deficiency with other deficiencies in internal control.

Indicators of significant deficiencies in internal control include, for example (CAS 265.A7):

• evidence of ineffective aspects of the control environment, such as:
  • indications that significant transactions in which management is financially interested are not being appropriately scrutinized by those charged with governance;
  • identification of management fraud, whether or not material, that was not prevented by the entity's internal control; and
  • management's failure to implement appropriate remedial action on significant deficiencies previously communicated.

• absence of a risk assessment process within the entity where such a process would ordinarily be expected to have been established;

• evidence of an ineffective entity risk assessment process, such as management's failure to identify a risk of material misstatement that the auditor would expect the entity's risk assessment process to have identified;

• evidence of an ineffective response to identified significant risks (for example, absence of controls over such a risk);

• misstatements detected by the auditor's procedures that were not prevented, or detected and corrected, by the entity's internal control;

• restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud; and

• evidence of management's inability to oversee the preparation of the financial statements.

Controls may be designed to operate individually or in combination to effectively prevent, or detect and correct, misstatements. For example, controls over accounts receivable may consist of both automated and manual controls designed to operate together to prevent, or detect and correct, misstatements in the account balance. A deficiency in internal control on its own may not be sufficiently important to constitute a significant deficiency. However, a combination of deficiencies affecting the same account balance or disclosure, assertion, or component of the entity’s system of internal control may increase the risks of misstatement to such an extent as to give rise to a significant deficiency (CAS 265.A8).

Law or regulation in some jurisdictions may establish a requirement (particularly for audits of listed entities) for the auditor to communicate to those charged with governance or to other relevant parties (such as regulators) one or more specific types of deficiency in internal control that the auditor has identified during the audit. Where law or regulation has established specific terms and definitions for these types of deficiency and requires the auditor to use these terms and definitions for the purpose of the communication, the auditor uses such terms and definitions when communicating in accordance with the legal or regulatory requirement (CAS 265.A9).

Where the jurisdiction has established specific terms for the types of deficiency in internal control to be communicated but has not defined such terms, it may be necessary for the auditor to use judgment to determine the matters to be communicated further to the legal or regulatory requirement. In doing so, the auditor may consider it appropriate to have regard to the requirements and guidance in this CAS. For example, if the purpose of the legal or regulatory requirement is to bring to the attention of those charged with governance certain internal control matters of which they should be aware, it may be appropriate to regard such matters as being generally equivalent to the significant deficiencies required by this CAS to be communicated to those charged with governance (CAS 265.A10).

The requirements of this CAS remain applicable notwithstanding that law or regulation may require the auditor to use specific terms or definitions (CAS 265.A11).