2222 Determination of significant deficiencies
Oct-2012

Overview

This section discusses:

  • Determination of deficiencies in internal control
  • Determining if the deficiencies constitute significant deficiencies

Deficiencies in internal control

CAS Requirement

The auditor shall determine whether, on the basis of the audit work performed, the auditor has identified one or more deficiencies in internal control (CAS 265.7).

CAS Guidance

In determining whether the auditor has identified one or more deficiencies in internal control, the auditor may discuss the relevant facts and circumstances of the auditor's findings with the appropriate level of management. This discussion provides an opportunity for the auditor to alert management on a timely basis to the existence of deficiencies of which management may not have been previously aware. The level of management with whom it is appropriate to discuss the findings is one that is familiar with the internal control area concerned and that has the authority to take remedial action on any identified deficiencies in internal control. In some circumstances, it may not be appropriate for the auditor to discuss the auditor's findings directly with management, for example, if the findings appear to call management's integrity or competence into question (CAS 265.A1).

In discussing the facts and circumstances of the auditor's findings with management, the auditor may obtain other relevant information for further consideration, such as (CAS 265.A2):

  • management's understanding of the actual or suspected causes of the deficiencies;

  • exceptions arising from the deficiencies that management may have noted, for example, misstatements that were not prevented by the relevant information technology (IT) controls; and

  • a preliminary indication from management of its response to the findings.

OAG Guidance

Issues and conditions may come to our attention through the scoping and understanding process, as well as through testing of controls and substantiating other audit evidence.

Audit tip

For each item posted to the SUM and proposed audit adjustments recorded by management, evaluate whether any potential underlying internal control deficiencies exist.

Look to use this information as a way to share insights and observations when discussing with management and reporting to those charged with governance.

Considerations specific to smaller entities

CAS Guidance

While the concepts underlying controls in the control activities component in smaller entities are likely to be similar to those in larger entities, the formality with which they operate will vary. Further, smaller entities may find that certain types of controls are not necessary because of controls applied by management. For example, management's sole authority for granting credit to customers and approving significant purchases can provide effective control over important account balances and transactions, lessening or removing the need for more detailed controls (CAS 265.A3).

Also, smaller entities often have fewer employees, which may limit the extent to which segregation of duties is practicable. However, in a small owner-managed entity, the owner-manager may be able to exercise more effective oversight than in a larger entity. This higher level of management oversight needs to be balanced against the greater potential for management override of controls (CAS 265.A4).

Significant deficiencies

CAS Requirement

If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on the basis of the audit work performed, whether, individually or in combination, they constitute significant deficiencies (CAS 265.8).

CAS Guidance

The significance of a deficiency or a combination of deficiencies in internal control depends not only on whether a misstatement has actually occurred, but also on the likelihood that a misstatement could occur and the potential magnitude of the misstatement. Significant deficiencies may therefore exist even though the auditor has not identified misstatements during the audit (CAS 265.A5).

Examples of matters that the auditor may consider in determining whether a deficiency or combination of deficiencies in internal control constitutes a significant deficiency include (CAS 265.A6):

  • the likelihood of the deficiencies leading to material misstatements in the financial statements in the future;

  • the susceptibility to loss or fraud of the related asset or liability;

  • the subjectivity and complexity of determining estimated amounts, such as fair value accounting estimates;

  • the financial statement amounts exposed to the deficiencies;

  • the volume of activity that has occurred or could occur in the account balance or class of transactions exposed to the deficiency or deficiencies;

  • the importance of the controls to the financial reporting process; for example:

    • general monitoring controls (such as oversight of management),
    • controls over the prevention and detection of fraud,
    • controls over the selection and application of significant accounting policies,
    • controls over significant transactions with related parties,
    • controls over significant transactions outside the entity's normal course of business, and
    • controls over the period-end financial reporting process (such as controls over non-recurring journal entries).
  • the cause and frequency of the exceptions detected as a result of the deficiencies in the controls; and

  • the interaction of the deficiency with other deficiencies in internal control.

Indicators of significant deficiencies in internal control include, for example (CAS 265.A7):

  • evidence of ineffective aspects of the control environment, such as:
    • indications that significant transactions in which management is financially interested are not being appropriately scrutinized by those charged with governance;
    • identification of management fraud, whether or not material, that was not prevented by the entity's internal control; and
    • management's failure to implement appropriate remedial action on significant deficiencies previously communicated.
  • absence of a risk assessment process within the entity where such a process would ordinarily be expected to have been established;

  • evidence of an ineffective entity risk assessment process, such as management's failure to identify a risk of material misstatement that the auditor would expect the entity's risk assessment process to have identified;

  • evidence of an ineffective response to identified significant risks (for example, absence of controls over such a risk);

  • misstatements detected by the auditor's procedures that were not prevented, or detected and corrected, by the entity's internal control;

  • restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud; and

  • evidence of management's inability to oversee the preparation of the financial statements.

Controls may be designed to operate individually or in combination to effectively prevent, or detect and correct, misstatements. For example, controls over accounts receivable may consist of both automated and manual controls designed to operate together to prevent, or detect and correct, misstatements in the account balance. A deficiency in internal control on its own may not be sufficiently important to constitute a significant deficiency. However, a combination of deficiencies affecting the same account balance or disclosure, assertion, or component of the entity’s system of internal control may increase the risks of misstatement to such an extent as to give rise to a significant deficiency (CAS 265.A8).

Law or regulation in some jurisdictions may establish a requirement (particularly for audits of listed entities) for the auditor to communicate to those charged with governance or to other relevant parties (such as regulators) one or more specific types of deficiency in internal control that the auditor has identified during the audit. Where law or regulation has established specific terms and definitions for these types of deficiency and requires the auditor to use these terms and definitions for the purpose of the communication, the auditor uses such terms and definitions when communicating in accordance with the legal or regulatory requirement (CAS 265.A9).

Where the jurisdiction has established specific terms for the types of deficiency in internal control to be communicated but has not defined such terms, it may be necessary for the auditor to use judgment to determine the matters to be communicated further to the legal or regulatory requirement. In doing so, the auditor may consider it appropriate to have regard to the requirements and guidance in this CAS. For example, if the purpose of the legal or regulatory requirement is to bring to the attention of those charged with governance certain internal control matters of which they should be aware, it may be appropriate to regard such matters as being generally equivalent to the significant deficiencies required by this CAS to be communicated to those charged with governance (CAS 265.A10).

The requirements of this CAS remain applicable notwithstanding that law or regulation may require the auditor to use specific terms or definitions (CAS 265.A11).

OAG Guidance

We communicate our audit findings through different means. We usually do it in writing in the Report to the Audit Committee—Annual Audit Results and the Management Letter, or we do it verbally depending on the significance of the finding and the CAS requirements.

Audit Findings Categories

To provide a framework for ranking of financial audit findings according to the risk they represent to the audit and the entity, and to improve consistency of reporting to management and to those charged with governance, audit findings are categorised into three categories using the following criteria:

Category A:

1) those matters that the CAS and/or Office policies require to be communicated irrespective of their significance, and

2) those matters which pose significant business or financial risk (including financial reporting risk and significant non-compliance with applicable legislation) to the audit or to the audit entity and should be addressed as a matter of urgency. This assessment has taken account of both the likelihood and consequences of the risk materializing.

Category B:

Those matters which pose moderate business or financial risk, including financial reporting risk, to the audit or to the audit entity, or matters referred to management in the past that have not been addressed satisfactorily. These would include matters where the consequences of the issue might be significant; however, there is little likelihood of the consequences materializing.

Category C:

Those matters which are procedural in nature or minor administrative failings. These could include minor accounting issues or relatively isolated control breakdowns that need to be brought to the attention of management and could also include non-compliance with legislation that is not significant.

Report to Management

All audit findings categorised in accordance with criteria A and B are to be reported to the appropriate level of management orally first and in writing in accordance with the CAS requirements when applicable. We usually do this in writing in a Management Letter or through other more appropriate means. Judgment may need to be exercised, as some sensitive matters can’t or shouldn’t be communicated in writing.

Audit findings categorised in accordance with criteria C are to be communicated to management orally or in writing in a Management Letter.

Determining the appropriate level of management to report to requires consideration of the management structure of the entity and is a matter of professional judgment. It is preferable to communicate category A and B audit findings to the highest levels of corporate management (CEO/CFO). Category C audit findings should normally be communicated to those individuals responsible for the particular functional area. Ordinarily, it would include the CFO or another member of management reporting through the CFO and can include those who have responsibilities for corporate functions and IT systems.

Report to Those Charged with Governance

As a minimum, category A and B audit findings shall be reported to those charged with governance in writing and in accordance with CAS requirements in the Report to the Audit Committee or through other more appropriate means such as a private phone conversation with the Chair of the Audit Committee to discuss a fraud matter. Judgment may need to be exercised as some sensitive matters can’t or shouldn’t be communicated in writing.

Our Financial Audit Templates deal with the entire communication requirements from those CASs and would be used to communicate with those charged with governance unless determined otherwise.

Making management and those charged with governance aware of potential issues and risks early helps reduce surprises and allows for timely resolutions.

Format and Timing

Ideally, present this communication on audit findings prior to year-end, but the timing will vary according to client practices. The auditor should communicate matters identified during the financial statement audit on a timely basis. In determining what constitutes a timely basis, the auditor would be guided by the significance of the matter and an assessment of its urgency.

The auditor may communicate orally as soon as practicable to those charged with governance about significant deficiencies in internal control that the auditor has identified, prior to communicating these in writing as required by CAS 265. Unless unusual circumstances exist, written communication with management and those charged with governance should occur within 60 days of the date of the audit report.