2223 Communication to those charged with governance
Oct-2012

Overview

This section discusses:

  • Communication to Those Charged with Governance
Communication to those charged with governance

CAS Requirement

The auditor shall communicate in writing significant deficiencies in internal control identified during the audit to those charged with governance on a timely basis (CAS 265.9).

CAS Guidance

Communicating significant deficiencies in writing to those charged with governance reflects the importance of these matters, and assists those charged with governance in fulfilling their oversight responsibilities. CAS 260 establishes relevant considerations regarding communication with those charged with governance when all of them are involved in managing the entity (CAS 265.A12).

In determining when to issue the written communication, the auditor may consider whether receipt of such communication would be an important factor in enabling those charged with governance to discharge their oversight responsibilities. In addition, for listed entities in certain jurisdictions, those charged with governance may need to receive the auditor's written communication before the date of approval of the financial statements in order to discharge specific responsibilities in relation to internal control for regulatory or other purposes. For other entities, the auditor may issue the written communication at a later date. Nevertheless, in the latter case, as the auditor's written communication of significant deficiencies forms part of the final audit file, the written communication is subject to the overriding requirement for the auditor to complete the assembly of the final audit file on a timely basis. CAS 230 states that an appropriate time limit within which to complete the assembly of the final audit file is ordinarily not more than 60 days after the date of the auditor's report (CAS 265.A13).

Regardless of the timing of the written communication of significant deficiencies, the auditor may communicate these orally in the first instance to management and, when appropriate, to those charged with governance to assist them in taking timely remedial action to minimize the risks of material misstatement. Doing so, however, does not relieve the auditor of the responsibility to communicate the significant deficiencies in writing, as this CAS requires (CAS 265.A14).

The level of detail at which to communicate significant deficiencies is a matter of the auditor's professional judgment in the circumstances. Factors that the auditor may consider in determining an appropriate level of detail for the communication include, for example (CAS 265.A15):

  • The nature of the entity. For example, the communication required for a public interest entity may be different from that for a non-public interest entity.
  • The size and complexity of the entity. For example, the communication required for a complex entity may be different from that for an entity operating a simple business.
  • The nature of significant deficiencies that the auditor has identified.
  • The entity's governance composition. For example, more detail may be needed if those charged with governance include members who do not have significant experience in the entity's industry or in the affected areas.
  • Legal or regulatory requirements regarding the communication of specific types of deficiency in internal control.

Management and those charged with governance may already be aware of significant deficiencies that the auditor has identified during the audit and may have chosen not to remedy them because of cost or other considerations. The responsibility for evaluating the costs and benefits of implementing remedial action rests with management and those charged with governance. Accordingly, the requirement in CAS 265.9 applies regardless of cost or other considerations that management and those charged with governance may consider relevant in determining whether to remedy such deficiencies (CAS 265.A16).

The fact that the auditor communicated a significant deficiency to those charged with governance and management in a previous audit does not eliminate the need for the auditor to repeat the communication if remedial action has not yet been taken. If a previously communicated significant deficiency remains, the current year's communication may repeat the description from the previous communication, or simply reference the previous communication. The auditor may ask management or, where appropriate, those charged with governance, why the significant deficiency has not yet been remedied. A failure to act, in the absence of a rational explanation, may in itself represent a significant deficiency (CAS 265.A17).

OAG Guidance

Significant deficiencies identified by all engagement team members involved in the audit (i.e., IT Audit specialists, actuary, etc.) need to be reported.

We communicate our audit findings through different means. We usually do it in writing in the Report to the Audit Committee—Annual Audit Results and the Management Letter or we do it verbally depending on the significance of the finding and the CAS requirements.

Incorporating management's response in our report to the Audit Committee or those charged with governance is considered good practice.

Audit Findings Categories

To provide a framework for ranking of financial audit findings according to the risk they represent to the audit and the entity, and to improve consistency of reporting to management and to those charged with governance, audit findings are categorised into three categories using the following criteria:

Category A:

1) those matters that the CAS and/or Office policies require be communicated irrespective of their significance, and

2) those matters which pose significant business or financial risk (including financial reporting risk and significant non-compliance with applicable legislation) to the audit or to the audit entity and should be addressed as a matter of urgency. This assessment has taken account of both the likelihood and consequences of the risk materializing.

Category B:

Those matters which pose moderate business or financial risk, including financial reporting risk, to the audit or to the audit entity, or matters referred to management in the past that have not been addressed satisfactorily. These would include matters where the consequences of the issue might be significant, however, there is little likelihood of the consequences materializing.

Category C:

Those matters which are procedural in nature or minor administrative failings. These could include minor accounting issues or relatively isolated control breakdowns which need to be brought to the attention of management and could also include non-compliance with legislation that is not significant.

Report to Those Charged with Governance

As a minimum, category A and B audit findings shall be reported to those charged with governance in writing and in accordance with CAS requirements in the Report to the Audit Committee or through other more appropriate means such as a private phone conversation with the Chair of the Audit Committee to discuss a fraud matter. Judgment may need to be exercised as some sensitive matters can’t or shouldn’t be communicated in writing.

Our Financial Audit Templates deal with the entire communication requirements from those CAS and would be used to communicate with those charged with governance unless determined otherwise.

Making management and those charged with governance aware of potential issues and risks early helps reduce surprises and allows for timely resolutions.

Format and Timing

Ideally, present this communication on audit findings prior to year-end, but the timing will vary according to client practices. The auditor should communicate matters identified during the financial statement audit on a timely basis. In determining what constitutes a timely basis, the auditor would be guided by the significance of the matter and an assessment of its urgency.

The auditor may communicate orally as soon as practicable to those charged with governance about significant deficiencies in internal control that the auditor has identified, prior to communicating these in writing as required by CAS 265. Unless unusual circumstances exist, written communication with management and those charged with governance should occur within 60 days of the date of the audit report.

Audit tip

Make sure all control deficiencies to be included in reports to management and those charged with governance have been discussed at the appropriate levels in the entity, gathering all facts and listening to points of view. This will allow the process owners an opportunity to consider their response internally within the entity when the issue is raised at higher levels. By taking early accountability for discussion of findings and taking steps to confirm facts and circumstances prior to formal reporting, the client's confidence in our judgments and our handling of issues will be enhanced.

Use the opportunity to demonstrate understanding of the entity's business, strategy and industry in how observations, issues and recommendations are framed.

Considerations specific to smaller entities

CAS Guidance

In the case of audits of smaller entities, the auditor may communicate in a less structured manner with those charged with governance than in the case of larger entities (CAS 265.A18).