2224 Communication to management
Apr-2015

Communication to management

CAS Requirement

The auditor shall also communicate to management at an appropriate level of responsibility on a timely basis (CAS 265.10):

(a)   In writing, significant deficiencies in internal control that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances

(b)   Other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor's professional judgment, are of sufficient importance to merit management's attention

CAS Guidance

Ordinarily, the appropriate level of management is the one that has responsibility and authority to evaluate the deficiencies in internal control and to take the necessary remedial action. For significant deficiencies, the appropriate level is likely to be the chief executive officer or chief financial officer (or equivalent) as these matters are also required to be communicated to those charged with governance. For other deficiencies in internal control, the appropriate level may be operational management with more direct involvement in the control areas affected and with the authority to take appropriate remedial action (CAS 265.A19).

Certain identified significant deficiencies in internal control may call into question the integrity or competence of management. For example, there may be evidence of fraud or intentional non-compliance with laws and regulations by management, or management may exhibit an inability to oversee the preparation of adequate financial statements that may raise doubt about management's competence. Accordingly, it may not be appropriate to communicate such deficiencies directly to management (CAS 265.A20).

CAS 250 establishes requirements and provides guidance on the reporting of identified or suspected non-compliance with laws and regulations, including when those charged with governance are themselves involved in such non-compliance. CAS 240 establishes requirements and provides guidance regarding communication to those charged with governance when the auditor has identified fraud or suspected fraud involving management (CAS 265.A21).

During the audit, the auditor may identify other deficiencies in internal control that are not significant deficiencies but that may be of sufficient importance to merit management's attention. The determination as to which other deficiencies in internal control merit management's attention is a matter of professional judgment in the circumstances, taking into account the likelihood and potential magnitude of misstatements that may arise in the financial statements as a result of those deficiencies (CAS 265.A22).

The communication of other deficiencies in internal control that merit management's attention need not be in writing but may be oral. Where the auditor has discussed the facts and circumstances of the auditor's findings with management, the auditor may consider an oral communication of the other deficiencies to have been made to management at the time of these discussions. Accordingly, a formal communication need not be made subsequently (CAS 265.A23).

If the auditor has communicated deficiencies in internal control other than significant deficiencies to management in a prior period and management has chosen not to remedy them for cost or other reasons, the auditor need not repeat the communication in the current period. The auditor is also not required to repeat information about such deficiencies if it has been previously communicated to management by other parties, such as the internal audit function or regulators. It may, however, be appropriate for the auditor to re-communicate these other deficiencies if there has been a change of management, or if new information has come to the auditor's attention that alters the prior understanding of the auditor and management regarding the deficiencies. Nevertheless, the failure of management to remedy other deficiencies in internal control that were previously communicated may become a significant deficiency requiring communication with those charged with governance. Whether this is the case depends on the auditor's judgment in the circumstances (CAS 265.A24).

In some circumstances, those charged with governance may wish to be made aware of the details of other deficiencies in internal control the auditor has communicated to management, or be briefly informed of the nature of the other deficiencies. Alternatively, the auditor may consider it appropriate to inform those charged with governance of the communication of the other deficiencies to management. In either case, the auditor may report orally or in writing to those charged with governance as appropriate (CAS 265.A25).

CAS 260 establishes relevant considerations regarding communication with those charged with governance when all of them are involved in managing the entity (CAS 265.A26).

OAG Guidance

Discuss the comments we deliver to those charged with governance first with management, and identify our observations (including description, implication, and related risk) and recommendations (including suggestions for improvement). Focus our discussion with management on the facts and circumstances to confirm that the information is accurate.

Management letter

Management letters should normally be prepared under the signature of the engagement leader. Management letters that are not timely do not serve the interests of the entity or meet our own expectations. A draft management letter should normally be issued within one month of the date of the Auditor’s Report. Matters significant enough to be reported should be followed up in a subsequent audit.

Audit Findings Categories

To provide a framework for ranking of financial audit findings according to the risk they represent to the audit and the entity, and to improve consistency of reporting to management and to those charged with governance, audit findings are categorised into three categories using the following criteria:

Category A:

1) those matters that the CAS and/or Office policies require to be communicated irrespective of their significance, and

2) those matters which pose significant business or financial risk (including financial reporting risk and significant non-compliance with applicable legislation) to the audit or to the audit entity and should be addressed as a matter of urgency. This assessment takes account of both the likelihood and consequences of the risk materializing.

Category B:

Those matters which pose moderate business or financial risk, including financial reporting risk, to the audit or to the audit entity, or matters referred to management in the past that have not been addressed satisfactorily. These would include matters where the consequences of the issue might be significant; however, there is little likelihood of the consequences materializing.

Category C:

Those matters which are procedural in nature or minor administrative failings. These could include minor accounting issues or relatively isolated control breakdowns that need to be brought to the attention of management, and could also include non-compliance with legislation that is not significant.

Report to Management

All audit findings categorised in accordance with criteria A and B are to be reported to the appropriate level of management orally first and in writing in accordance with the CAS requirements when applicable. We usually do this in writing in a Management Letter or through other more appropriate means. Judgment may need to be exercised, as some sensitive matters can’t or shouldn’t be communicated in writing.

Audit findings categorised in accordance with criteria C are to be communicated to management orally or in writing in a Management Letter.

Determining the appropriate level of management to report to requires consideration of the management structure of the entity and is a matter of professional judgment. It is preferable to communicate category A and B audit findings to the highest levels of corporate management (CEO/CFO). Category C audit findings should normally be communicated to those individuals responsible for the particular functional area. Ordinarily, it would include the CFO or another member of management reporting through the CFO and can include those who have responsibilities for corporate functions and IT systems.

Format and Timing

Ideally, present this communication on audit findings prior to year-end, but the timing will vary according to client practices. The auditor should communicate matters identified during the financial statement audit on a timely basis. In determining what constitutes a timely basis, the auditor would be guided by the significance of the matter and an assessment of its urgency.

Unless unusual circumstances exist, written communication with management and those charged with governance should occur within 60 days of the date of the audit report.

Communications other than significant deficiencies may be oral, depending on the nature and size of the client and the nature, sensitivity, and significance of the issues being communicated. Include oral communications and related client discussions in the audit documentation.