Statement on auditing standards - communicating internal control related matters identified in an audit (redrafted).

Statement on Auditing Standards (SAS) Communicating Internal Control Related Matters Identified in an Audit (Redrafted) supersedes SAS No. 115, Communicating Internal Control Related Matters Identified in an Audit (AICPA, Professional Standards, vol. 1, AU sec. 325).
CONTENTS

Introduction
Scope of This Statement on Auditing
 Standards/1-4
Effective Date/5
Objective/6
Definitions/7
Requirements
Determination of Whether Deficiencies in
 Internal Control Have Been Identified/8
Evaluating Identified Deficiencies in Internal
 Control/9-10
Communication of Deficiencies in Internal
 Control/11-16
Application and Other Explanatory Material
Determination of Whether Deficiencies in
 Internal Control Have Been Identified/A1-A4
Evaluating Identified Deficiencies in Internal
 Control/A5-A14
Communication of Deficiencies in Internal
 Control/A15-A36
Exhibit A: Illustrative Written
 Communication/A37
Exhibit B: Illustrative No Material Weakness
 Communication/A38
Exhibit C: Examples of Circumstances That May
 Be Deficiencies, Significant Deficiencies, or
 Material Weaknesses/A39
Exhibit D: Comparison of Statement on Auditing
 Standards Communicating Internal Control
 Related Matters Identified in an Audit
 (Redrafted) With International Standard on
 Auditing 265, Communicating Deficiencies in
 Internal Control to Those Charged with
 Governance and Management/A40


INTRODUCTION

Scope of This Statement on Auditing Standards

1. This Statement on Auditing Standards (SAS) addresses the auditor's responsibility to appropriately communicate to those charged with governance and management deficiencies in internal control that the auditor has identified in an audit of financial statements. This SAS does not impose additional responsibilities on the auditor regarding obtaining an understanding of internal control or designing and performing tests of controls over and above the requirements of the clarified SASs Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Redrafted) and Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Redrafted). The clarified SAS The Auditor's Communication With Those Charged With Governance (Redrafted) establishes further requirements and provides guidance regarding the auditor's responsibility to communicate with those charged with governance in relation to the audit.

2. The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. (1) In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. This SAS specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management.

3. Nothing in this SAS precludes the auditor from communicating to those charged with governance or management other internal control matters that the auditor has identified during the audit.

4. This SAS is not applicable if the auditor is engaged to report on the effectiveness of an entity's internal control over financial reporting under AT section 501, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AICPA, Professional Standards, vol. 1).

Effective Date

5. This SAS is effective for audits of financial statements for periods ending on or after December 15, 2012.

OBJECTIVE

6. The objective of the auditor is to appropriately communicate to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor's professional judgment, are of sufficient importance to merit their respective attentions.

DEFINITIONS

7. For purposes of generally accepted auditing standards, the following terms have the meanings attributed as follows:

Deficiency in internal control. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

REQUIREMENTS

Determination of Whether Deficiencies in Internal Control Have Been Identified

8. The auditor should determine whether, on the basis of the audit work performed, the auditor has identified one or more deficiencies in internal control. (Ref: par. A1-A4)

Evaluating Identified Deficiencies in Internal Control (Ref: par. A5-A14)

9. If the auditor has identified one or more deficiencies in internal control, the auditor should evaluate each deficiency to determine, on the basis of the audit work performed, whether, individually or in combination, they constitute significant deficiencies or material weaknesses.

10. If the auditor determines that a deficiency, or a combination of deficiencies, in internal control is not a material weakness, the auditor should consider whether prudent officials, having knowledge of the same facts and circumstances, would likely reach the same conclusion.

Communication of Deficiencies in Internal Control

11. The auditor should communicate in writing to those charged with governance on a timely basis significant deficiencies and material weaknesses identified during the audit, including those that were remediated during the audit. (Ref: par. A15-A20, A28)

12. The auditor also should communicate to management at an appropriate level of responsibility, on a timely basis (Ref: par. A21 and A28)

a. in writing, significant deficiencies and material weaknesses that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances. (Ref: par. A16, A22-A23)

b. in writing or orally, other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor's professional judgment, are of sufficient importance to merit management's attention. If other deficiencies in internal control are communicated orally, the auditor should document the communication. (Ref: par. A24-A27)

13. The communications referred to in paragraphs 11-12 should be made no later than 60 days following the report release date. (Ref: par. A16-A17)

14. The auditor should include in the written communication of significant deficiencies and material weaknesses (Ref: par. A29-A33)

a. the definition of the term material weakness and, when relevant, the definition of the term significant deficiency.

b. a description of the significant deficiencies and material weaknesses and an explanation of their potential effects. (Ref: par. A29)

c. sufficient information to enable those charged with governance and management to understand the context of the communication. In particular, the auditor should include in the communication the following elements that explain that (Ref: par. A30-A31)

i. the purpose of the audit was for the auditor to express an opinion on the financial statements.

ii. the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of internal control.

iii. the auditor is not expressing an opinion on the effectiveness of internal control.

iv. the auditor's consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses or significant deficiencies may exist that were not identified.

d. in accordance with the proposed SAS Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor's Report, (2) a restriction regarding the use of the communication to management, those charged with governance, others within the organization, and any governmental authority to which the auditor is required to report. (Ref: par. A32)

15. When the auditor issues a written communication stating that no material weaknesses were identified during the audit, the communication should include the matters in paragraph 14(a), (c), and (d). (Ref: par. A34-A36)

16. The auditor should not issue a written communication stating that no significant deficiencies were identified during the audit. (Ref: par. A34)

APPLICATION AND OTHER EXPLANATORY MATERIAL

Determination of Whether Deficiencies in Internal Control Have Been Identified (Ref: par. 8)

A1. In determining whether the auditor has identified one or more deficiencies in internal control, the auditor may discuss the relevant facts and circumstances of the auditor's findings with the appropriate level of management. This discussion provides an opportunity for the auditor to alert management on a timely basis to the existence of deficiencies of which management may not have been previously aware. The level of management with whom it is appropriate to discuss the findings is one that is familiar with the internal control area concerned and that has the authority to take remedial action on any identified deficiencies in internal control. In some circumstances, it may not be appropriate for the auditor to discuss the auditor's findings directly with management (for example, if the findings appear to call management's integrity or competence into question [see paragraph A22]).

A2. In discussing the facts and circumstances of the auditor's findings with management, the auditor may obtain other relevant information for further consideration, such as

* management's understanding of the actual or suspected causes of the deficiencies.

* exceptions arising from the deficiencies that management may have noted (for example, misstatements that were not prevented by the relevant IT controls).

* a preliminary indication from management of its response to the findings.

Considerations Specific to Smaller, Less Complex Entities

A3. Although the concepts underlying control activities in smaller entities are likely to be similar to those in larger entities, the formality with which controls operate will vary. Further, smaller entities may find that certain types of control activities are not necessary because of controls applied by management. For example, management's sole authority for granting credit to customers and approving significant purchases can provide effective control over important account balances and transactions, lessening or removing the need for more detailed control activities.

A4. Also, smaller entities often have fewer employees, which may limit the extent to which segregation of duties is practicable. However, in a small owner-managed entity, the owner-manager may be able to exercise more effective oversight than in a larger entity. On the other hand, such increased management oversight also may increase the risk of management override of controls.

Evaluating Identified Deficiencies in Internal Control (Ref: par. 9-10)

A5. The severity of a deficiency, or a combination of deficiencies, in internal control depends not only on whether a misstatement has actually occurred but also on

* the magnitude of the potential misstatement resulting from the deficiency or deficiencies and

* whether there is a reasonable possibility that the entity's controls will fail to prevent, or detect and correct, a misstatement of an account balance or disclosure. A reasonable possibility exists when the chance of the future event or events occurring is more than remote.

Significant deficiencies and material weaknesses may exist even though the auditor has not identified misstatements during the audit.

A6. Factors that affect the magnitude of a misstatement that might result from a deficiency, or deficiencies, in internal control include, but are not limited to, the following:

* The financial statement amounts or total of transactions exposed to the deficiency

* The volume of activity (in the current period or expected in future periods) in the account or class of transactions exposed to the deficiency

A7. In evaluating the magnitude of the potential misstatement, the maximum amount by which an account balance or total of transactions can be overstated generally is the recorded amount, whereas understatements could be larger.

A8. Risk factors affect whether there is a reasonable possibility that a deficiency, or a combination of deficiencies, in internal control will result in a misstatement of an account balance or disclosure. The factors include, but are not limited to, the following:

* The nature of the financial statement accounts, classes of transactions, disclosures, and assertions involved

* The cause and frequency of the exceptions detected as a result of the deficiency, or deficiencies, in internal control

* The susceptibility of the related asset or liability to loss or fraud

* The subjectivity, complexity, or extent of judgment required to determine the amount involved

* The interaction or relationship of the control(s) with other controls

* The interaction with other deficiencies in internal control

* The possible future consequences of the deficiency, or deficiencies, in internal control

* The importance of the controls to the financial reporting process, for example,

--general monitoring controls (such as oversight of management)

--controls over the prevention and detection of fraud

--controls over the selection and application of significant accounting policies

--controls over significant transactions with related parties

--controls over significant transactions outside the entity's normal course of business

--controls over the period-end financial reporting process (such as controls over nonrecurring journal entries)

A9. The evaluation of whether a deficiency in internal control presents a reasonable possibility of misstatement may be made without quantifying the probability of occurrence as a specific percentage or range. Also, in many cases, the probability of a small misstatement will be greater than the probability of a large misstatement.

A10. Controls may be designed to operate individually, or in combination, to effectively prevent, or detect and correct, misstatements. (3) For example, controls over accounts receivable may consist of both automated and manual controls designed to operate together to prevent, or detect and correct, misstatements in the account balance. A deficiency in internal control on its own may not be sufficiently important to constitute a significant deficiency or a material weakness. However, a combination of deficiencies affecting the same significant account or disclosure, relevant assertion, or component of internal control may increase the risks of misstatement to such an extent to give rise to a significant deficiency or material weakness.

A11. Indicators of material weaknesses in internal control include

* identification of fraud, whether or not material, on the part of senior management;

* restatement of previously issued financial statements to reflect the correction of a material misstatement due to fraud or error;

* identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected by the entity's internal control; and

* ineffective oversight of the entity's financial reporting and internal control by those charged with governance.

Considerations Specific to Governmental Entities

A12. Law or regulation may require the auditor to communicate to those charged with governance or other relevant parties (such as regulators) deficiencies in internal control that the auditor has identified during the audit using specific terms and definitions that differ from those in this SAS. In such circumstances, the auditor uses such terms and definitions when communicating deficiencies in internal control in accordance with the requirements of the law or regulation and in accordance with this SAS.

A13. When law or regulation requires the auditor to communicate deficiencies in internal control that the auditor has identified during the audit using specific terms, but such terms have not been defined, the auditor may use the definitions, requirements, and guidance in this SAS to comply with the law or regulation.

A14. The requirements of this SAS remain applicable, notwithstanding that law or regulation may require the auditor to use specific terms or definitions.

Communication of Deficiencies in Internal Control (Ref: par. 11-16)

Communication of Significant Deficiencies and Material Weaknesses to Those Charged With Governance (Ref: par. 11)

A15. Communicating significant deficiencies and material weaknesses in writing to those charged with governance reflects the importance of these matters and assists those charged with governance in fulfilling their oversight responsibilities. The clarified SAS The Auditor's Communication With Those Charged With Governance (Redrafted) establishes relevant considerations regarding communication with those charged with governance when all of them are involved in managing the entity. (4)

A16. Although the auditor is required by paragraph 13 to make the communications referred to in paragraphs 11-12 no later than 60 days following the report release date, the communication is best made by the report release date because receipt of such communication may be an important factor in enabling those charged with governance to discharge their oversight responsibilities. Nevertheless, because the auditor's written communication of significant deficiencies and material weaknesses forms part of the final audit file, the written communication is subject to the overriding requirement for the auditor to complete the assembly of the final audit file on a timely basis, no later than 60 days following the report release date. (5)

A17. Early communication to those charged with governance or management may be important for some matters because of their relative significance and the urgency for corrective follow-up action. Regardless of the timing of the written communication of significant deficiencies and material weaknesses, the auditor may communicate these orally in the first instance to management and, when appropriate, those charged with governance to assist them in taking timely remedial action to minimize the risks of material misstatement. However, oral communication does not relieve the auditor of the responsibility to communicate the significant deficiencies and material weaknesses in writing, as this SAS requires.

A18. The level of detail at which to communicate significant deficiencies and material weaknesses is a matter of the auditor's professional judgment in the circumstances. Factors that the auditor may consider in determining an appropriate level of detail for the communication include, for example, the following:

* The nature of the entity. For example, the communication required for a governmental entity may be different from that for a nongovernmental entity.

* The size and complexity of the entity. For example, the communication required for a complex entity may be different from that for an entity operating a simple business.

* The nature of significant deficiencies and material weaknesses that the auditor has identified.

* The entity's governance composition. For example, more detail may be needed if those charged with governance include members who do not have significant experience in the entity's industry or in the affected areas.

* Legal or regulatory requirements regarding the communication of specific types of deficiencies in internal control.

A19. Management and those charged with governance may already be aware of significant deficiencies and material weaknesses that the auditor has identified during the audit and may have chosen not to remedy them because of cost or other considerations. The responsibility for evaluating the costs and benefits of implementing remedial action rests with management and those charged with governance. Accordingly, the requirements to communicate significant deficiencies and material weaknesses in paragraphs 11-12 apply, regardless of cost or other considerations that management and those charged with governance may consider relevant in determining whether to remedy such deficiencies.

A20. The fact that the auditor communicated a significant deficiency or material weakness to those charged with governance and management in a previous audit does not eliminate the need for the auditor to repeat the communication if remedial action has not yet been taken. If a previously communicated significant deficiency or material weakness remains, the current year's communication may repeat the description from the previous communication or simply reference the previous communication and the date of that communication. The auditor may ask management or, when appropriate, those charged with governance why the significant deficiency or material weakness has not yet been remedied. A failure to act, in the absence of a rational explanation, may in itself represent a significant deficiency or material weakness.

Communication of Deficiencies in Internal Control to Management (Ref: par. 12)

A21. Ordinarily, the appropriate level of management is the one that has responsibility and authority to evaluate the deficiencies in internal control and to take the necessary remedial action. For significant deficiencies and material weaknesses, the appropriate level is likely to be the CEO or CFO (or equivalent) because these matters also are required to be communicated to those charged with governance. For other deficiencies in internal control, the appropriate level may be operational management with more direct involvement in the control areas affected and with the authority to take appropriate remedial action.

Communication of Significant Deficiencies and Material Weaknesses in Internal Control to Management (Ref: par. 12(a))

A22. Certain identified significant deficiencies or material weaknesses in internal control may call into question the integrity or competence of management. For example, there may be evidence of fraud or intentional noncompliance with laws and regulations by management or management may exhibit an inability to oversee the preparation of adequate financial statements, which may raise doubt about management's competence. Accordingly, it may not be appropriate to communicate such deficiencies directly to management.

A23. The clarified SAS Consideration of Laws and Regulations in an Audit of Financial Statements establishes requirements and provides guidance on the reporting of identified or suspected noncompliance with laws and regulations, including when those charged with governance are themselves involved in such noncompliance. (6) The proposed SAS Consideration of Fraud in a Financial Statement Audit (Redrafted) establishes requirements and provides guidance regarding communication to those charged with governance when the auditor has identified fraud or suspected fraud involving management. (7)

Communication of Other Deficiencies in Internal Control to Management (Ref: par. 12(b))

A24. During the audit, the auditor may identify other deficiencies in internal control that are not significant deficiencies or material weaknesses but that may be of sufficient importance to merit management's attention. The determination regarding which other deficiencies in internal control merit management's attention is a matter of the auditor's professional judgment in the circumstances, taking into account the likelihood and potential magnitude of misstatements that may arise in the financial statements as a result of those deficiencies.

A25. The communication of other deficiencies in internal control that merit management's attention need not be in writing. When the auditor has discussed the facts and circumstances of the auditor's findings with management, the auditor may consider an oral communication of the other deficiencies to have been made to management at the time of these discussions. Accordingly, a formal communication need not be made subsequently.

A26. If the auditor has communicated deficiencies in internal control, other than significant deficiencies or material weaknesses, to management in a prior period and management has chosen not to remedy them for cost or other reasons, the auditor need not repeat the communication in the current period. The auditor also is not required to repeat information about such deficiencies if the information has been previously communicated to management by other parties, such as internal auditors or regulators. However, the auditor may consider it appropriate to recommunicate these other deficiencies if there has been a change of management or if new information has come to the auditor's attention that alters the prior understanding of the auditor and management regarding the deficiencies. Nevertheless, the failure of management to remedy other deficiencies in internal control that were previously communicated may become a significant deficiency requiring communication with those charged with governance. Whether this is the case depends on the auditor's judgment in the circumstances.

A27. In some circumstances, those charged with governance may wish to be made aware of the details of other deficiencies in internal control that the auditor has communicated to management or be briefly informed of the nature of the other deficiencies. Alternatively, the auditor may inform those charged with governance when a communication of other deficiencies has been made to management. In either case, the auditor may report orally or in writing to those charged with governance, as appropriate.

Considerations Specific to Governmental Entities (Ref: par. 11-12)

A28. Auditors performing audits of governmental entities may have additional responsibilities to communicate deficiencies in internal control that the auditor identified during the audit, in a different format, at a level of detail or to parties not envisioned in this SAS. For example, significant deficiencies and material weaknesses may have to be communicated to a governmental authority, and such communications may be required to be made publicly available. Law or regulation also may require auditors to report deficiencies in internal control, irrespective of their severity. Further, law or regulation may require auditors to report on broader internal control-related matters (for example, controls related to compliance with law, regulation, or provisions of contracts or grant agreements). (8)

Content of Written Communication of Significant Deficiencies and Material Weaknesses in Internal Control (Ref: par. 14-16)

A29. In explaining the potential effects of the significant deficiencies and material weaknesses, the auditor need not quantify those effects. The potential effects may be described in terms of the control objectives and types of errors the control was designed to prevent, or detect and correct, or in terms of the risk(s) of misstatement that the control was designed to address. The potential effects may be evident from the description of the significant deficiencies or material weaknesses.

A30. The significant deficiencies or material weaknesses may be grouped together for reporting purposes when it is appropriate to do so. The auditor also may include in the written communication suggestions for remedial action on the deficiencies, management's actual or proposed responses, and a statement about whether the auditor has undertaken any steps to verify whether management's responses have been implemented (see paragraph A33).

A31. The auditor may consider it appropriate to include the following information as additional context for the communication:

* The general inherent limitations of internal control, including the possibility of management override of controls

* The specific nature and extent of the auditor's consideration of internal control during the audit

Restriction on Use (Ref: par. 14(d))

A32. Law or regulation may require the auditor or management to furnish a copy of the auditor's written communication on significant deficiencies and material weaknesses to governmental authorities. When this is the case, the auditor's written communication may identify such governmental authorities in the restricted use paragraph. Because the written communication is a by-product of the audit, the proposed SAS Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor's Report does not permit the auditor to add parties, other than those identified in paragraph 14(d), as specified parties. (9) In some instances, the restricted-use communication may be included in a document that also contains a general-use report. The restricted-use communication remains restricted as to use, and the general-use report continues to be for general use.

Management's Written Response

A33. Management may wish to or may be required by a regulator to prepare a written response to the auditor's communication regarding significant deficiencies or material weaknesses identified during the audit. Such management communications may include a description of corrective actions taken by the entity, the entity's plans to implement new controls, or a statement indicating that management believes the cost of correcting a significant deficiency or material weakness would exceed the benefits to be derived from doing so. If such a written response is included in a document containing the auditor's written communication to management and those charged with governance concerning identified significant deficiencies or material weaknesses, the auditor may add a paragraph to the written communication disclaiming an opinion on such information.

The following is an example of such a paragraph:
 ABC Company's written response to the significant
 deficiencies [and material weaknesses]
 identified in our audit was not subjected
 to the auditing procedures applied in the
 audit of the financial statements and,
 accordingly, we express no opinion on it.


No Material Weakness Communications (Ref: par. 15-16)

A34. Management or those charged with governance may request a written communication indicating that no material weaknesses were identified during the audit. A written communication indicating that no material weaknesses were identified during the audit does not provide any assurance about the effectiveness of an entity's internal control over financial reporting. However, an auditor is not precluded from issuing such a communication, provided that the communication includes the matters required by paragraph 15 of this SAS. However, a written communication indicating that no significant deficiencies were identified during the audit is precluded by paragraph 16 because such a communication has the potential to be misunderstood or misused.

A35. Exhibit B, "Illustrative No Material Weakness Communication," includes an illustrative communication indicating that no material weaknesses were identified during the audit.

Considerations Specific to Governmental Entities

A36. A written communication indicating that no material weaknesses were identified during the audit may be required to be furnished to governmental authorities. As described in paragraph A32, the auditor's written communication may identify the governmental authority as a specified party in the restricted use paragraph. The auditor is not permitted to add other parties as specified parties. (10)

A37.

EXHIBIT A: ILLUSTRATIVE WRITTEN COMMUNICATION

The following is an illustrative written communication encompassing the requirements in paragraph 14 of this Statement on Auditing Standards.

To Management and [identify the body or individuals charged with governance, such as the entity's Board of Directors] of ABC Company

In planning and performing our audit of the financial statements of ABC Company (the "Company") as of and for the year ended December 31, 20XX, in accordance with auditing standards generally accepted in the United States of America, we considered the Company's internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Company's internal control. Accordingly, we do not express an opinion on the effectiveness of the Company's internal control.

Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be [material weaknesses or material weaknesses or significant deficiencies] and therefore, [material weaknesses or material weaknesses or significant deficiencies] may exist that were not identified. However, as discussed below, we identified certain deficiencies in internal control that we consider to be [material weaknesses or significant deficiencies or material weaknesses and significant deficiencies].

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. [We consider the following deficiencies in the Company's internal control to be material weaknesses:]

[Describe the material weaknesses that were identified and an explanation of their potential effects.]

[A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider the following deficiencies in the Company's internal control to be significant deficiencies:]

[Describe the significant deficiencies that were identified and an explanation of their potential effects.]

[If the auditor is communicating significant deficiencies and did not identify any material weaknesses, the auditor may state that none of the identified significant deficiencies are considered to be material weaknesses.]

This communication is intended solely for the information and use of management, [identify the body or individuals charged with governance], others within the organization, and [identify any governmental authorities to which the auditor is required to report] and is not intended to be, and should not be, used by anyone other than these specified parties.

[Auditor's Signature] [Date]

A38.

EXHIBIT B: ILLUSTRATIVE NO MATERIAL WEAKNESS COMMUNICATION

The following is an illustrative written communication indicating that no material weaknesses were identified during the audit.

To Management and [identify the body or individuals charged with governance, such as the entity's Board of Directors] of ABC Company

In planning and performing our audit of the financial statements of ABC Company (the "Company") as of and for the year ended December 31, 20XX, in accordance with auditing standards generally accepted in the United States of America, we considered the Company's internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Company's internal control. Accordingly, we do not express an opinion on the effectiveness of the Company's internal control.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

Our consideration of internal control was for the limited purpose described in the first paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses. Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. However, material weaknesses may exist that have not been identified.

[If one or more significant deficiencies have been identified, the auditor may add the following: Our audit was also not designed to identify deficiencies in internal control that might be significant deficiencies. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We communicated the significant deficiencies identified during our audit in a separate communication dated [date].]

This communication is intended solely for the information and use of management, [identify the body or individuals charged with governance], others within the organization, and [identify any governmental authorities to which the auditor is required to report] and is not intended to be, and should not be, used by anyone other than these specified parties.

[Auditor's Signature] [Date]

A39.

EXHIBIT C: EXAMPLES OF CIRCUMSTANCES THAT MAY BE DEFICIENCIES, SIGNIFICANT DEFICIENCIES, OR MATERIAL WEAKNESSES

Paragraph A11 of this Statement on Auditing Standards identifies indicators of material weaknesses in internal control. The following are examples of circumstances that may be deficiencies, significant deficiencies, or material weaknesses.

Deficiencies in the Design of Controls

The following are examples of circumstances that may be deficiencies, significant deficiencies, or material weaknesses related to the design of controls:

* Inadequate design of controls over the preparation of the financial statements being audited.

* Inadequate design of controls over a significant account or process.

* Inadequate documentation of the components of internal control.

* Insufficient control consciousness within the organization (for example, the tone at the top and the control environment).

* Evidence of ineffective aspects of the control environment, such as indications that significant transactions in which management is financially interested are not being appropriately scrutinized by those charged with governance.

* Evidence of an ineffective entity risk assessment process, such as management's failure to identify a risk of material misstatement that the auditor would expect the entity's risk assessment process to have identified.

* Evidence of an ineffective response to identified significant risks (for example, absence of controls over such a risk).

* Absent or inadequate segregation of duties within a significant account or process.

* Absent or inadequate controls over the safeguarding of assets (this applies to controls that the auditor determines would be necessary for effective internal control over financial reporting).

* Inadequate design of IT general and application controls that prevents the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.

* Employees or management who lack the qualifications and training to fulfill their assigned functions. For example, in an entity that prepares financial statements in accordance with generally accepted accounting principles (GAAP), the person responsible for the accounting and reporting function lacks the skills and knowledge to apply GAAP in recording the entity's financial transactions or preparing its financial statements.

* Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity's internal control over time.

* Absence of an internal process to report deficiencies in internal control to management on a timely basis.

* Absence of a risk assessment process within the entity when such a process would ordinarily be expected to have been established.

Failures in the Operation of Controls

The following are examples of circumstances that may be deficiencies, significant deficiencies, or material weaknesses related to the operation of controls:

* Failure in the operation of effectively designed controls over a significant account or process (for example, the failure of a control such as dual authorization for significant disbursements within the purchasing process).

* Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy (for example, the failure to obtain timely and accurate consolidating information from remote locations that is needed to prepare the financial statements).

* Failure of controls designed to safeguard assets from loss, damage, or misappropriation. This circumstance may need careful consideration before it is evaluated as a significant deficiency or material weakness. For example, assume that a company uses security devices to safeguard its inventory (preventive controls) and also performs timely periodic physical inventory counts (detective control) in relation to its financial reporting. Although the physical inventory count does not safeguard the inventory from theft or loss, it prevents a material misstatement of the financial statements if performed effectively and timely. Therefore, given that the definitions of material weakness and significant deficiency relate to the likelihood of misstatement of the financial statements, the failure of a preventive control, such as inventory tags, will not result in a significant deficiency or material weakness if the detective control (physical inventory counts) prevents a misstatement of the financial statements. Material weaknesses relating to controls over the safeguarding of assets would only exist if the company does not have effective controls (considering both safeguarding and other controls) to prevent, or detect and correct, a material misstatement of the financial statements.

* Failure to perform reconciliations of significant accounts. For example, accounts receivable subsidiary ledgers are not reconciled to the general ledger account in a timely or accurate manner.

* Undue bias or lack of objectivity by those responsible for accounting decisions (for example, consistent understatement of expenses or overstatement of allowances at the direction of management).

* Misrepresentation by entity personnel to the auditor (an indicator of fraud).

* Management override of controls.

* Failure of an application control caused by a deficiency in the design or operation of an IT general control.

* An observed deviation rate that exceeds the number of deviations expected by the auditor in a test of the operating effectiveness of a control. For example, if the auditor designs a test in which he or she selects a sample and expects no deviations, the finding of one deviation is a nonnegligible deviation rate because based on the results of the auditor's test of the sample, the desired level of confidence was not obtained.

A40.

EXHIBIT D: COMPARISON OF STATEMENT ON AUDITING STANDARDS COMMUNICATING INTERNAL CONTROL RELATED MATTERS IDENTIFIED IN AN AUDIT (REDRAFTED) WITH INTERNATIONAL STANDARD ON AUDITING 265, COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT

This analysis was prepared by the Audit and Attest Standards staff to highlight substantive differences between Statement on Auditing Standards (SAS) Communicating Internal Control Related Matters Identified in an Audit (Redrafted) and International Standard on Auditing (ISA) 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management, and the rationale therefore. This analysis is not authoritative and is prepared for informational purposes only. It has not been acted on or reviewed by the Auditing Standards Board (ASB).

Objective and Definitions

The SAS Communicating Internal Control Related Matters Identified in an Audit (Redrafted) includes and defines the term material weakness, whereas ISA 265 does not. The distinction between significant deficiencies and material weaknesses is essential in the United States due to legal and regulatory requirements, including those pertaining to the evaluation of the effectiveness of an entity's internal control over financial reporting.

The definitions of deficiency in internal control and significant deficiency in internal control have been modified to align with the definitions of these terms in Statement on Standards for Attestation Engagements No. 15, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AICPA, Professional Standards, vol. 1, AT sec. 501). The ASB believes that the definitions are consistent with the intent of ISA 265 and that the modifications do not create differences between ISA 265 and the SAS.

Requirements

The SAS requires the auditor to evaluate each deficiency to determine, on the basis of the audit work performed, whether, individually or in combination, they constitute significant deficiencies or material weaknesses. ISA 265 does not explicitly refer to the auditor's evaluation in making this determination. The ASB believes that the requirement in the SAS is consistent with the intent of ISA 265.

The SAS requires the auditor to communicate significant deficiencies and material weaknesses to management and those charged with governance. Because ISA 265 does not include or define the term material weakness, ISA 265 does not contain a requirement to separately identify or communicate material weaknesses.

The SAS also includes additional requirements for the auditor to

* consider, if the auditor determines that a deficiency, or a combination of deficiencies, in internal control is not a material weakness, whether prudent officials, having knowledge of the same facts and circumstances, would likely reach the same conclusion (paragraph 10 of the SAS).

* document the communication of other deficiencies in internal control that are communicated orally to management (paragraph 12(b) of the SAS).

Paragraphs 9-10 of ISA 265 require the auditor to communicate to those charged with governance and management on a timely basis. Paragraph 13 of the SAS requires the communication to be made no later than 60 days following the report release date. ISA 265 recognizes in paragraph A13 that the written communication of significant deficiencies forms part of the final audit file and is subject to the overriding requirement for the auditor to complete the assembly of the final audit file on a timely basis. ISA 230, Audit Documentation, states that an appropriate time limit within which to complete the assembly of the final audit file is ordinarily not more than 60 days after the date of the auditor's report.

Paragraph 11 of ISA 265, which lists the required elements of the written communication, has been modified in paragraph 14 of the SAS to include the following additional items:

* The definition of the term material weakness and, when relevant, the definition of the term significant deficiency

* An explanation that the auditor is not expressing an opinion on the effectiveness of internal control

* An explanation that the auditor's consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies

* A statement restricting the use of the communication to management, those charged with governance, others within the organization, and any governmental authority to which the auditor is required to report

Paragraph 15 of the SAS includes reporting requirements when the auditor issues a written communication stating that no material weaknesses were identified during the audit of the financial statements. Paragraph 16 of the SAS prohibits the issuance of a written communication stating that no significant deficiencies were identified during the audit. ISA 265 does not address the issuance of no material weakness or no significant deficiency communications.

(1.) Paragraph 13 of the clarified Statement on Auditing Standards (SAS) Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements (Redrafted). Paragraphs A61-A67 provide guidance on controls relevant to the audit.

(2.) Paragraphs 9-11 of the proposed SAS Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor's Report.

(3.) Paragraph A68 of the clarified SAS Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements (Redrafted).

(4.) Paragraph 9 of the clarified SAS The Auditor's Communication With Those Charged With Governance (Redrafted)

(5.) Paragraph 16 of the clarified SAS Audit Documentation

(6.) Paragraphs 21-27 of the clarified SAS Consideration of Laws and Regulations in an Audit of Financial Statements

(7.) Paragraph 40 of the proposed SAS Consideration of Fraud in a Financial Statement Audit (Redrafted)

(8.) See SAS No. 117, Compliance Audits (AICPA, Professional Standards, vol. 1, AU sec. 801).

(9.) Paragraph 11 of the proposed SAS Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor's Report

(10.) See footnote 9
COPYRIGHT 2010 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2010 Gale, Cengage Learning. All rights reserved.

Publication:Journal of Accountancy
Date:Nov 1, 2010