Communicating Internal Control Related Matters 247
AU-C Section 265
Communicating Internal Control Related
Matters Identified in an Audit
Source: SAS No. 122; SAS No. 125; SAS No. 128; SAS No. 130; SAS
No. 135.
See section 9265 for interpretations of this section.
Effective for audits of nancial statements for periods ending on or
after December 15, 2012, unless otherwise indicated.
Introduction
Scope of This Section
.01 This section addresses the auditor's responsibility to appropriately
communicate to those charged with governance and management deficiencies
in internal control that the auditor has identified in an audit of financial
statements. This section does not impose additional responsibilities on the auditor
regarding obtaining an understanding of internal control or designing and
performing tests of controls over and above the requirements of section 315,
Understanding the Entity and Its Environment and Assessing the Risks of
Material Misstatement, and section 330, Performing Audit Procedures in Response to
Assessed Risks and Evaluating the Audit Evidence Obtained. Section 260, The
Auditor's Communication With Those Charged With Governance, establishes
further requirements and provides guidance regarding the auditor's
responsibility to communicate with those charged with governance regarding the audit.
.02 The auditor is required to obtain an understanding of internal
control relevant to the audit when identifying and assessing the risks of
material misstatement.¹ In making those risk assessments, the auditor considers
internal control in order to design audit procedures that are appropriate in the
circumstances but not for the purpose of expressing an opinion on the
effectiveness of internal control. The auditor may identify deficiencies in internal
control not only during this risk assessment process but also at any other stage
of the audit. This section specifies which identified deficiencies the auditor is
required to communicate to those charged with governance and management.
.03 Nothing in this section precludes the auditor from communicating to
those charged with governance or management other internal control matters
that the auditor has identied during the audit.
.04 This section is not applicable if the auditor is engaged to perform an
audit of internal control over financial reporting that is integrated with an
audit of financial statements. In such circumstances, section 940, An Audit of
Internal Control Over Financial Reporting That Is Integrated With an Audit of
Its Financial Statements, applies. [As amended, effective for audits for periods
ending on or after December 15, 2016, by SAS No. 130. Revised, December 2016,
to reflect conforming changes necessary to reflect the issuance of SAS No. 130.]
¹ Paragraph .13 of section 315, Understanding the Entity and Its Environment and Assessing the
Risks of Material Misstatement. Paragraphs .A61–.A67 of section 315 provide guidance on obtaining
an understanding of internal control relevant to the audit.
©2021, AICPA AU-C §265.04
248 General Principles and Responsibilities
Effective Date
.05 This section is effective for audits of financial statements for periods
ending on or after December 15, 2012.
Objective
.06 The objective of the auditor is to appropriately communicate to those
charged with governance and management deficiencies in internal control that
the auditor has identified during the audit and that, in the auditor's professional
judgment, are of sufficient importance to merit their respective attentions.
Definitions
.07 For purposes of generally accepted auditing standards, the following
terms have the meanings attributed as follows:
Deciency in internal control. A deciency in internal control
over nancial reporting exists when the design or operation of
a control does not allow management or employees, in the nor-
mal course of performing their assigned functions, to prevent, or
detect and correct, misstatements on a timely basis. A deciency
in design exists when (a) a control necessary to meet the control
objective is missing, or (b) an existing control is not properly de-
signed so that, even if the control operates as designed, the control
objective would not be met. A deciency in operation exists when
a properly designed control does not operate as designed or when
the person performing the control does not possess the necessary
authority or competence to perform the control effectively.
Material weakness. A deciency, or a combination of deciencies, in
internal control over nancial reporting, such that there is a rea-
sonable possibility that a material misstatement of the entity's
nancial statements will not be prevented, or detected and cor-
rected, on a timely basis. A reasonable possibility exists when the
likelihood of an event occurring is either reasonably possible or
probable as dened as follows:
Reasonably possible. The chance of the future event or
events occurring is more than remote but less than likely.
Probable. The future event or events are likely to occur.
Signicant deciency. A deciency, or a combination of decien-
cies, in internal control over nancial reporting that is less severe
than a material weakness yet important enough to merit atten-
tion by those charged with governance.
[As amended, effective for audits for periods ending on or after December 15,
2016, by SAS No. 130.]
Requirements
Determination of Whether Deficiencies in Internal Control Have
Been Identified
.08 The auditor should determine whether, on the basis of the audit work
performed, the auditor has identified one or more deficiencies in internal
control. (Ref: par. .A1–.A4)
Evaluating Identified Deficiencies in Internal Control
(Ref: par. .A5–.A14)
.09 If the auditor has identied one or more deciencies in internal control,
the auditor should evaluate each deciency to determine, on the basis of the
audit work performed, whether, individually or in combination, they constitute
signicant deciencies or material weaknesses.
.10 If the auditor initially determines that a deficiency, or a
combination of deficiencies, in internal control is not a material weakness, the
auditor should consider whether prudent officials, having knowledge of the same
facts and circumstances, would likely reach the same conclusion. [As amended,
effective for audits for periods ending on or after December 15, 2016, by SAS
No. 130.]
Communication of Deficiencies in Internal Control
.11 The auditor should communicate in writing to those charged with
governance on a timely basis significant deficiencies and material weaknesses
identified during the audit, including those that were remediated during the
audit. (Ref: par. .A15–.A20 and .A28)
.12 The auditor also should communicate to management at an
appropriate level of responsibility, on a timely basis (Ref: par. .A21 and .A28)
a. in writing, significant deficiencies and material weaknesses that
the auditor has communicated or intends to communicate to those
charged with governance, unless it would be inappropriate to
communicate directly to management in the circumstances. (Ref: par.
.A16 and .A22–.A23)
b. in writing or orally, other deficiencies in internal control
identified during the audit that have not been communicated to
management by other parties and that, in the auditor's professional
judgment, are of sufficient importance to merit management's
attention. If other deficiencies in internal control are communicated
orally, the auditor should document the communication. (Ref: par.
.A24–.A27)
.13 The communications referred to in paragraphs .11–.12 should be made
no later than 60 days following the report release date. (Ref: par. .A16–.A17)
.14 The auditor should include in the auditor's written communication of
significant deficiencies and material weaknesses (Ref: par. .A29–.A33)
a. the definition of the term material weakness and, when relevant,
the definition of the term significant deficiency.
b. a description of the significant deficiencies and material
weaknesses and an explanation of their potential effects. (Ref: par.
.A29)
c. sufficient information to enable those charged with governance
and management to understand the context of the
communication. In particular, the auditor should include in the
communication the following elements that explain that (Ref: par. .A30–.A31)
i. the purpose of the audit was for the auditor to express an
opinion on the financial statements.
ii. the audit included consideration of internal control over
financial reporting in order to design audit procedures
that are appropriate in the circumstances but not for the
purpose of expressing an opinion on the effectiveness of
internal control.
iii. the auditor is not expressing an opinion on the
effectiveness of internal control.
iv. the auditor's consideration of internal control was not
designed to identify all deficiencies in internal control that
might be material weaknesses or significant deficiencies,
and therefore, material weaknesses or significant
deficiencies may exist that were not identified.
d. an appropriate alert, in accordance with section 905, Alert That
Restricts the Use of the Auditor's Written Communication.² (Ref:
par. .A32)
[As amended, effective for the auditor's written communications related to
audits of financial statements for periods ending on or after December 15, 2012,
by SAS No. 125.]
.15 When the auditor issues a written communication stating that no
material weaknesses were identified during the audit, the communication should
include the matters in paragraph .14a and c–d. (Ref: par. .A34–.A36)
.16 The auditor should not issue a written communication stating that no
significant deficiencies were identified during the audit. (Ref: par. .A34)
Application and Other Explanatory Material
Determination of Whether Deficiencies in Internal Control Have
Been Identified (Ref: par. .08)
.A1 In determining whether the auditor has identified one or more
deficiencies in internal control, the auditor may discuss the relevant facts and
circumstances of the auditor's findings with the appropriate level of management.
This discussion provides an opportunity for the auditor to alert management
on a timely basis to the existence of deficiencies of which management may not
have been previously aware. The level of management with whom it is
appropriate to discuss the findings is one that is familiar with the internal control area
concerned and that has the authority to take remedial action on any identified
deficiencies in internal control. In some circumstances, it may not be
appropriate for the auditor to discuss the auditor's findings directly with management
(for example, if the findings appear to call management's integrity or
competence into question [see paragraph .A22]).
.A2 In discussing the facts and circumstances of the auditor's findings with
management, the auditor may obtain other relevant information for further
consideration, such as
• management's understanding of the actual or suspected causes of
  the deficiencies.
• exceptions arising from the deficiencies that management may
  have noted (for example, misstatements that were not prevented
  by the relevant IT controls).
• a preliminary indication from management of its response to the
  findings.
² Paragraphs .06c, .07, and .11 of section 905, Alert That Restricts the Use of the Auditor's Written
Communication. [Footnote added, effective for the auditor's written communications related to audits
of financial statements for periods ending on or after December 15, 2012, by SAS No. 125.]
Considerations Specific to Smaller, Less Complex Entities
.A3 Although the concepts underlying control activities in smaller entities
are likely to be similar to those in larger entities, the formality with which
controls operate will vary. Further, smaller entities may find that certain types of
control activities are not necessary because of controls applied by management.
For example, management's sole authority for granting credit to customers and
approving significant purchases can provide effective control over important
account balances and transactions, lessening or removing the need for more
detailed control activities.
.A4 Also, smaller entities often have fewer employees, which may limit the
extent to which segregation of duties is practicable. However, in a small
owner-managed entity, the owner-manager may be able to exercise more effective
oversight than in a larger entity. On the other hand, such increased management
oversight also may increase the risk of management override of controls.
Evaluating Identified Deficiencies in Internal Control
(Ref: par. .09–.10)
.A5 The severity of a deciency, or a combination of deciencies, in internal
control depends not only on whether a misstatement has actually occurred but
also on
the magnitude of the potential misstatement resulting from the
deciency or deciencies and
whether there is a reasonable possibility that the entity's controls
will fail to prevent, or detect and correct, a misstatement of an
account balance or disclosure.
Signicant deciencies and material weaknesses may exist even though the
auditor has not identied misstatements during the audit. [As amended, ef-
fective for audits for periods ending on or after December 15, 2016, by SAS
No. 130.]
.A6 Factors that affect the magnitude of a misstatement that might result
from a deficiency, or deficiencies, in internal control include, but are not limited
to, the following:
• The financial statement amounts or total of transactions exposed
  to the deficiency
• The volume of activity (in the current period or expected in future
  periods) in the class of transactions or account balance exposed to
  the deficiency
[As amended, effective for audits for periods ending on or after December 15,
2016, by SAS No. 130.]
.A7 In evaluating the magnitude of the potential misstatement, the
maximum amount by which an account balance or total of transactions can be
overstated generally is the recorded amount, whereas understatements could be
larger.
.A8 Risk factors affect whether there is a reasonable possibility that a
deficiency, or a combination of deficiencies, in internal control will result in a
misstatement of an account balance or disclosure. The factors include, but are not
limited to, the following:
• The nature of the financial statement classes of transactions,
  account balances, disclosures, and assertions involved
• The cause and frequency of the exceptions detected as a result of
  the deficiency, or deficiencies, in internal control
• The susceptibility of the related asset or liability to loss or fraud
• The subjectivity, complexity, or extent of judgment required to
  determine the amount involved
• The interaction or relationship of the control(s) with other controls
• The interaction with other deficiencies in internal control
• The possible future consequences of the deficiency, or deficiencies,
  in internal control
• The importance of the controls, such as the following, to the
  financial reporting process:
  ◦ General monitoring controls (such as oversight of
    management)
  ◦ Controls over the prevention and detection of fraud
  ◦ Controls over the selection and application of significant
    accounting policies
  ◦ Controls over significant transactions with related parties
  ◦ Controls over significant unusual transactions
  ◦ Controls over the period-end financial reporting process
    (such as controls over nonrecurring journal entries)
[As amended, effective for audits for periods ending on or after December 15,
2016, by SAS No. 130. As amended, effective for audits of financial statements
for periods ending on or after December 15, 2021, by SAS No. 135.]
.A9 The evaluation of whether a deficiency in internal control presents a
reasonable possibility of misstatement may be made without quantifying the
probability of occurrence as a specific percentage or range. Also, in many cases,
the probability of a small misstatement will be greater than the probability of
a large misstatement.
.A10 Controls may be designed to operate individually, or in combination,
to effectively prevent, or detect and correct, misstatements.³ For example,
controls over accounts receivable may consist of both automated and manual
controls designed to operate together to prevent, or detect and correct,
misstatements in the account balance. A deficiency in internal control on its own may
not be sufficiently important to constitute a significant deficiency or a material
weakness. However, a combination of deficiencies affecting the same class of
transactions, account balance, or disclosure, relevant assertion, or component
of internal control may increase the risks of misstatement to such an extent
to give rise to a significant deficiency or material weakness. [As amended,
effective for audits for periods ending on or after December 15, 2016, by SAS
No. 130.]
.A11 Indicators of material weaknesses in internal control include
• identification of fraud, whether or not material, on the part of
  senior management. For the purpose of this indicator, the term
  "senior management" includes the principal executive and financial
  officers as well as any other members of senior management who
  play a significant role in the entity's financial reporting process;
³ Paragraph .A68 of section 315. [Footnote renumbered by the issuance of SAS No. 125, December
2011.]
• restatement of previously issued financial statements to reflect
  the correction of a material misstatement due to fraud or error;
• identification by the auditor of a material misstatement of the
  financial statements under audit in circumstances that indicate
  that the misstatement would not have been detected and corrected
  by the entity's internal control; and
• ineffective oversight of the entity's financial reporting and
  internal control by those charged with governance.
[As amended, effective for audits for periods ending on or after December 15,
2016, by SAS No. 130.]
Considerations Specific to Governmental Entities
.A12 Law or regulation may require the auditor to communicate to those
charged with governance or other relevant parties (such as regulators)
deficiencies in internal control that the auditor has identified during the audit using
specific terms and definitions that differ from those in this section. In such
circumstances, the auditor uses such terms and definitions when communicating
deficiencies in internal control in accordance with the requirements of the law
or regulation and in accordance with this section.
.A13 When law or regulation requires the auditor to communicate
deficiencies in internal control that the auditor has identified during the audit
using specific terms, but such terms have not been defined, the auditor may use
the definitions, requirements, and guidance in this section to comply with the
law or regulation.
.A14 The requirements of this section remain applicable, notwithstanding
that law or regulation may require the auditor to use specific terms or
definitions.
Communication of Deficiencies in Internal Control
(Ref: par. .11–.16)
Communication of Significant Deficiencies and Material Weaknesses
to Those Charged With Governance (Ref: par. .11)
.A15 Communicating signicant deciencies and material weaknesses in
writing to those charged with governance reects the importance of these mat-
ters and assists those charged with governance in fullling their oversight re-
sponsibilities. Section 260 establishes relevant considerations regarding com-
munication with those charged with governance when all of them are involved
in managing the entity.
4
.A16 Although the auditor is required by paragraph .13 to make the
communications referred to in paragraphs .11–.12 no later than 60 days following
the report release date, the communication is best made by the report release
date because receipt of such communication may be an important factor in
enabling those charged with governance to discharge their oversight
responsibilities. Nevertheless, because the auditor's written communication of significant
deficiencies and material weaknesses forms part of the final audit file, the
written communication is subject to the overriding requirement for the auditor to
⁴ Paragraph .09 of section 260, The Auditor's Communication With Those Charged With
Governance. [Footnote renumbered by the issuance of SAS No. 125, December 2011.]
complete the assembly of the nal audit le on a timely basis, no later than 60
days following the report release date.
5
.A17 Early communication to those charged with governance or
management may be important for some matters because of their relative significance
and the urgency for corrective follow-up action. Regardless of the timing of the
written communication of significant deficiencies and material weaknesses, the
auditor may communicate these orally in the first instance to management
and, when appropriate, those charged with governance to assist them in taking
timely remedial action to minimize the risks of material misstatement.
However, oral communication does not relieve the auditor of the responsibility to
communicate the significant deficiencies and material weaknesses in writing,
as this section requires.
.A18 The level of detail at which to communicate significant deficiencies
and material weaknesses is a matter of the auditor's professional judgment
in the circumstances. Factors that the auditor may consider in determining
an appropriate level of detail for the communication include, for example, the
following:
• The nature of the entity. For example, the communication required
  for a governmental entity may be different from that for a
  nongovernmental entity.
• The size and complexity of the entity. For example, the
  communication required for a complex entity may be different from that for
  an entity operating a simple business.
• The nature of significant deficiencies and material weaknesses
  that the auditor has identified.
• The entity's governance composition. For example, more detail
  may be needed if those charged with governance include members
  who do not have significant experience in the entity's industry or
  in the affected areas.
• Legal or regulatory requirements regarding the communication of
  specific types of deficiencies in internal control.
.A19 Management and those charged with governance may already be
aware of significant deficiencies and material weaknesses that the auditor has
identified during the audit and may have chosen not to remedy them because
of cost or other considerations. The responsibility for evaluating the costs and
benefits of implementing remedial action rests with management and those
charged with governance. Accordingly, the requirements to communicate
significant deficiencies and material weaknesses in paragraphs .11–.12 apply,
regardless of cost or other considerations that management and those charged
with governance may consider relevant in determining whether to remedy such
deficiencies.
.A20 The fact that the auditor communicated a significant deficiency or
material weakness to those charged with governance and management in a
previous audit does not eliminate the need for the auditor to repeat the
communication if remedial action has not yet been taken. If a previously
communicated significant deficiency or material weakness remains, the current year's
communication may repeat the description from the previous communication
or simply reference the previous communication and the date of that
communication. The auditor may ask management or, when appropriate, those charged
⁵ Paragraph .16 of section 230, Audit Documentation. [Footnote renumbered by the issuance of
SAS No. 125, December 2011.]
with governance why the signicant deciency or material weakness has not
yet been remedied. A failure to act, in the absence of a rational explanation,
may in itself represent a signicant deciency or material weakness.
Communication of Deficiencies in Internal Control to Management
(Ref: par. .12)
.A21 Ordinarily, the appropriate level of management is the one that has
responsibility and authority to evaluate the deficiencies in internal control and
to take the necessary remedial action. For significant deficiencies and material
weaknesses, the appropriate level is likely to be the CEO or CFO (or equivalent)
because these matters also are required to be communicated to those charged
with governance. For other deficiencies in internal control, the appropriate level
may be operational management with more direct involvement in the control
areas affected and with the authority to take appropriate remedial action.
Communication of Signicant Deciencies and Material Weaknesses in Internal
Control to Management (Ref: par. .12a)
.A22 Certain identied signicant deciencies or material weaknesses in
internal control may call into question the integrity or competence of manage-
ment. For example, there may be evidence of fraud or intentional noncompli-
ance with laws and regulations by management or management may exhibit
an inability to oversee the preparation of adequate nancial statements, which
may raise doubt about management's competence. Accordingly, it may not be
appropriate to communicate such deciencies directly to management.
.A23 Section 250, Consideration of Laws and Regulations in an Audit of
Financial Statements, establishes requirements and provides guidance on the
reporting of identified or suspected noncompliance with laws and regulations,
including when those charged with governance are themselves involved in such
noncompliance.⁶ Section 240, Consideration of Fraud in a Financial Statement
Audit, establishes requirements and provides guidance regarding
communication to those charged with governance when the auditor has identified fraud or
suspected fraud involving management.⁷
Communication of Other Deciencies in Internal Control to Management (Ref:
par. .12b)
.A24 During the audit, the auditor may identify other deficiencies in
internal control that are not significant deficiencies or material weaknesses but
that may be of sufficient importance to merit management's attention. The
determination regarding which other deficiencies in internal control merit
management's attention is a matter of the auditor's professional judgment in the
circumstances, taking into account the likelihood and potential magnitude of
misstatements that may arise in the financial statements as a result of those
deficiencies.
.A25 The communication of other deficiencies in internal control that
merit management's attention need not be in writing. When the auditor has
discussed the facts and circumstances of the auditor's findings with
management, the auditor may consider an oral communication of the other deficiencies
to have been made to management at the time of these discussions. Accordingly,
a formal communication need not be made subsequently.
⁶ Paragraphs .21–.27 of section 250, Consideration of Laws and Regulations in an Audit of
Financial Statements. [Footnote renumbered by the issuance of SAS No. 125, December 2011.]
⁷ Paragraph .40 of section 240, Consideration of Fraud in a Financial Statement Audit. [Footnote
renumbered by the issuance of SAS No. 125, December 2011.]
.A26 If the auditor has communicated deficiencies in internal control,
other than significant deficiencies or material weaknesses, to management in a
prior period and management has chosen not to remedy them for cost or other
reasons, the auditor need not repeat the communication in the current period.
The auditor also is not required to repeat information about such deficiencies
if the information has been previously communicated to management by other
parties, such as the internal audit function or regulators. However, the
auditor may consider it appropriate to recommunicate these other deficiencies if
there has been a change of management or if new information has come to the
auditor's attention that alters the prior understanding of the auditor and
management regarding the deficiencies. Nevertheless, the failure of management
to remedy other deficiencies in internal control that were previously
communicated may become a significant deficiency requiring communication with those
charged with governance. Whether this is the case depends on the auditor's
professional judgment in the circumstances. [As amended, effective for audits
of financial statements for periods ending on or after December 15, 2014, by
SAS No. 128.]
.A27 In some circumstances, those charged with governance may wish to
be made aware of the details of other deficiencies in internal control that the
auditor has communicated to management or be briefly informed of the nature
of the other deficiencies. Alternatively, the auditor may inform those charged
with governance when a communication of other deficiencies has been made to
management. In either case, the auditor may communicate orally or in writing
to those charged with governance, as appropriate.
Considerations Specific to Governmental Entities (Ref: par. .11–.12)
.A28 Auditors performing audits of governmental entities may have
additional responsibilities to communicate deficiencies in internal control that the
auditor identified during the audit, in a different format, at a level of detail or to
parties not envisioned in this section. For example, significant deficiencies and
material weaknesses may have to be communicated to a governmental
authority, and such communications may be required to be made publicly available.
Law or regulation also may require auditors to report deficiencies in internal
control, irrespective of their severity. Further, law or regulation may require
auditors to report on broader internal control-related matters (for example,
controls related to compliance with law, regulation, or provisions of contracts or
grant agreements).⁸
Content of Written Communication of Significant Deficiencies and Material
Weaknesses in Internal Control (Ref: par. .14–.16)
.A29 In explaining the potential effects of the significant deficiencies and
material weaknesses, the auditor need not quantify those effects. The potential
effects may be described in terms of the control objectives and types of errors
the control was designed to prevent, or detect and correct, or in terms of the
risk(s) of misstatement that the control was designed to address. The potential
effects may be evident from the description of the significant deficiencies or
material weaknesses.
.A30 The signicant deciencies or material weaknesses may be grouped
together for reporting purposes when it is appropriate to do so. The auditor
also may include in the written communication suggestions for remedial action
⁸ See section 935, Compliance Audits. [Footnote renumbered by the issuance of SAS No. 125,
December 2011.]
on the deciencies, management's actual or proposed responses, and a state-
ment about whether the auditor has undertaken any steps to verify whether
management's responses have been implemented (see paragraph .A33).
.A31 The auditor may consider it appropriate to include the following
information as additional context for the communication:
• The general inherent limitations of internal control, including the
  possibility of management override of controls
• The specific nature and extent of the auditor's consideration of
  internal control during the audit
Restriction on Use (Ref: par. .14d)
.A32 In certain cases not involving Government Auditing Standards, law
or regulation may require the auditor or management to furnish a copy of the
auditor's written communication on significant deficiencies and material
weaknesses to governmental authorities. When this is the case, the auditor's written
communication may identify such governmental authorities in the paragraph
containing the alert that restricts the use of the auditor's written
communication. Section 905 does not permit the auditor to add parties, other than those
identified in paragraph .07b of that section.
9
[As amended, effective for the auditor's
written communications related to audits of financial statements for
periods ending on or after December 15, 2012, by SAS No. 125.]
Management’s Written Response
.A33 Management may wish to or may be required by a regulator to prepare
a written response to the auditor's communication regarding significant
deficiencies or material weaknesses identified during the audit. Such management
communications may include a description of corrective actions taken by
the entity, the entity's plans to implement new controls, or a statement indicating
that management believes the cost of correcting a significant deficiency or
material weakness would exceed the benefits to be derived from doing so. If such
a written response is included in a document containing the auditor's written
communication to management and those charged with governance concerning
identified significant deficiencies or material weaknesses, the auditor may
add a paragraph to the written communication disclaiming an opinion on such
information. The following is an example of such a paragraph:
ABC Company's written response to the significant deficiencies [and material
weaknesses] identified in our audit was not subjected to the auditing procedures
applied in the audit of the financial statements and, accordingly, we express no
opinion on it.
No Material Weakness Communications (Ref: par. .15–.16)
.A34 Management or those charged with governance may request a written
communication indicating that no material weaknesses were identified during
the audit. A written communication indicating that no material weaknesses
were identified during the audit does not provide any assurance about the
effectiveness of an entity's internal control over financial reporting. However, an
auditor is not precluded from issuing such a communication, provided that the
communication includes the matters required by paragraph .15. However, a
written communication indicating that no significant deficiencies were
identified during the audit is precluded by paragraph .16 because such a
communication has the potential to be misunderstood or misused.
9 Paragraph .08 of section 905. [Footnote added, effective for the auditor's written communications
related to audits of financial statements for periods ending on or after December 15, 2012, by SAS No.
125.]
.A35 Exhibit B, "Illustrative No Material Weakness Communication,"
includes an illustrative communication indicating that no material weaknesses
were identified during the audit.
Considerations Specific to Governmental Entities
.A36 A written communication indicating that no material weaknesses
were identified during the audit may be required to be furnished to
governmental authorities. As described in paragraph .A32, the auditor's written
communication may identify the governmental authority as a specified party in the
restricted use paragraph. The auditor is not permitted to add other parties as
specified parties.
.A37
Appendix—Examples of Circumstances That May Be
Deficiencies, Significant Deficiencies, or Material
Weaknesses
Paragraph .A11 identifies indicators of material weaknesses in internal control.
The following are examples of circumstances that may be deficiencies,
significant deficiencies, or material weaknesses.
Deficiencies in the Design of Controls
The following are examples of circumstances that may be deficiencies,
significant deficiencies, or material weaknesses related to the design of controls:
• Inadequate design of controls over the preparation of the financial
  statements being audited.
• Inadequate design of controls over a significant account or process.
• Inadequate documentation of the components of internal control.
• Insufficient control consciousness within the organization (for
  example, the tone at the top and the control environment).
• Evidence of ineffective aspects of the control environment, such as
  indications that significant transactions in which management is
  financially interested are not being appropriately scrutinized by
  those charged with governance.
• Evidence of an ineffective entity risk assessment process, such as
  management's failure to identify a risk of material misstatement
  that the auditor would expect the entity's risk assessment process
  to have identified.
• Evidence of an ineffective response to identified significant risks
  (for example, absence of controls over such a risk).
• Absent or inadequate segregation of duties within a significant
  account or process.
• Absent or inadequate controls over the safeguarding of assets (this
  applies to controls that the auditor determines would be necessary
  for effective internal control over financial reporting).
• Inadequate design of IT general and application controls that
  prevents the information system from providing complete and
  accurate information consistent with financial reporting objectives
  and current needs.
• Employees or management who lack the qualifications and
  training to fulfill their assigned functions. For example, in an entity
  that prepares financial statements in accordance with generally
  accepted accounting principles (GAAP), the person responsible for
  the accounting and reporting function lacks the skills and
  knowledge to apply GAAP in recording the entity's financial
  transactions or preparing its financial statements.
• Inadequate design of monitoring controls used to assess the design
  and operating effectiveness of the entity's internal control over
  time.
• Absence of an internal process to report deficiencies in internal
  control to management on a timely basis.
• Absence of a risk assessment process within the entity when such
  a process would ordinarily be expected to have been established.
Failures in the Operation of Controls
The following are examples of circumstances that may be deficiencies,
significant deficiencies, or material weaknesses related to the operation of controls:
• Failure in the operation of effectively designed controls over a
  significant account or process (for example, the failure of a control
  such as dual authorization for significant disbursements within
  the purchasing process).
• Failure of the information and communication component of
  internal control to provide complete and accurate output because of
  deficiencies in timeliness, completeness, or accuracy (for example,
  the failure to obtain timely and accurate consolidating
  information from remote locations that is needed to prepare the financial
  statements).
• Failure of controls designed to safeguard assets from loss, damage,
  or misappropriation. This circumstance may need careful
  consideration before it is evaluated as a significant deficiency or material
  weakness. For example, assume that a company uses security
  devices to safeguard its inventory (preventive controls) and also
  performs timely periodic physical inventory counts (detective control)
  with regard to its financial reporting. Although the physical
  inventory count does not safeguard the inventory from theft or loss, it
  prevents a material misstatement of the financial statements if
  performed effectively and timely. Therefore, given that the
  definitions of material weakness and significant deficiency relate to the
  likelihood of misstatement of the financial statements, the failure
  of a preventive control, such as inventory tags, will not result in a
  significant deficiency or material weakness if the detective control
  (physical inventory counts) prevents a misstatement of the
  financial statements. Material weaknesses relating to controls over the
  safeguarding of assets would only exist if the company does not
  have effective controls (considering both safeguarding and other
  controls) to prevent, or detect and correct, a material
  misstatement of the financial statements.
• Failure to perform reconciliations of significant accounts. For
  example, accounts receivable subsidiary ledgers are not reconciled
  to the general ledger account in a timely or accurate manner.
• Undue bias or lack of objectivity by those responsible for
  accounting decisions (for example, consistent understatement of expenses
  or overstatement of allowances at the direction of management).
• Misrepresentation by entity personnel to the auditor (an indicator
  of fraud).
• Management override of controls.
• Failure of an application control caused by a deficiency in the
  design or operation of an IT general control.
• An observed deviation rate that exceeds the number of deviations
  expected by the auditor in a test of the operating effectiveness of
  a control. For example, if the auditor designs a test in which he
  or she selects a sample and expects no deviations, the finding of
  one deviation is a nonnegligible deviation rate because based on
  the results of the auditor's test of the sample, the desired level of
  confidence was not obtained.
.A38
Exhibit A—Illustrative Auditor’s Written
Communication
The following is an illustrative auditor's written communication encompassing
the requirements in paragraph .14.
To Management and [identify the body or individuals charged with governance,
such as the entity's Board of Directors] of ABC Company
In planning and performing our audit of the financial statements of ABC
Company (the "Company") as of and for the year ended December 31, 20XX, in
accordance with auditing standards generally accepted in the United States of
America, we considered the Company's internal control over financial
reporting (internal control) as a basis for designing audit procedures that are
appropriate in the circumstances for the purpose of expressing our opinion on the
financial statements, but not for the purpose of expressing an opinion on the
effectiveness of the Company's internal control. Accordingly, we do not express
an opinion on the effectiveness of the Company's internal control.
Our consideration of internal control was for the limited purpose described in
the preceding paragraph and was not designed to identify all deficiencies in
internal control that might be [material weaknesses or material weaknesses or
significant deficiencies] and therefore, [material weaknesses or material
weaknesses or significant deficiencies] may exist that were not identified. However,
as discussed below, we identified certain deficiencies in internal control that
we consider to be [material weaknesses or significant deficiencies or material
weaknesses and significant deficiencies].
A deficiency in internal control exists when the design or operation of a control
does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct, misstatements on a
timely basis. A material weakness is a deficiency, or a combination of
deficiencies, in internal control, such that there is a reasonable possibility that a
material misstatement of the entity's financial statements will not be prevented, or
detected and corrected, on a timely basis. [We consider the following deficiencies
in the Company's internal control to be material weaknesses:]
[Describe the material weaknesses that were identified and an explanation of
their potential effects.]
[A significant deficiency is a deficiency, or a combination of deficiencies, in
internal control that is less severe than a material weakness, yet important enough
to merit attention by those charged with governance. We consider the following
deficiencies in the Company's internal control to be significant deficiencies:]
[Describe the significant deficiencies that were identified and an explanation of
their potential effects.]
[If the auditor is communicating significant deficiencies and did not identify any
material weaknesses, the auditor may state that none of the identified significant
deficiencies are considered to be material weaknesses.]
This communication is intended solely for the information and use of
management, [identify the body or individuals charged with governance], others
within the organization, and [identify any governmental authorities to which
the auditor is required to report] and is not intended to be, and should not be,
used by anyone other than these specified parties.
1
[Auditor's signature]
[Auditor's city and state]
[Date]
[As amended, effective for the auditor's written communications related to
audits of financial statements for periods ending on or after December 15,
2012, by SAS No. 125.]
1 When the engagement is also performed in accordance with Government Auditing Standards,
the alert required by paragraph .14d may read as follows: "The purpose of this communication is solely
to describe the scope of our testing of internal control over financial reporting and the results of that
testing. This communication is an integral part of an audit performed in accordance with Government
Auditing Standards in considering the Company's internal control over financial reporting.
Accordingly, this communication is not suitable for any other purpose." The AICPA Audit Guide Government
Auditing Standards and Circular A-133 Audits provides additional interpretative guidance,
including illustrative reports. [Footnote added, effective for the auditor's written communications related to
audits of financial statements for periods ending on or after December 15, 2012, by SAS No. 125.]
.A39
Exhibit B—Illustrative No Material Weakness
Communication
The following is an illustrative auditor's written communication indicating that
no material weaknesses were identified during the audit of a not-for-profit
organization.
To Management and [identify the body or individuals charged with governance,
such as the entity's Board of Directors] of NPO Organization
In planning and performing our audit of the financial statements of NPO
Organization (the "Organization") as of and for the year ended December 31, 20XX,
in accordance with auditing standards generally accepted in the United States
of America, we considered the Organization's internal control over financial
reporting (internal control) as a basis for designing audit procedures that are
appropriate in the circumstances for the purpose of expressing our opinion on
the financial statements, but not for the purpose of expressing an opinion on
the effectiveness of the Organization's internal control. Accordingly, we do not
express an opinion on the effectiveness of the Organization's internal control.
A deficiency in internal control exists when the design or operation of a control
does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct, misstatements on a
timely basis. A material weakness is a deficiency, or a combination of
deficiencies, in internal control, such that there is a reasonable possibility that a
material misstatement of the entity's financial statements will not be prevented,
or detected and corrected, on a timely basis.
Our consideration of internal control was for the limited purpose described in
the first paragraph and was not designed to identify all deficiencies in internal
control that might be material weaknesses. Given these limitations, during our
audit we did not identify any deficiencies in internal control that we consider
to be material weaknesses. However, material weaknesses may exist that have
not been identified.
[If one or more significant deficiencies have been identified, the auditor may
add the following: Our audit was also not designed to identify deficiencies in
internal control that might be significant deficiencies. A significant deficiency
is a deficiency, or a combination of deficiencies, in internal control that is less
severe than a material weakness, yet important enough to merit attention by
those charged with governance. We communicated the significant deficiencies
identified during our audit in a separate communication dated [date].]
This communication is intended solely for the information and use of
management, [identify the body or individuals charged with governance], others within
the organization, and [identify any governmental authorities to which the
auditor is required to report] and is not intended to be, and should not be, used by
anyone other than these specified parties.
1
[Auditor's signature]
[Auditor's city and state]
[Date]
[As amended, effective for the auditor's written communications related to
audits of financial statements for periods ending on or after December 15,
2012, by SAS No. 125.]
1 When the engagement is also performed in accordance with Government Auditing Standards,
the alert required by paragraph .14d may read as follows: "The purpose of this communication is solely
to describe the scope of our testing of internal control over financial reporting and the results of that
testing. This communication is an integral part of an audit performed in accordance with Government
Auditing Standards in considering the Company's internal control over financial reporting.
Accordingly, this communication is not suitable for any other purpose." The AICPA Audit Guide Government
Auditing Standards and Circular A-133 Audits provides additional interpretative guidance,
including illustrative reports. [Footnote added, effective for the auditor's written communications related to
audits of financial statements for periods ending on or after December 15, 2012, by SAS No. 125.]