264 General Principles and Responsibilities
.A39
Exhibit B—Illustrative No Material Weakness
Communication
The following is an illustrative auditor's written communication indicating that
no material weaknesses were identied during the audit of a not-for-prot or-
ganization.
To Management and [identify the body or individuals charged with governance,
such as the entity's Board of Directors] of NPO Organization
In planning and performing our audit of the nancial statements of NPO Orga-
nization (the "Organization") as of and for the year ended December 31, 20XX,
in accordance with auditing standards generally accepted in the United States
of America, we considered the Organization's internal control over nancial
reporting (internal control) as a basis for designing audit procedures that are
appropriate in the circumstances for the purpose of expressing our opinion on
the nancial statements, but not for the purpose of expressing an opinion on
the effectiveness of the Organization's internal control. Accordingly, we do not
express an opinion on the effectiveness of the Organization's internal control.
A deciency in internal control exists when the design or operation of a control
does not allow management or employees, in the normal course of performing
their assigned functions, to prevent, or detect and correct, misstatements on a
timely basis. A material weakness is a deciency, or a combination of decien-
cies, in internal control, such that there is a reasonable possibility that a ma-
terial misstatement of the entity's nancial statements will not be prevented,
or detected and corrected, on a timely basis.
Our consideration of internal control was for the limited purpose described in
the rst paragraph and was not designed to identify all deciencies in internal
control that might be material weaknesses. Given these limitations, during our
audit we did not identify any deciencies in internal control that we consider
to be material weaknesses. However, material weaknesses may exist that have
not been identied.
[If one or more signicant deciencies have been identied, the auditor may
add the following: Our audit was also not designed to identify deciencies in
internal control that might be signicant deciencies. A signicant deciency
is a deciency, or a combination of deciencies, in internal control that is less
severe than a material weakness, yet important enough to merit attention by
those charged with governance. We communicated the signicant deciencies
identied during our audit in a separate communication dated [date].]
This communication is intended solely for the information and use of manage-
ment, [identify the body or individuals charged with governance], others within
the organization, and [identify any governmental authorities to which the audi-
tor is required to report] and is not intended to be, and should not be, used by
anyone other than these specied parties.
1
1
When the engagement is also performed in accordance with Government Auditing Standards,
the alert required by paragraph .14d may read as follows: "The purpose of this communication is solely
to describe the scope of our testing of internal control over nancial reporting and the results of that
testing. This communication is an integral part of an audit performed in accordance with Government
Auditing Standards in considering the Company's internal control over nancial reporting. Accord-
ingly, this communication is not suitable for any other purpose." The AICPA Audit Guide Government
Auditing Standards and Circular A-133 Audits provides additional interpretative guidance, includ-
ing illustrative reports. [Footnote added, effective for the auditor's written communications related to
audits of nancial statements for periods ending on or after December 15, 2012, by SAS No. 125.]
AU-C §265.A39 ©2021, AICPA