Session 13

Communication on
Internal Control

FOCUS
This session covers the following content from the ACCA Study Guide.

C. Internal Control
2. The use and evaluation of internal control systems by auditors
b) Evaluate internal control components, including deficiencies and significant
deficiencies in internal control.
4. Communication on internal control
a) Discuss and provide examples of how the reporting of significant
deficiencies in internal control and recommendations to overcome those
significant deficiencies are provided to management.

Session 13 Guidance
Learn the terms "deficiency" and "significant deficiency," and attempt Example 1 (s.1).
Understand the auditor's responsibilities for reporting deficiencies (s.2).
Attempt Examples 2 and 3 before reading the sample letter.

F8 Audit and Assurance (INT) Becker Professional Education | ACCA Study System

Ali Niaz - [email protected]

VISUAL OVERVIEW
Objective: To outline how significant deficiencies in internal control and recommendations
to fix those deficiencies are provided to management.

DEFICIENCIES IN INTERNAL
CONTROL
• Deficiencies
• Significant Deficiencies

COMMUNICATING DEFICIENCIES
• Requirement to Report
• Report to Management
• Content
• Supporting Detail
• Follow-up
• Interested Third Parties

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 13-1

Ali Niaz - [email protected]

Session 13 • Communication on Internal Control F8 Audit and Assurance (INT)

1 Deficiencies in Internal Control

1.1 Deficiencies
 The relevant standard is ISA 265 Communicating Deficiencies
in Internal Control to Those Charged With Governance and
Management.

A deficiency in internal control exists when:

 A control is designed, implemented or operated in such a way that
it is unable to prevent, or to detect and correct, misstatements in
the financial statements on a timely basis; or
 A control necessary to prevent, or to detect and correct, mis-
statements in the financial statements on a timely basis is missing.

1.2 Significant Deficiencies

A significant deficiency in internal control is a deficiency (or

combination of deficiencies) that, in the auditor's professional
judgement, is of sufficient importance to merit the attention of those
charged with governance.

 Examples of matters that the auditor may consider in

determining whether a deficiency or combination of deficiencies
in internal control constitutes a significant deficiency include:
 The likelihood of the deficiencies leading to material
misstatements in the financial statements in the future.
 The susceptibility to loss or fraud of the related asset or
liability (Session 11).
 The subjectivity and complexity of determining estimated
amounts (Session 17).
 The financial statement amounts exposed to the deficiencies.
 The volume of activity that has occurred or could occur in
the account balance or class of transactions exposed to the
deficiency or deficiencies.

13-2 © 2014 DeVry/Becker Educational Development Corp. All rights reserved.

Ali Niaz - [email protected]

F8 Audit and Assurance (INT) Session 13 • Communication on Internal Control

 The importance of the controls to the financial reporting

process, for example:
—General monitoring (such as oversight of management).
—Prevention and detection of fraud.
—Selection and application of significant accounting policies.
—Significant transactions with related parties.
—Significant transactions outside the entity's normal course
of business.
—Period-end financial reporting process (e.g. non-recurring
journal entries).
 The cause and frequency of the exceptions detected as a
result of the deficiencies.
 The interaction of the deficiency with other control
deficiencies.

Example 1 Indicators of Significant Deficiencies

Suggest FOUR examples of indicators of significant deficiencies in internal controls.

Solution

1.

2.

3.

4.

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 13-3

Ali Niaz - [email protected]

Session 13 • Communication on Internal Control F8 Audit and Assurance (INT)

2 Communicating Deficiencies

2.1 Requirement to Report

2.1.1 Significant Deficiencies
 All deficiencies identified as significant should be reported
in writing to those charged with governance (e.g. the whole
board and not just individual directors).
 Under many corporate governance codes, all deficiencies
should be initially discussed with the audit committee before
the issue of a formal report on significant deficiencies.
 Similarly, significant deficiencies should also be reported
to those with the appropriate related management *Great care must
responsibilities (e.g. with operational rights over the control be taken by the
auditor not to breach
and authority to make amendments; the CFO or CEO) if not
legal requirements
part of the governance structure.* that restrict such
communications.
For example, non-
compliance with
controls that may
indicate money
*Where certain identified significant deficiencies in internal control laundering
may call into question the integrity or competence of management, (Session 11).
the auditor may decide to only report such matters to those charged
with governance rather than both those charged with governance
and management.

 Those charged with governance must be made aware (by the

auditor) of all matters discussed with management relating to
deficiencies.
 Where the entity is subject to a specific regulatory regime,
it may be a requirement for the auditor to report certain
control deficiencies directly to the regulators. In some cases,
this may be without the awareness of those charged with
governance.*

13-4 © 2014 DeVry/Becker Educational Development Corp. All rights reserved.

Ali Niaz - [email protected]

F8 Audit and Assurance (INT) Session 13 • Communication on Internal Control

2.1.2 Other Deficiencies

 Deficiencies identified that are not significant, but (using
professional judgement) the auditor considers should be
drawn to the attention of management, may be:*
 discussed with those charged with governance, if they wish
to be made aware of such matters (e.g. under corporate
governance regulations); and/or
 included as a subsection in the written report on significant
deficiencies if required by those charged with governance;
and/or
 reported (orally or in writing) only to management where
considered to be of use to management.

*Where the auditors note that other deficiencies previously reported

have not been acted upon, there is no need to repeat them in the
current year. But should the auditor consider the non-action to be
a significant deficiency in control, this should be reported to those
charged with governance.

2.2 Report to Management

 The most common way of communicating in writing significant
deficiencies to those charged with governance and management
is through the use of a letter to management (also called a
letter of weakness, internal control memorandum, letter of
recommendation, constructive service letter or post-audit letter).
 The requirement of ISA 265 to inform those charged with
governance of significant deficiencies in writing is explained to
those charged with governance through the engagement letter
(see Session 5).

As well as reporting control weaknesses, the report to management

may be used:
 to provide constructive advice on business systems, risk systems
and risk management (e.g. by benchmarking the client's systems
against expected norms as part of the auditor's understanding the
entity and environment);
 to indicate areas in which audit efficiency could be improved
and thereby reduce audit costs (e.g. extended use of CAATs,
preparation of documents by the client);
 to protect the auditor against potential litigation by showing
that significant deficiencies had been identified and drawn to the
attention of those charged with governance and management.

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 13-5

Ali Niaz - [email protected]

Session 13 • Communication on Internal Control F8 Audit and Assurance (INT)

2.3 Content
 The letter to management must be addressed to those
charged with governance (e.g. the board) and not to an
individual director. The auditor should ensure that its contents
have been fully discussed by those charged with governance
(e.g. as shown by minutes of a board meeting).
 The report should be clear, concise, constructive and
structured. It will usually consist of two elements:
 a covering letter; and
 supporting detail and possible effect of the deficiency,
suggestions for corrective action and management response.
 The detail in the letter should not conflict with the opinion
expressed in the audit report (e.g. matters in the report
indicate that proper books and records have not been kept,
yet the audit report is unmodified).
 The covering letter should contain statements that:
 The purpose of the audit was for the auditor to express an
opinion on the financial statements;
 Accounting and internal control systems were considered
only to the extent necessary to determine the auditing
procedures (i.e. design/implementation plus effectiveness if
deemed appropriate to obtain audit assurance) and not to
determine the adequacy of internal control for management
purposes or to provide assurance or express an opinion on
the accounting and internal control systems;
 Only deficiencies in internal control which have come to the
auditor's attention as a result of audit procedures and that
are considered to be of sufficient (significant) importance to
be reported are included;
 If the auditor had performed more extensive procedures on
internal control he might have identified more deficiencies
to be reported; and
 The report is provided for use only by those charged with
governance and management in the context of the audit
and may not be suitable for other purposes.

Example 2 Qualities
Suggest SIX qualities that an audit manager might look for when reviewing a letter to
management regarding significant deficiencies in internal control drafted by an audit senior.

Solution

1.

2.

3.

4.

5.

6.

13-6 © 2014 DeVry/Becker Educational Development Corp. All rights reserved.

Ali Niaz - [email protected]

F8 Audit and Assurance (INT) Session 13 • Communication on Internal Control

2.4 Form and Presentation of Supporting Detail

 Matters may be included in the body of the covering letter, or as
a separate appendix. They will usually be prioritised (e.g. high
risk first, lower risk following; in other words, significant matters
first, and then other matters). They may also be categorised
into audit sections (e.g. sales, inventory, receivables).
 A common structure of the recommendations covers:

Explanation/details • The description of each deficiency is concise, but specific,

and the extent of the error is quantified where appropriate.

Consequence/impact • Expressed in terms of the financial statements (e.g. they

could contain errors in the future) and/or the entity's assets
(e.g. future financial loss may result). Care must be taken
not to imply that such errors have actually lead to financial
loss, unless such loss has been quantified or that any
employee has taken advantage of the weakness, unless such
action has been quantified.

Recommendation • How each deficiency could be eliminated. Recommendations

must be practical, beneficial and cost-effective to encourage
management to adopt them.

Management • If points have already been discussed with those charged

response with governance/management, include actions agreed upon.
Otherwise, request a reply to points raised.

 All matters raised should normally be in writing. However, if

a written report is considered unnecessary, inappropriate or
not cost-effective (e.g. if there's only one matter of note) the
matter should be discussed with the client and fully recorded
as audit evidence in the working papers. Ideally, a copy of the
note should be sent to the client for confirmation and response.

2.5 Follow-up
 Once issued, the response of those charged with governance/
management should be obtained as quickly as possible and
assessed for its effect on the next stage of the audit (e.g. if
recommendations can be implemented before the year-end
and final audits).*

*In any case, all matters that would affect those charged with
governance/management carrying out their duties should
be resolved before the financial statements are approved by
management. Similarly, any matters affecting the audit opinion
must be resolved before the opinion can be issued. All other issues
should be documented as part of the working papers within 60 days
of the issue of the audit report (ISA 230 Session 6).

 Prior-year communications should be reviewed as part of

the planning for the current audit. If controls have been
implemented, their design, implementation and potential for
testing must be assessed.

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 13-7

Ali Niaz - [email protected]

Session 13 • Communication on Internal Control F8 Audit and Assurance (INT)

Example 3 Report to Management

You are the auditor of Homecontrols, a company which manufactures components for
domestic appliances. The company operates a perpetual inventory system and also
performs quarterly physical inventory counts, amending the perpetual inventory records
where appropriate to reflect actual quantities counted.
During your interim visit, you review the results of the last physical count. It appears
that a number of high-value items included in the records were not in inventory. Also,
returns from customers are added into physical inventory but are not recorded in the
perpetual inventory records.
Required:
Draft, for inclusion in a report to management, the deficiencies identified, their
possible implications and recommendations to address them.
Solution
Deficiencies

Implications

Recommendations

13-8 © 2014 DeVry/Becker Educational Development Corp. All rights reserved.

Ali Niaz - [email protected]

F8 Audit and Assurance (INT) Session 13 • Communication on Internal Control

2.6 Interested Third Parties

 The auditor cannot disclose the detail of the report to
management to any third party without the client's consent,
as it is confidential information. A disclaimer/caveat would
normally be included in the report, stating that:
 the report has been prepared for use by those charged with
governance/management (or other specific named party);
 the written consent of the auditor is required for the client
to disclose the information to another party;
 the auditor has no responsibility to third parties.

Illustration 1
Specimen Letter

The Board of Directors Per. Schorsa, 777

Revup Automotives Oceanana, 030598
Rada Str, 56A 21 May 20XY
Oceanana, 010145

To those charged with governance and management.

20XY Interim Audit

During our recent interim audit for the year ending 30 June 20XY, we examined
the controls and procedures that you have established to provide reasonable
assurance about the achievement of the company's objectives with regard
to the reliability of financial reporting, the effectiveness and efficiency of its
operations, and compliance with laws and regulations.
As stated in our engagement letter of 1 August 20XX, and reaffirmed at our
meeting on 26 April 20XY, we are writing to you in order to draw your attention
to those matters that have come to our attention as a result of our audit
procedures and that we consider to be of sufficient importance to be formally
reported to you. These matters are set out in the attached appendix together
with our suggestions as to how the internal control systems could
be improved.
It must be appreciated that the matters dealt with in this letter came to our
notice during the conduct of our normal audit procedures which are designed
primarily to enable us to express an independent opinion on the financial
statements of the company. Consequently, our work did not encompass a
detailed review of all aspects of the control systems and cannot be relied
upon necessarily to disclose all defalcations or other irregularities or to include
all possible improvements in internal control. In particular, our work does
not determine the adequacy of internal control for management purposes or
provide separate assurance, or enable us to express an opinion, specifically on
the accounting and internal control systems.
As confirmed by the finance director and chief accountant in our meeting with
them on 15 May 20XY, all of these matters have been discussed by us with
them, and they are in broad agreement with the recommendations made.
This report has been prepared for the sole use of those charged with
governance and management (i.e. the board and audit committee) of Revup
Automotives in the context of our audit of the company's financial statements.
No responsibility is accepted to yourselves or other third parties without prior
knowledge and agreement with yourselves and those parties in writing, for any
alternative use of this report.
We look forward to formally hearing from you regarding the action that you
intend to take concerning the matters raised in this report.
Finally, we should like to take this opportunity to thank your staff for their co-
operation and assistance during the course of our audit.

Yours faithfully
A, B & C Chartered Certified Accountants & Registered Auditors

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 13-9

Ali Niaz - [email protected]

Session 13 • Communication on Internal Control
Weakness
Hours Worked by Service Employees
• The total hours worked
by service employees
(including overtime) are not
independently verified and
authorised.
Goods Received
• Goods received notes are
not always authorised to
show that details have been
agreed to purchase orders
and that the quantity and
quality of the goods have
been checked.
Data Security
• There is no access security
for the computer terminals
in the wages department.
13-10
Impact
• Employees may be paid
for work that they have
not done (e.g. if other
employees input their time
card and code on arriving
and leaving the premises on
their behalf).
• Financial loss would occur
if, for example, the goods
received were not ordered or
were not of the right quality.
Using poor quality goods
may result in customer
claims against the firm.
From our tests carried out,
we estimate that 60% of
goods received are not being
agreed to purchase orders or
physically checked.
• Because the password
facility has been disabled,
anybody can access the
system without authority
and, for example, change
or corrupt data (e.g. add
non-existent employees or
increase wage rates).
© 2014 DeVry/Becker Educational Development Corp. All rights reserved.
Ali Niaz - [email protected]
F8 Audit and Assurance (INT)
Recommendations
• The service manager should
review and authorise the
computer time schedules as
an accurate record of time
spent working by service
employees.
• He should also regularly
review the security
recordings that show
employees inputting their
time card and code to check
for potential abuse of the
system (e.g. more than one
card being used).
• All goods received should
be checked for quantity,
quality and agreement to
the purchase orders.
• Any goods received note
sent to accounts (to await
the purchase invoice)
should be returned to
goods received department
if not authorised or not in
agreement with the copy
purchase order already held
by accounts. The financial
accountant should follow
up any such instances to
ensure appropriate action
has been taken (e.g.
correctly authorised or poor
quality goods returned to
the supplier).
• Although our tests did
not find any errors, the
password system should
be reactivated immediately
following the recommended
approach of the system
designers (e.g. at least
ten characters in length,
a mix of upper and lower
case, alpha and numeric
characters, not a dictionary
word or date).
• Passwords should be
remembered and users
should avoid writing them
down, especially where they
can easily be found (e.g.
under the keyboard or on
the side of the computer
monitor).
 Session 13

Summary
 A deficiency in internal control exists when a control is missing or unable to prevent or
detect and correct material misstatements on a timely basis.
 A significant deficiency is one of such importance that it merits the attention of those
charged with governance. All significant deficiencies should be reported in writing in a letter
to management.
 The letter to management generally includes a covering letter and supporting detail
that describes the significant deficiencies, the possible effects of the deficiencies,
recommendations for corrective action and management response.
 The letter to management should not be disclosed to third parties without management's
consent.

Session 13 Quiz
Estimated time: 15 minutes

1. Define deficiency and significant deficiency. (1)

2. Describe the typical form of the letter to management regarding significant deficiencies in
internal control. (2.3, 2.4)

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 13-11

Ali Niaz - [email protected]

EXAMPLE SOLUTIONS
Solution 1—Indicators of Significant Deficiencies
 Significant transactions in which management is financially interested
are not being appropriately scrutinised by those charged with
governance.
 Management fraud, whether or not material, that was not prevented
by the entity's internal control.
 Management's failure to implement appropriate remedial action on
significant deficiencies previously communicated.
 Lack of, or ineffective, risk assessment processes.
 Ineffective response to identified significant risks (e.g. absence of
controls over such a risk).
 Misstatements detected by the auditor's procedures that were
not prevented, or not detected and corrected, by the entity's
internal control.
 Restatement of previously issued financial statements to reflect the
correction of a material misstatement due to error or fraud.
 Evidence of management's inability to oversee the preparation of the
financial statements.

Solution 2—Qualities

 Timeliness: as soon as possible after completion of audit procedures.

 Use of specific examples to illustrate weaknesses/deficiencies.
 Clear explanations of implications/risks.
 Commercial awareness of the client's expectations.
 Practicable recommendations for improvements.
 Inclusion of prior year points not acted upon, suitably amended.
 Clear, constructive and concise.
 Careful presentation (e.g. "tiered" structure).
 Factual accuracy.
 Evidence of discussion (e.g. inclusion of client's comments).
 No remarks of a personal nature.

13-12 © 2014 DeVry/Becker Educational Development Corp. All rights reserved.

Ali Niaz - [email protected]

Solution 3—Report to Management
Deficiencies
 Authorised inventory movements (e.g. customer returns) may not
be recorded.
 Possibility of unauthorised inventory movements/misappropriation/
theft.
Implications
 Records unreliable for year-end inventory figures.
 Management decisions (e.g. to place orders/make sales) are based on
unreliable figures.
 Receivables will be overstated if returns not accounted for.
 Unexplained inventory losses represent financial loss.
Recommendations
 Improve physical security (e.g. with gate controls).
 All movements to be accompanied by a sequentially numbered
document.
 Prohibit unauthorised movements: need responsible person in charge
of stores.
 Monthly physical counts until problem is resolved.

© 2014 DeVry/Becker Educational Development Corp. All rights reserved. 13-13

Ali Niaz - [email protected]