Internatinal Standard n Auditing (Ireland) 265 Cmmunicating Deficiencies in Internal Cntrl t Thse Charged with Gvernance and Management
MISSION T cntribute t Ireland having a strng regulatry envirnment in which t d business by supervising and prmting high quality financial reprting, auditing and effective regulatin f the accunting prfessin in the public interest This publicatin cntains cpyright material f bth the Internatinal Federatin f Accuntants and the Financial Reprting Cuncil Limited. All rights reserved. Reprduced and mdified by the Irish Auditing and Accunting Supervisry Authrity with the permissin f the Internatinal Federatin f Accuntants and the Financial Reprting Cuncil Limited. N permissin granted t third parties t reprduce r distribute.
INTERNATIONAL STANDARD ON AUDITING (IRELAND) 265 COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT (Effective fr the audits f financial statements fr perids cmmencing n r after 17 June 2016, fr Intrductin which pinins are issued n r after 1 February 2017) CONTENTS Paragraph Scpe f this ISA (Ireland)... 1 3 Effective Date... 4 Objective... 5 Definitins... 6 Requirements... 7 11 Applicatin and Other Explanatry Material Determinatin f Whether Deficiencies in Internal Cntrl Have Been Identified... Significant Deficiencies in Internal Cntrl... Cmmunicatin f Deficiencies in Internal Cntrl... A1 A4 A5 A11 A12 A30 Internatinal Standard n Auditing (Ireland) (ISA (Ireland)) 265, Cmmunicating Deficiencies in Internal Cntrl t Thse Charged with Gvernance and Management shuld be read in cnjunctin with ISA (Ireland) 200, Overall Objectives f the Independent Auditr and the Cnduct f an Audit in Accrdance with Internatinal Standards n Auditing (Ireland).
Intrductin Scpe f this ISA (Ireland) 1. This Internatinal Standard n Auditing (Ireland) (ISA (Ireland)) deals with the auditr s respnsibility t cmmunicate apprpriately t thse charged with gvernance and management deficiencies in internal cntrl 1 that the auditr has identified in an audit f financial statements. This ISA (Ireland) des nt impse additinal respnsibilities n the auditr regarding btaining an understanding f internal cntrl and designing and perfrming tests f cntrls ver and abve the requirements f ISA (Ireland) 315 and ISA (Ireland) 330. 2 ISA (Ireland) 260 3 establishes further requirements and prvides guidance regarding the auditr s respnsibility t cmmunicate with thse charged with gvernance in relatin t the audit. 2. The auditr is required t btain an understanding f internal cntrl relevant t the audit when identifying and assessing the risks f material misstatement. 4 In making thse risk assessments, the auditr cnsiders internal cntrl in rder t design audit prcedures that are apprpriate in the circumstances, but nt fr the purpse f expressing an pinin n the effectiveness f internal cntrl. The auditr may identify deficiencies in internal cntrl nt nly during this risk assessment prcess but als at any ther stage f the audit. This ISA (Ireland) specifies which identified deficiencies the auditr is required t cmmunicate t thse charged with gvernance and management. 3. Nthing in this ISA (Ireland) precludes the auditr frm cmmunicating t thse charged with gvernance and management ther internal cntrl matters that the auditr has identified during the audit. Effective Date 4. This ISA (Ireland) is effective fr the audits f financial statements fr perids cmmencing n r after 17 June 2016, fr which pinins are issued n r after 1 February 2017. Objective 5. The bjective f the auditr is t cmmunicate apprpriately t thse charged with gvernance and management deficiencies in internal cntrl that the auditr has identified during the audit and that, in the auditr s prfessinal judgment, are f sufficient imprtance t merit their respective attentins. Definitins 6. Fr purpses f the ISAs (Ireland), the fllwing terms have the meanings attributed belw: (a) Deficiency in internal cntrl This exists when: 1 2 3 4 ISA (Ireland) 315, Identifying and Assessing the Risks f Material Misstatement thrugh Understanding the Entity and Its Envirnment, paragraphs 4 and 12. ISA (Ireland) 330, The Auditr s Respnses t Assessed Risks. ISA (Ireland) 260, Cmmunicatin with Thse Charged with Gvernance. ISA (Ireland) 315, paragraph 12. Paragraphs A60-A65 prvide guidance n cntrls relevant t the audit. 1
(i) (ii) A cntrl is designed, implemented r perated in such a way that it is unable t prevent, r detect and crrect, misstatements in the financial statements n a timely basis; r A cntrl necessary t prevent, r detect and crrect, misstatements in the financial statements n a timely basis is missing. (b) Requirements Significant deficiency in internal cntrl A deficiency r cmbinatin f deficiencies in internal cntrl that, in the auditr s prfessinal judgment, is f sufficient imprtance t merit the attentin f thse charged with gvernance. (Ref: Para. A5) 7. The auditr shall determine whether, n the basis f the audit wrk perfrmed, the auditr has identified ne r mre deficiencies in internal cntrl. (Ref: Para. A1-A4) 8. If the auditr has identified ne r mre deficiencies in internal cntrl, the auditr shall determine, n the basis f the audit wrk perfrmed, whether, individually r in cmbinatin, they cnstitute significant deficiencies. (Ref: Para. A5-A11) 9. The auditr shall cmmunicate in writing significant deficiencies in internal cntrl identified during the audit t thse charged with gvernance n a timely basis. (Ref: Para. A12-A18, A27) 10. The auditr shall als cmmunicate t management at an apprpriate level f respnsibility n a timely basis: (Ref: Para. A19, A27) (a) (b) In writing, significant deficiencies in internal cntrl that the auditr has cmmunicated r intends t cmmunicate t thse charged with gvernance, unless it wuld be inapprpriate t cmmunicate directly t management in the circumstances; and (Ref: Para. A14, A20-A21) Other deficiencies in internal cntrl identified during the audit that have nt been cmmunicated t management by ther parties and that, in the auditr s prfessinal judgment, are f sufficient imprtance t merit management s attentin. (Ref: Para. A22-A26) 11. The auditr shall include in the written cmmunicatin f significant deficiencies in internal cntrl: (a) (b) A descriptin f the deficiencies and an explanatin f their ptential effects; and (Ref: Para. A28) Sufficient infrmatin t enable thse charged with gvernance and management t understand the cntext f the cmmunicatin. In particular, the auditr shall explain that: (Ref: Para. A29-A30) (i) (ii) The purpse f the audit was fr the auditr t express an pinin n the financial statements; The audit included cnsideratin f internal cntrl relevant t the preparatin f the financial statements in rder t design audit prcedures that are apprpriate in the circumstances, but nt fr the purpse f expressing an pinin n the effectiveness f internal cntrl; and 2
(iii) The matters being reprted are limited t thse deficiencies that the auditr has identified during the audit and that the auditr has cncluded are f sufficient imprtance t merit being reprted t thse charged with gvernance. *** Applicatin and Other Explanatry Material Determinatin f Whether Deficiencies in Internal Cntrl Have Been Identified (Ref: Para. 7) A1. In determining whether the auditr has identified ne r mre deficiencies in internal cntrl, the auditr may discuss the relevant facts and circumstances f the auditr s findings with the apprpriate level f management. This discussin prvides an pprtunity fr the auditr t alert management n a timely basis t the existence f deficiencies f which management may nt have been previusly aware. The level f management with whm it is apprpriate t discuss the findings is ne that is familiar with the internal cntrl area cncerned and that has the authrity t take remedial actin n any identified deficiencies in internal cntrl. In sme circumstances, it may nt be apprpriate fr the auditr t discuss the auditr s findings directly with management, fr example, if the findings appear t call management s integrity r cmpetence int questin (see paragraph A20). A2. In discussing the facts and circumstances f the auditr s findings with management, the auditr may btain ther relevant infrmatin fr further cnsideratin, such as: Management s understanding f the actual r suspected causes f the deficiencies. Exceptins arising frm the deficiencies that management may have nted, fr example, misstatements that were nt prevented by the relevant infrmatin technlgy (IT) cntrls. A preliminary indicatin frm management f its respnse t the findings. Cnsideratins Specific t Smaller Entities A3. While the cncepts underlying cntrl activities in smaller entities are likely t be similar t thse in larger entities, the frmality with which they perate will vary. Further, smaller entities may find that certain types f cntrl activities are nt necessary because f cntrls applied by management. Fr example, management s sle authrity fr granting credit t custmers and apprving significant purchases can prvide effective cntrl ver imprtant accunt balances and transactins, lessening r remving the need fr mre detailed cntrl activities. A4. Als, smaller entities ften have fewer emplyees which may limit the extent t which segregatin f duties is practicable. Hwever, in a small wner-managed entity, the wner-manager may be able t exercise mre effective versight than in a larger entity. This higher level f management versight needs t be balanced against the greater ptential fr management verride f cntrls. Significant Deficiencies in Internal Cntrl (Ref: Para. 6(b), 8) A5. The significance f a deficiency r a cmbinatin f deficiencies in internal cntrl depends nt nly n whether a misstatement has actually ccurred, but als n the 3
likelihd that a misstatement culd ccur and the ptential magnitude f the misstatement. Significant deficiencies may therefre exist even thugh the auditr has nt identified misstatements during the audit. A6. Examples f matters that the auditr may cnsider in determining whether a deficiency r cmbinatin f deficiencies in internal cntrl cnstitutes a significant deficiency include: The likelihd f the deficiencies leading t material misstatements in the financial statements in the future. The susceptibility t lss r fraud f the related asset r liability. The subjectivity and cmplexity f determining estimated amunts, such as fair value accunting estimates. The financial statement amunts expsed t the deficiencies. The vlume f activity that has ccurred r culd ccur in the accunt balance r class f transactins expsed t the deficiency r deficiencies. The imprtance f the cntrls t the financial reprting prcess; fr example: General mnitring cntrls (such as versight f management). Cntrls ver the preventin and detectin f fraud. Cntrls ver the selectin and applicatin f significant accunting plicies. Cntrls ver significant transactins with related parties. Cntrls ver significant transactins utside the entity s nrmal curse f business. Cntrls ver the perid-end financial reprting prcess (such as cntrls ver nn-recurring jurnal entries). The cause and frequency f the exceptins detected as a result f the deficiencies in the cntrls. The interactin f the deficiency with ther deficiencies in internal cntrl. A7. Indicatrs f significant deficiencies in internal cntrl include, fr example: Evidence f ineffective aspects f the cntrl envirnment, such as: Indicatins that significant transactins in which management is financially interested are nt being apprpriately scrutinized by thse charged with gvernance. Identificatin f management fraud, whether r nt material, that was nt prevented by the entity s internal cntrl. Management s failure t implement apprpriate remedial actin n significant deficiencies previusly cmmunicated. Absence f a risk assessment prcess within the entity where such a prcess wuld rdinarily be expected t have been established. 4
Evidence f an ineffective entity risk assessment prcess, such as management s failure t identify a risk f material misstatement that the auditr wuld expect the entity s risk assessment prcess t have identified. Evidence f an ineffective respnse t identified significant risks (fr example, absence f cntrls ver such a risk). Misstatements detected by the auditr s prcedures that were nt prevented, r detected and crrected, by the entity s internal cntrl. Restatement f previusly issued financial statements t reflect the crrectin f a material misstatement due t errr r fraud. Evidence f management s inability t versee the preparatin f the financial statements. A8. Cntrls may be designed t perate individually r in cmbinatin t effectively prevent, r detect and crrect, misstatements. 5 Fr example, cntrls ver accunts receivable may cnsist f bth autmated and manual cntrls designed t perate tgether t prevent, r detect and crrect, misstatements in the accunt balance. A deficiency in internal cntrl n its wn may nt be sufficiently imprtant t cnstitute a significant deficiency. Hwever, a cmbinatin f deficiencies affecting the same accunt balance r disclsure, relevant assertin, r cmpnent f internal cntrl may increase the risks f misstatement t such an extent as t give rise t a significant deficiency. A9. Law r regulatin in sme jurisdictins may establish a requirement (particularly fr audits f listed entities) fr the auditr t cmmunicate t thse charged with gvernance r t ther relevant parties (such as regulatrs) ne r mre specific types f deficiency in internal cntrl that the auditr has identified during the audit. Where law r regulatin has established specific terms and definitins fr these types f deficiency and requires the auditr t use these terms and definitins fr the purpse f the cmmunicatin, the auditr uses such terms and definitins when cmmunicating in accrdance with the legal r regulatry requirement. A10. Where the jurisdictin has established specific terms fr the types f deficiency in internal cntrl t be cmmunicated but has nt defined such terms, it may be necessary fr the auditr t use judgment t determine the matters t be cmmunicated further t the legal r regulatry requirement. In ding s, the auditr may cnsider it apprpriate t have regard t the requirements and guidance in this ISA (Ireland). Fr example, if the purpse f the legal r regulatry requirement is t bring t the attentin f thse charged with gvernance certain internal cntrl matters f which they shuld be aware, it may be apprpriate t regard such matters as being generally equivalent t the significant deficiencies required by this ISA (Ireland) t be cmmunicated t thse charged with gvernance. A11. The requirements f this ISA (Ireland) remain applicable ntwithstanding that law r regulatin may require the auditr t use specific terms r definitins. 5 ISA (Ireland) 315, paragraph A66. 5
Cmmunicatin f Deficiencies in Internal Cntrl Cmmunicatin f Significant Deficiencies in Internal Cntrl t Thse Charged with Gvernance (Ref: Para. 9) A12. Cmmunicating significant deficiencies in writing t thse charged with gvernance reflects the imprtance f these matters, and assists thse charged with gvernance in fulfilling their versight respnsibilities. ISA (Ireland) 260 establishes relevant cnsideratins regarding cmmunicatin with thse charged with gvernance when all f them are invlved in managing the entity. 6 A12-1. In Ireland, where applicable, timely cmmunicatin f significant deficiencies, in writing, t directrs f listed entities can assist them t cmply with the prvisins f the UK Crprate Gvernance Cde relating t internal cntrl and reprting t sharehlders. A13. In determining when t issue the written cmmunicatin, the auditr may cnsider whether receipt f such cmmunicatin wuld be an imprtant factr in enabling thse charged with gvernance t discharge their versight respnsibilities. In additin, fr listed entities in certain jurisdictins, thse charged with gvernance may need t receive the auditr s written cmmunicatin befre the date f apprval f the financial statements in rder t discharge specific respnsibilities in relatin t internal cntrl fr regulatry r ther purpses. Fr ther entities, the auditr may issue the written cmmunicatin at a later date. Nevertheless, in the latter case, as the auditr s written cmmunicatin f significant deficiencies frms part f the final audit file, the written cmmunicatin is subject t the verriding requirement 7 fr the auditr t cmplete the assembly f the final audit file n a timely basis. ISA (Ireland) 230 states that an apprpriate time limit within which t cmplete the assembly f the final audit file is rdinarily nt mre than 60 days after the date f the auditr s reprt. 8 A13-1. Fr audits f financial statements f public interest entities, ISA (Ireland) 260 8a requires the auditr t cmmunicate in the additinal reprt t the audit cmmittee any significant deficiencies in the entity s internal financial cntrl system r in the accunting system, and whether r nt the deficiencies reprted have been reslved by management. A14. Regardless f the timing f the written cmmunicatin f significant deficiencies, the auditr may cmmunicate these rally in the first instance t management and, when apprpriate, t thse charged with gvernance t assist them in taking timely remedial actin t minimize the risks f material misstatement. Ding s, hwever, des nt relieve the auditr f the respnsibility t cmmunicate the significant deficiencies in writing, as this ISA (Ireland) requires. A15. The level f detail at which t cmmunicate significant deficiencies is a matter f the auditr s prfessinal judgment in the circumstances. Factrs that the auditr may 6 7 8 8a ISA (Ireland) 260, paragraph 13. ISA (Ireland) 230, Audit Dcumentatin, paragraph 14. ISA (Ireland) 230, paragraph A21. ISA (Ireland) 260, paragraph 16R-2(j). 6
cnsider in determining an apprpriate level f detail fr the cmmunicatin include, fr example: The nature f the entity. Fr instance, the cmmunicatin required fr a public interest entity may be different frm that fr a nn-public interest entity. The size and cmplexity f the entity. Fr instance, the cmmunicatin required fr a cmplex entity may be different frm that fr an entity perating a simple business. The nature f significant deficiencies that the auditr has identified. The entity s gvernance cmpsitin. Fr instance, mre detail may be needed if thse charged with gvernance include members wh d nt have significant experience in the entity s industry r in the affected areas. Legal r regulatry requirements regarding the cmmunicatin f specific types f deficiency in internal cntrl. A16. Management and thse charged with gvernance may already be aware f significant deficiencies that the auditr has identified during the audit and may have chsen nt t remedy them because f cst r ther cnsideratins. The respnsibility fr evaluating the csts and benefits f implementing remedial actin rests with management and thse charged with gvernance. Accrdingly, the requirement in paragraph 9 applies regardless f cst r ther cnsideratins that management and thse charged with gvernance may cnsider relevant in determining whether t remedy such deficiencies. A17. The fact that the auditr cmmunicated a significant deficiency t thse charged with gvernance and management in a previus audit des nt eliminate the need fr the auditr t repeat the cmmunicatin if remedial actin has nt yet been taken. If a previusly cmmunicated significant deficiency remains, the current year s cmmunicatin may repeat the descriptin frm the previus cmmunicatin, r simply reference the previus cmmunicatin. The auditr may ask management r, where apprpriate, thse charged with gvernance, why the significant deficiency has nt yet been remedied. A failure t act, in the absence f a ratinal explanatin, may in itself represent a significant deficiency. Cnsideratins Specific t Smaller Entities A18. In the case f audits f smaller entities, the auditr may cmmunicate in a less structured manner with thse charged with gvernance than in the case f larger entities. Cmmunicatin f Deficiencies in Internal Cntrl t Management (Ref: Para. 10) A19. Ordinarily, the apprpriate level f management is the ne that has respnsibility and authrity t evaluate the deficiencies in internal cntrl and t take the necessary remedial actin. Fr significant deficiencies, the apprpriate level is likely t be the chief executive fficer r chief financial fficer (r equivalent) as these matters are als required t be cmmunicated t thse charged with gvernance. Fr ther deficiencies in internal cntrl, the apprpriate level may be peratinal management with mre direct invlvement in the cntrl areas affected and with the authrity t take apprpriate remedial actin. 7
Cmmunicatin f Significant Deficiencies in Internal Cntrl t Management (Ref: Para. 10(a)) A20. Certain identified significant deficiencies in internal cntrl may call int questin the integrity r cmpetence f management. Fr example, there may be evidence f fraud r intentinal nn-cmpliance with laws and regulatins by management, r management may exhibit an inability t versee the preparatin f adequate financial statements that may raise dubt abut management s cmpetence. Accrdingly, it may nt be apprpriate t cmmunicate such deficiencies directly t management. A21. ISA (Ireland) 250 establishes requirements and prvides guidance n the reprting f identified r suspected nn-cmpliance with laws and regulatins, including when thse charged with gvernance are themselves invlved in such nn-cmpliance. 9 ISA (Ireland) 240 establishes requirements and prvides guidance regarding cmmunicatin t thse charged with gvernance when the auditr has identified fraud r suspected fraud invlving management. 10 Cmmunicatin f Other Deficiencies in Internal Cntrl t Management (Ref: Para. 10(b)) A22. During the audit, the auditr may identify ther deficiencies in internal cntrl that are nt significant deficiencies but that may be f sufficient imprtance t merit management s attentin. The determinatin as t which ther deficiencies in internal cntrl merit management s attentin is a matter f prfessinal judgment in the circumstances, taking int accunt the likelihd and ptential magnitude f misstatements that may arise in the financial statements as a result f thse deficiencies. A23. The cmmunicatin f ther deficiencies in internal cntrl that merit management s attentin need nt be in writing but may be ral. Where the auditr has discussed the facts and circumstances f the auditr s findings with management, the auditr may cnsider an ral cmmunicatin f the ther deficiencies t have been made t management at the time f these discussins. Accrdingly, a frmal cmmunicatin need nt be made subsequently. A24. If the auditr has cmmunicated deficiencies in internal cntrl ther than significant deficiencies t management in a prir perid and management has chsen nt t remedy them fr cst r ther reasns, the auditr need nt repeat the cmmunicatin in the current perid. The auditr is als nt required t repeat infrmatin abut such deficiencies if it has been previusly cmmunicated t management by ther parties, such as the internal audit functin r regulatrs. It may, hwever, be apprpriate fr the auditr t re-cmmunicate these ther deficiencies if there has been a change f management, r if new infrmatin has cme t the auditr s attentin that alters the prir understanding f the auditr and management regarding the deficiencies. Nevertheless, the failure f management t remedy ther deficiencies in internal cntrl that were previusly cmmunicated may becme a significant deficiency requiring cmmunicatin with thse charged with 9 10 ISA (Ireland) 250, Cnsideratin f Laws and Regulatins in an Audit f Financial Statements, paragraphs 22-28. ISA (Ireland) 240, The Auditr s Respnsibilities Relating t Fraud in an Audit f Financial Statements, paragraph 41. 8
gvernance. Whether this is the case depends n the auditr s judgment in the circumstances. A25. In sme circumstances, thse charged with gvernance may wish t be made aware f the details f ther deficiencies in internal cntrl the auditr has cmmunicated t management, r be briefly infrmed f the nature f the ther deficiencies. Alternatively, the auditr may cnsider it apprpriate t infrm thse charged with gvernance f the cmmunicatin f the ther deficiencies t management. In either case, the auditr may reprt rally r in writing t thse charged with gvernance as apprpriate. A26. ISA (Ireland) 260 establishes relevant cnsideratins regarding cmmunicatin with thse charged with gvernance when all f them are invlved in managing the entity. 11 Cnsideratins Specific t Public Sectr Entities (Ref: Para. 9-10) A27. Public sectr auditrs may have additinal respnsibilities t cmmunicate deficiencies in internal cntrl that the auditr has identified during the audit, in ways, at a level f detail and t parties nt envisaged in this ISA (Ireland). Fr example, significant deficiencies may have t be cmmunicated t the legislature r ther gverning bdy. Law, regulatin r ther authrity may als mandate that public sectr auditrs reprt deficiencies in internal cntrl, irrespective f the significance f the ptential effects f thse deficiencies. Further, legislatin may require public sectr auditrs t reprt n brader internal cntrl-related matters than the deficiencies in internal cntrl required t be cmmunicated by this ISA (Ireland), fr example, cntrls related t cmpliance with legislative authrities, regulatins, r prvisins f cntracts r grant agreements. Cntent f Written Cmmunicatin f Significant Deficiencies in Internal Cntrl (Ref: Para. 11) A28. In explaining the ptential effects f the significant deficiencies, the auditr need nt quantify thse effects. The significant deficiencies may be gruped tgether fr reprting purpses where it is apprpriate t d s. The auditr may als include in the written cmmunicatin suggestins fr remedial actin n the deficiencies, management s actual r prpsed respnses, and a statement as t whether r nt the auditr has undertaken any steps t verify whether management s respnses have been implemented. A29. The auditr may cnsider it apprpriate t include the fllwing infrmatin as additinal cntext fr the cmmunicatin: An indicatin that if the auditr had perfrmed mre extensive prcedures n internal cntrl, the auditr might have identified mre deficiencies t be reprted, r cncluded that sme f the reprted deficiencies need nt, in fact, have been reprted. An indicatin that such cmmunicatin has been prvided fr the purpses f thse charged with gvernance, and that it may nt be suitable fr ther purpses. 11 ISA (Ireland) 260, paragraph 13. 9
A30. Law r regulatin may require the auditr r management t furnish a cpy f the auditr s written cmmunicatin n significant deficiencies t apprpriate regulatry authrities. Where this is the case, the auditr s written cmmunicatin may identify such regulatry authrities. 10