| Key ISAs* |
| ISA 260 (Revised) Communication with those charged with governance |
| ISA 265 Communicating deficiencies in internal control to those charged with governance and management |
| * The guidance below focuses on key issues in implementing ISAs as issued by the International Auditing and Assurance Standards Board. It does not address all ISA requirements. |
Why is it important?
ISA 260 (Revised) provides an overarching framework for the auditor’s communication with those charged with governance and includes specific matters that need to be communicated to them. The ISA recognises that those charged with governance are an important source of information for the conduct of an effective audit because they can provide information that helps enhance the auditor’s understanding of the entity, its environment, its business risks and information about specific transactions or events. In return, the auditor can also assist those charged with governance in fulfilling their oversight responsibilities.
In addition, a further standard, ISA 265 includes specific requirements regarding communicating significant deficiencies in internal controls identified by the auditor in the course of the audit.
Requirements and challenges
Communication: a two-way street?
ISA 260 (Revised) recognises two-way communication in its objectives and imposes a specific obligation on the auditor to promote effective two-way communication. The auditor is required to take steps to achieve effective two-way communication. If it is inadequate, the auditor must evaluate the effect on risk assessment and evidence gathering and take appropriate steps.
The ISA stops short of imposing an obligation on those charged with governance to communicate in a particular way; that is not the role of an auditing standard. Rather, it is for the auditor to assess the effectiveness of two-way communication and act appropriately based on that assessment.
How can the requirements be applied to smaller entities?
ISA 260 (Revised), like the other ISAs, is designed to be scalable. It can be applied to audits of listed companies and owner managed businesses alike. To make this work, the standard makes it clear that, if those charged with governance are involved in managing the entity, matters communicated with them in a management capacity need not be re-iterated with them in a governance role. But it is important that communication with individuals with management responsibilities reaches all of those who have a governance role.
Generally, oral communication is adequate, provided it is on a timely basis. However, the auditor does need to communicate significant audit findings in writing if, in the auditor’s professional judgement, oral communication would not be adequate. In all other respects, oral communication is acceptable, but it is necessary for matters communicated to be included within the audit documentation, including when and to whom they were communicated.
What needs to be communicated?
Firstly, the auditor must communicate the responsibility for forming and expressing an opinion on the financial statements that have been prepared by management with the oversight of those charged with governance. The auditor must make it clear that the audit of the financial statements does not relieve management or those charged with governance of their responsibilities. An overview of the planned scope and timing of the audit, which includes communicating about the significant risks identified by the auditor is necessary. An outline of the form, timing and expected general content of planned communication is also required.
As the audit approaches completion, the auditor comments on significant qualitative aspects of the entity’s accounting practices, including:
- why a significant accounting practice is not the most appropriate in the circumstances;
- circumstances that required significant modification of the auditor’s planned approach to the audit;
- any significant difficulties arising during the audit; and
- any significant matters arising during the audit that were discussed with management.
The auditor also uses professional judgement to determine whether there are any other significant matters that are relevant to the oversight of the financial reporting process.
For audits of listed entities, a statement addressing compliance with relevant independence requirements is also required.
Why a separate standard on communicating deficiencies in internal control?
The requirements in the old ISA 260 on communicating deficiencies in internal control were left behind by developments in practice and audit regulation. This was the case particularly in the US where the requirements of the Sarbanes-Oxley legislation resulted in integrated audits of financial statements and internal control. It also became apparent that a separate standard could help make things clearer and incorporate the communication of control deficiencies to management as well as to those charged with governance.
ISA 265 also provided an opportunity to clear up confusion (particularly in the US) over terminology by the removal of the term “material weakness” from ISAs.
How do auditors decide which deficiencies in internal control are significant?
ISA 265 requires the auditor to communicate significant deficiencies. It explains that a deficiency in internal control is where a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements to the financial statements on a timely basis, or where such a control is necessary but missing. Such deficiencies identified during the audit must be brought to the attention of management, where they are, in the auditor’s professional judgement, of sufficient importance to merit management’s attention. Accordingly, where trivial matters are identified by the auditor, they need not be communicated.
The most important of these deficiencies are termed “significant deficiencies in internal control” and they need to be brought to the attention of those charged with governance as well as management. Their communication must be in writing.
However, there is no system or methodology for the auditor to apply in determining whether deficiencies are significant deficiencies as the determination is entirely and explicitly a matter of judgement. Nor do ISAs require that the auditor should set out to find control deficiencies. The extent to which the auditor sets out to rely upon, and test the operation of controls, remains very much a matter of judgement.
When communicating significant deficiencies in writing, the auditor is obliged to describe the deficiency and give an indication of its potential effect, along with sufficient information to enable management and those charged with governance to understand the context of the communication.
More guidance on ISAs
Read our collection of guides on how to implement International Standards on Auditing (ISAs) as issued by IAASB.
Read nowCopyright notice
This guide includes extracts from the Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements, 2016-2017 Edition of the International Auditing and Assurance Standards Board (IAASB), published by the International Federation of Accountants (IFAC) in December 2016, and is used with permission of IFAC. Contact permissions@ifac.org for permission to reproduce, store or transmit, or to make other similar uses of this document. This text from the Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements, 2016-2017 Edition of the International Auditing and Assurance Standards Board (IAASB), published by IFAC in December 2016, is used by ICAEW with permission of IFAC. Such use of IFAC’s copyrighted material in no way represents an endorsement or promotion by IFAC. Any views or opinions that may be included in this guide are solely those of ICAEW, and do not express the views and opinions of IFAC or any independent standard setting board supported by IFAC.
