Communication with those charged with governance in an ISA (UK) audit

Why is it important?

ISA 260 (Revised) provides an overarching framework for the auditor’s communication with those charged with governance and includes specific matters that need to be communicated to them. The ISA recognises that those charged with governance are an important source of information for the conduct of an effective audit because they can provide information that helps enhance the auditor’s understanding of the entity, its environment, its business risks and information about specific transactions or events. In return, the auditor can also assist those charged with governance in fulfilling their oversight responsibilities.

In addition, a further standard, ISA 265 includes specific requirements regarding communicating significant deficiencies in internal controls identified by the auditor in the course of the audit.

Requirements and challenges

Communication: a two-way street?

ISA 260 (Revised) recognises two-way communication in its objectives and imposes a specific obligation on the auditor to promote effective two-way communication. The auditor is required to take steps to achieve effective two-way communication. If it is inadequate, the auditor must evaluate the effect on risk assessment and evidence gathering and take appropriate steps.

The ISA stops short of imposing an obligation on those charged with governance to communicate in a particular way; that is not the role of an auditing standard. Rather, it is for the auditor to assess the effectiveness of two-way communication and act appropriately based on that assessment.

How can the requirements be applied to smaller entities?

ISA 260 (Revised), like the other ISAs, is designed to be scalable. It can be applied to audits of listed companies and owner managed businesses alike. To make this work, the standard makes it clear that, if those charged with governance are involved in managing the entity, matters communicated with them in a management capacity need not be re-iterated with them in a governance role. But it is important that communication with individuals with management responsibilities reaches all of those who have a governance role.

Generally, oral communication is adequate, provided it is on a timely basis. However, the auditor does need to communicate significant audit findings in writing if, in the auditor’s professional judgement, oral communication would not be adequate. In all other respects, oral communication is acceptable, but it is necessary for matters communicated to be included within the audit documentation, including when and to whom they were communicated.

What needs to be communicated?

Firstly, the auditor must communicate the responsibility for forming and expressing an opinion on the financial statements that have been prepared by management with the oversight of those charged with governance. The auditor must make it clear that the audit of the financial statements does not relieve management or those charged with governance of their responsibilities. An overview of the planned scope and timing of the audit, which includes communicating about the significant risks identified by the auditor is necessary. When the auditor is required or decides to communicate key audit matters in accordance with ISA (UK) 701, the overview needs to include communicating about the most significant assessed risks of material misstatement identified by the auditor, including those that had the greatest effect on the overall audit strategy, the allocation of resources in the audit and directing the efforts of the engagement team.

An outline of the form, timing and expected general content of planned communication is also required.

As the audit approaches completion, the auditor comments on significant qualitative aspects of the entity’s accounting practices, including:

• why a significant accounting practice is not the most appropriate in the circumstances;
• circumstances that required significant modification of the auditor’s planned approach to the audit;
• any significant difficulties arising during the audit; and 
• any significant matters arising during the audit that were discussed with management. 

The auditor also uses professional judgement to determine whether there are any other significant matters that are relevant to the oversight of the financial reporting process.

For audits of listed entities, a statement addressing compliance with relevant independence requirements is also required.

There are also additional requirements in relation to listed entities, public interest entities and entities that report on application of the corporate governance code.

ISA 265 also provided an opportunity to clear up confusion (particularly in the US) over terminology by the removal of the term “material weakness” from ISAs.

How do auditors decide which deficiencies in internal control are significant?

ISA 265 requires the auditor to communicate significant deficiencies. It explains that  a deficiency in internal control is where a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements to the financial statements on a timely basis, or where such a control is necessary but missing. Such deficiencies identified during the audit must be brought to the attention of management, where they are, in the auditor’s professional judgement, of sufficient importance to merit management’s attention. Accordingly, where trivial matters are identified by the auditor, they need not be communicated.

The most important of these deficiencies are termed “significant deficiencies in internal control” and they need to be brought to the attention of those charged with governance as well as management. Their communication must be in writing.

However, there is no system or methodology for the auditor to apply in determining whether deficiencies are significant deficiencies as the determination is entirely and explicitly a matter of judgement. Nor do ISAs require that the auditor should set out to find control deficiencies. The extent to which the auditor sets out to rely upon, and test the operation of controls, remains very much a matter of judgement. 

When communicating significant deficiencies in writing, the auditor is obliged to describe the deficiency and give an indication of its potential effect, along with sufficient information to enable management and those charged with governance to understand the context of the communication.