of internal control, including the possibility of management override of those controls. It may also be acceptable to specifically describe the extent of the auditor’s consideration of internal control. (AU-C 265.A31)
The auditor may be asked to issue a communication indicating that no material weaknesses were identified, which then would be submitted to governmental authorities. The “AU-C 265 Illustrations” section contains a sample communication that may be used.
MANAGEMENT RESPONSE
Management may prepare a written response to the auditor’s communication. Such responses typically describe corrective actions taken, plans to issue new controls, or management’s belief that the cost of new controls exceeds their benefit. If this response is included in a document that also contains the auditor’s controls communication, the auditor may include a disclaimer paragraph, such as:
ABC Company’s written response to the significant deficiencies [and material weaknesses] identified in our audit was not subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we express no opinion on it.
(AU-C 265.A33)
INTERPRETATIONS
Communication of Significant Deficiencies and Material Weaknesses Prior to the Completion of the Compliance Audit for Participants in Office of Management and Budget Single-Audit Pilot Project
Section 265 permits an auditor to communicate deficiencies and material weaknesses in writing to management before completing a financial statement audit, and this also applies to a compliance audit under OMB Circular A-133. (AU-C 9265.01)
Communication of Significant Deficiencies and Material Weaknesses Prior to the Completion of the Compliance Audit for Auditors Who Are Not Participants in Office of Management and Budget Pilot Project
If the auditor decides to communicate with management regarding any significant deficiencies or material weaknesses in internal control, the auditor is encouraged to communicate promptly during the audit engagement. The auditor may do so using the guidelines in AU-C 265, Communicating Internal Control Related Matters Identified in an Audit. (AU-C 9265.04–.05)
Appropriateness of Identifying No Significant Deficiencies or No Material Weaknesses in an Interim Communication
In the scenarios in these interpretations, the auditor should not issue a written communication stating that no significant deficiencies were identified during an audit as of an interim date, only at the end of an audit. (AU-C 9265.09)
AU-C 265 ILLUSTRATIONS
Illustration 1. Examples of Circumstances That May Be Control Deficiencies, Significant Deficiencies, or Material Weaknesses
The appendix to Section 265.A37 lists the following as examples of circumstances that may be control deficiencies in the design of controls, or failures in the operation of internal control. As such, auditors should consider these matters when designing and performing risk assessment procedures to gain an understanding of the design and implementation of internal control and when performing and evaluating the results of further audit procedures.
Deficiencies in Internal Control Design
Inadequate design of internal control over the preparation of the financial statements being audited.
Inadequate design of internal control over a significant account or process.
Inadequate documentation of the components of internal control.
Insufficient control consciousness within the organization—for example, the tone at the top and the control environment.
Absent or inadequate segregation of duties within a significant account or process.
Absent or inadequate controls over the safeguarding of assets (this applies to controls that the auditor determines would be necessary for effective internal control over financial reporting).
Inadequate design of information technology (IT) general and application controls that prevents the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.
Employees or management who lack the qualifications and training to fulfill their assigned functions (for example, in an entity that prepares financial statements in accordance with generally accepted accounting principles [GAAP], the person responsible for the accounting and reporting function lacks the skills and knowledge to apply GAAP in recording the entity’s financial transactions or preparing its financial statements).
Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity’s internal control over time.
The absence of any internal process to report deficiencies in internal control to management on a timely basis.
Evidence of ineffective aspects of the control environment, such as indications that significant transactions in which management is financially interested are not being appropriately scrutinized by those charged with governance.
Evidence of an ineffective entity risk assessment process, such as management’s failure to identify a risk of material misstatement that the auditor would expect the entity’s risk assessment process to have identified.
Evidence of an ineffective response to identified significant risks (for example, absence of controls over such a risk).
Absence of a risk assessment process within the entity when such a process would ordinarily be expected to have been established.
Failures in the Operation of Internal Control
Failure in the operation of effectively designed controls over a significant account or process; for example, the failure of a control such as dual authorization for significant disbursements within the purchasing process.
Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy; for example, the failure to obtain timely and accurate consolidating information from remote locations that is needed to prepare the financial statements.
Failure of controls designed to safeguard assets from loss, damage, or misappropriation. This circumstance may need careful consideration before it is evaluated as a significant deficiency or material weakness. For example, assume that a company uses security devices to safeguard inventory (preventive controls) and also performs periodic physical inventory counts (detective control) timely in relation to its financial reporting. Although the physical inventory count does not safeguard the inventory from theft or loss, it prevents a material misstatement of the financial statements if performed effectively and timely. Therefore, given that the definitions of material weakness and significant deficiency relate to likelihood of misstatement of financial statements, the failure of a preventive control such as inventory tags will not result in a significant deficiency or material weakness if the detective control (physical inventory) prevents a misstatement of the financial statements. Material weaknesses relating to controls over the safeguarding of assets would exist only if the company does not have effective controls (considering both safeguarding and other controls) to prevent or detect and correct a material misstatement of the financial statements.
Failure to perform reconciliations of significant accounts. For example, accounts receivable subsidiary ledgers are not reconciled to the general ledger account in a timely or accurate