ISA 265, Communicating Deficiencies in Internal Control
Proposed International Standard on Auditing issued for comment by the International Auditing and Assurance Standards Board of the International Federation of Accountants
Comments from ACCA
April 2008
Executive Summary
ACCA welcomes the opportunity to comment on the proposed International Standard on Auditing ISA 265 Communicating Deficiencies in Internal Control (proposed ISA 265), issued for comment by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants. We also comment on related conforming amendments to six other ISAs as set out in the Exposure Draft.
We are concerned that proposed ISA 265 adopts an approach that mirrors that for misstatements, which will result in minor deficiencies being communicated. We do not believe that such a result is justifiable in terms of increased audit quality, or sensible in terms of the diversion of auditor and management time and cost.
Proposed ISA 265 introduces the term 'significant deficiency' and, through conforming amendments, withdraws the term 'material weakness' [in internal control] from ISAs. We disagree with the reasoning advanced for this change and explain why we prefer to retain the existing term.
Proposed ISA 265 is entirely new and we are not convinced that it is needed. We identify several difficulties with the text that could be remedied by transferring the material to other ISAs.
General Comments
Overall approach
We are seriously concerned that proposed ISA 265 is based on a flawed premise. The results of this will be that auditors will incur unnecessary costs trying to comply with requirements that add nothing to the quality of an audit and management will receive extensive communications of little value.
We note parallels between the treatment of deficiencies in internal control in proposed ISA 265 and the treatment of misstatements in proposed ISA 450 (Revised and Redrafted) Evaluation of Misstatements Identified during the Audit (proposed ISA 450). The parallels between the two ISAs are as follows:
| Proposed ISA 265 | Proposed ISA 450 |
|---|---|
| Defines deficiency in internal control by reference to 'a control' and requires all to be communicated to management | Defines misstatement in the singular and requires all to be communicated to management |
| Requires significant deficiencies (single or aggregated deficiency in internal control) to be communicated to those charged with governance | Requires misstatements to be aggregated and, if uncorrected, communicated to those charged with governance (which may be done in aggregate) |
| Excludes deficiency in internal control that is 'clearly trivial' (by reference to financial effect) | Excludes misstatements that are 'clearly trivial' (by reference to financial effect) |
Proposed ISA 265 has adopted an approach that mirrors that for misstatements but which has failed to recognise the essential differences between misstatements and deficiencies in internal control: misstatements can be identified in isolation and aggregated in monetary terms; deficiencies in internal control can only be identified in aggregate. The necessary degree of aggregation of controls will depend on the circumstances of the particular audit; it may, for example, be overall, by component, by transaction stream or by account balance.
It may be argued that the definition of 'controls' in paragraph 4(c) of ISA 315 (Redrafted) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ISA 315) is such that it can be interpreted as referring to any degree of disaggregation of internal control (into 'aspects'). As a result, it can be argued that our concerns are groundless. We do not accept that, as we do not believe it is reasonable to expect auditors using proposed ISA 265 to interpret the proposed text so as to make proper use of the theoretical flexibility that the definition of controls allows.
In reality, proposed ISA 265 has not been written in compliance with the fluidity that the definition of 'controls' allows because it introduces requirements relating to 'other controls that would prevent, or detect and correct, misstatements arising from the identified deficiencies'.
This is consistent with the manner in which ISA 315 has itself not been written in compliance with the fluidity that the definition allows. Instead of dealing with the objective of a control (which could be an 'aspect') it approaches a control as being a discrete process, for example paragraph A62 refers to 'Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements.'
We do not believe it is reasonable to expect auditors using proposed ISA 265 to interpret the proposed text so as to make proper use of the theoretical flexibility that the definition of controls allows. For example, in order to render requirement 9(a) not relevant in the circumstances of the audit, the auditor should define the relevant 'control' as the aggregate of the processes (omitted or present) to address a control objective. In doing so the auditor removes the concept of 'other controls' from the practicalities of the audit.
We believe that proposed ISA 265 should be rewritten, either to make proper use of the wide definition of 'controls' or, if the drafting continues to be similar to that currently proposed, to change certain requirements. This should recognise that control procedures generally cannot be assessed unless the wider picture is seen. This would remove the material on 'other controls' and allow a more focussed approach than is currently in the text, such that communication to management of 'all deficiencies' is actually of 'all important deficiencies' (as only those would be identified).
Clearly trivial
The Scope section of proposed ISA 265 explains that 'This ISA does not address deficiencies in internal control the potential financial effects of which are clearly trivial.' The meaning of 'clearly trivial' is cross-referenced to paragraph A1 of proposed ISA 450 where triviality is expressed in relation to materiality. There is no concept of a deficiency being assessed without reference to a financial effect.
We do not agree with the introduction of the concept of 'clearly trivial' in a manner that links it with ISA 450. We recommend elsewhere in this response that auditors should not be required to communicate unimportant deficiencies in internal control. This would remove the need for proposed ISA 265 to make reference to 'clearly trivial'. If our suggestion is not adopted, however, the comments below will remain relevant.
The need to assess the potential financial effects may make it very difficult for auditors to classify any deficiencies as 'clearly trivial', because their financial effect is uncertain.
Paragraph A1 of proposed ISA 450 states that 'When there is any uncertainty about whether one or more items are "clearly trivial," the matter is considered not "clearly trivial."' In other words, auditors have to adopt a prudent treatment or resolve any uncertainty. This is not easy to do when, as defined in proposed ISA 265, a deficiency is not linked with others (unless considering whether it is significant) so it is not prudent to allocate any lesser financial effect to the deficiency than the full amount of transactions or balances concerned. While any control over small cash balances could be considered as clearly trivial, it would appear that no control over a material transaction stream or asset or liability can be considered to be clearly trivial.
These difficulties will lead to minor deficiencies being communicated and we do not believe that such a result is either justifiable in terms of increased audit quality or sensible in terms of the diversion of auditor and management time and cost.
Elimination of term 'material weakness'
Proposed ISA 265 introduces the term 'significant deficiency' and, through conforming amendments, withdraws the term 'material weakness' [in internal control] from ISAs. We disagree with the reasoning advanced for this change and explain why we prefer to retain the existing term.
The Explanatory Memorandum explains that 'The IAASB believes that the most important public interest consideration for the wide range of audits covered by the ISAs is to ensure that the auditor communicates identified non-trivial deficiencies in internal control ("deficiencies") to those parties within the entity who can competently deal with them on a timely basis.'
We have no difficulty with this belief as we agree with the next statement in the Explanatory Memorandum that: 'This is consistent with current practice under the ISAs whereby auditors have historically applied their judgment to determine broadly the control matters that they would consider to be "material weaknesses" for reporting to management and those charged with governance (without being required to perform specific evaluations of the level of severity of such matters).'
We see nothing in the above to justify the creation of a new term 'deficiency in internal control' nor to create a new term 'significant deficiency'. As set out more fully in the section of this response headed Definitions and in our General Comments we have concerns about the definitions of these terms and the operation of the requirements of proposed ISA 265.
As noted in the Explanatory Memorandum the term material weakness is so established that it has passed into law, such as the EU Statutory Audit Directive. Although not precisely defined, we believe that 'material weakness' is actually well understood and that there is therefore no need to clarify its meaning in order to improve the consistency with which auditors treat identified weaknesses in internal control as material, and how such matters are reported. We see no research evidence advanced to support the IAASB's view that inconsistency occurs at such a level as would make it a public interest consideration.
A 'material weakness' is one that could have a material effect on the financial statements. This is an intuitive definition as well as being long-established.
Auditors will continue to exercise judgement in relation to 'material weakness' because they are required to identify a risk of material misstatement of the financial statements in accordance with ISA 315. It seems likely that, even if removed from ISAs, the term 'material weakness' will remain in use in common language.
We believe that the use of the term 'material weakness' has underpinned current practice and that its abolition, together with the use of the new terms, will result in an overwhelming increase in the communication of trivial matters to the detriment of confidence in the audit process.
Influence of US PCAOB
The Explanatory Memorandum explains that the definition of the new term 'significant deficiency' is closely aligned with the same term used in the US PCAOB's Auditing Standard 5 and that the PCAOB's definition of 'material weakness' was not one which could be aligned with the extant IFAC term as it results in a higher threshold for purposes of reporting publicly on the effectiveness of internal control, as required by the Sarbanes-Oxley Act.
The IAASB further explains that 'The co-existence of two different definitions of the same term [material weakness] in IAASB and PCAOB standards could potentially generate confusion amongst practitioners and users of financial statements around the world and lead to attempts at reconciling their meanings for varying reporting purposes.'
We are not convinced by this argument. We have not experienced confusion around the world as a result of the choice of terms for use in Auditing Standard 5, because it is not a global standard. We fear real confusion will arise if the IAASB changes to non-intuitive terminology as proposed in ISA 265. This will extend to jurisdictions, such as the EU where there will be a need to reconcile 'material weakness' in law and the terminology in ISAs. Indeed, as ISAs would no longer use the term 'material weakness', the EU may even find transnational auditors adopting an inappropriate US definition.
Overall recommendation on terminology
We recommend retaining the term 'material weakness', as currently defined [there is no need to be more precise].
There should be a requirement to communicate material weakness in internal control to those charged with governance. In the manner suggested for paragraph A8, related guidance should be provided that: 'Law or regulation in some jurisdictions may establish requirements for the auditor to communicate to those charged with governance or to other relevant parties (such as regulators) details of specific types of material weaknesses in internal control that the auditor has identified during the audit, and may define terms such as "significant deficiency" for this purpose.'
Proposed conforming changes to other ISAs should not be finalised.
Need for proposed ISA 265
Proposed ISA 265 relies on definitions in ISA 315 and communication with those charged with governance is dealt with generally in ISA 260 (Revised and Redrafted) Communication with Those Charged with Governance (ISA 260). Even before the changes we recommend elsewhere in this response, the need for a separate ISA was not great. Indeed there is already a requirement in ISA 260 to communicate 'Material weaknesses, if any, in the design, implementation or operating effectiveness of internal control that have come to the auditor's attention and have been communicated to management as required by ISA 315 (Redrafted), or ISA 330 (Redrafted)'.
It would simplify matters considerably if the material potentially remaining in a finalised ISA 265 were to be dealt with in other ISAs.
Matters on which Specific Comments are Requested
In this section of our response we address the issues identified for specific comment in the Explanatory Memorandum forming part of the Exposure Draft.
Other controls that management may assert would prevent, or detect and correct, misstatements arising from identified deficiencies
Although we answer below the two questions set out in the Explanatory Memorandum, we have fundamental reservations about the definitions and concepts underlying these issues. This is discussed further in the section of this response headed General Comments.
The issue of 'other controls' becomes important only in the context of communicating to those charged with governance, who may not be acquainted with management's views. We recommend that the material be repositioned, so that the auditor follows it when deciding on communication of significant deficiencies.
Rewording of the material ought to take into account, however, the concerns we express about definitions and related requirements as set out elsewhere in this response.
Further investigation
We agree that the auditor should not be required to obtain audit evidence regarding the design and operating effectiveness of other controls unless otherwise necessary for the purposes of the audit.
Requirement to communicate if no evidence about operating effectiveness (1)
We disagree with the proposed requirement to communicate to management as identified deficiencies the suspected deficiencies that management asserts are addressed by other controls. This is because such communication has already taken place.
The communication of deficiencies will take place at the time management responds by providing information on other controls. The classification of deficiencies for audit purposes is not itself required to be communicated to management (the classification between 'identified' - which are required to be communicated to management - and 'suspected' - which the auditor is free to communicate or not) so a further requirement to communicate identified deficiencies is actually unnecessary (although the general requirement to communicate remains necessary and this is what drives the above discussion).
Requirement to communicate if no evidence about operating effectiveness (2)
We disagree with the proposed requirement to communicate to management suspected deficiencies that management asserts are addressed by other controls unless evidence is obtained about the operating effectiveness of the other controls. This is because such a requirement only makes sense in circumstances where the auditor is intending to rely on the operating effectiveness of controls (and so will test that).
It is acceptable for an auditor to obtain an understanding of 'internal control relevant to the audit', which are 'those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks.' (ISA 315) The auditor is not required by ISA 315 to obtain evidence about the operating effectiveness of controls. The auditor is required to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls only when intending to rely on that, or if substantive procedures alone are not sufficient (paragraph 8, ISA 330 (Redrafted) The Auditor's Responses to Assessed Risks).
Management could find, therefore, that an auditor raises, as a suspected deficiency, a control that is apparently badly designed. Management informs the auditor of other controls that would prevent, or detect and correct, misstatements arising from the deficiency. Because the auditor is not intending to rely on controls there is no testing of operating effectiveness of either the deficiency or the other controls and at that point the auditor is required to inform management about the suspected deficiency (because the auditor has not tested the operating effectiveness of other controls) but the auditor has no obligation to inform management about other controls that similarly have not been tested for operating effectiveness. While it might be argued that the suspected deficiency has been identified by the auditor as such and other controls have not been so identified, the auditor may not have considered all controls nor indeed discussed them with management (if for example operated by other personnel).
Management may be surprised, therefore, to be informed of a deficiency that it has represented to the auditor as being addressed by other controls when the auditor has more knowledge that there is no problem in that area than in respect of other controls.
We do not believe that there needs to be a standard of proof in relation to the validity of management representations regarding controls that is higher than is applied to all other management representations. It should remain a matter of auditor judgement as to whether to rely on a management representation corroborated by work to investigate the design and operation of other controls or whether testing of operating effectiveness is necessary.
Application of the Clarity Drafting Conventions
Scope
Paragraph 1
In the section of our response headed Overall approach we refer to similarities between proposed ISA 265 and proposed ISA 450 regarding the treatment of clearly trivial matters and the need to consider individual matters in aggregate. If our suggestions are not accepted it will be necessary to consider the consistency of approach and wording of the two ISAs.
Paragraph 1 of proposed ISA 265 states that: 'This ISA does not address deficiencies in internal control the potential financial effects of which are clearly trivial.'
Proposed ISA 450 does not have a similar statement in its Scope section, although it too has a requirement restricted in its application so as to exclude clearly trivial matters [misstatements].
Paragraph 3
Paragraph 3 explains that the auditor is not prohibited from communicating important control matters that are not relevant to the audit. We do not agree with the inclusion of this paragraph. This is because:
- It is not necessary
- Its inclusion creates an expectation that auditors should communicate important control matters that are not relevant to the audit (even though proposed ISA 265 does not require it)
- It is incomplete, as there could also be an explicit statement that neither is the auditor prohibited from communicating clearly trivial deficiencies in internal control (for example, if that is requested by the client).
Objective
The objective of proposed ISA 265 is acceptable but its drafting should be simplified. We suggest:
'The objective of the auditor is to communicate to management or those charged with governance as appropriate, deficiencies identified during the audit that are of sufficient importance to merit their respective attentions.'
Definitions
As set out in the section of our response headed General Comments, we do not agree with the use of the terms 'deficiency in internal control' and 'significant deficiency'. Our comments below are relevant in the event that the terms are, nevertheless, retained.
Deficiency in internal control
The definition of 'Deficiency in internal control' refers to '[a control that is] missing'. It is necessary to be more specific as, even with a 'clearly trivial' threshold, auditors could identify many omissions, especially in smaller companies. The fact that the definition is singular (a combination of deficiencies only features in the definition of 'significant deficiency') means that the auditor cannot take account of compensating controls. This itself is a weakness in the definition overall. Even a control that is designed, implemented or operated may not, on its own, be able to prevent, or detect and correct, misstatements in the financial statements on a timely basis.
We strongly suggest that the definition needs to be amended to make it clear that only controls that are necessary can be considered to be 'missing'. Further, when making a determination of whether a deficiency in internal control has been identified (requirement in paragraph 7), that judgement has to be informed by an overall understanding of internal control. Paragraph A62 of ISA 315 includes suitable guidance:
'A62. Evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, or detecting and correcting, material misstatements....'
Significant deficiency
The definition of 'Significant deficiency' is unnecessary because it is, in effect, a circular definition. The term could be replaced by the words 'a deficiency the auditor decides to report to those charged with governance'. The term could be eliminated to improve the clarity of requirements as follows:
| Proposed ISA 265 | Suggested revision |
|---|---|
| 8 If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on the basis of the audit work performed, whether, individually or in combination, they constitute significant deficiencies. | Not necessary – see paragraph 10 below |
| 10 The auditor shall communicate significant deficiencies identified during the audit to those charged with governance in writing and on a timely basis. | 10 If the auditor communicates one or more deficiencies in internal control to those charged with governance the auditor shall do so in writing and on a timely basis. |
| 11 The auditor shall include in the written communication of significant deficiencies:... | including:... |
In the Application and Other Explanatory Material section, the term can be eliminated to achieve similar simplification.
Inconsistencies in definitions
The definitions of 'Deficiency in internal control' (6(a)) and 'Significant deficiency' (6(b)) are inconsistently worded in relation to:
- 'internal control' – which is omitted from 6(b) (the term should be 'significant deficiency in internal control')
- 'relevant to the audit' – which is omitted from 6(a) (paragraph 5 indicates that there is no reason for this omission)
Requirements
In our General Comments we suggest significant changes to the requirements and indeed question the need for a separate proposed ISA 265. The comments below are relatively brief and are restricted, therefore, to those that may remain relevant.
Paragraph 9
We refer to our comments under the headings Requirement to communicate if no evidence about operating effectiveness (1) and (2).
Paragraph 10
It should be made clear whether the requirement to report 'in writing and on a timely basis' is mandating only that the writing should be on a timely basis or that oral communication (in accordance with paragraph A16) is necessary to be timely.
Paragraph 11
Paragraph 11 is written on the basis that there is one ['the'] written communication. If there are two or more written communications, the requirement is for the information in 11(b) to be included in each. This seems unnecessary and we suggest that the requirement be rewritten to accommodate circumstances where there are one or more written communications.
Other Matters
The Explanatory Memorandum forming part of the Exposure Draft invites comments on the following other matters:
- Special considerations in the audit of small entities
- Special considerations in the audit of public sector entities
- Developing nations
- Translation
Our response contains comments that are relevant to the above except we have not made a distinction between developing nations and others, as the audit of small entities may be present in both. We have no separate comments on public sector aspects of the proposed standard.
As set out under the heading General Comments, we are particularly concerned with the potential cost increases that will affect audits of smaller entities, as we believe that proposed ISA 265 will drive inappropriate levels of work.
Related Conforming Amendments to Other ISAs
In our General Comments, for the reasons set out under the heading Elimination of term 'material weakness', we recommend that the proposed conforming changes to other ISAs should not be made.
In the event that they go ahead, in this section of our response we comment briefly on conforming amendments to ISAs arising as a result of proposed ISA 265.
ISA 240 (Redrafted) The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements
The simple substitution of 'deficiencies' for 'weaknesses' is done in the context of the knowledge of an individual with an opportunity to commit fraud. A plain language approach would be better as such an individual would not be constrained by the auditor definition. The word 'specific' could be deleted, as that is inherent in the definition.
ISA 330 (Redrafted) The Auditor's Responses to Assessed Risks
We see no reason to delete paragraph A40, which could be rendered as: 'A material misstatement detected by the auditor's procedures may indicate the existence of a significant deficiency in internal control.'


