Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / AUDIT - Standards on Auditing
Microlesson · 5-min read

SA 265 - Communicating Deficiencies in Internal Control

# SA 265 — Communicating Deficiencies in Internal Control to TCWG and Management

## Two Core Definitions

### Deficiency in IC

Exists when:

  • A control necessary to prevent, or detect and correct, misstatements in FS is missing, OR
  • A control is designed, implemented or operated so that it is unable to prevent, or detect and correct, misstatements.

### Significant Deficiency in IC

A deficiency (or combination of deficiencies) of sufficient importance to merit attention of TCWG.

> Key insight: Significance depends not only on whether misstatement actually occurred but also on the likelihood of misstatement. Therefore, a significant deficiency may exist even though the auditor has not identified any actual misstatement.

## Communication Hierarchy

  • Significant deficiencies → communicate in writing to TCWG.
  • Significant deficiencies must also be communicated to management in writing — unless inappropriate to do so directly.
  • Other (non-significant) deficiencies not communicated by other parties — communicate to management if of sufficient importance for management's attention.

## Factors to judge whether a deficiency is SIGNIFICANT

  • Likelihood of the deficiency leading to MM in FS in the future.
  • FS amounts exposed to the deficiency.
  • Volume of activity in the Class of transaction, Account balance or Disclosure (CAD) exposed.
  • Susceptibility to loss or fraud of the related asset or liability.
  • Subjectivity and complexity of estimated amounts (e.g., fair value).
  • Importance of the controls to the financial reporting process:
  • General monitoring controls (e.g., management oversight).
  • Controls over the period-end FR process.
  • Controls over fraud prevention and detection.
  • Controls over selection and application of accounting policies.
  • Controls over significant transactions with Related Parties (RP).
  • Controls over significant transactions outside the entity's normal course of business.
  • Cause and frequency of exceptions detected.
  • Interaction of the deficiency with other deficiencies in IC.

## Indicators of Significant Deficiencies (Red flags)

  • Evidence of ineffective control environment, e.g.:
  • Significant transactions in which management is financially interested are not appropriately scrutinised by TCWG.
  • Identification of management fraud not prevented by the entity's IC.
  • Management's failure to remediate previously communicated significant deficiencies.
  • Evidence of management's inability to oversee preparation of FS.
  • Absence of Risk Assessment Procedure (RAP) where it should exist.
  • Evidence of an ineffective entity RAP.
  • Misstatements detected that were not prevented or detected by IC.
  • Disclosure of MM as prior period items in the current year's P&L.
  • Evidence of ineffective response to identified significant risks.

## Contents of the Written Communication (Letter of Weakness)

The written communication of significant deficiencies must include:

1. A description of the deficiencies.

2. Their potential effects.

3. Sufficient information to enable TCWG and management to understand the context, including that:

  • The purpose of the audit was to express an opinion on the FS.
  • The audit included consideration of IC, but NOT for the purpose of expressing an opinion on the effectiveness of IC.
  • The matters being reported are limited to deficiencies the auditor has identified during the audit (i.e., the auditor has not searched for ALL deficiencies).

## Practical name

This written communication is commonly called the "Letter of Weakness" or Management Letter.

Worked example

### Example 1

Example 1 — Significant deficiency despite no misstatement: The auditor finds that no one independently reviews journal entries posted by the CFO. No misstatement has occurred this year — but the LIKELIHOOD of future MM is high. This is a significant deficiency and must be communicated in writing to TCWG.

### Example 2

Example 2 — Management fraud red flag: During the audit, the auditor discovers that the MD bypassed approval controls to expense personal travel. Management fraud not prevented by IC is an INDICATOR of significant deficiency in the control environment — communicate in writing to TCWG.

### Example 3

Example 3 — Letter of Weakness contents: The auditor identifies that there is no segregation of duties between cash receipt and bank reconciliation. The letter to TCWG must (a) describe the deficiency, (b) state potential effects (misappropriation of cash), and (c) state that audit was for opinion on FS not on IC effectiveness, and that only deficiencies identified during audit are reported.

### Example 4

Example 4 — Prior period restatement: The current year's P&L discloses a MM correction as a prior-period item. This is an INDICATOR that prior-year IC was deficient — auditor must consider it a significant deficiency.

⚠️ Common exam mistakes

  • Stating that a significant deficiency requires that an actual misstatement be found — NO, likelihood alone is enough.
  • Communicating significant deficiencies only ORALLY — they must be communicated IN WRITING to TCWG.
  • Saying the auditor expresses an opinion on the effectiveness of IC under SA 265 — NO; the audit considers IC only to support the FS opinion.
  • Forgetting to mention in the Letter of Weakness that only deficiencies IDENTIFIED during the audit are being reported.
  • Skipping communication to management when TCWG is informed — significant deficiencies must ALSO be communicated to management in writing (unless inappropriate).
  • Treating EVERY deficiency as significant — only those of sufficient importance to TCWG qualify.
Reference: — SA 265 - Communicating Deficiencies in Internal Control to TCWG and Management (ICAI)
← Previous
SA 260 - Communication with Th
Next →
SA 299 - Joint Audit of Financ
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic