Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / Audit Concepts / SAs
Microlesson · 5-min read

SA 265 – Communication of Deficiencies in Internal Control to TCWG and Management

# SA 265: Communication of Deficiencies in Internal Control

## Objective of the Auditor

To communicate appropriately to TCWG and management, deficiencies in internal control that:

1. Were identified during the audit, AND

2. In the auditor's professional judgment, are of sufficient importance to merit their respective attention

---

## Key Definitions

### Deficiency in Internal Control

Exists when either:

  • A control is designed, implemented, or operated such that it cannot prevent, or detect and correct, misstatements in the FS on a timely basis, OR
  • A necessary control is missing to prevent, or detect and correct, such misstatements

### Significant Deficiency in Internal Control

A deficiency (or combination of deficiencies) in internal control that, in the auditor's professional judgment, is of sufficient importance to merit the attention of TCWG.

> Key distinction: All significant deficiencies are deficiencies, but not all deficiencies are significant.

---

## Factors for Determining Whether a Deficiency is Significant — Mnemonic: VISE AF

LetterFactorDetail
VVolume of activityVolume in the account balance or transaction class exposed to the deficiency
IImportance of controlsMonitoring controls, fraud prevention/detection, accounting policy selection, related-party transactions, unusual/non-routine transactions, period-end reporting controls
SSusceptibilitySusceptibility of the related asset or liability to loss or fraud
EEstimatesSubjectivity and complexity in determining estimated amounts (e.g., fair value)
AAmountsFS amounts exposed to the deficiency
FFuture likelihoodLikelihood the deficiency leads to material misstatements in future

---

## Indicators of Significant Deficiencies — 9 Examples

1. Significant transactions where management is financially interested — not scrutinised by TCWG

2. Management fraud identified (material or not) that internal control failed to prevent

3. Management failed to implement remedial action on significant deficiencies previously communicated

4. Absence of a risk assessment process

5. Evidence of an ineffective entity risk assessment process

6. Evidence of an ineffective response to identified significant risks

7. Misstatements detected by the auditor that internal control failed to prevent, detect, or correct

8. Material misstatement (error or fraud) disclosed as prior period items in the current year's P&L

9. Evidence of management's inability to oversee preparation of the FS

---

## Communication Requirements

### To TCWG:

  • Communicate in writing all significant deficiencies
  • Must be on a timely basis

### To Management (at appropriate level of responsibility, timely):

TypeRequirement
Significant deficienciesIn writing — those communicated (or intended to be communicated) to TCWG, unless inappropriate to communicate directly to management
Other (non-significant) deficienciesThose not communicated by other parties, if in auditor's judgment they merit management's attention

---

## Content of Written Communication of Significant Deficiencies

Must include:

  • Description of the deficiency + explanation of potential effects
  • Sufficient context for TCWG and management to understand the communication

Must clarify (to avoid misunderstanding):

1. The audit's purpose was to express an opinion on the FS — not to express an opinion on the effectiveness of internal control

2. The audit included consideration of internal control only to design appropriate audit procedures

3. Matters reported are limited to deficiencies identified during the audit that the auditor concluded merit reporting to TCWG

Worked example

### Example 1

Example 1 — Classifying a deficiency as 'significant' using VISE AF:

Scenario: During the audit of a manufacturing company, the auditor finds that there is no formal approval process for journal entries passed by the CFO at period-end. The CFO has complete access to pass adjusting entries without independent review.

Applying VISE AF:

  • I (Importance): Period-end journal entries are a high-risk area for manipulation → significant control
  • S (Susceptibility): High — CFO can record fraudulent entries
  • F (Future): Likely to lead to material misstatements if unchecked

Conclusion: This is a significant deficiency — auditor must communicate this in writing to TCWG on a timely basis.

### Example 2

Example 2 — Distinguishing what goes to TCWG vs. management:

Scenario: The auditor identifies three issues during the audit:

(A) No reconciliation of petty cash — minor, low-volume

(B) Absence of a risk assessment process across the company

(C) A prior year fraud by the accounts manager that internal control failed to catch

(A): Ordinary deficiency — communicate to management only (not to TCWG in writing)

(B): Indicator of significant deficiency (no risk assessment process) — communicate in writing to both TCWG and management

(C): Indicator of significant deficiency (management fraud not prevented) — communicate in writing to both TCWG and management, noting the audit was not designed to express an opinion on internal control effectiveness

⚠️ Common exam mistakes

  • Confusing 'deficiency in internal control' with 'significant deficiency' — every significant deficiency is a deficiency, but ordinary deficiencies only go to management, not necessarily to TCWG in writing
  • Assuming all internal control deficiencies must be communicated in writing to TCWG — only significant deficiencies require written communication to TCWG; other deficiencies go to management if they merit attention
  • Forgetting that the written communication must explicitly clarify that the audit was NOT designed to express an opinion on the effectiveness of internal control — omitting this creates misleading impressions
  • Applying VISE AF factors individually in isolation — deficiencies must be evaluated both individually AND in combination; a combination of individually minor deficiencies can constitute a significant deficiency
  • Overlooking the 'timely basis' requirement — communication must happen promptly, not just in the final audit report stage
Bare-Act text Objective and Definitions · SA 265 issued by ICAI · click to expand
The objective of the auditor is to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor's professional judgment, are of sufficient importance to merit their respective attentions. A deficiency in internal control exists when: (a) a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or (b) a control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing. A significant deficiency in internal control means a deficiency or combination of deficiencies in internal control that, in the auditor's professional judgment, is of sufficient importance to merit the attention of those charged with governance.
← Previous
SA 260 – Communication with Th
Next →
SA 299 – Responsibility of Joi
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic