Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ Paper 5 — Auditing & Ethics/ Core Audit Concepts
Microlesson · 5-min read

SA 265 – Significant Deficiencies in Internal Control

## SA 265: Significant Deficiencies in Internal Control

### What Is a Deficiency in Internal Control?

A deficiency exists when:

  • A control is designed, implemented, or operated in a way that it cannot prevent, or detect and correct, misstatements on a timely basis; OR
  • A control necessary to prevent or detect misstatements is missing.

### What Makes a Deficiency "Significant"?

A significant deficiency is one that, in the auditor's professional judgement, is of sufficient importance to merit the attention of those charged with governance.

### Factors for Determining Significance

FactorWhat to Consider
Likelihood of future material misstatementsHow probable is it that this deficiency leads to material misstatement?
Susceptibility to loss or fraudIs the related asset/liability prone to theft or manipulation?
Complexity of estimatesDoes it involve subjective fair values or complex accounting estimates?
Financial amounts exposedHow large are the balances affected by the deficiency?
Volume of activityHow many transactions are at risk?
Importance to financial reportingDoes it affect oversight controls, fraud prevention, key accounting policies, related-party transactions, non-routine transactions, or period-end processes?
Cause and frequency of exceptionsHow often have errors been found because of this deficiency?
Interaction with other deficienciesDoes it compound other weaknesses?

### Communication Requirements Under SA 265

The auditor must communicate to both management and those charged with governance:

1. Description of the significant deficiency

2. Potential effects – what could go wrong as a result

3. Sufficient context to understand the importance of the communication

> Key principle: Simply listing that a significant deficiency exists is not enough. The auditor must explain what could go wrong and why it matters.

Worked example

### Example 1

Defective Communication — Related Party Transactions (MTP)

Auditor observed that transactions with firms in which directors were interested were not recorded in the statutory registers. The auditor issued a communication simply stating 'There is a significant deficiency in internal controls relating to recording of related-party transactions.'

Issue: This communication is incomplete under SA 265.

What the auditor should have done:

  • Described the deficiency (controls for recording related-party transactions are missing/inadequate)
  • Explained the potential effect: such a deficiency can lead to misstatement of related-party transactions in the financial statements
  • Highlighted the importance of the control
  • Recommended that responsibility be fixed on concerned persons for adhering to this control

Conclusion: Communication of significant deficiency must include description + potential effects + context — not just the bare fact of its existence.

### Example 2

Core Limited — Determining Significant Deficiency (MTP 4)

CA Sumit, statutory auditor of Core Limited, needed to determine whether a deficiency (or combination of deficiencies) constitutes a significant deficiency.

Relevant factors to consider:

  • Likelihood of leading to material misstatements in future financial statements
  • Susceptibility to loss or fraud of the related asset or liability
  • Subjectivity and complexity in determining estimated amounts (e.g., fair value estimates)
  • The financial statement amounts exposed to the deficiency
  • Volume of activity in the affected account balance or transaction class
  • Importance of the control (e.g., general monitoring controls, fraud detection controls, controls over accounting policies, related-party controls, non-routine transaction controls, period-end controls)
  • Cause and frequency of exceptions detected because of the deficiency
  • Interaction with other deficiencies in internal control

Key takeaway: No single factor is decisive. The auditor exercises professional judgement, considering all factors together.

⚠️ Common exam mistakes

  • Communicating only the description of a significant deficiency without explaining its potential effects — SA 265 requires description AND explanation of potential effects.
  • Treating a combination of individually minor deficiencies as insignificant without assessing their combined impact.
  • Communicating significant deficiencies only to management and not to those charged with governance — SA 265 requires communication to both.
  • Not considering all eight factors (likelihood, susceptibility, complexity, amounts exposed, volume, importance to reporting, frequency, interaction) when deciding if a deficiency is 'significant'.
  • Assuming that if a misstatement has not yet occurred, the deficiency cannot be significant — the likelihood of future misstatement is itself a key factor.
Bare-Act text SA 265 · SA 265 – Communicating Deficiencies in Internal Control to Those Charged with Governance and Management · click to expand
A deficiency in internal control exists when: (1) A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or (2) A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.
← Previous
SA 265 – Communicating Deficie
Next →
SA 299 – Joint Audit of Financ
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic