1 SA 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment”, paragraphs 4 and 12.
2 SA 330, “The Auditor’s Responses to Assessed Risks”.
3 SA 260(Revised), “Communication with Those Charged with Governance”.
4 SA 315, paragraph 12.
Significant deficiency in internal control – A deficiency or combination of deficiencies in internal control that, in the auditor’s professional judgment, is of sufficient importance to merit the attention of those charged with governance. (Ref: Para. A5)
A1. In determining whether the auditor has identified one or more deficiencies in internal control, the auditor may discuss the relevant facts and circumstances of the auditor’s findings with the appropriate level of management. This discussion provides an opportunity for the auditor to alert management on a timely basis to the existence of deficiencies of which management may not have been previously aware. The level of management with whom it is appropriate to discuss the findings is one that is familiar with the internal control area concerned and that has the authority to take remedial action on any identified deficiencies in internal control. In some circumstances, it may not be appropriate for the auditor to discuss the auditor’s findings directly with management, for example, if the findings appear to call management’s integrity or competence into question (see paragraph A20).
A2. In discussing the facts and circumstances of the auditor’s findings with management, the auditor may obtain other relevant information for further consideration, such as:
Considerations Specific to Smaller Entities
A3. While the concepts underlying control activities in smaller entities are likely to be similar to those in larger entities, the formality with which they operate will vary. Further, smaller entities may find that certain types of control activities are not necessary because of controls applied by management. For example, management’s sole authority for granting credit to customers and approving significant purchases can provide effective control over important account balances and transactions, lessening or removing the need for more detailed control activities.
A4. Also, smaller entities often have fewer employees which may limit the extent to which segregation of duties is practicable. However, in a small owner- managed entity, the owner-manager may be able to exercise more effective oversight than in a larger entity. This higher level of management oversight needs to be balanced against the greater potential for management override of controls.
A5. The significance of a deficiency or a combination of deficiencies in internal control depends not only on whether a misstatement has actually occurred, but also on the likelihood that a misstatement could occur and the potential magnitude of the misstatement. Significant deficiencies may therefore exist even though the auditor has not identified misstatements during the audit.
A6. Examples of matters that the auditor may consider in determining whether a deficiency or combination of deficiencies in internal control constitutes a significant deficiency include:
A8. Controls may be designed to operate individually or in combination to effectively prevent, or detect and correct, misstatements6. For example, controls over accounts receivable may consist of both automated and manual controls designed to operate together to prevent, or detect and correct, misstatements in the account balance. A deficiency in internal control on its own may not be sufficiently important to constitute a significant deficiency. However, a combination of deficiencies affecting the same account balance or disclosure, relevant assertion, or component of internal control may increase the risks of misstatement to such an extent as to give rise to a significant deficiency.
A9. Law or regulation in some jurisdictions may establish a requirement (particularly for audits of listed entities) for the auditor to communicate to those charged with governance or to other relevant parties (such as regulators) one or more specific types of deficiency in internal control that the auditor has identified during the audit. Where law or regulation has established specific terms and definitions for these types of deficiency and requires the auditor to use these terms and definitions for the purpose of the communication, the auditor uses such terms and definitions when communicating in accordance with the legal or regulatory requirement.
A10. Where the jurisdiction has established specific terms for the types of deficiency in internal control to be communicated but has not defined such terms, it may be necessary for the auditor to use judgment to determine the matters to be communicated further to the legal or regulatory requirement. In doing so, the auditor may consider it appropriate to have regard to the requirements and guidance in this SA. For example, if the purpose of the legal or regulatory requirement is to bring to the attention of those charged with governance certain internal control matters of which they should be aware, it may be appropriate to regard such matters as being generally equivalent to the significant deficiencies required by this SA to be communicated to those charged with governance.
A11. The requirements of this SA remain applicable notwithstanding that law or regulation may require the auditor to use specific terms or definitions.
5 Accounting Standard (AS) 5, “Net Profit or Loss for the Period, Prior Period Items and Changes in Accounting Policies” requires that prior period items should be separately disclosed in the Statement of Profit and Loss in a manner that their impact on the current profit or loss can be perceived.
6 SA 315, paragraph A72.