● Management's process for making accounting estimates
● Risks of material misstatement
● Indicators of possible management bias
Financial Statement Disclosures
● The issues involved, and related judgments made, in formulating particularly sensitive financial statement disclosures (for example, disclosures related to revenue recognition, going concern, subsequent events, and contingency issues)
● The overall neutrality, consistency, and clarity of the disclosures in the financial statements
Related Matters
● The potential effect on the financial statements of significant risks and exposures, and uncertainties, such as pending litigation, that are disclosed in the financial statements.
● The extent to which the financial statements are affected by unusual transactions, including nonrecurring amounts recognized during the period, and the extent to which such transactions are separately disclosed in the financial statements.
● The factors affecting asset and liability carrying values, including the entity's bases for determining useful lives assigned to tangible and intangible assets. The communication may explain how factors affecting carrying values were selected and how alternative selections would have affected the financial statements.
● The selective correction of misstatements – for example, correcting misstatements with the effect of increasing reported earnings, but not those that have the effect of decreasing reported earnings.
Other AU-C Sections
Requirements to communicate with those charged with governance are included in other AU-C sections, and readers should refer to those sections in this book: AU-C Sections 210, 240, 250, 265, 550, 560, 570, 600, 705, 706, 720, 730, 930, and 935.
AU-C 265 COMMUNICATING INTERNAL CONTROL RELATED MATTERS IDENTIFIED IN AN AUDIT
AU-C Original Pronouncements
Technical Alert
In October 2015, the Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 130. SAS No. 130 contains amendments to this section. Any relevant changes are incorporated into the information that follows.
AU-C Definitions of Terms
Source: AU-C Section 265.07
Deficiency in internal control. A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (1) a control necessary to meet the control objective is missing, or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
Material weakness. A deficiency or a combination of deficiencies in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A reasonable possibility exists when the likelihood of an event occurring is either reasonably possible or probable as defined as follows:
a. Reasonably possible. The chance of the future event or events occurring is more than remote, but less than likely.
b. Probable. The future event or events are likely to occur.
Significant deficiency. A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
Objectives
AU-C Section 265.06 states that:
…the objective of the auditor is to appropriately communicate to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor's professional judgment, are of sufficient importance to merit their respective attentions.
Requirements
Determining Whether Deficiencies in Internal Control Have Been Identified
The auditors must determine whether, on the basis of the audit work performed, they have identified one or more deficiencies in internal control. (AU-C 265.08) The auditor must evaluate the severity of the control deficiencies identified during the audit to determine whether those deficiencies, individually or in combination, are significant deficiencies or material weaknesses. See “Definitions of Terms” for definitions of these terms. (AU-C 265.09)
NOTE: The auditor is not required to search out or have procedures in place to identify control deficiencies. In other words, when an auditor “trips across” an internal control deficiency in the course of an audit, the auditor must then evaluate the deficiency.
Determination of Deficiency Severity
The auditor must evaluate identified control deficiencies to determine whether they are – individually or in the aggregate – significant deficiencies or material weaknesses. (AU-C 265.09) When evaluating control deficiencies, the auditor should consider both the possibility and the magnitude of the misstatement that could result from the deficiency. Determining the severity of a deficiency depends on:
1. The magnitude of a misstatement resulting from the deficiency, and
2. Whether there is a reasonable possibility that the entity's controls will fail to prevent, or detect and correct, a misstatement. Notice that the determination of severity of a deficiency does not depend on whether the misstatement actually occurred.
(AU-C 265.A5)
The magnitude of a misstatement can be impacted by such factors as the amounts or transaction volume that is exposed to the deficiency. When evaluating the magnitude of a potential misstatement, the recorded amount is considered the maximum amount by which an account balance can be overstated. (AU-C 265.A6-.A7)
Risk Factors
The reasonable possibility that one or more deficiencies will result in a financial statement misstatement is affected by risk factors. Risk factors include the following:
● The nature of the financial statement, transaction types, account balances, disclosures, and assertions
● The susceptibility of assets or liabilities to loss or fraud
● The extent of judgment required to determine amounts, as well as the level of subjectivity and complexity in these decisions
● The interaction of controls with each other
● The interaction of deficiencies with each other
● The future consequences of the deficiency
● The importance of the controls to the financial reporting process
(AU-C 265.A8)
One can evaluate whether a deficiency presents a reasonable possibility of misstatement without quantifying a specific range for the probability of occurrence. It is quite possible that the probability of a small misstatement will exceed the probability of a large misstatement. (AU-C 265.A9)
Possibility of the misstatement. The possibility of a misstatement is a continuous spectrum that ranges from “remote” to “reasonably possible” to “probable.” The following diagram illustrates this range,