ISA 265 Communicating Deficiencies in Internal Control
ISA 265 requires auditors to communicate significant deficiencies in internal control to those charged with governance. This guide covers how deficiencies are classified, what must be communicated, and the format of the communication.
Identifying internal control deficiencies and communicating them clearly is one of the most valuable things an auditor does for their client. Done well, it strengthens the business. Done poorly — with vague findings and no context — it adds no value and erodes the client relationship. ISA 265 sets the floor; good auditors go further.
What Is a Significant Deficiency?
A significant deficiency is a deficiency in internal control — or combination of deficiencies — that is significant enough to merit the attention of those charged with governance. The key word is "significant" — not every control weakness qualifies. The auditor uses judgement considering: the likelihood that a misstatement could occur; the potential magnitude of the misstatement; and the interaction between deficiencies. Note that a significant deficiency does not require that a misstatement has actually occurred — it is about the potential for one.
Identifying Deficiencies During the Audit
Deficiencies are identified as a by-product of audit procedures — through tests of controls, substantive procedures, and analytical review — not through a dedicated internal controls review. When the auditor identifies a misstatement or near-miss, they should consider what control failure allowed it to occur. The aggregation of individually minor deficiencies may constitute a significant deficiency in combination.
Communication Requirements
Significant deficiencies must be communicated in writing to those charged with governance on a timely basis — typically before the audit report is signed, so that the audit committee is informed as part of the sign-off process. All deficiencies that come to the auditor's attention (not just significant ones) must be communicated to management, unless clearly insignificant.
What Good Communication Looks Like
A quality management letter does not just list deficiencies — it explains the risk each deficiency creates, provides a concrete example where possible, suggests a practical remediation, and asks management to respond with their planned action and timeline. Vague findings ("controls over the period-end process could be strengthened") are useless. Specific findings with specific recommendations are valued.
Learnsignal Education Team

