Auditors are required to communicate to audit committees or others charged with governance “significant control deficiencies,” including “material weaknesses” [as these terms are defined in the applicable standards, i.e., AU-C section 285 or, for SEC issuers, Auditing Standards (AS) 1305 and 2201]. The standards require that these communications be written, to avoid any potential for misunderstanding or denial by the intended recipient, and that they be issued before or concurrently with the audit report for SEC issuers; for others, they may be presented within 60 days thereafter.
Interim communications (required for SEC issuers), if first made orally, must be documented contemporaneously and followed up in writing within 45 days.
Classifying Control Deficiencies
In classifying control deficiencies in these communications, it is essential to focus on the definitions in the standards, which rely on the probability of a material financial statement misstatement or omission slipping through the controls undetected, rather than on the actual occurrence or detection of one. It is not relevant whether what the auditor finds is material—as many auditors often erroneously conclude—but rather whether it could have been. This determination requires the careful assessment of attendant facts and the application of professional judgment, which must be fully documented. To classify a deficiency as a material weakness, all one needs is a “reasonable possibility” that a material misstatement will not be timely prevented or detected and corrected. This distinction cannot be overemphasized. A “significant deficiency” is less severe than a material weakness but still judged to be important enough to merit attention by those charged with governance.
Drafting the Communications
It is necessary to clearly articulate significant control deficiencies (including material weaknesses) in written communications, generally as the main focus in the first sentence of each internal control finding communicated, rather than to merely report the evidence or results of the deficiencies (i.e., the exceptions noted). In addition, it is never necessary to describe the audit procedure in progress when the deficiency was observed.
The following are some examples of the proper structure to use to introduce a control deficiency:
- “The Company does not appear to have effective control policies or procedures in place that provide management with reasonable assurance of meeting [control objective].”
- “Although the Company has certain control policies or procedures in place that are intended to provide management with reasonable assurance of meeting [control objective], they are ineffective because of the absence of adequate monitoring procedures intended to evaluate the degree of compliance or noncompliance with such control policies or procedures.”
- “The Company does not appear to have sufficiently trained or experienced personnel in its accounting department to afford reasonable assurance to management that nonroutine transactions are recorded, and financial statements are prepared, in accordance with generally accepted accounting principles [or another financial reporting framework in use].”
A recommendation for remediation also may be included with the finding, but if the deficiency is clearly articulated, it is often best omitted as redundant and unnecessary. In any case, it should not be left to the reader to turn a recommendation inside out to discern the nature of the observed deficiency.
When recommendations are contained in auditor communications (other than in formal reports issued under AS 2201), they should include specific control policies or procedures believed likely to be effective or should state clearly the control objectives for which management needs to develop control policies or procedures.
In fact, recommendations generally should be discouraged in letters to SEC issuer audit clients to avoid any question of independence impairment that might result from being seen as performing a management function, such as designing a portion of the client’s internal control policies and procedures. Rather, it is best if the auditor suggests that management develop and propose corrective action that the auditor offers to review. For private companies with less sophisticated management, it may be preferable to include recommendations, but only in a way that makes it clear that it is up to management to evaluate and determine their acceptability.
SEC issuers that restate previously issued financial statements, as well as their auditors, should also consider whether the identification of prior-period misstatements indicates a need to revise assertions in SOX section 404 reports and audit committee communications about the effectiveness (i.e., absence of material weaknesses) of internal controls, as well as in management’s assertions in SEC filings about disclosure controls.