Page 279 - COSO Guidance Book
P. 279

Reporting deficiencies






            Definitions, communications, and specified parties

            Definitions and communications
            AU-C section 265 provides the following definitions regarding deficiencies in internal control:


                   A deficiency in internal control exists when the design or operation of a control does not allow
                   management or employees, in the normal course of performing their assigned functions, to
                   prevent or detect and correct misstatements on a timely basis.

                   A deficiency in design exists when (a) a control necessary to meet the control objective is missing
                   or (b) an existing control is not designed properly so that, even if the control operates as
                   designed, the control objective would not be met. A deficiency in operation exists when a properly
                   designed control does not operate as designed or when the person performing the control does
                   not possess the necessary authority or competence to perform the control effectively.

                   A material weakness is defined as a deficiency, or a combination of deficiencies, in internal
                   control, such that there is a reasonable possibility that a material misstatement of the entity’s
                   financial statements will not be prevented, or detected and corrected, on a timely basis.

                   A significant deficiency is defined as a deficiency, or a combination of deficiencies, in internal
                   control that is less severe than a material weakness yet important enough to merit attention by
                   those charged with governance (such as the board of directors).
            AU-C section 265 states that when law or regulation requires the auditor to communicate deficiencies in
            internal control that the auditor has identified during the audit using specific terms, but such terms have
            not been defined, the auditor may use the definitions, requirements, and guidance in AU-C section 265 to
            comply with the law or regulation. The requirements of AU-C section 265 are applicable, regardless of
            whether that law or regulation may require the auditor to use specific terms or definitions.

            The external auditor guidance in AU-C section 265 requiring the auditor to communicate significant
            deficiencies and material weaknesses in writing to those charged with governance reflects the
            importance of these matters and assists those charged with governance in fulfilling their oversight
            responsibilities. The auditor is required to make this communication no later than 60 days following the
            report release date.

            The framework uses the term “major deficiency” as a category of a deficiency in internal control.

            This term is different from that which GAAS uses. Major deficiency is defined as an internal control
            deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve
            its objectives.





            © 2020 Association of International Certified Professional Accountants. All rights reserved.    7-9
   274   275   276   277   278   279   280   281   282   283   284