AS 1305: Communicating Control Deficiencies in an Audit

Auditing Standard 1305 (AS 1305) is a standard issued by the Public Company Accounting Oversight Board (PCAOB). This standard establishes the requirements for how an independent auditor communicates internal control issues identified during a financial statement audit. It serves as a formal communication channel between the auditor and the company’s management and audit committee. The standard ensures those responsible for overseeing financial reporting are formally notified of weaknesses. While the primary objective of a financial statement audit is not to find all control issues, the process often brings them to light, and this standard dictates the subsequent communication responsibilities.

Understanding Control Deficiencies

A control deficiency exists when the design or operation of a control does not permit management or employees to prevent or detect financial misstatements in a timely manner. A deficiency in design occurs when a necessary control is missing or is structured in a way that it would not meet its objective. A deficiency in operation happens when a properly designed control is not operated as intended, or the person performing it lacks the necessary authority or competence.

Auditors evaluate the severity of a control deficiency using two factors: likelihood and magnitude. Likelihood refers to the probability that a misstatement could occur because of the deficiency, while magnitude considers the potential size of the misstatement. This evaluation is not based on whether a misstatement has actually occurred, but on the potential for one to occur.

Based on this evaluation, deficiencies are categorized by severity. A “significant deficiency” is a control deficiency, or a combination of them, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight.

The most severe classification is a “material weakness.” This is defined as a deficiency, or a combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis. The determination of whether a deficiency is significant or material is a matter of professional judgment for the auditor.

Communication Requirements for Management

Auditing Standard 1305 mandates that the auditor communicates all identified control deficiencies to the company’s management in writing. This requirement includes not only severe issues but also those that do not rise to the level of a significant deficiency or a material weakness.

The written communication must be delivered to an appropriate level of management, which is generally considered to be personnel who have the authority to take corrective action. The communication should provide enough detail for management to understand the nature of the deficiencies.

This written communication to management must occur before the auditor issues their report on the financial statements. This timing allows management to consider the implications of the deficiencies as they finalize their own reporting.

Communication Requirements for the Audit Committee

Separate from the communication to management, AS 1305 requires a distinct written communication to the company’s audit committee. This communication is focused on the more severe issues and must include all identified “significant deficiencies” and “material weaknesses.”

The content of this letter must include the definitions of the terms “material weakness” and “significant deficiency” to ensure the committee understands the context of the findings. The communication must also clearly describe each significant deficiency and material weakness and explain the potential consequences of these issues on the company’s financial reporting.

The deadline for providing this formal letter to the audit committee is on or before the date the auditor’s report on the financial statements is issued. If the auditor becomes aware that the audit committee’s oversight itself is ineffective, they must communicate this concern in writing to the full board of directors.

Prohibited Communications

Auditing Standard 1305 contains a specific prohibition regarding what an auditor can state about the absence of control deficiencies. The standard explicitly forbids an auditor from issuing a report or any other form of written communication stating that no control deficiencies were identified during the audit. Similarly, the auditor is prohibited from reporting in writing that no significant deficiencies were discovered.

The rationale for this prohibition is to avoid providing a level of assurance that the audit was not designed to deliver. A financial statement audit is not designed to provide absolute assurance on the effectiveness of a company’s internal control; its scope is limited to the work necessary to render an opinion on the financial statements.

A statement that no deficiencies were found could be misinterpreted by management, the board, or investors as a clean bill of health for the company’s entire internal control system. Since the auditor does not test every control, such a statement would be inappropriate and potentially misleading, creating a false sense of security.