What you'll learn

  • How ISA 265.7-8 defines a control deficiency and a significant deficiency, and where the line falls
  • When to communicate to those charged with governance vs management under ISA 265.9-11
  • What form, content, and timing the communication requires (ISA 265.A14)
  • How to avoid the most common inspection finding: vague or late deficiency communications

You found a control deficiency during fieldwork. The client's purchase approval process has no segregation of duties: the same person raises, approves, and records purchase orders up to €25,000. You're fairly sure this needs to go in the management letter. But does it go to management, to those charged with governance, or both? And does the timing of your communication actually matter for inspection purposes?

ISA 265 requires the auditor to communicate in writing to those charged with governance (TCWG) any significant deficiencies in internal control identified during the audit, and to communicate to management deficiencies that are of sufficient importance to merit management's attention (ISA 265.9-11). The distinction between a control deficiency and a significant deficiency determines who receives the communication and in what form.

What is a control deficiency under ISA 265?

ISA 265.7(a) defines a control deficiency as existing when a control is designed, implemented, or operated in a way that does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A deficiency also exists when a control necessary to prevent or detect misstatements is missing entirely.

The definition has two branches. The first covers controls that exist but do not work properly. A bank reconciliation is prepared monthly but nobody reviews it. The control exists (the reconciliation is prepared) but it does not operate effectively because the review step that would detect errors is absent.

The second branch covers controls that should exist but do not. If the entity processes 500 purchase transactions per month and has no approval process above a certain threshold, the absence of that control is itself a deficiency. The auditor does not need to find an actual misstatement to identify a deficiency. The control gap alone is sufficient.

ISA 265 does not require the auditor to search specifically for control deficiencies. ISA 265.7(b) is clear: the auditor communicates deficiencies that come to the auditor's attention during the audit. The identification of deficiencies is a by-product of the risk assessment procedures under ISA 315 and the tests of controls under ISA 330. If you are performing a fully substantive audit and do not test controls at all, you may still identify design deficiencies through your understanding of the entity's processes.

When does a deficiency become significant?

ISA 265.8 defines a significant deficiency as a deficiency or combination of deficiencies in internal control that, in the auditor's professional judgement, is of sufficient importance to merit the attention of those charged with governance.

The standard deliberately avoids a bright-line threshold. There is no "if the deficiency could result in a misstatement exceeding X% of materiality, it is significant" test. Instead, ISA 265.A5-A7 provides indicators that suggest a deficiency may be significant. These indicators include:

  • The likelihood that the deficiency could lead to material misstatements in the financial statements in the future
  • The susceptibility to loss or fraud of the related asset or liability
  • The subjectivity and complexity of determining estimated amounts (relevant for accounting estimates)
  • The financial statement amounts exposed to the deficiency
  • The volume of activity that has occurred or could occur in the account balance or class of transactions exposed to the deficiency
  • The importance of the control to the financial reporting process

ISA 265.A6 adds that a deficiency in the control environment (tone at the top, governance oversight, competence of accounting personnel) is often significant because it affects the reliability of the entire control system, not just one process.

The judgement is forward-looking. A deficiency that has not yet resulted in a misstatement can still be significant if it could lead to a material misstatement in a future period. An entity with no controls over journal entries has a deficiency that is significant regardless of whether any incorrect journal entries were actually posted during the current period.

ISA 265.A7 provides a useful negative test: a deficiency need not be significant just because it resulted in a misstatement that was detected and corrected. If the entity's own review process caught and corrected the error before the financial statements were prepared, the detection control worked. The deficiency may still be worth reporting to management, but it may not rise to the level of significant.

Who receives the communication?

ISA 265.9 requires the auditor to communicate significant deficiencies in writing to those charged with governance on a timely basis. This is not optional. If the auditor identifies a significant deficiency, it goes to TCWG in writing.

ISA 265.11 requires the auditor to communicate to management, at an appropriate level, deficiencies in internal control that the auditor has identified during the audit and that are of sufficient importance to merit management's attention. These are deficiencies that do not rise to the "significant" threshold but are still worth reporting.

The two communications can overlap. A significant deficiency communicated to TCWG should also be communicated to management (unless the deficiency relates to management's own actions, in which case communicating to management would be inappropriate). ISA 265.A14 notes that when the deficiency relates to the competence or integrity of management, the auditor communicates to TCWG only.

The hierarchy works like this:

  • Significant deficiency: Written communication to TCWG (mandatory under ISA 265.9). Also communicate to management unless the deficiency implicates management.
  • Other deficiency of sufficient importance: Communication to management (ISA 265.11). The standard does not require this to be in writing, but ISA 265.A14 notes that written communication is normally appropriate. In practice, include it in the management letter.
  • Minor deficiency not of sufficient importance: No communication required. The auditor may choose to communicate it verbally, but ISA 265 does not require it.

Form, content, and timing

ISA 265.A14 addresses the form and timing of the communication. Significant deficiencies must be communicated in writing. The standard does not prescribe a specific format, but the communication should include:

A description of the deficiency and an explanation of its potential effects. ISA 265.A12 emphasises that the auditor need not quantify the potential effects, but should provide enough context for TCWG to understand why the deficiency is significant.

The communication must be made on a timely basis. ISA 265.9 uses the phrase "on a timely basis" without defining a deadline. In practice, "timely" means during or shortly after the audit, not six months later. The AFM has flagged late communications as a recurring inspection finding: teams that issue the management letter three months after signing the audit report have not met the timeliness requirement.

The content should not include recommendations unless the auditor chooses to. ISA 265.A13 clarifies that the auditor is not required to recommend corrective actions, and many firms separate the deficiency communication (which is ISA 265) from advisory recommendations (which are separate engagement work). Mixing them in a single letter can create confusion about which points are audit findings and which are consulting advice.

One content requirement that teams often miss: ISA 265.9 requires the communication to include a statement that the auditor's purpose was not to identify all deficiencies in internal control. This disclaimer is important because it manages expectations. The audit was not a controls audit. The deficiencies communicated are those that came to the auditor's attention, not an exhaustive list.

The management letter vs the TCWG communication

In practice, many firms combine the TCWG communication and the management letter into a single document. This is permitted under ISA 265.A14, but it creates a risk: the significant deficiencies (which must go to TCWG) get buried among operational recommendations that have nothing to do with ISA 265.

A cleaner approach separates the two. The TCWG communication covers significant deficiencies only, references ISA 265 explicitly, includes the disclaimer about scope, and is addressed to the audit committee or supervisory board. The management letter covers other deficiencies and operational observations, is addressed to management, and can include recommendations.

When a separate TCWG communication is issued, the auditor's report on the financial statements does not reference the deficiency communication. ISA 265 communications are private communications to TCWG and management. They are not public documents and do not appear in the auditor's report unless the deficiency also triggers a modification or key audit matter under ISA 701.

The timing of the management letter often slips because teams treat it as an administrative task to complete after the audit opinion is signed. This is the wrong sequence. Drafting the deficiency points during fieldwork (as you identify them) and finalising the letter before or alongside the audit report ensures timeliness and reduces the risk of forgetting a point that was clear during testing but faded from memory by completion.

Worked example

Brouwer Techniek B.V. Revenue: €35M. Industrial equipment manufacturer in Eindhoven. 80 employees. First-year audit engagement (successor auditor). During the risk assessment and substantive testing, the audit team identifies four control deficiencies.

  1. Identify and describe each deficiency.
     (a) No segregation of duties in the purchase-to-pay cycle: the purchasing manager can create purchase orders, approve invoices, and initiate payments up to €10,000 without a second approval.
     (b) Month-end bank reconciliations are prepared by the bookkeeper but not reviewed by a second person.
     (c) Physical inventory counts are performed annually, but the count procedures lack documentation of how discrepancies are investigated.
     (d) The general ledger system allows journal entries by three users, with no approval workflow for entries above €5,000.
     Documentation note: For each deficiency, record the control that is missing or not operating effectively, the process it relates to, and how it was identified (risk assessment walkthrough, substantive test, or other procedure).

  2. Assess significance for each deficiency. Apply ISA 265.A5-A7 indicators.
     Deficiency (a): the purchasing manager processes approximately €4M in purchases annually. The absence of segregation of duties exposes the entity to both error and fraud risk. Given the volume of transactions and the susceptibility to loss, this is a significant deficiency.
     Deficiency (b): bank reconciliation review is a detective control over cash, the most liquid asset. Monthly unreviewed reconciliations increase the risk that errors or irregularities go undetected for up to a month. Significant.
     Deficiency (c): the inventory count procedure gap could affect the accuracy of the €6M inventory balance, but the entity has a gross margin that has remained stable within 1% over three years, providing indirect evidence of inventory accuracy. Not significant, but of sufficient importance.
     Deficiency (d): unrestricted journal entry access for three users with no approval workflow is a significant deficiency because it affects the entire general ledger.
     Documentation note: For each deficiency, document the ISA 265.A5-A7 indicators assessed, the judgement reached, and the rationale. This is the working paper that inspection teams will review.

  3. Determine the communication recipients. Significant deficiencies (a), (b), and (d) must be communicated in writing to TCWG under ISA 265.9. Deficiency (c) is communicated to management in the management letter under ISA 265.11.
     Documentation note: Record the communication plan: which deficiencies go to TCWG, which to management, and the planned timing.

  4. Draft the communications. Prepare the TCWG letter addressing deficiencies (a), (b), and (d). Include the ISA 265 disclaimer that the audit was not designed to identify all deficiencies. Prepare the management letter addressing deficiency (c) and including deficiencies (a), (b), and (d) for management's information.
     Documentation note: File both communications in the audit file with the date issued and evidence of receipt.

  5. Issue on a timely basis. The audit report is signed on 28 March 2026. The TCWG communication is issued on 21 March 2026 (before the audit report). The management letter is issued on 28 March 2026 alongside the report.
     Documentation note: Record the dates of issuance. If there is a delay beyond the audit report date, document the reason.

A reviewer sees: four deficiencies identified, three assessed as significant with documented rationale, the TCWG letter issued before the audit report, and the management letter issued concurrently.

Practical checklist

  1. During fieldwork, maintain a running log of control deficiencies as you identify them. Do not wait until completion to compile the list. A spreadsheet with columns for description, process area, ISA 265.A5-A7 indicator assessment, and significance conclusion is sufficient.
  2. For every deficiency assessed as significant, document the specific indicators from ISA 265.A5-A7 that support the judgement. A one-line note ("segregation of duties issue, significant") is not enough for inspection.
  3. Issue the TCWG communication before or at the same time as the audit report. ISA 265.9 requires "timely" communication. A letter issued months after the audit report is a finding waiting to happen.
  4. Include the ISA 265 disclaimer in the TCWG communication: the audit's purpose was not to identify all deficiencies in internal control (ISA 265.9).
  5. Separate significant deficiency communications (TCWG) from operational recommendations (management letter). If you combine them in one document, clearly label which points are ISA 265 significant deficiencies.
  6. When a deficiency implicates management's competence or integrity, communicate to TCWG only. Do not include it in a letter addressed to the person responsible for the deficiency.

Common mistakes

  • Issuing the management letter months after the audit report. The AFM has repeatedly flagged late communications as a deficiency. "Timely" under ISA 265.9 means during or shortly after the audit, not when the team gets around to it.
  • Failing to distinguish between significant deficiencies and other deficiencies. Inspection teams check whether the auditor applied ISA 265.A5-A7 indicators and documented the significance assessment. A management letter that lists 12 points with no indication of which ones are significant does not comply.
  • Omitting the ISA 265 disclaimer that the audit's purpose was not to identify all deficiencies. This disclaimer protects both the auditor and TCWG from the expectation that the communication is an exhaustive controls assessment.
