Key Takeaways

  • ISA 265 requires the auditor to communicate deficiencies in internal control identified during the audit to those charged with governance (TCWG) and management — ensuring that people with the power to fix control weaknesses are informed about them.
  • The standard defines two levels: a deficiency in internal control (a control that is unable to prevent or detect and correct misstatements on a timely basis, or a necessary control that is missing) and a significant deficiency (a deficiency, or combination of deficiencies, important enough to merit the attention of TCWG).
  • Significant deficiencies must be communicated to TCWG in writing and on a timely basis. They must also be communicated in writing to an appropriate level of management.
  • Other deficiencies — those not rising to the level of significant but still important enough to warrant management's attention — must be communicated to management in writing.
  • The communication must include a description of the deficiencies, an explanation of their potential effects, and contextual statements clarifying that the audit was not designed to express an opinion on internal control and that the matters reported are limited to those identified during the audit.
  • ISA 265 does not require the auditor to search for deficiencies — it applies only to deficiencies actually identified during the normal course of the audit. The auditor is not performing an internal control audit.

What is ISA 265?

ISA 265, titled "Communicating Deficiencies in Internal Control to Those Charged with Governance and Management," addresses what the auditor does when, during the normal course of the audit, they discover that the entity's internal controls are not working as they should — or that needed controls simply do not exist.

This is distinct from performing an internal control audit. A financial statement auditor obtains an understanding of internal control under ISA 315 to assess risks and design audit procedures — not to express an opinion on the effectiveness of internal control. But in the course of that work, the auditor will inevitably identify weaknesses. ISA 265 governs what happens next.

The standard exists because the auditor occupies a unique position: they have detailed knowledge of the entity's controls, the professional expertise to evaluate those controls, and access to people at every level of the organisation. Control deficiencies identified by the auditor may not have been identified by management — particularly in smaller entities without a dedicated internal audit function. The communication requirement ensures these findings reach the people who can act on them.

ISA 265 is effective for audits of financial statements for periods beginning on or after 15 December 2009.

Key Definitions

Deficiency in internal control

ISA 265.6(a) defines a deficiency as existing when:

  • A control is designed, implemented, or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or
  • A control that is necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.

In practical terms, a deficiency exists when either: a control exists but does not work properly (design or operating failure), or a control that should exist simply does not (missing control).

Examples of deficiencies:

  • Bank reconciliations are prepared monthly but not reviewed by someone independent of the preparer.
  • The entity processes payroll but has no segregation of duties between those who create employee records and those who approve payments.
  • Access controls to the accounting system allow junior staff to post journal entries without approval.
  • Revenue is recorded based on delivery notes, but the entity has no process to match delivery notes to customer purchase orders before recording revenue.

Significant deficiency

ISA 265.6(b) defines a significant deficiency as a deficiency or combination of deficiencies in internal control that, in the auditor's professional judgment, is of sufficient importance to merit the attention of those charged with governance.

The standard does not provide a mechanical test for significance. Instead, ISA 265.A6 identifies factors the auditor should consider:

Factor | What to Consider
Likelihood | How likely is it that the deficiency could lead to a material misstatement?
Magnitude | What is the potential size of the misstatement that could result?
Subjectivity | Does the deficiency affect areas involving significant judgment or estimation?
Volume | Does the deficiency relate to accounts or transactions that are individually small but collectively significant?
Compensating controls | Are other controls in place that mitigate the deficiency?
Entity-level controls | Does the deficiency affect the control environment, management oversight, or the entity's risk assessment process?

The "material weakness" terminology

If you come from a US audit background or work with clients subject to SOX reporting, you may be familiar with the term "material weakness." ISA 265 deliberately does not use this term — it was removed during the standard's development to avoid confusion with the US definition, which has a specific regulatory meaning under PCAOB standards. Under ISAs, the term is "significant deficiency," which is a broader concept than the US "significant deficiency" but narrower than the US "material weakness." If working across jurisdictions, be clear about which framework's terminology you are using.

The Auditor's Objective

ISA 265.5 states the objective:

The objective of the auditor is to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified during the audit and that, in the auditor's professional judgment, are of sufficient importance to merit their respective attentions.

Two phrases are critical: "identified during the audit" — the auditor does not search for deficiencies beyond what is required by other ISAs; and "respective attentions" — different deficiencies go to different recipients depending on their severity.

Communication Requirements

Who receives what

ISA 265 creates a clear communication hierarchy:

Level of Deficiency | Communicate To | How | When
Significant deficiency | Those charged with governance | In writing | On a timely basis
Significant deficiency | Appropriate level of management | In writing (unless inappropriate to communicate to management) | On a timely basis
Other deficiency (not significant but warranting management attention) | Appropriate level of management | In writing | On a timely basis
Clearly trivial deficiency | No communication required | Not applicable | Not applicable

The "appropriate level of management" is the level with the responsibility and authority to take corrective action. A deficiency in the accounts payable process should be communicated to the financial controller or CFO — not to the head of marketing. A deficiency in the overall control environment should be communicated to the CEO or the board.

When communication to management is inappropriate

ISA 265.10 recognises that in some circumstances, communicating directly to management may be inappropriate — for example, when the deficiency involves management integrity, management's role in the entity's internal control environment, or management override of controls. In these cases, the communication should go directly to TCWG without informing management.

Content of the Written Communication

ISA 265.11 specifies what the written communication must include:

A description of the deficiencies and an explanation of their potential effects. The auditor does not need to quantify the potential misstatement — the requirement is to explain the risk clearly enough for TCWG or management to understand the implication and assess the urgency of remediation.

Sufficient context to enable TCWG and management to understand the communication. This includes:

  • A statement that the purpose of the audit was to express an opinion on the financial statements.
  • A statement that the audit included consideration of internal control relevant to the preparation of the financial statements in order to design appropriate audit procedures — but not for the purpose of expressing an opinion on the effectiveness of internal control.
  • A statement that the matters reported are limited to those deficiencies that the auditor identified during the audit and concluded were of sufficient importance to report.

These contextual statements are essential — without them, recipients may misunderstand the scope and nature of the auditor's work. The communication is not a comprehensive assessment of internal control; it is a targeted notification of specific issues the auditor happened to identify.

The Management Letter in Practice

While ISA 265 does not use the term "management letter," this is the common industry name for the written communication of internal control deficiencies and other audit findings to management and TCWG.

What a good management letter looks like

A well-structured management letter typically includes:

For each deficiency: a clear description of the finding, the risk or potential effect, a recommendation for remediation, management's response (if obtained), and an agreed timeline for implementation.

Classification of severity: significant deficiencies flagged separately from other observations, with clear labelling so that TCWG can immediately identify the most important matters.

Follow-up on prior-year findings: referencing deficiencies communicated in previous years and noting whether management has implemented the recommended corrective actions. Recurring uncorrected deficiencies are particularly important — they may indicate a control environment issue.

Making the management letter a value-add

Many audit clients see the management letter as the most valuable tangible output of the audit — more valuable, in their perception, than the audit opinion itself. A management letter that merely lists deficiencies in generic terms misses the opportunity. The best management letters explain the deficiency in the specific context of the entity, quantify the risk where possible (e.g., "This deficiency could result in undetected revenue cut-off errors of up to €X"), provide a practical and specific recommendation for remediation, and prioritise findings so management knows where to focus resources. For smaller firms competing on value, the quality of the management letter is a genuine differentiator.

What ISA 265 Does Not Require

Understanding the boundaries of ISA 265 is as important as understanding its requirements:

No obligation to search for deficiencies. The auditor communicates deficiencies identified during the normal course of the audit. ISA 265 does not create an additional work effort to find deficiencies beyond what is required by ISA 315 (understanding internal control for risk assessment) and ISA 330 (testing controls when relying on them).

No opinion on internal control effectiveness. The auditor is not expressing an opinion on whether internal control as a whole is effective. The communication explicitly states this.

No requirement to test whether deficiencies have been corrected. While the auditor may reference prior-year deficiencies in the management letter, there is no ISA 265 requirement to perform follow-up procedures to verify remediation. That said, under ISA 315, the auditor must obtain an understanding of relevant controls each year — and if a prior-year deficiency has not been corrected, that will affect the risk assessment.

No exhaustive list of all deficiencies. The communication covers deficiencies the auditor considers important enough to report — not every minor weakness. Clearly trivial matters need not be communicated.

The Relationship Between ISA 265 and Other ISAs

ISA 265 intersects with several other standards:

ISA 315 (Revised 2019): The auditor's understanding of internal control — obtained under ISA 315 — is where most deficiencies are initially identified. The risk assessment process under ISA 315 directly informs the identification of control weaknesses.

ISA 330: When the auditor plans to rely on controls and tests those controls, deviations or control failures identified during testing are control deficiencies that must be evaluated under ISA 265.

ISA 260 (Revised): ISA 260 provides the broader framework for communication with TCWG. ISA 265's communication of significant deficiencies is a specific subset of the matters communicated under ISA 260. Other significant audit findings — qualitative aspects of accounting, significant difficulties, and other matters — are communicated under ISA 260.

ISA 220 (Revised): Quality management at the engagement level requires the engagement partner to ensure that appropriate communications are made — including internal control deficiency communications under ISA 265.

ISA 265 in Your Jurisdiction

Netherlands. COS 265 follows ISA 265 closely. Dutch practice places significant emphasis on the management letter (beheersingsbrief) as a key audit deliverable. The AFM's inspection findings have highlighted the quality of management letters as an area of focus — specifically, whether identified deficiencies are clearly described, appropriately classified as significant or non-significant, and communicated on a timely basis. For OOB engagements, the additional report to the audit committee (Article 11 report under the EU Audit Regulation) must also address internal control matters.

Germany. ISA 265 requirements are addressed within the German Prüfungsbericht framework. The Prüfungsbericht (§321 HGB) — the auditor's detailed report to the supervisory board — contains a section on internal control findings that substantially fulfills ISA 265's communication requirements. German practice typically provides a more detailed treatment of internal control observations than is common in some other jurisdictions, reflecting the Prüfungsbericht's comprehensive nature.

United Kingdom. ISA (UK) 265 is substantively aligned with ISA 265. The FRC's inspection findings have noted inconsistencies in how firms assess whether deficiencies are "significant" — some firms apply an overly narrow interpretation, communicating only deficiencies that actually resulted in a material misstatement, while the standard requires a forward-looking assessment of whether the deficiency could lead to material misstatement. UK practice also distinguishes between the management letter (to management and TCWG) and the audit committee report (a broader communication under ISA (UK) 260).

France. NEP 265 implements ISA 265 within the French statutory audit framework. French commissaires aux comptes are required to present their findings on internal control to the governance body (typically the conseil d'administration or conseil de surveillance). The French regulatory environment places particular emphasis on internal control for certain entities — the AMF requires listed companies to produce an annual internal control report, which creates a regulatory context for the auditor's ISA 265 communications.

Frequently Asked Questions

What is the difference between a deficiency and a significant deficiency?

A deficiency exists when a control does not work properly or a needed control is missing. A significant deficiency is a deficiency (or combination of deficiencies) that is important enough to merit the attention of those charged with governance. The distinction is based on the auditor's professional judgment, considering factors such as the likelihood and potential magnitude of resulting misstatement.

Does the auditor have to find all deficiencies in internal control?

No. ISA 265 applies only to deficiencies identified during the normal course of the audit. The auditor's procedures under ISA 315 and ISA 330 are designed to assess risk and obtain audit evidence — not to perform a comprehensive evaluation of all internal controls. Some deficiencies will inevitably go unidentified, and the communication must state this limitation.

Must the management letter be issued before the audit report?

ISA 265 requires communication on a "timely basis" but does not specify that it must precede the audit report. However, best practice — and many firms' policies — is to issue the management letter before or concurrently with the audit report, so that TCWG can consider the findings when evaluating the financial statements. For significant deficiencies that affect the auditor's risk assessment or the audit approach, earlier communication is essential.

Can deficiency communications be combined with the ISA 260 communication?

Yes. Many auditors combine ISA 265 communications with the broader ISA 260 communication to TCWG, particularly where the same document (such as an audit committee report) covers both significant audit findings and internal control deficiencies. The key is that the ISA 265 requirements for written communication, specific content, and contextual statements are met regardless of the format.

What happens if a significant deficiency was communicated in a prior year and has not been corrected?

ISA 265 does not prohibit re-communicating prior-year findings. In practice, most auditors include uncorrected prior-year deficiencies in the current year's management letter — often with enhanced emphasis to indicate that the matter remains unresolved. Recurring uncorrected significant deficiencies may indicate broader concerns about the control environment or management's attitude toward internal control, which the auditor should consider in the risk assessment.

Does ISA 265 apply to deficiencies in IT general controls?

Yes. IT general controls (access security, change management, IT operations, business continuity) are internal controls within the scope of ISA 265. If the auditor identifies deficiencies in IT controls during the audit — for example, inadequate segregation of duties in the accounting system, missing access reviews, or uncontrolled changes to financial reporting systems — these are evaluated and communicated under the same framework as any other control deficiency.

Further Reading and Source References

  • IAASB Handbook 2024 — The authoritative source for the complete ISA 265 text, including all application material (paragraphs A1–A18).
  • ISA 260 (Revised) — Communication with Those Charged with Governance — the broader communication framework that ISA 265 complements.
  • ISA 315 (Revised 2019) — Identifying and Assessing the Risks of Material Misstatement — the standard under which the auditor obtains the understanding of internal control from which deficiencies are identified.
  • ISA 330 — The Auditor's Responses to Assessed Risks — where control testing may reveal operating deficiencies.
  • EU Audit Directive (2014/56/EU), Article 11 — Requirements for the additional report to the audit committee of PIEs, including internal control matters.