Under Canadian Auditing Standards 265 “Communicating Deficiencies in Internal Control to Those Charged with Governance and Management,” auditors are required to communicate to those charged with governance significant deficiencies in internal control identified during the audit. Such deficiencies could be the absence of a necessary control or the ineffective application of a control which was thought to be working or in place. Once identified, the auditor then assesses whether these deficiencies, individually or in combination, are significant. If so determined, the auditor must report in writing these significant deficiencies to the board or those charged with governance. This communication is commonly referred to as the management letter.
Generally, the auditor has been engaged solely to provide an audit opinion on the historical financial statements. (An exception being an engagement under CPA Canada Handbook Section 5925 “An Audit of Internal Control over Financial Reporting that Is Integrated with an Audit of Financial Statements” where the auditor is formally engaged to provide a special report.) Therefore, it should be highlighted in the management letter that consideration of internal controls is limited to those relevant to the preparation of the financial statements and that the deficiencies noted are limited to those the auditor concluded to be significant.
No Significant Deficiencies
We remind practitioners that careful consideration should be given prior to issuing a management letter indicating that no significant deficiencies were identified during the audit. This is because audit documentation is required to substantiate this assessment. More importantly, the practitioner should be cognizant of the potential of such a letter to be misunderstood by a reader as providing assurance on internal controls.
Copy to Third Parties
Although the intended purpose of the management letter is not to provide assurance to third parties, we understand it is not uncommon for third parties to request a copy of the management letter. Where practitioners have been specifically engaged to provide a copy of the management letter to a third party but not an audit opinion on the internal controls, you might consider the applicability of Canadian Standard on Related Services 4460 “Reports on Supplementary Matters Arising from an Audit or a Review Engagement.”
If you subsequently discover that a copy of the management letter was provided to a third party without your knowledge, you might be required to communicate with your client to determine whether they informed the third party that reliance on the information would be inappropriate. Further guidance can be found in Canadian Standard on Association 5000 “Use of the Practitioner’s Communication or Name.”
The likelihood of clients misusing the management letter could be reduced with the inclusion of appropriate communication stipulating the limited nature and scope of the original purpose of the management letter, such as a restriction of use clause. Below are a few thoughts to consider when you are aware of such third-party requests:
- Outline in the document the intended purpose of a management letter and its inherent limitations. Practitioners might wish to note that you do not accept responsibility for reliance placed by third parties on the management letter. It might also be useful to emphasize that you were not engaged to audit the internal controls within the client organization.
- Include restriction of use wording where appropriate.
- Document client consent to share this information in your engagement letter if the practitioner is providing the management letter directly (not something we would advise).