Communication Regarding Material Weaknesses and Significant Deficiencies (Adapted from SAS No. 115) Your Firm’s Logo Date Client Organization Client Contact Address City, State and Zip Dear Client Contact: We appreciate the opportunity to have conducted your audit this year. As previously discussed, we are writing to you to communicate deficiencies in internal control that we identified during the audit of your financial statements that we determined to be significant deficiencies or material weaknesses. This communication is a requirement of Statement on Auditing Standards (SAS) No. 115, Communicating Internal Control Related Matters Identified in an Audit, which supersedes SAS No. 112 of the same name. SAS No. 115 applies to audits of financial statements for periods ending on or after December 15, 2009. As we previously discussed, early implementation of SAS No. 115 is permitted and we will be implementing SAS No. 115 in the audit of your financial statements this year. In planning and performing our audit of your financial statements for the period ending Month XX, 20XX, we considered your internal control over financial reporting (internal control) as a basis for designing our auditing procedures, in accordance with generally accepted auditing standards (GAAS). We did this for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of ABC Company’s (Company) internal control. Accordingly, as a part of your audit, we are not expressing an opinion on the effectiveness of the Company’s internal control. Our consideration of internal control was for the limited purpose of conducting your organization’s audit and would not necessarily identify all deficiencies in internal control that might be considered material weaknesses {or significant deficiencies}. However, we did identify certain deficiencies in internal control that we consider to be material weaknesses [and other deficiencies that we consider to be significant deficiencies] that are discussed below. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect, and correct misstatements on a timely basis. It is important to note that control deficiencies are problems that you will not necessarily choose to address; however, they do represent potential risks. Our job as your financial statement auditor is to make you aware of and assist you in understanding these material weaknesses [and significant deficiencies], assist you in understanding them, and thereby enable you to make informed business decisions about how best to respond to the potential risks. In this year’s audit, we identified the following: Materials Weaknesses A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. We believe that the following deficiencies constitute material weaknesses: [Describe the material weaknesses that were identified] Communication Regarding Material Weaknesses and Significant Deficiencies (Adapted from SAS No. 115) Significant Deficiencies A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider the following deficiencies to be significant deficiencies in internal control: [Describe the significant deficiencies that were identified. [Examples of circumstances that may be deficiencies, significant deficiencies, or material weaknesses are presented in Exhibit B of SAS No. 115. Examples of significant deficiencies and material weaknesses are presented in the AICPA Risk Alert, Communicating Internal Control Related Matters in an Audit – Understanding SAS No. 115.] This written communication related to the material weaknesses [and significant deficiencies] identified during this year’s audit is intended solely for the information of and use by management of ABC Company, those charged with the Company’s governance, others you deem appropriate within your organization, and any governmental authorities that require you to submit this information. It is not intended for use by anyone other than these specified parties. {You may identify the body or individuals charged with governance or any specified governmental authorities.} We are available to answer any questions you may have related to the [material weaknesses] [significant deficiencies] we identified during your audit or to discuss the benefits and associated costs of options for remedying them, if you would like to do so. If you wish to set up a meeting to discuss this communication or your organization’s internal control, please feel free to contact me at insert your contact information here. We appreciate the opportunity to have conducted your organization’s audit. Sincerely, Name Audit Partner or Managing Partner Communication Regarding Material Weaknesses and Significant Deficiencies (Adapted from SAS No. 115) Examples of Significant Deficiencies and Material Weaknesses The following descriptions of material weaknesses and significant deficiencies are illustrative and are intended to provide examples of what you may find in your client audits. They are not intended to be used verbatim as each client situation will be unique. Once you identify any control deficiencies, you will need to evaluate them based on the parameters outlined in SAS No. 115 to determine if they are significant deficiencies or material weaknesses, and then list them under the appropriate sections of the communication. The findings you include in your communication will need to be specific to the organization you are auditing. 1 - Material weakness regarding the design of controls over the preparation of financial statements: The Committee of Sponsoring Organizations (COSO) framework for effective internal control over financial reporting involves the identification and analysis of the risks of material misstatement of the company’s audited financial statements. Management of ABC Company is responsible for determining how those identified risks should be managed. However, management has not identified risks related to the preparation of reliable financial statements and as a result has failed to design effective controls over the preparation of the financial statements to prevent or detect and correct material misstatements of the financial statements, including footnote disclosures. 1a – Material weakness regarding the operation of controls over the preparation of financial statements The COSO framework for effective internal control over financial reporting states that management should select and develop control activities that mitigate risks to the achievement of financial reporting objectives; which include appropriate financial statement disclosures required by generally accepted accounting principles (GAAP). ABC Company’s policies and procedures require that the drafted financial statements be reviewed and compared to a current GAAP checklist to evaluate whether the financial statements are reliable and in accordance with GAAP. This year, these procedures were performed by an employee of ABC Company who did not have current GAAP knowledge. As a result, we identified material disclosure and classification misstatements that were not prevented or detected and corrected by management prior to our audit. 2 - Material weakness related to the design of controls over accounting for fixed assets and leases (this could apply to controls over estimates as well) The COSO framework for effective internal control over financial reporting involves the identification and analysis of the risks of material misstatement of the company’s financial statements. Management has not identified or analyzed financial reporting risks in the area of fixed assets and lease accounting and as a result has failed to design effective controls over the accounting for fixed assets and leases to prevent or detect, and correct material misstatements of the financial statements. 3 – Significant deficiency related to a lack of segregation of duties – design deficiency The COSO framework for effective internal control over financial reporting indicates that, to the extent possible, no single individual should have control over two or more phases of a transaction or operation. Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities for any one person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties. In the course of our audit we noted that the employee who opens the mail containing cash receipts also makes bank deposits, records these payments, and reconciles the bank account. Management has not separated incompatible activities of company personnel, thereby creating risks to the safeguarding of cash. 4 – Significant deficiency related to controls over the preparation and review of bank reconciliation – operating effectiveness Communication Regarding Material Weaknesses and Significant Deficiencies (Adapted from SAS No. 115) The COSO framework for effective internal control over financial reporting states that control activities relating to reliable financial reporting should be established and communicated to personnel throughout the organization with corresponding procedures established to ensure that these control activities are operating effectively, resulting in management directives being carried out. Although ABC Company has established procedures and controls related to bank reconciliations, we found that these procedures and controls are not being followed. As a result, material misstatements of the cash account and the misappropriation of cash may occur and not be prevented or detected and corrected on a timely basis. 5- Material weakness regarding monitoring of controls – design deficiency The COSO framework for effective internal control over financial reporting states that monitoring should be performed to assess the quality of the company’s system of internal control. Management has not performed either ongoing or separate evaluations of the Company’s internal control. As a result, the company’s controls may not be designed or operating effectively to provide reasonable assurance that controls will prevent or detect and correct material misstatements in a timely manner. Additionally, management has not established a process to identify or communicate corrective actions to improve controls. DISCLAIMER: This publication has not been approved, disapproved or otherwise acted upon by any senior technical committees of, and does not represent an official position of, the American Institute of Certified Public Accountants. It is distributed with the understanding that the contributing authors and editors, and the Communication Regarding Material Weaknesses and Significant Deficiencies (Adapted from SAS No. 115) publisher, are not rendering legal, accounting, or other professional services in this publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought.