During a financial statement audit, auditors are required to communicate internal control deficiencies to those charged with governance, such as the audit committee and key management personnel. These deficiencies can be classified into three levels based on severity:
Control deficiency: A control that is either missing or not functioning effectively to prevent or detect misstatements.
This is the least severe level and does not always require communication to those charged with governance.
Significant deficiency: A control weakness that is less severe than a material weakness but important enough to merit attention by those charged with governance.
Example: A lack of segregation of duties in a critical process.
Must be communicated in writing to management and the audit committee.
Material weakness: A deficiency or combination of deficiencies that results in a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.
Example: Inadequate oversight by the audit committee, or fraud by senior management.
Requires written communication to the board of directors or audit committee.
Public companies must disclose material weaknesses in their annual reports.
Auditors issue a formal Internal Control Letter, addressed to management and the audit committee, outlining identified significant deficiencies and material weaknesses.
Auditors may also issue a Management Letter, which contains additional advisory recommendations beyond required internal control reporting.
Public companies (issuers): Auditors must provide a written report before issuing their opinion on internal control over financial reporting (SOX 404).
Private companies (non-issuers): Auditors acknowledge that their opinion is only on financial statements and not on internal control effectiveness unless engaged to do so separately.