Management Letters.

Understanding AuditsAudit EducationCompliance & Governance
Written By Jason O'Connor CA
Management letters are often misunderstood because they are not a report on what is “wrong”, but a communication tool designed to highlight risks, improve processes, and strengthen financial governance.

A management letter explains internal control weaknesses and practical recommendations found during an audit. This guide explains what it means in plain English for committees, treasurers and boards.


Many clients read a management letter as criticism. In reality, it is one of the most valuable outputs of an audit or review.


What is a Management Letter?

A management letter is a report provided by an auditor or reviewer that outlines opportunities to improve internal controls, processes, and financial reporting.


It sits alongside the audit or review report—but serves a very different purpose.

Where the audit report provides an opinion, the management letter provides insight.

Why Clients Misunderstand Management Letters

In practice, we often see three common reactions:

1. “Something must be wrong”

Clients assume that if an issue is raised, it means there is a problem or failure. Most of the time, that’s not the case.

2. Audit language can feel confronting

Terms like “deficiency”, “control weakness”, or “recommendation” can sound more serious than they are.

3. The expectation gap

Clients expect a “clean” outcome to mean no further commentary. However, even well-run organisations can improve controls and processes.


What a Management Letter Actually Means

A management letter is not about fault—it is about improvement.

It highlights areas where:

  • Controls can be strengthened

  • Processes can be made more efficient

  • Risks can be reduced

For example, a management letter may note that bank reconciliations are not independently reviewed. This doesn’t mean an error has occurred—it means there is an opportunity to reduce the risk of error or fraud.

Why Management Letters Matter

Management letters are valuable because they focus on the future, not the past.

They help organisations:

  • Strengthen governance

  • Improve accountability

  • Reduce financial and operational risk

  • Build better systems and processes over time

In many cases, the management letter provides more practical value than the audit report itself.

How Clients Should Use a Management Letter

To get the most value, management letters should be:

  • Discussed at board or committee level

  • Reviewed as part of governance processes

  • Used as a roadmap for improvement

Importantly, not every point requires immediate action—but each one should be understood and considered.

Key Takeaway

A management letter is not a list of problems—it is a roadmap to stronger governance, better controls, and reduced risk.

If you’ve received a management letter and are unsure what it means, you’re not alone.

The value isn’t just in receiving the letter—it’s in understanding it.

If you’d like help walking through your management letter and what it means for your organisation, we’re always happy to assist.

Learn more
Contact Us

Technical note for auditing students: management letters, ASA 265 and communication with governance

For auditing students, management letters are not part of the audit opinion — but they are a key audit deliverable that communicates internal control findings and practical recommendations.

They sit within the broader framework of auditor communication with those charged with governance and are primarily guided by ASA 265 Communicating Deficiencies in Internal Control.

What is a management letter?

A management letter (also referred to as a findings and recommendations report) is prepared by the auditor and provided to:

  • management

  • those charged with governance (e.g. committee, board)

Its purpose is to:

  • identify weaknesses in internal control

  • provide recommendations for improvement

  • give insight into risks identified during the audit

Unlike the audit report, it is not standardised, and its content depends heavily on professional judgement.

ASA 265: communicating deficiencies in internal control

ASA 265 establishes the auditor’s responsibility to communicate deficiencies identified during the audit.

The standard requires the auditor to:

  • determine whether deficiencies in internal control exist

  • assess whether those deficiencies are significant

  • communicate significant deficiencies in writing to those charged with governance

A deficiency in internal control arises where:

  • a control is missing, or

  • a control does not prevent or detect misstatements on a timely basis

A significant deficiency is one that, in the auditor’s judgement, is important enough to merit the attention of those charged with governance.

Professional judgement in practice

One of the most important aspects for students to understand is that:

Not every issue identified during an audit must be reported — but many are.

Auditors must decide:

  • whether a weakness is significant

  • whether it should be reported formally

  • how it should be communicated

In practice, due to past corporate failures and litigation risk, auditors often:

  • report more issues rather than fewer

  • include both significant and non-significant observations

  • adopt a conservative approach to communication

This reflects the increasing expectation that auditors act as a source of insight, not just assurance.

Written vs verbal communication

ASA 265 requires significant deficiencies to be communicated in writing.

However:

  • less significant issues may be communicated verbally

  • discussions with management often occur before formal reporting

  • written communication is preferred to avoid ambiguity

A written management letter:

  • provides clarity of findings and recommendations

  • creates an audit trail

  • allows management to document responses and actions

Content of a management letter

While not prescribed in a strict format, a management letter typically includes:

  • description of the control weakness

  • explanation of the risk or potential impact

  • recommendation for improvement

  • (often) management’s response

ASA 265 also requires that communications provide sufficient context, including:

  • that the audit is not designed to test all internal controls

  • that only identified deficiencies are being reported

  • that the purpose of the audit is to express an opinion on the financial report

Timing and communication process

Deficiencies should be communicated on a timely basis, not just at the end of the audit.

In practice, this may involve:

  • interim management letters (during planning or interim work)

  • final management letters (at audit completion)

ASA 260 reinforces that communication with those charged with governance is a two-way process, supporting oversight of financial reporting and internal control.

Why management letters matter in practice

From a technical perspective, management letters:

  • bridge the gap between audit procedures and operational improvement

  • provide governance bodies with actionable insights

  • reinforce accountability for internal controls

  • allow auditors to assess management’s responsiveness over time

They also provide evidence of:

  • the auditor’s understanding of the entity

  • the auditor’s exercise of professional judgement

  • communication of risks beyond the audit opinion

Key takeaway for students

Management letters are not optional “extras” — they are a critical communication tool grounded in ASA 265 and ASA 260.

In simple terms:

The audit opinion tells users whether the financial report is reliable — the management letter tells the client how to improve.

Jason O'Connor CA https://www.joconnorptyltd.com
Previous

Why Engagement Letters Matter

Next

Transparent Pricing: How Fixed Fees Reduce Risk