I used to roll forward last year’s governance letter, change the dates, swap in this year’s materiality number, and send it. SALY at its worst. The audit committee chair would nod through it in ten minutes, and we’d move on. It took a review finding (and an uncomfortable conversation with a partner) before I understood that ISA 260 is not asking for a letter. It is asking for a relationship.

The standard requires two-way communication between the auditor and those charged with governance (TCWG) from planning through completion. Scope, timing, significant risks, audit findings, independence. Not as a deliverable at the end, but as an ongoing dialogue that changes how the audit runs. When I started treating it that way, the quality of information I got back from audit committees changed completely.

Key takeaways

  • ISA 260 (Revised) sets the framework for auditor communication with TCWG. It specifies what must be communicated and establishes the principle of two-way dialogue, not one-way reporting.
  • TCWG are the person(s) or organisation(s) responsible for overseeing the entity’s strategic direction and the financial reporting process. Depending on the entity, this could be a board, audit committee, trustees, or an owner-manager.
  • Four categories of required communication: the auditor’s responsibilities under the ISAs, planned scope and timing (including significant risks), significant findings (accounting quality, difficulties, matters discussed with management, written representations), and independence (listed entities only).
  • The standard expects two-way exchange. It helps the auditor obtain information relevant to the audit and helps TCWG fulfil their oversight role.
  • Significant findings go in writing when oral communication alone would be inadequate. Independence communications for listed entities must always be written.
  • ISA 260 connects to ISA 265 (internal control deficiencies) and ISA 701 (key audit matters in the auditor’s report).


What ISA 260 actually requires

Here is what ISA 260 is not: a requirement to write a letter at the end of the audit. The standard is titled “Communication with Those Charged with Governance” and the emphasis is on "communication," not "letter." It asks for ongoing dialogue between the auditor and TCWG that starts at planning, runs through fieldwork, and closes out at completion.

What actually happens at most firms is different. We produce a planning letter in November, a management letter in March, and maybe a closing meeting in April. The standard envisions something closer to a running conversation, because the purpose is not just reporting. It serves the auditor and TCWG at the same time.

The standard serves four purposes:

  1. TCWG can give the auditor information that sharpens the understanding of the entity, its risks, and specific transactions. An auditor who communicates well with the board or audit committee gets access to context that working papers alone cannot provide.
  2. The auditor’s communications help TCWG fulfil their oversight responsibilities, particularly over financial reporting and internal control.
  3. When both sides engage, issues surface earlier, misunderstandings drop, and the risk of material misstatement falls.
  4. For listed entities specifically, the independence communication creates a formal record that protects both the firm and the audit committee.

ISA 260 (Revised) became effective for periods ending on or after 15 December 2016, revised alongside the introduction of ISA 701 (Key Audit Matters).


Identifying those charged with governance

The identification problem

Before you can communicate with TCWG, you need to figure out who they are. That sounds obvious. It is not. ISA 260.A1–A8 acknowledges that governance structures vary enormously, and the auditor must determine the right person(s) to receive each communication.

I have seen engagement teams spend time drafting a detailed governance letter only to realise they were sending it to a management body with no governance authority. The file should tell a story about why you identified a particular body as TCWG, not just assert it.

Identifying TCWG by governance structure
| Governance structure | Typical TCWG | Communication approach |
|---|---|---|
| Large listed company | Board of directors, audit committee, supervisory board | Audit committee for most matters; full board for the most significant issues |
| Mid-sized private company with board | Board of directors (possibly non-executive directors) | Board or a designated governance subgroup |
| Owner-managed entity | Owner-manager (where no separate governance exists) | Direct communication, but recognise the limitation of communicating governance matters to someone who is also management |
| Public sector entity | Governing council, trustees, oversight body | Identify the body with oversight responsibility for financial reporting |
| Partnership | Managing partners, management committee | Determine which partners carry governance responsibilities |

When management and governance overlap

In many smaller entities the same people sit on both sides. The owner-manager prepares the financial statements and oversees that process. ISA 260.A8 addresses this directly: if you have already communicated a matter in a management capacity to someone who also has a governance role, you do not need to communicate it again as a governance matter.

What actually happens is subtler. You discuss a revenue recognition issue with the managing director, document it in the management letter, and assume the non-executive directors have seen it. They have not. The standard requires you to confirm that communication has reached all individuals with a governance role, not just the most accessible one.

The audit committee as primary channel

Where an audit committee exists, it is usually the main channel for audit-related matters. We check the committee’s terms of reference early (during planning, not at completion) to understand which matters fall within its mandate and which need escalation to the full board. ISA 260.A4 notes that the auditor may need to communicate with the full governing body when the committee’s authority is limited. At firms like ours, this comes up regularly with smaller PIEs where the audit committee is two people with restricted terms of reference.


The four communication categories

ISA 260 groups required communications into four categories. Most firms get the first one right and treat the rest as a tick box exercise. That is where the problems start.

1. The auditor’s responsibilities (ISA 260.14)

The auditor communicates that they are responsible for forming and expressing an opinion on the FS, and that the audit does not relieve management or TCWG of their responsibilities. This sounds obvious. It is not.

What actually happens is that audit committees frequently assume the auditor is checking everything. We have had board members ask why a small fraud was not detected, genuinely surprised that a financial statement audit is not designed to find all fraud. Clarifying responsibilities at the outset (ideally in a planning meeting, not buried in paragraph 4 of an engagement letter) reduces the risk of that conversation happening after the audit report is signed.

2. Planned scope and timing (ISA 260.15)

The auditor communicates an overview of planned scope and timing, including:

  • Significant risks identified by the auditor, so TCWG understand why attention is concentrated in specific areas
  • The approach to internal control relevant to the audit (clarifying that the audit opinion covers the FS, not internal control itself)
  • How materiality has been applied
  • Where ISA 701 applies, the assessed risks most likely to become key audit matters (KAMs)

This communication happens during planning. In our experience, a face-to-face planning meeting with the audit committee produces better results than a written plan sent by email, because the conversation surfaces issues that a document does not.

3. Significant findings (ISA 260.16)

This is the category where governance communication either works or fails. The standard breaks it into five sub-requirements:

ISA 260.16(a) covers significant qualitative aspects of accounting practices: policies, estimates, disclosures, and the consistency of those choices with the applicable framework. The auditor’s views on whether policies are appropriate and whether estimates appear reasonable. I think this is where most governance letters fall flat, because the language is so hedged and generic that the audit committee cannot tell whether the auditor actually agrees with management’s position or is just describing it.

ISA 260.16(b) covers significant difficulties encountered. Delays in receiving information, unreasonably tight deadlines, unexpected effort to obtain evidence, or unavailability of expected information. The auditor must also consider whether the difficulty may represent a scope limitation. What actually happens is that teams absorb these difficulties silently (working weekends, pulling in more resource) rather than reporting them to TCWG. That is a mistake, because a difficulty that recurs year after year without being reported to governance will never get fixed.

ISA 260.16(c) covers significant matters discussed with management. Where ISA 701 applies, the auditor must also communicate which matters are expected to appear as KAMs in the auditor’s report.

ISA 260.16(d) requires informing TCWG about the written representations requested from management under ISA 580. This is straightforward but often omitted or buried in an appendix.

ISA 260.16(e) is the catch-all: any other matters the auditor judges relevant to TCWG’s oversight of financial reporting. This includes fraud or suspected fraud (ISA 240), non-compliance with laws and regulations (ISA 250), going concern issues (ISA 570), and related party matters (ISA 550).

Here is how this plays out in practice. You are auditing a mid-sized manufacturing company. During fieldwork you discover that management changed the useful life of its plant assets from 10 years to 15 years, reducing the depreciation charge by €800k. Management says it reflects the actual condition of the equipment. You discuss it, agree the change is within the range of reasonable estimates, and document it in the WPs. The complication: the audit committee has not been told. The change is not disclosed in the notes (management argues it is not material to total assets), and the governance letter from last year contains identical wording about depreciation policy. So you have a judgment that falls inside the range but sits at the aggressive end, an undisclosed change in estimate, and a SALY governance letter that does not flag any of it. ISA 260.16(a) exists precisely for this situation. The audit committee needs to know, even if the number passes materiality thresholds.

Stop writing SALY governance letters

The single most common failure I see in governance communication is the SALY letter. Same as last year. Same structure and same wording, with a few numbers updated. An audit committee chair should be able to read the auditor’s communication and immediately identify what is different this year and where management’s judgments sit on the range between aggressive and conservative. If the letter reads like it could apply to any client in any year, it is not meeting the standard’s objective.

4. Auditor independence (ISA 260.17)

For listed entities, the auditor must communicate:

  • A statement that the engagement team, the firm, and (where applicable) network firms have complied with relevant independence requirements
  • All relationships and matters between the firm, network firms, and the entity that may reasonably be thought to bear on independence, together with the safeguards applied
  • Total fees charged for audit and non-audit services, broken down by category, so TCWG can assess the effect on independence
  • Where relevant, confirmation that engagement partner rotation requirements have been met or are being managed

In the EU, the Audit Regulation (537/2014) adds requirements for PIE audits: confirmation that the firm is not providing prohibited non-audit services and that the fee cap has not been exceeded. So if you are auditing a PIE in Europe, your independence communication has both an ISA layer and a regulatory layer. Getting these tangled or missing one is a common review finding.


Form and timing

Written vs. oral

ISA 260.19–20 gives flexibility. Communication can be oral or written. But significant audit findings must be in writing when oral communication alone would be inadequate. The independence statement for listed entities must always be written.

What actually happens is that almost everything goes in writing anyway, because no one wants a dispute about what was communicated orally to an audit committee six months ago. I think that is the right instinct, even though the standard does not require it. Oral communication works best as a supplement to a written document, not a substitute for one.

Timing

ISA 260.21 requires communication on a timely basis. Planned scope and timing should be communicated during planning, early enough for TCWG to provide input. Significant findings should be communicated as they arise, not saved up for a single letter at completion.

Look, this is where we all struggle. The practical pressure is to batch communications into a single document at the end, because drafting governance letters mid-audit feels like it slows down fieldwork. But a significant difficulty (say, management refusing to provide access to a subsidiary’s records) that you only report to TCWG three months after it occurred has lost most of its value. TCWG cannot intervene on a problem that is already resolved or embedded in the audit opinion.

Documentation

ISA 260.23 requires the auditor to document oral communications: what was discussed, when, and with whom. Written communications are retained as part of the audit file. If you have a phone conversation with the audit committee chair about a going concern issue, that call needs to be documented with enough detail that a reviewer can reconstruct what was said.


Two-way communication (and what happens when it breaks down)

ISA 260.22 requires the auditor to evaluate whether two-way communication with TCWG has been adequate for the purposes of the audit. If it has not, the auditor must assess the effect on risk assessment and on the ability to obtain sufficient appropriate evidence. Then they must take appropriate action.

This is not a theoretical concern. Inadequate two-way communication shows up in recognisable patterns: TCWG who do not respond to the auditor’s letters, TCWG who refuse to meet without management present, a governance structure that routes all communication through the CFO, or audit committee members who give vague or evasive answers to direct questions. We had one engagement where the audit committee chair would only accept questions submitted in writing in advance, with no follow-up permitted. That is not two-way communication. That is a controlled information channel.

There is a legitimate disagreement in the profession about how aggressively to escalate. Some partners take the view that poor communication is just a documentation point. I disagree, because ISA 260.22 explicitly links communication quality to evidence sufficiency. If TCWG are not engaging, you may not have enough information to assess certain risks properly. Where the auditor concludes that two-way communication is inadequate and cannot be resolved, the standard says the auditor must consider the effect on the audit opinion and may need legal advice. That is a serious consequence, and it should be treated as one.


ISA 260 in your jurisdiction

Netherlands. COS 260 follows ISA 260 (Revised) closely. For OOB (PIE) entities, the EU Audit Regulation adds further communication requirements. Article 11 of Regulation 537/2014 requires a detailed written report to the audit committee covering audit methodology, materiality levels, key findings, and independence. Dutch practice treats the management letter (to management) and the audit committee report (to TCWG) as distinct communications, and the quality of each is assessed separately during practice inspections.

Germany. German practice has historically emphasised the Prüfungsbericht (audit report to the supervisory board), which in many cases is more detailed than the statutory auditor’s report. Required under §321 HGB, the Prüfungsbericht covers findings and the auditor’s assessment of the entity’s position, including risk-related matters. It intersects with ISA 260’s requirements but has its own legal basis. If you are auditing under both ISA and HGB, you effectively maintain two parallel communication tracks.

United Kingdom. ISA (UK) 260 adds UK-specific requirements, particularly for PIE audits. These include communication about the FRC’s Ethical Standard requirements, enhanced independence communications, the auditor’s assessment of going concern status, the viability statement (for premium-listed entities), and Corporate Governance Code compliance.

France. NEP 260 implements ISA 260 within the French statutory framework. French practice is distinctive because the commissaire aux comptes issues a public annual report to the shareholders’ meeting (rapport à l’assemblée générale). The private communication with the audit committee or board is separate and covers more detailed audit findings. For joint audits, coordination of communications between the two audit firms and TCWG is an additional layer that requires careful management.


Frequently asked questions

Who are “those charged with governance”?

TCWG are the person(s) or organisation(s) with responsibility for overseeing the entity’s strategic direction and accountability, including the financial reporting process. The identification depends on the entity’s governance structure: a board of directors, supervisory board, audit committee, trustees, partners, or an owner-manager.

What is the difference between ISA 260 and ISA 265?

ISA 260 sets the general framework for auditor-governance communication across multiple categories. ISA 265 specifically addresses communication of deficiencies in internal control, with its own requirements for what level of deficiency must be communicated and to whom. Think of 260 as the channel and 265 as one specific message type that flows through it.

Must all communications be in writing?

No. ISA 260 allows oral communication for many matters. Significant audit findings must be in writing if oral communication alone would be inadequate. Independence communications for listed entities must always be written. In practice, most of us put significant matters in writing anyway, because it protects both the firm and the audit committee.

Does the auditor communicate directly with the audit committee or through management?

Directly with TCWG. The auditor may discuss matters with management first (this is often appropriate to clarify facts), but the communication to TCWG must come from the auditor. If management tries to control or filter what you say to TCWG, that filtering is itself a matter you should raise with TCWG. I have seen this happen when a CFO insists on reviewing the governance letter before it is sent. The standard does not prohibit sharing a draft with management, but the final version must reflect the auditor’s own views, unedited.

How does ISA 260 relate to ISA 701 (key audit matters)?

ISA 701 requires auditors of listed entities to communicate KAMs in the auditor’s report (the public document). ISA 260 requires private communication with TCWG about similar matters: significant risks, significant findings, difficulties encountered, and matters requiring significant auditor attention. The matters communicated under ISA 260 inform the auditor’s determination of KAMs under ISA 701. And ISA 260.16 specifically requires the auditor to tell TCWG which matters are expected to appear as KAMs, before the auditor’s report is issued.


Further reading and sources

  • IAASB Handbook 2024: ISA 260 (Revised) full text, including all application material and Appendix 1 (listing other ISAs with TCWG communication requirements).
  • ISA 265: Communicating Deficiencies in Internal Control (the companion standard for internal control communications).
  • ISA 701: Communicating Key Audit Matters (public reporting of significant audit matters).
  • ISA 580: Written Representations (management’s formal representations to the auditor).
  • EU Audit Regulation (537/2014), Article 11: requirements for the additional report to the audit committee of PIEs.

This guide reflects the ISA 260 (Revised) text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.
