Audit Findings and Management Letters in Malta 2026: How to Respond as a Director
How Maltese directors should read and respond to audit findings and the management letter: ISA 265, ISA 260, and a practical action plan.
By the EGM Assurance Editorial Team. Last reviewed June 2026. 13 min read
At the end of an audit, most directors focus on one thing: the audit opinion on the financial statements. But the audit produces a second, equally important output that directors often skim - the auditor's communication of findings, including the management letter. This is where the auditor sets out the weaknesses they identified in the company's internal controls and processes, and where, handled well, a director gets a free, expert diagnostic of where the business is exposed. Handled badly - ignored, filed away, or treated as criticism to be rebutted - the same letter becomes evidence that the board was told about a problem and did nothing.
This guide explains, for directors of Maltese companies, what audit findings actually are, the professional standards that govern how and why your auditor reports them (ISA 265 and ISA 260), the difference between a deficiency, a significant deficiency and a material weakness, what the management letter is and is not, and - most importantly - how to respond constructively. It is written for the recipient of the letter, not the auditor who writes it. The standards referenced are the International Standards on Auditing as applied in Malta; the practical guidance reflects general good practice as at June 2026.
Throughout, we use "those charged with governance" (TCWG) - the standards' term for the board of directors, audit committee, or equivalent body responsible for overseeing the company - and distinguish it from "management", who run the company day to day. In many Maltese SMEs the same people occupy both roles, a point we return to because it changes how the communication works.
1. The two outputs of an audit
An audit produces two distinct reporting outputs, and conflating them is the source of much director confusion.
The audit report (the opinion)
The first output is the auditor's report on the financial statements - the formal opinion, addressed to the shareholders, on whether the financial statements give a true and fair view in accordance with the applicable framework (GAPSME or IFRS) and the Companies Act. This is the public document filed with the financial statements. It is what most people mean by "the audit."
The communication of audit findings (including the management letter)
The second output is the auditor's communication to those charged with governance and to management about matters arising from the audit - significant findings, difficulties encountered, and deficiencies in internal control. Part of this is mandatory under the auditing standards; part is the discretionary, value-adding commentary commonly delivered as a management letter. Unlike the audit opinion, this communication is private to the board and management. It is not filed publicly, and it is the document this guide is about.
The audit opinion tells the shareholders whether the numbers can be relied upon. The findings communication tells the board where the business is exposed and what to fix. The first is backward-looking and public; the second is forward-looking and private. Directors who only read the opinion miss the half of the audit that is actually addressed to them.
2. What an internal control deficiency actually is
The bulk of audit findings concern deficiencies in internal control. The auditing standards define this precisely, and understanding the definition helps directors read the findings correctly rather than defensively.
A deficiency in internal control exists in either of two situations: where a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or where a control necessary to prevent, or detect and correct, such misstatements is missing altogether. In plain terms: either a control that exists does not work, or a control that should exist is not there.
Crucially, the auditor is not engaged to express an opinion on the effectiveness of the company's internal control. The auditor considers internal control only to design audit procedures appropriate to the circumstances. Deficiencies are therefore identified as a by-product of the audit of the financial statements - which is why the findings communication routinely states that the matters reported are limited to those identified during the audit and that the audit was not designed to identify all control deficiencies. This is not a disclaimer to be brushed aside; it is an accurate description of scope.
3. The three tiers: deficiency, significant deficiency, material weakness
Not all findings carry the same weight. The standards classify control deficiencies into a hierarchy, and the tier determines how the auditor must report it and how urgently the board should respond.
| Tier | What it means | How the auditor reports it |
|---|---|---|
| Deficiency (other) | A control weakness that, alone or with others, the auditor judges does not rise to significant. Often an operational or efficiency point. | May be communicated to management (often orally or in the management letter); not required to go to governance in writing. |
| Significant deficiency | A deficiency, or combination, that in the auditor's professional judgement is important enough to merit the attention of those charged with governance. | Must be communicated in writing to those charged with governance, on a timely basis. |
| Material weakness | A deficiency, or combination, such that there is a reasonable possibility a material misstatement of the financial statements would not be prevented or detected and corrected on a timely basis. | The most serious tier; communicated in writing and may have implications for the audit approach and report. |
The distinction between an ordinary deficiency and a significant one is a matter of the auditor's professional judgement, taking into account the likelihood and potential magnitude of misstatement, the susceptibility of the related asset or liability to loss or fraud, the subjectivity of the amounts involved, the volume of activity, and the importance of the control to the financial reporting process. A finding does not need to have caused an actual misstatement to be significant - the reasonable possibility of one is enough.
The tier label is not a measure of how annoyed the auditor is - it is a technical classification with defined reporting consequences. A "significant deficiency" is a formal designation that triggers a written report to the board. If your auditor uses that term, treat it as the considered professional judgement it is, not as a stylistic choice, and respond accordingly.
4. Why your auditor is required to tell you: ISA 265 and ISA 260
The auditor's communication of findings is not a courtesy - it is mandated by the auditing standards. Two standards govern it, and they work together.
ISA 265 - deficiencies in internal control
ISA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management, requires the auditor to communicate significant deficiencies in internal control, in writing, to those charged with governance on a timely basis. The auditor must also communicate to management - at an appropriate level of responsibility - significant deficiencies (in writing) and other deficiencies identified during the audit that merit management's attention and have not been communicated by other parties. The written communication of significant deficiencies must describe the deficiencies and explain their potential effects, and must set out enough context for the reader to understand its purpose: that the audit considered internal control in order to design appropriate procedures, not to opine on control effectiveness, and that the matters reported are limited to those identified during the audit.
ISA 260 - communication with those charged with governance
ISA 260 (Revised), Communication with Those Charged with Governance, is the broader standard. It requires the auditor to communicate a range of audit matters to the board: the auditor's responsibilities in relation to the audit, the planned scope and timing, significant findings from the audit (including significant qualitative aspects of accounting practices, significant difficulties encountered, and material weaknesses), and - for listed entities - matters bearing on auditor independence. Following amendments effective for audits of periods beginning on or after 15 December 2024, the independence-related communication requirements were updated in line with the revised international ethics code. The standard emphasises effective two-way communication: the board is expected to engage, not merely receive.
Together, the effect is that significant deficiencies and material weaknesses reach the board in writing, ordinary deficiencies typically reach management, and the board has a standard-backed expectation of a genuine dialogue with the auditor - not a one-way letter.
5. What the management letter is - and what it is not
The management letter (sometimes called the letter of recommendations, or letter of weaknesses) is the document directors most often have in mind when they talk about "audit findings." It is worth being precise about its status.
What it is
The management letter is the auditor's written communication of control deficiencies and recommendations for improvement. It typically sets out each finding, the potential effect or risk, and a recommendation, and it leaves space for management's response. It commonly bundles together the matters ISA 265 requires to be reported (significant deficiencies) with other, less severe deficiencies and practical operational suggestions the auditor is well placed to offer. It is one of the most useful by-products of an audit: an independent, experienced view of where the company's processes are weak.
What it is not
The management letter is not a substitute for the mandatory written communication of significant deficiencies and material weaknesses to those charged with governance - although in practice the two are frequently combined into a single document addressed to the board. It is not a public document, and it is not filed with the financial statements or the Registrar. And it is not an opinion on the effectiveness of internal control: it reports what the audit happened to surface, not the results of a comprehensive controls review. The auditor's recommendations are advisory; the auditor cannot design or operate the company's controls without impairing independence, so the responsibility for deciding on and implementing fixes remains with the company.
A frequent misconception is that a clean audit opinion means there were no findings. The two are independent. A company can receive an unmodified (clean) opinion on its financial statements and still receive a management letter setting out several significant deficiencies - because the auditor obtained the evidence needed for the opinion despite the control weaknesses, often by doing more substantive testing. A clean opinion is not a clean bill of health for your control environment.
6. How to read the findings: a director's lens
When the findings communication arrives, work through it deliberately rather than reactively. A useful sequence:
Sort by tier first. Identify which items are flagged as material weaknesses, which as significant deficiencies, and which as other/operational points. Your attention and the board's time should be allocated in that order.
For each finding, separate the three components: the deficiency (what is wrong), the potential effect (what could go wrong as a result), and the recommendation (what the auditor suggests). Directors often react to the tone and miss the substance; the substance is in those three components.
Ask whether the finding is a design problem or an operating problem. A missing control (design) is fixed differently from a control that exists but is not being performed consistently (operation). The remediation differs accordingly.
Look for themes, not just items. Several findings pointing at the same root cause - understaffing in finance, lack of segregation of duties, weak month-end discipline - usually indicate one underlying issue worth addressing structurally rather than five separate patches.
Check for repeat findings. A deficiency that also appeared last year is the single most important category to address: it signals that a previously identified risk was accepted and left unremediated, which is precisely the pattern that exposes directors.
7. How to respond constructively
The response to audit findings is where directors add value and protect themselves. A constructive response has several elements.
Respond in writing, finding by finding
For each finding, management should provide a written response stating whether it accepts the finding, the action it will take (or the considered reason it will not), the person responsible, and the target date. This management response is commonly recorded alongside each item in the management letter itself. A written, dated response converts the auditor's diagnosis into a board-owned action plan and creates the contemporaneous record that demonstrates the board engaged.
Accept, mitigate, or consciously accept the risk
Not every recommendation must be implemented exactly as written. For each finding the board can reasonably decide to implement the recommendation, implement an alternative control that addresses the same risk, or - where the cost of remediation genuinely outweighs the risk - consciously accept the risk. What matters is that the decision is deliberate, documented, and taken by people who understood the potential effect. A documented, reasoned decision to accept a minor risk is defensible; silent inaction on a significant deficiency is not.
Assign ownership and a deadline
A finding without a named owner and a date is not being managed. Each accepted action should sit with a specific person and have a realistic target date, so that progress can be tracked and the board can confirm closure at a subsequent meeting.
Engage with the auditor - it is meant to be two-way
ISA 260 frames the communication as a dialogue. If a finding is unclear, or you believe the auditor has misunderstood a process, say so - constructively. A good auditor will welcome the correction or explain why the concern stands. This exchange is part of how the standard expects the relationship to work, and it produces better outcomes than a defensive silence followed by a rebuttal.
The most protective thing a board can do with a management letter is to minute its consideration of each significant finding, the decision taken, the owner and the deadline - and then check progress at the next meeting. This single habit converts the auditor's findings from a latent liability (the board was told and did nothing) into evidence of good governance (the board was told and acted).
8. Why this matters: the director-protection angle
Beyond good business sense, there are concrete reasons a Maltese director should take audit findings seriously.
Director duties under the Companies Act
Directors of Maltese companies owe statutory duties, including to exercise the degree of care, diligence and skill reasonably expected, and to promote the well-being of the company. A documented record of considering audit findings and acting on them is direct evidence of those duties being discharged. Findings that are received and ignored point the other way.
Repeat and unremediated findings
The category that most often causes difficulty later is the significant deficiency that recurs year after year. It demonstrates that a risk was identified, communicated to the board in writing, and left unaddressed. If the risk subsequently crystallises - a fraud, a material error, a loss - the existence of the prior-year finding makes the board's inaction difficult to defend. Closing repeat findings should be the board's highest remediation priority.
Insolvency, disputes and scrutiny
If the company later faces insolvency, a shareholder dispute, a tax investigation or regulatory scrutiny, the audit findings and the board's documented response become part of the record. A board that can show it received findings, considered them, and acted is in a materially stronger position than one that cannot. The management letter, properly handled, is part of a director's protection - not merely a list of chores.
The link to control environment and future audit cost
Acting on findings improves the control environment, which in turn tends to make future audits smoother and reduces the risk of misstatement. Persistent weak controls have the opposite effect: more substantive testing, more audit effort, and a higher likelihood of a modified opinion or a difficult audit. Remediation is an investment that pays back in lower friction and lower risk.
9. Frequently asked questions
Is the management letter the same as the audit report?
No. The audit report is the formal opinion on the financial statements, addressed to shareholders and filed publicly with the accounts. The management letter is a private communication to the board and management setting out internal-control deficiencies and recommendations. They are produced by the same audit but serve completely different purposes, and a clean audit report does not mean there is no management letter.
Does a clean audit opinion mean there were no findings?
No. The two are independent. A company can receive an unmodified (clean) opinion and still receive a management letter with significant deficiencies, because the auditor can obtain the evidence needed to support the opinion - often through additional substantive testing - despite weaknesses in the company's controls. The opinion is about whether the financial statements are reliable; the findings are about how well the company's processes work.
What is the difference between a significant deficiency and a material weakness?
Both are serious, but a material weakness is the higher tier. A significant deficiency is one the auditor judges important enough to merit the attention of those charged with governance. A material weakness is a deficiency, or combination, such that there is a reasonable possibility that a material misstatement of the financial statements would not be prevented, or detected and corrected, on a timely basis. Material weaknesses can also affect the auditor's approach and, in some cases, the report.
Do we have to implement every recommendation in the management letter?
No. The recommendations are advisory. For each finding the board can implement the recommendation, put in place an alternative control that addresses the same risk, or - where the cost of fixing it genuinely outweighs the risk - consciously accept the risk. What matters is that the decision is deliberate, reasoned and documented. Silent inaction on a significant deficiency is the option to avoid.
Who should receive and respond to the findings - management or the board?
Both, in their respective roles. Under ISA 265, significant deficiencies must be communicated in writing to those charged with governance (the board or audit committee), while deficiencies meriting management's attention go to management. In many Maltese SMEs the same individuals are both, but the board should still formally consider and minute the significant findings in its governance capacity, because that is the record that demonstrates oversight.
Is the management letter filed with the Malta Business Registry or made public?
No. Unlike the audit report and financial statements, the management letter and the auditor's communication of findings are private to the company's board and management. They are not filed with the Registrar and are not public documents. That privacy is precisely why the board should keep its own clear record of how it considered and responded to them.
Our auditor raised the same finding as last year. Does that matter?
Yes - more than any other category. A repeat finding shows a risk was identified and communicated in writing and then left unremediated. If the risk later crystallises, the prior-year finding makes the board's inaction hard to defend. Repeat significant deficiencies should be the board's top remediation priority, and closing them should be confirmed and minuted.
Can our auditor just fix the problems for us?
No - not without impairing their independence. The auditor can identify deficiencies and recommend improvements, but designing or operating the company's controls is management's responsibility. An auditor who set up and ran the very controls they later audit would be auditing their own work. They can advise; the company must decide and implement. Separate advisory support, within the limits of the ethics rules, can be arranged where appropriate.
How quickly do we need to respond?
The standards require the auditor to communicate on a timely basis - ideally early enough for issues to be addressed before the financial statements are approved. On the company's side, there is no fixed statutory deadline to respond to a management letter, but the practical answer is: while it is fresh, and before the next audit. A response recorded promptly, with owners and dates, is far more useful (and more protective) than one assembled a year later.
We are a small owner-managed company - do these findings really apply to us?
Yes, and arguably more so. Smaller companies often have fewer staff, which makes segregation of duties harder and control deficiencies more common. The auditor's findings are frequently the only independent review of your processes you will receive all year. Even where the same people are owners, directors and managers, the findings highlight genuine exposures - and documenting your response remains valuable evidence of diligence.
Authoritative references
ISA 260 (Revised), Communication with Those Charged with Governance - IAASB
ISA 230, Audit Documentation; ISA 450, Evaluation of Misstatements - IAASB
Companies Act (Cap. 386) - directors' duties and audit requirements
Accountancy Profession Act (Cap. 281) - regulation of auditors in Malta
Received a management letter you are not sure how to act on? EGM Assurance helps directors interpret audit findings, prioritise significant deficiencies and material weaknesses, and build a documented, board-owned remediation plan - turning the management letter into better controls and a stronger governance record.
This article is prepared by EGM Assurance for general informational purposes and reflects the International Standards on Auditing as applied in Malta and general good practice as at June 2026. It is not legal or professional advice, and it does not describe the findings of any particular audit. The classification of audit findings and the appropriate response depend on the specific facts of each company and engagement. Always discuss your audit findings with your auditor and obtain specific advice where needed.