COVID-19 update: A message from our partnersRead more
Control deficiencies can have a detrimental effect on your company and the accuracy of its financial statements.
If your independent auditors identify potential problems, they will evaluate them and convey to you in writing any significant deficiencies and material weaknesses detected. To understand what the auditor is stating, it is important to first understand the terms.
Let’s begin with the basics.
Internal control refers to a framework or process designed by management to provide reasonable assurance regarding the achievement of reliable financial reporting, effective and efficient operations, and compliance with laws and regulations.
Effective internal control provides for prevention of errors, misreporting or violations. Or it can mean timely detection of such difficulties by employees during their regular course of duties. The design or type of an entity’s internal control structure will vary depending upon the size of operations, complexity of the industry in which it operates and management’s perspective.
Deficiencies in internal control fall into one of three categories:
1. Control deficiencies
2. Significant deficiencies
3. Material weaknesses
A control deficiency exists when the design or operation of a control does not allow management to prevent or detect misstatements in a timely manner.
Design deficiency occurs when:
Operational deficiency occurs when:
A significant deficiency is a control deficiency – or a combination of control deficiencies – that limits the ability to record, process or report financial data in accordance with generally accepted accounting principles. To be considered significant, the deficiency must allow a misstatement that is more than inconsequential to be more than remotely likely to occur.
A material weakness exists when a significant deficiency or a combination of significant deficiencies may cause material misstatement of the financial statements to occur and may not prevent or detect the misstatement.
Imagine three buckets. The first bucket collects control deficiencies. The second bucket contains control deficiencies that have a greater potential impact on accurate and timely financial reporting. The third bucket holds the “serious” deficiencies, which in the auditor’s judgment would allow financial misstatement to occur.
Auditors evaluate deficiencies based on their judgment of potential misstatement, not on whether a misstatement actually has occurred. In evaluating each deficiency, the auditor considers both qualitative and quantitative factors.
Multiple control deficiencies that affect the same account balance or financial statement disclosure may constitute a significant deficiency or material weakness even though each individual deficiency is seemingly insignificant.
The existence of the control deficiencies may have a significant impact on the audit engagement.
For example, when the auditor is testing a control’s effectiveness, a single deviation when none is expected can result in an increase in the scope of audit testing necessary.
Communication in writing to management and those charged with governance is required when significant deficiencies or material weaknesses are detected by the auditor. This communication should occur by the report date but in no circumstances more than 60 days after the report release date.
Early communication of control deficiencies may be important and is often useful dialogue between the auditor and audit client. And it may provide opportunity for timely corrective action. Verbal communication on an interim basis does not preclude written communication at the conclusion of the engagement.
Once control deficiencies are communicated by the auditor, those charged with governance of the entity should evaluate the risk associated with the deficiency and determine a course of corrective action. Management’s evaluation will involve consideration of level of acceptable risk and cost/benefit relationships.
Communication with your independent auditor is the key to understanding control deficiencies and their impact on the audit engagement.