What information do we need to gather related to an identified control deficiency?

May 2022

Management is responsible for maintaining a system of internal control over financial reporting (ICFR) that provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with the applicable accounting principles framework. The Securities and Exchange Commission (SEC) rules require management of registrants to evaluate on an annual basis whether ICFR is effective at providing reasonable assurance and to disclose its assessment to investors. In supporting its assessment, management is responsible for maintaining evidential matter, including documentation.

Our guide, Management Mini Guide for Evaluating Control Deficiencies, was developed to assist management in evaluating identified control deficiencies individually and in the aggregate. While the guide focuses on SEC requirements and the responsibilities of management and the audit committee in the assessment and documentation of an identified control deficiency, it is also relevant for private companies, as the deficiency evaluation process is consistent.

  The guide will assist management through the process, including:

  1. Identification of the deficiency
  2. Considerations over the magnitude and likelihood of a potential misstatement
  3. Identification of compensating controls
  4. Assessment of deficiencies for potential aggregation
  5. Conclusions on the severity of the deficiency
  6. Documentation of conclusions and reporting considerations
 

Additionally, this guide includes important reminders related to the remediation of identified control deficiencies.

  
 

What information do we need to gather related to an identified control deficiency?

There are three levels of deficiencies that the auditor will report on in regard to the assessment of an organization’s internal controls. The three types include:

Control deficiencies – A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Control deficiencies are less severe than significant deficiencies.

Significant deficiencies – A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Material weakness – A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.



    I am pleased to introduce Thomas Ray, member of the accounting faculty at Baruch College and former Chief Auditor at the PCAOB, who will be guest blogging for us this week.

     

    In his remarks at the AICPA Conference on Current SEC and PCAOB Developments last month, Brian T. Croteau, SEC Deputy Chief Accountant, noted some encouraging signs related to public companies' evaluations of their internal control. For the second year in a row, the number of material weaknesses reported by companies in circumstances in which they had not also identified a material misstatement had increased, which suggests that companies are performing a more rigorous analysis of the effectiveness of their controls.

    The encouragement came with a caution, however, as Croteau noted the frequency with which internal control issues are identified in SEC staff consultations. He then discussed the importance of properly identifying, understanding, and describing control deficiencies.

    In my experience, identifying and evaluating the severity of internal control deficiencies is often difficult and has been a challenge for both companies and their auditors. Croteau's comments in this area are therefore both helpful and timely.

    Here are four tips for evaluating internal control deficiencies, based on Croteau's remarks and relevant guidance included in the PCAOB's Auditing Standard No. 5 and elsewhere.

    1. The misstatement is not the deficiency.
      Often, an internal control deficiency is identified after the discovery of a misstatement in the financial statements. Companies must look beyond the misstatement to understand how it happened and which control should have either prevented or detected the misstatement. Perhaps there is no control in place to deal with the type of misstatement that occurred, which also would be considered a deficiency. The internal control deficiency is not that "we did not properly account for the transactions."
    2. Is it a design or operating deficiency?
      Companies should first understand the design of the control and carefully evaluate whether it would prevent or timely detect misstatements if it operates in accordance with its design. If it would not reliably prevent or detect misstatements, then there is a design deficiency.
      Sometimes, a control is well designed, but the person performing that control was not adequately trained or did not perform and document the steps required to perform the control effectively, which allowed the misstatement to end up in the financial statements. This may be considered an operating deficiency.
    3. How often and how big?
      There are two components that must be evaluated to assess the severity of a control deficiency: the likelihood that the deficient control will not prevent or timely detect a misstatement, and the magnitude of the potential misstatement resulting from the deficiency.
      Companies should identify the complete population of transactions that a control is intended to address and the size and number of misstatements the deficient control would permit to assess whether the deficiency would allow a material misstatement. An omitted disclosure also can be the source of a material misstatement. Controls over the completeness and accuracy of disclosures may be different and require a different type of analysis.
    4. What do we know, and what should we expect?

      Croteau emphasized the importance of the likelihood and magnitude analysis, highlighting what has been termed the "could factor."

      The evaluation of whether it is reasonably possible that a material misstatement could occur and not be prevented or detected on a timely basis requires careful analysis that contemplates both known errors, if any, as well as potential misstatements for which it is reasonably possible that the misstatements would not be prevented or detected in light of the control deficiency. This latter part of the evaluation, also referred to as analysis of the so-called 'could factor,' often requires management to evaluate information that is incremental to that which would be necessary, for example, for a materiality assessment of known errors pursuant to SAB 99.

      — Brian T. Croteau, Deputy Chief Accountant, Office of the Chief Accountant, Remarks before the 2015 AICPA National Conference on Current SEC and PCAOB Developments

      Finally, Croteau pointed out that companies should give ongoing consideration to implementing or redesigning controls as necessary in connection with the application of new accounting standards and policies. In addition, companies need to remember their obligations to disclose material changes to their internal control, including in situations where such changes are made in advance of the adoption of a new standard, but also affect current period financial reporting.

    What is the first step in the three-step process for identifying and evaluating control deficiencies?

    Evaluating Internal Control Deficiencies Guide.
    STEP 1: Identify the deficiency and matters to be considered. ...
    STEP 2: Analyze the facts: consider the magnitude and likelihood of potential misstatement. ...
    STEP 3: Identify compensating controls. ...
    STEP 4: Assess deficiencies for potential aggregation.

    When should we communicate control deficiencies to management?

    The written communication should be made prior to the issuance of the auditor's report on the financial statements. The auditor's communication should distinguish clearly between those matters considered significant deficiencies and those considered material weaknesses, as defined in paragraphs 2 and 3.

    What are the two main reasons for control deficiency?

    SAS 115 Categories of Control Deficiencies.
    Control deficiencies. These exist when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements in a timely manner. ...
    Significant deficiencies. ...
    Material weakness.