Control Deficiency: What It Is and How to Address It
Understand the framework for assessing and resolving gaps in internal controls, a critical process for maintaining accurate financial and operational health.
A control deficiency is a flaw in a company’s system of internal controls. These controls are the procedures and policies put in place to ensure financial information is reliable and operations run effectively. When a control has a deficiency, it means it is not properly designed or operating as intended. This breakdown creates an opening for errors or misstatements to occur in the company’s financial records and go undetected, undermining the integrity of the data that management, investors, and creditors rely on.
Control issues exist on a spectrum of severity, classified into three levels based on their potential consequences. The least severe is a “control deficiency,” which exists when a control’s design or operation doesn’t allow for the timely prevention or detection of misstatements. An example is a lack of timely reconciliation of a department’s expenditures, creating an opportunity for errors to go unnoticed.
A more serious issue is a “significant deficiency.” This is a control deficiency, or a combination of them, important enough to merit the attention of those responsible for overseeing the company’s financial reporting, such as an audit committee. The determination hinges on the possibility that a misstatement that is more than inconsequential could occur and not be detected.
The most severe level is a “material weakness.” This is a deficiency, or combination of deficiencies, where there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a time-sensitive basis. The term “reasonable possibility” means the likelihood of the event is either reasonably possible or probable. A material weakness indicates a serious flaw in the internal control system, such as ineffective controls over revenue recognition that could lead to a financial restatement.
The discovery of control deficiencies often occurs through several channels. Management’s own ongoing monitoring activities are a primary source of identification, as these day-to-day and periodic checks are designed to assess how well controls are functioning. Internal audit departments also play a large role, conducting formal reviews and tests to evaluate the effectiveness of internal controls.
External auditors are another common source for identifying these issues during their financial statement audit. As they test the company’s controls to determine the extent to which they can rely on them, they may uncover weaknesses. A financial misstatement itself is not the deficiency; rather, auditors must investigate the source of the error to understand which control failed or was missing.
Once a potential deficiency is found, a formal evaluation process begins to classify its severity. Management and auditors assess the issue against two dimensions: likelihood and magnitude. They determine how likely it is that the faulty control will fail to prevent or detect a misstatement and what the potential size of that misstatement could be. This analysis determines if the issue is a simple control deficiency, a significant deficiency, or a material weakness.
The reporting requirements for a control deficiency are dictated by its assessed level of severity. For the least severe category, a control deficiency, the issue is communicated directly to an appropriate level of management responsible for the affected area. These communications can often be informal and are not required to be in writing.
When a deficiency rises to the level of a “significant deficiency” or a “material weakness,” the communication requirements become more formal. The auditor must communicate all significant deficiencies and material weaknesses in writing to both management and the audit committee of the board of directors. This written communication must happen before the auditor issues their report on the financial statements and must clearly distinguish between the two levels of severity.
For public companies, the discovery of a material weakness carries an additional disclosure requirement. Management must disclose the material weakness to the public in its annual financial filings, such as in Form 10-K. This disclosure includes a description of the weakness and management’s plan for remediation, a requirement under the Sarbanes-Oxley Act.
Once a control deficiency has been identified and properly communicated, the organization must undertake a structured process to correct it. The first step is to perform a thorough root-cause analysis to understand precisely why the control failed. This involves determining if the issue was a flaw in the control’s design or a failure in its operation, such as an employee lacking proper training.
Following the analysis, the next stage is to design and document a new or improved control activity that directly addresses the identified root cause. This might involve rewriting a procedure, implementing new software, or enhancing segregation of duties. The plan should be detailed, outlining the specific corrective actions, assigning responsibilities, and setting a timeline for completion.
After the new control is designed, it must be implemented, which could involve training employees on the new procedures or configuring new system settings. The final step is to test the newly implemented control to verify that it is designed appropriately and operating effectively. This testing provides assurance to management and auditors that the deficiency has been successfully remediated.