What Are Control Deficiencies in Financial Reporting?

Understand the processes that govern a company's financial safeguards and the implications when they don't perform as intended.

Internal controls are the policies and procedures a business uses to safeguard its assets, ensure its accounting records are accurate, and operate efficiently. When these established procedures break down or are improperly designed, a control deficiency occurs. A control deficiency exists when the design or operation of a control does not allow management or employees to prevent or detect financial misstatements in a timely manner.

Defining and Classifying Control Deficiencies

Control deficiencies are categorized into two types. The first is a deficiency in design, which occurs when a necessary control is either missing or is structured in a way that would make it ineffective. For instance, if a company has no policy requiring a secondary review and approval for payments made to new vendors, a design deficiency exists.

The second type is a deficiency in operation. This arises when a control is well-designed, but it is not being performed as intended. This could happen if the person responsible for the control lacks the competence or authority to perform it effectively. An example would be a company policy that requires removing a terminated employee’s system access within 24 hours, but the IT staff consistently fails to do so.

Once identified, a deficiency is evaluated for severity based on the potential magnitude and likelihood of a misstatement. The mildest classification is a control deficiency, a flaw not severe enough to warrant attention from the company’s oversight body. It is a weakness unlikely to lead to a significant financial error on its own.

A more serious issue is a significant deficiency. The Public Company Accounting Oversight Board (PCAOB) defines this as a deficiency, or a combination of them, important enough to merit attention by those responsible for oversight, such as the audit committee. This classification hinges on the judgment that the issue could adversely affect the company’s ability to reliably report financial data. An example could be inconsistent reconciliation of a secondary bank account.

The most severe classification is a material weakness. This is a deficiency, or combination of deficiencies, where there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected in a timely fashion. An example is the inadequate segregation of duties, where a single employee can initiate, approve, and record a transaction. The discovery of a material weakness is a serious event requiring public disclosure.

The Identification Process

Control deficiencies are uncovered through monitoring and testing by different parties. A company’s management team is responsible for establishing and maintaining internal controls, which includes ongoing monitoring. This can involve routine supervisory reviews, performance evaluations, and system-generated exception reports that flag unusual transactions.

A company’s internal audit function often conducts more formalized reviews. Internal auditors operate independently and perform systematic tests of the control environment. Their work is risk-based, meaning they focus their attention on areas with the highest potential for error or fraud. They provide management and the board with objective assurance that controls are operating effectively.

External auditors also play a part in identifying control deficiencies. During a financial statement audit, auditors test internal controls to determine their reliability for producing accurate financial data. For many public companies, the Sarbanes-Oxley Act (SOX) requires an integrated audit of both the financial statements and internal control over financial reporting (ICFR).

To find these weaknesses, auditors use several techniques, including:

  • Inquiry, which involves interviewing personnel to understand processes.
  • Observation to watch employees perform their duties and follow procedures.
  • Inspection of documents, such as invoices and bank reconciliations, for evidence that a control was performed.
  • Re-performance, which involves independently executing a control to verify its outcome.

Required Communication of Deficiencies

Once a control deficiency is identified and classified, specific communication protocols are triggered. The reporting requirements are dictated by the severity of the finding to ensure the information reaches the appropriate levels of authority. These rules are a component of corporate governance frameworks, particularly for public companies subject to regulations like SOX.

For control deficiencies, communication is made in writing to the company’s management. An external auditor may include these items in a management letter. This gives management the opportunity to correct the issues before they escalate.

For a significant deficiency, the communication requirements expand. The auditor must report all significant deficiencies in writing to both management and the audit committee of the board of directors. This ensures those charged with oversight are aware of weaknesses that require their attention.

A material weakness triggers the most stringent reporting obligations. It must be communicated in writing by the auditor to both management and the audit committee before the auditor’s report is issued. For public companies, SOX Section 404 requires that if a material weakness exists at year-end, it must be publicly disclosed in the company’s annual report. This disclosure alerts investors to flaws in the company’s financial oversight.
