What Are Examples of a Significant Deficiency?

Learn how auditors evaluate internal control issues, from minor flaws to significant deficiencies that require communication with company leadership.

An organization’s system of internal control is the collection of processes designed to safeguard assets and ensure the reliability of financial information. During a financial statement audit, an independent auditor evaluates this system to determine its effectiveness. When examining these controls, auditors may identify issues that vary in severity. The auditor’s role is to uncover and classify these issues, providing management and oversight bodies with a clear picture of the health of their internal control environment.

The Hierarchy of Internal Control Deficiencies

Auditors classify internal control issues into a three-tiered hierarchy based on their potential impact. The least severe issue is a control deficiency. According to auditing standards, this exists when the design or operation of a control does not allow management or employees to prevent, or detect and correct, misstatements on a timely basis. A control might be designed improperly or operated ineffectively by personnel.

Moving up the scale is a significant deficiency. This is a control deficiency, or a combination of them, that is less severe than a material weakness yet important enough to merit attention by those charged with governance. An issue is elevated to this level when it represents a notable flaw in the control system that could lead to a financial misstatement that is more than inconsequential.

The highest level of concern is a material weakness. The Public Company Accounting Oversight Board (PCAOB) defines this as a deficiency where there is a reasonable possibility that a material misstatement of financial statements will not be prevented or detected on a timely basis. A material weakness indicates that the company’s internal control over financial reporting is ineffective, and most public companies must disclose it publicly.

This hierarchy can be compared to a building’s structural integrity. A control deficiency is like a small, non-structural crack in a wall. A significant deficiency is a more serious issue, like a leaking roof that requires prompt attention to prevent further damage. A material weakness is akin to a compromised foundation, signaling a reasonable possibility of structural failure.

Categorized Examples of Significant Deficiencies

The following examples are grouped by the five components of the COSO Internal Control Framework: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. Each example illustrates a breakdown that could compromise the integrity of financial reporting.

Control Environment

The control environment sets the tone of an organization. A significant deficiency here often points to a weak “tone at the top.” For instance, if an organization’s audit committee is not independent from management or lacks members with sufficient financial expertise, its oversight is compromised. This is a significant deficiency because the body responsible for oversight cannot effectively challenge management’s decisions.

Another example is the persistent management override of prescribed controls. If senior executives frequently bypass established procedures, such as approval limits for expenditures, without documented justification, it undermines the entire control system. This behavior signals to employees that controls are not important and can lead to unauthorized transactions.

Risk Assessment

An organization must have a process for identifying and analyzing risks to its financial reporting objectives. A significant deficiency can arise when this process is absent or ineffective. For example, a company that lacks a formal method for evaluating how changes in the business environment, such as new competitors or product lines, affect its financial statements has a flawed risk assessment process.

Another example is the failure to assess the risk associated with new accounting standards from the Financial Accounting Standards Board (FASB). When a new standard is released, companies must analyze its impact and implement new processes. Not having a process to identify and adopt these requirements can lead to financial statements that do not conform with U.S. Generally Accepted Accounting Principles (GAAP).

Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out, and this is where many significant deficiencies are found.

  • Lack of adequate segregation of duties: When a single employee is responsible for authorizing a payment, recording it, and reconciling the bank account, it creates an opportunity to perpetrate and conceal fraud or errors.
  • Absence of timely account reconciliations: If accounts like cash or accounts receivable are not reconciled to the general ledger monthly, discrepancies may go undetected for extended periods, potentially leading to a material misstatement.
  • Inadequate controls over non-standard journal entries: These manual entries are made for unusual transactions or last-minute adjustments. Without independent review and approval, they could be used to improperly manipulate financial results.
  • Weaknesses in Information Technology General Controls (ITGCs): This includes a lack of sufficient controls over user access to financial applications or the failure to implement and test a disaster recovery plan for critical financial systems.

Monitoring Activities

Monitoring of controls is a process that assesses the effectiveness of internal control performance over time. A significant deficiency in this component occurs when management fails to oversee the control system. For instance, if an internal audit function identifies control weaknesses and management consistently fails to take corrective action, it indicates a breakdown in monitoring.

A related example is the failure to remediate deficiencies identified during the prior year’s external audit. When an auditor communicates a significant deficiency, there is an expectation that management will develop and implement a plan to fix it. If a subsequent audit finds the same deficiency unaddressed, it points to a systemic issue in the company’s monitoring and self-correction processes.

Reporting and Responding to a Significant Deficiency

Once an auditor identifies a significant deficiency, professional standards from the AICPA and PCAOB require them to communicate it in writing to management and those charged with governance, such as the audit committee. This letter must be issued before the auditor’s report on the financial statements is released. The communication details the deficiencies and explains their potential effects on the company’s financial reporting.

The auditor’s role is to identify and report the problem, not to design the solution. The responsibility for correcting the internal control system rests with the company’s management. Upon receipt of the auditor’s letter, management must develop a corrective action plan that outlines the steps to fix the deficiency, assigns responsibility, and sets a timeline for completion.

The auditor will follow up on these matters during the next year’s audit, assessing whether management’s remediation plan has been implemented and whether the new controls are operating effectively. If the deficiency has not been corrected, it will be communicated again, which can raise the level of concern for the audit committee.
