As any auditor knows, risk management is essential to any business’s financial and operational health. Businesses rely on increasingly complex systems to generate the kinds of data that support their financial and operational management. If there’s a flaw in the system — either in design or operation — companies open themselves up to significant financial risks, including fraud and asset loss. While some risk is inevitable, internal controls help mitigate risk and are therefore among the most important tools available for effective risk management.
According to the American Institute of Certified Public Accountants (AICPA), internal controls are designed to provide reasonable assurance about the achievement of a business’s objectives in three key areas: the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. A deficiency in internal control exists when a control does not allow management or employees to prevent, or detect and correct, misstatements on a timely basis.
As the cases of Enron and WorldCom show, failure to identify or correct control deficiencies can be disastrous, damaging the integrity of financial reporting, eroding public and investor confidence, and destabilizing capital markets. In this article, we break down the importance of identifying internal control deficiencies as part of the audit and assurance process, providing 10 tips for how to evaluate internal control deficiencies and manage financial risk appropriately.
What Are Internal Controls Deficiencies?
In response to the frauds at Enron and WorldCom, Congress passed the Sarbanes-Oxley (SOX) Act in 2002, introducing significant reforms to the regulation of financial disclosure. Among its major provisions, the SOX Act mandates that all publicly traded US companies’ financial reports include an Internal Controls Report.
Under Section 404 of the SOX Act, management is responsible for an adequate internal control structure and must provide an assessment of the effectiveness of the control structure in its annual Internal Controls Report. An independent external auditor must also attest to the accuracy of the company’s statement that internal controls are in place and effective.
Internal controls are the policies and procedures that institutions establish to reduce risks and ensure they meet operating, reporting, and other SOX compliance objectives. Internal controls can be electronic or physical. Electronic controls include two-factor authentication to access company data, while physical controls include the segregation of duties — breaking down tasks that could be completed by one person into tasks completed by several people, ensuring that no one person is in control, and thereby minimizing the potential for fraud and error.
Internal control deficiencies exist when the design or operation of a control does not prevent or detect a material misstatement on a timely basis.
A deficiency in design exists when:
- The control is missing entirely.
- The control is in place but is not properly designed.
Take payroll management as an example, an administrative function that requires segregation of duties. A company that doesn’t put segregation of duties in place for its payroll management system will have a deficiency in design — the control should be in place but is missing entirely, leaving the company open to fraud and financial risk.
A deficiency in operation exists when:
- The control is properly designed but does not operate as designed.
- The person performing the control does not possess the necessary competence to perform the control effectively.
A deficiency in operation will occur if, for example, the sole accountant at a small business suddenly quits, leaving an inexperienced accounting clerk to manage the bank reconciliation process (a type of internal control). Without the proper training or technical expertise, the accounting clerk in this scenario cannot perform the control effectively, leaving the business open to long-term financial damage.
Once management or an auditor has identified a control deficiency during the course of an audit, they must evaluate its materiality, or severity, as either a significant deficiency or a material weakness.
As defined by the Public Company Accounting Oversight Board (PCAOB), a significant deficiency is one or more control deficiencies that are less severe in magnitude yet important enough to merit attention by those responsible for oversight.
In contrast, a material weakness is more severe in magnitude — it is one or more control deficiencies that create a reasonable possibility of a material misstatement in a company’s financial statement.
The severity of a deficiency, as AICPA reminds us, doesn’t depend on whether a material misstatement actually occurred, but rather, its potential magnitude and likelihood. Management and external auditors must evaluate a company’s internal controls for material misstatements — doing so helps maintain the integrity of financial reporting.
Why Is It Important to Evaluate Internal Controls Deficiencies?
When designed appropriately and operating effectively, internal controls safeguard company assets from fraud or significant loss, maintain the integrity of financial data and transactions, and ensure financial, accounting, and statutory compliance. Simply put, internal control over financial reporting (ICFR) is the bedrock of public and investor confidence in the capital markets. Without effective ICFR, companies put themselves at significant financial and reputational risk.
While it’s ultimately the responsibility of a company’s management to implement appropriate policies on internal controls and seek regular assurance that the system is functioning effectively, external auditors also have a crucial role to play in determining internal control compliance. High levels of deficiencies in audits of internal controls remain a pressing concern for the profession. Auditors either don’t fully understand Auditing Standard No. 5, which outlines key ICFR practices, or don’t have an adequate grasp on an audit client’s business, leading to errors in evaluation of internal controls deficiencies.
The consequences of such errors can be immense for the audit client. Loss of assets and resources, mismanagement and inefficiency in operations, and even loss of market share are only the tip of the iceberg. Depending on the magnitude of the audit deficiencies and the stature of the company, a client could be facing a massive loss in consumer and investor confidence. While Enron remains a favorite in accounting case studies, the more recent 2019 Mattel accounting scandal shows that audit deficiencies — whether deliberate, in Mattel’s case, or unintentional, due to a lack of audit expertise — can lead to substantial company devaluation.
How Do You Evaluate Internal Controls Deficiencies?
Because of the growing complexity of business operations, properly identifying and evaluating internal controls deficiencies can be a challenge for both companies and external auditors. COSO’s framework for evaluating internal control deficiencies provides useful guidance and focuses on five key assessment areas: the control environment, risk assessment, control activities, information and communication systems, and monitoring activities.
Assess the Control Environment
Assessing the control environment is an important first step in evaluating internal control deficiencies. As the foundation of internal control, the control environment sets the tone of an organization and influences the way employees behave. An organization committed to an effective control environment will operate with integrity and ethical values, and it will attract and retain competent employees who are held accountable for their internal control responsibilities.
Evaluate Risk Assessment
Internal controls are only as effective as the risk analysis that supports them. An organization must identify risks to the achievement of its objectives, and it must analyze these risks in order to determine how they can be managed effectively. Fraud is a common risk area. Evaluating a company’s overall risk assessment strategy will help audit, risk, and compliance professionals identify if internal controls to prevent fraud are in place and designed properly.
Investigate Control Activities
Designing proper controls is just half the battle — once these controls are in place, an organization must have policies and procedures that mitigate risks to the achievement of its objectives to acceptable levels. Key internal control activities to investigate include performance reviews, segregation of duties, and electronic safeguards like two-factor authentication. Control activities that reduce the risk of fraud and error will indicate a healthy control environment.
Examine Information and Communication Systems
Quality internal communications that support the functioning of internal controls are essential. Examine the organization’s information and communication systems, especially the accounting information system, which can have a significant impact on efficiency and accuracy of reports. Are accounting reports easily generated and error-free? If not, the organization may need to reexamine or even overhaul its accounting software.
Analyze Monitoring Activities
An organization that performs regular and ongoing evaluations of its internal controls will ultimately mitigate risks to an acceptable level. Analyze the organization’s monitoring activities based on frequency and quality — the more consistently an organization monitors, assesses, and takes corrective action around internal control deficiencies, the more successful it will be at managing financial risk.
10 Important Tips for Evaluating Internal Controls Deficiencies
In order to protect the integrity of financial reporting, it is critical that audit, risk, and compliance professionals identify internal controls deficiencies as part of the audit and assurance process. Here are 10 important tips to keep in mind!
1. Index Existing Controls
No matter how big or small the organization you’re auditing is, internal controls will likely exist, even if they are less sophisticated than they could be. Almost all clients have some internal controls over financial reporting, including login credentials to access company computers and policies and procedures determining the competency of the chief accountant. While it’s a good idea to investigate how robust these internal controls are, it would be impossible to do sufficient audit work without some internal controls already in place.
2. Understand which Controls Are Relevant to the Audit
Depending on the client’s size, complexity, and overall operations, controls relevant to the audit will vary. As defined by AU-C Section 315, auditors should always consider controls that:
- Address significant risks, including fraud risks.
- Address risks for which substantive procedures do not provide sufficient audit evidence.
- The auditor intends to test for operating effectiveness.
- Support journal entries.
3. Continue the Audit After Determining Controls Exist
According to Peer Review program data at The Journal of Accountancy, many auditors think that determining whether controls exist is the extent of their responsibilities, but this isn’t true. Auditors have the foremost responsibility of obtaining audit evidence about the client’s relevant controls by observing the client implementing these controls, inspecting documents and reports, and tracing relevant transactions through the client’s financial reporting system. Simply inquiring about the existence of controls is not enough — controls must be assessed effectively.
4. Remember that Misstatements Are Not Deficiencies
Internal control deficiencies are often identified after the fact — companies will detect a misstatement in the financial statement and discover the existence of a control deficiency. But failing to properly account for transactions is not the deficiency itself. Auditors must examine the source of the misstatement to understand how it happened and which control should have prevented or detected the misstatement. It may be that the client simply doesn’t have the control that would prevent or detect the misstatement in place, which would be a design deficiency.
5. Determine if the Deficiency Is in Design or Operation
Fundamentally, internal control deficiencies are due to a flaw in design or operation. If a control does not reliably prevent or detect material misstatements, then there is a design deficiency. If a control is well-designed but is still causing a material misstatement, then there is an operating deficiency. Perhaps the person performing the control hasn’t been trained adequately, or they did not perform and document the steps needed to operate the control effectively. In either case, it’s the auditor’s job to identify the origin of the deficiency.
6. Assess the Severity of the Deficiency
Once an auditor has identified a deficiency, they must assess the severity of the deficiency according to two factors: likelihood and magnitude. How likely is it that the deficient control will not prevent or detect a material misstatement, and what is the magnitude of the potential misstatement resulting from the deficiency? It is crucial that auditors identify the complete population of transactions that a control is intended to address — with this information, the number and size of misstatements caused by the deficient control can be correctly assessed.
7. Evaluate the Reliability of Information Used to Determine Severity
The information used to determine the severity of an internal control deficiency must be reliable, including the use of reasonable assumptions about the risk of misstatement. Limitations on a client’s own internal understanding of the nature and severity of a deficiency can result in a lower likelihood that the remediation is sufficient. Always evaluate the comprehensiveness of a client’s information and financial reports, so that severity can be accurately determined.
8. Avoid Defaulting to Maximum Severity
While it may be a well-intentioned approach, the severity of the risk of material misstatement should never automatically be set to “maximum” without careful consideration of the client’s control environment and activities. Defaulting to maximum severity could lead to failing to identify risks that are relevant to the audit. Auditors must always have a reasonable basis for determining a client’s risk of material misstatement, whether by testing design or operation.
9. Identify Further Audit Procedures for Control-Related Risks
After the auditor has determined the risks of material misstatement due to deficient controls, they must design and perform further audit procedures that respond to the client’s specific control-related risks. How can the auditor best lower the client’s risk level to an acceptable level? Depending on the risk, this may require designing or more effectively implementing additional control policies or procedures.
10. Tailor Further Audit Procedures Based on the Individual Client
Always thoughtfully consider the procedures that would respond most effectively to an individual client’s control-related risks. Performing the same procedure for two different clients in the same industry may seem like the correct approach, but risks of material misstatements vary based on company size, nature of operations, and even culture. When it comes to audit responses, keep in mind that there is no one-size-fits-all approach to correcting internal controls deficiencies.
Start Evaluating Internal Controls Deficiencies Effectively
The importance of internal controls cannot be overstated. While all companies want to minimize risk due to ineffective financial or operational practices, internal controls help prevent significant loss and devaluation. Companies that invest in ongoing evaluation of their internal controls will be able to mitigate risk and ensure SOX compliance, protecting not only their reputation but also consumer and investor confidence. AuditBoard can assist in the process of ongoing evaluation with our internal controls compliance software — get started with AuditBoard today!