10 Tips for Evaluating Internal Control Deficiencies

As any auditor knows, risk management is essential to any business’s financial and operational health. Businesses rely on increasingly complex systems to generate the kinds of data that support their financial and operational management. If there’s a flaw in the system — either in design or operation — companies open themselves up to significant financial risks, including fraud and asset loss. While some risk is inevitable, internal controls help mitigate risk and are therefore among the most important tools available for effective risk management.

According to the American Institute of Certified Public Accountants (AICPA), internal controls are designed to provide reasonable assurance about the achievement of a business’s objectives in three key areas: the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. A deficiency in internal control exists when a control does not allow management or employees to prevent, or detect and correct, misstatements on a timely basis. 

As the cases of Enron and Worldcom show, failure to identify or correct control deficiencies can be disastrous, damaging the integrity of financial reporting, eroding public and investor confidence, and destabilizing capital markets. In this article, we break down the importance of identifying internal control deficiencies as part of the audit and assurance process, providing 10 tips for how to evaluate internal control deficiencies and manage financial risk appropriately.

What Are Internal Controls Deficiencies?

In response to the fraudulent reporting and scandals at Enron and Worldcom, Congress passed the Sarbanes-Oxley (SOX) Act in 2002, introducing significant reforms to the regulation of financial disclosure. Among its major provisions, the SOX Act mandates that all publicly traded US companies’ financial reports must include an Internal Controls Report and that an organization’s Audit Committee must provide “oversight of financial reporting, including the internal control over financial reporting (ICFR) and the external, independent audit process.”

Under Section 404 of the SOX Act, management is responsible for an adequate internal control structure and must provide an assessment of the effectiveness of the control structure in its annual Internal Controls Report. An independent auditor must also attest to the accuracy of the company’s statement that internal controls are in place and effective. These financial statement audits must adhere to Generally Accepted Accounting Principles (GAAP) and typical accounting standards.

Internal controls are the policies and procedures institutions establish to reduce risks and ensure they meet operating, reporting, and other SOX compliance objectives. Internal controls can be electronic or physical. Examples of electronic controls include two-factor authentication to access company data, while physical controls might include locks for sensitive data or locations, or surveillance of critical areas.

Internal control deficiencies exist when the design or operation of a control does not prevent or detect a material misstatement on a timely basis.

A deficiency in design exists when:

  • The control is missing entirely.
  • The control is in place but is not properly designed.

Take payroll management as an example, an administrative function requiring the segregation of duties. A company that doesn’t put segregation of duties in place for its payroll management system will have a deficiency in design — since this is a control that should be in place but is missing entirely, leaving the company open to fraud, financial risk, and potential issues in filings.

A deficiency in operation exists when:

  • The control is properly designed but does not operate as designed.
  • The person performing the control does not possess the necessary competence to perform the control effectively.

A deficiency in operation will occur if, for example, the sole accountant at a small business suddenly quits, leaving an inexperienced accounting clerk to manage the bank reconciliation process (a type of internal control). Without the proper training or technical expertise, the accounting clerk in this scenario cannot perform the control effectively, leaving the business open to long-term financial damage.

Once management or an auditor has identified a control deficiency during the course of an audit, they must evaluate its materiality, or severity, as either a significant deficiency or a material weakness. Neither is inconsequential.

As defined by the Public Company Accounting Oversight Board (PCAOB), a significant deficiency is one or more control deficiencies that are less severe in magnitude yet important enough to merit attention by those responsible for oversight. 

In contrast, a material weakness is more severe in magnitude — it is a combination of deficiencies (one or more) that create a reasonable possibility of a material misstatement in a company’s financial statement.

The severity of a deficiency, as AICPA reminds us, doesn’t depend on whether a material misstatement actually occurred, but rather, its potential magnitude and likelihood. Management, potentially through an internal audit function, and external auditors must evaluate a company’s internal controls for material misstatements — doing so helps maintain the integrity of financial reporting.

The Importance of Evaluating Internal Controls Deficiencies

When designed appropriately and operating effectively, internal controls safeguard company assets from fraud or significant loss, maintain the integrity of financial data and transactions, and ensure financial, accounting, and statutory compliance. Simply put, internal control over financial reporting (ICFR) is the bedrock of public and investor confidence in the capital markets. Without effective ICFR, companies put themselves at significant financial and reputational risk.

While it’s ultimately the responsibility of a company’s management to implement appropriate policies on internal controls and seek regular assurance that the system is functioning effectively, external auditors also have a crucial role to play in determining internal control compliance. High levels of deficiencies in audits of internal controls remain a pressing concern for the profession. Auditors either don’t fully understand Auditing Standard No. 5, which outlines key ICFR practices, or don’t have an adequate grasp on an audit client’s business, leading to errors in the evaluation of internal controls deficiencies.

The consequences of such errors can be immense for the audit client. Loss of assets and resources, mismanagement and inefficiency in operations, and even loss of market share are only the tip of the iceberg. Depending on the magnitude of the audit deficiencies and the stature of the company, a client could be facing a massive loss in consumer and investor confidence. While Enron remains a favorite in accounting case studies, the more recent 2019 Mattel accounting scandal shows that audit deficiencies — whether deliberate, in Mattel’s case, or unintentional, due to a lack of audit expertise — can lead to substantial company devaluation.

How Do You Evaluate Internal Controls Deficiencies?

Because of the growing complexity of business operations, properly identifying and evaluating internal controls deficiencies can be a challenge for both companies and CPAs. COSO’s framework for evaluating internal control deficiencies provides useful guidance and focuses on five key assessment areas: the control environment, risk assessment, control activities, information and communication systems, and monitoring activities.

Assess the Control Environment

Assessing the control environment is an important first step in evaluating internal control deficiencies. As the foundation of internal control, the control environment sets the tone of an organization and influences the way employees behave. An organization committed to an effective control environment will operate with integrity and ethical values, and it will attract and retain competent employees who are held accountable for their internal control responsibilities.

Evaluate Risk Assessment 

Internal controls are only as effective as the risk analysis supporting them. An organization must identify risks to the achievement of its objectives, and it must analyze these risks in order to determine how they can be managed effectively. Fraud is a common risk area. Evaluating a company’s overall risk assessment strategy will help audit, risk, and compliance professionals identify if internal controls to prevent fraud are in place and designed properly.

Investigate Control Activities

Designing proper controls is just half the battle — once these controls are in place, an organization must have policies and procedures mitigating risks to the achievement of its objectives to acceptable levels. Key internal control activities to investigate include performance reviews, segregation of duties, and electronic safeguards like two-factor authentication. Control activities that reduce the risk of fraud and error will indicate a healthy control environment.

Examine Information and Communication Systems

Quality internal communications that support the functioning of internal controls are essential. Examine the organization’s information and communication systems, especially the accounting information system, which can have a significant impact on the efficiency and accuracy of reports. Are accounting reports easily generated and error-free? If not, the organization may need to reexamine or even overhaul its accounting software.

Analyze Monitoring Activities

An organization performing regular and ongoing evaluations of its internal controls will ultimately mitigate risks to an acceptable level. Analyze the organization’s monitoring activities based on frequency and quality — the more consistently an organization monitors, assesses, and takes corrective action around internal control deficiencies, the more successful it will be at managing financial risk.

10 Important Tips for Evaluating Internal Controls Deficiencies

In order to protect the integrity of financial reporting, it is critical for audit, risk, and compliance professionals to identify internal controls deficiencies as part of the audit and assurance process. Here are 10 important tips to keep in mind!

1. Index Existing Controls

No matter how big or small the organization you’re auditing is, internal controls will likely exist, even if they are less sophisticated than they could be. Almost all clients have some internal controls over financial reporting, including login credentials to access company computers and policies and procedures determining the competency of the chief accountant. While it’s a good idea to investigate how robust these internal controls are, it would be impossible to do sufficient audit work without some internal controls already in place.

2. Understand Which Controls Are Most Relevant to Audit

Depending on the client’s size, complexity, and overall operations, controls relevant to the audit will vary. As defined by AU-C Section 315, CPAs should always consider controls that:

  • Address significant risks, including fraud risks.
  • Address risks for which substantive procedures do not provide sufficient audit evidence.
  • Support journal entries.
  • Act as compensating controls for key risk areas, if they exist.

3. Continue the Audit After Determining Controls Exist

According to Peer Review program data at The Journal of Accountancy, many auditors think determining whether controls exist is the extent of their responsibilities, but this isn’t true. Auditors have the foremost responsibility of obtaining audit evidence about the client’s relevant controls by observing the client implementing these controls, inspecting documents and reports, and tracing relevant transactions through the client’s financial reporting system. Simply inquiring about the existence of controls is not enough — controls must be assessed effectively.

4. Remember: Misstatements Are Not Deficiencies

Internal control deficiencies are often identified after the fact — companies will detect a misstatement in the financial statement and discover the existence of a control deficiency. But failing to properly account for transactions is not the deficiency itself. Auditors must examine the source of the misstatement to understand how it happened and which control should have prevented or detected the misstatement. It may be the client simply doesn’t have the control that would prevent or detect the misstatement in place, which would be a design deficiency. Root cause analysis can help define the gap in internal controls for remediation.

5. Determine if the Deficiency Is in Design or Operation

Fundamentally, internal control deficiencies are due to a flaw in design or operation. If a control does not reliably prevent or detect material misstatements, then there is a design deficiency. If a control is well-designed but is still causing a material misstatement, then there is an operating deficiency. Perhaps the person performing the control hasn’t been trained adequately, or they did not perform and document the steps needed to operate the control effectively. In either case, it’s the auditor’s job to identify the origin of the deficiency.

6. Assess the Severity of the Deficiency

Once an auditor has identified a deficiency, they must assess the severity of the deficiency according to two factors: likelihood and magnitude. How likely is it the deficient control will not prevent or detect a material misstatement, and what is the magnitude of the potential misstatement resulting from the deficiency? It is crucial for auditors to identify the complete population of transactions a control is intended to address — with this information, the number and size of misstatements caused by the deficient control can be correctly assessed.

7. Evaluate the Reliability of Information Used to Determine Severity

The information used to determine the severity of an internal control deficiency must be reliable, including the use of reasonable assumptions about the risk of misstatement. Limitations on a client’s own internal understanding of the nature and severity of a deficiency can result in a lower likelihood the remediation is sufficient. Always evaluate the comprehensiveness of a client’s information and financial reports, so severity can be accurately determined.

8. Avoid Defaulting to Maximum Severity

While it may be a well-intentioned approach, the severity of the risk of material misstatement should never automatically be set to “maximum” without careful consideration of the client’s control environment and activities. Defaulting to maximum severity could lead to failing to identify risks relevant to the audit. Auditors must always have a reasonable basis for determining a client’s risk of material misstatement, whether by testing design or operation.

9. Identify Further Audit Procedures to Respond to Control-Related Risks

After the auditor has determined the risks of material misstatement due to deficient controls, they must design and perform further audit procedures to respond to the client’s specific control-related risks. How can the auditor best lower the client’s risk level to an acceptable level? Depending on the risk, this may require designing or more effectively implementing additional control policies or procedures. 

10. Tailor Further Audit Procedures Based on the Individual Client

Always thoughtfully consider the procedures providing the most effective responses to an individual client’s control-related risks. Performing the same procedure for two different clients in the same industry may seem like the correct approach, but risks of material misstatements vary based on company size, nature of operations, and even culture. When it comes to audit responses, keep in mind that there is no one-size-fits-all approach to correcting internal control deficiencies.

Start Evaluating Internal Controls Deficiencies Effectively

The importance of internal controls cannot be overstated. While all companies want to minimize risk due to ineffective financial or operational practices, internal controls help prevent significant loss and devaluation. Companies investing in ongoing evaluation of their internal controls will be able to mitigate risk and ensure SOX compliance, protecting not only their reputation but also consumer and investor confidence.

Frequently Asked Questions About Internal Controls Deficiencies

What are internal controls deficiencies?

A deficiency in internal control exists when a control does not allow management or employees to prevent, or detect and correct, misstatements on a timely basis. 

How do you evaluate internal controls deficiencies?

Internal controls deficiencies can be evaluated based on their magnitude and likelihood.


Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness.