Internal controls have become an area of high significance for organizations. It involves the control systems that companies or organizations put in place against risks. Therefore, it also links with the risk management systems that companies employ. Internal controls can be helpful in detecting, preventing, or controlling any significant risks within a company.
Most companies put systems in place that can help with the internal control process. Sometimes, however, these procedures may not be sufficient in meeting the intended purpose. In that case, deficiencies in internal controls may exist. In some cases, the deficiencies may also be significant. Before understanding those, it is crucial to understand what deficiencies in internal control are.
What are Deficiencies in Internal Control?
Deficiencies in internal control exist due to two reasons. Firstly, these may occur when control is missing. It happens when a control necessary to prevent or detect and correct misstatements does not exist. In some cases, internal controls may exist in the future. However, these may not be able to prevent or detect and correct issues on a timely basis. Therefore, it will classify as an internal control deficiency.
Secondly, internal control deficiencies may exist when internal controls exist currently. However, these controls cannot prevent or detect, and correct misstatements on a timely basis. In this case, the controls are not missing. However, these controls are not effective enough to work as intended. In either of these two cases, internal control deficiency will exist.
What do auditors do to determine Internal Control Deficiencies?
In some cases, auditors may deem an area to have insufficient internal controls. In those cases, they may suspect an internal control deficiency may exist. However, auditors must not term these as deficiencies. Instead, they must discuss their findings with the client’s management. In some cases, however, that may not be an option. It may happen, for example, when the deficiencies question the management’s integrity or competence.
During the discussion, auditors will have to consider various factors. These will include whether the management understands the cause of the deficiencies, any exceptions arising from those deficiencies noted by the management or the management’s response to the findings. Based on these factors, auditors can decide on whether deficiencies exist.
What is a Significant Deficiency?
A significant deficiency is basically referred to as a deficiency or a combination of internal controls that merit the attention of those charged with governance. These deficiencies relate to a misstatement occurring or the likelihood of it happening in the future and its potential effects. Therefore, significant deficiencies may exist even if auditors cannot identify any deficiencies within an audit engagement.
The above provides a standard definition of what significant deficiencies are. However, the standard does not specify any criteria for significant deficiencies. Auditors must use their professional judgment in order to determine whether an identified deficiency will classify as significant. For that, they will need to consider various factors.
How to Assess Significant Deficiencies of Internal Control of a Company?
There are several factors that auditors need to consider to assess significant deficiencies of internal control. Once auditors identify areas that may have deficiencies, they will need to consider the following factors to evaluate whether these are significant.
- Evidence of ineffective aspects of the company’s control environment.
- Absence of risk assessment process within the entity where auditors expect it to exist.
- Evidence of an ineffective entity risk assessment process. This evidence may relate to the management’s failure to identify a risk area that auditors would expect to have been covered.
- Evidence of ineffective response to the identified risk.
- Misstatements detected by the auditor’s procedures that internal controls failed to prevent, or detect and correct.
- Restatement of previously issued financial statements that relate to the correction of material misstatements due to fraud or error.
- Evidence of management’s inability to oversee the preparation of the financial statements.
All of the above factors are indicators of significant deficiencies within a company. These factors come from ISA 265 which is on “Communicating Deficiencies in Internal Control to Those Charged with Governance and Management“. According to the standard, auditors also need to communicate any significant deficiencies with the client’s management.
In some cases, the cost of remedying such deficiencies may exceed the benefits. Therefore, the management may not be able to apply any remedies. Similarly, auditors need to assess any significant deficiencies identified in any previous audits for the same client. If the management has not remedied those, the auditors will need to discuss them with the management.
Internal controls exist to help companies mitigate any unwanted risks. In some cases, however, these internal controls may not be sufficient or effective. These are known as internal control deficiencies. These significant deficiencies are typically referred to as deficiencies or a combination of deficiencies that require the attention of those charged with governance. Auditors need to apply their professional judgment and consider various factors to establish a significant deficiency.
- IAS 265 – Communicating Deficiencies in Internal Control to Those Charged with Governance and Management [Source]