How to Capture and Communicate Internal Control Deficiencies

Capturing and reporting internal control weaknesses

Too many times auditors fail to capture control deficiencies in the audit process. So, today I’ll show you how to capture and communicate internal control deficiencies.

A Common End-of-Audit Problem

We’re concluding another audit, and it’s time to consider whether we will issue a letter communicating internal control deficiencies. A month ago we noticed some control issues in accounts payable, but presently we’re not clear about how to describe them. We hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks we’re done, and quite frankly, they are tired of seeing us. We know that boiler-plate language will not clearly communicate the weakness or how to fix it. Now we’re kicking ourselves for not taking more time to document the control deficiencies.

Here’s a post to help capture and document internal control issues as we audit.

How to Capture and Communicate Internal Control Deficiencies

Today, we’ll take a look at the following control weakness objectives:

  1. How to communicate them
  2. How to discover them
  3. How to capture them
how to capture and communicate internal control deficiencies

Picture is courtesy of AdobeStock.com

As we begin, let’s define three types of weaknesses:

  • Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  • Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

  • Reasonable possibility
  • Material misstatement
  • Less severe
  • Merits attention by those charged with governance

Categorizing a control weakness is not a science, but an art. With this thought in mind, let’s start our journey with how control weaknesses should be reported.

1. How to Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. Other deficiencies can be given verbally to management, but you must document those discussions in your work papers.

2. How to Discover Control Weaknesses

Capture control weaknesses as you perform the audit. You might identify control weaknesses in the following audit stages:

  1. Planning – Risk assessment and walkthroughs
  2. Fieldwork – Transaction-level work
  3. Conclusion – Wrapping up

A. Planning Stage

You will discover deficiencies as you perform walkthroughs which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties).

Segregation of Duties

Are accounting duties appropriately segregated with regard to:

  • Custody of assets
  • Reconciliations
  • Authorization
  • Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Auditors often make statements such as, “Segregation of duties is not possible due to the limited number of employees.”

I fear such statements are made only to protect the auditor (should fraud occur in the future). It is better that we be specific about the control weakness and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client what the problem is, where it is, and the potential damage. 

Fraud: A Cause of Misstatements

While I just described how a lack of segregation of duties can open the door to theft, the same idea applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a higher risk of financial statement fraud. Appropriate segregation lessens the chance that someone will manipulate the numbers.

Within each transaction cycle, accounting duties need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review.

If possible, the client should have a second person examine reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, a company should not allow someone with the ability to steal to work alone without review. The fear of detection lessens fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possible impacts exist:

  • Theft that is material (material weakness)
  • Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
  • Theft of insignificant amounts (other deficiency)

My experience has been that if any potential theft area exists, the board wants to know about it. But this is a decision you will make as the auditor.

Errors: Another Cause of Misstatements

While auditors should consider control weaknesses that allow fraud, we should also consider whether errors can lead to potential misstatements. So, ask questions such as:

  • Do the monthly financial statements ever contain errors?
  • Are invoices mistakenly omitted from the payable system?
  • Do employees forget to obtain purchase order numbers prior to buying goods?
  • Are new employees ever unintentionally left off the payroll?
  • Do bookkeepers fail to reconcile the bank statements on a timely basis? 

B. Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies sometimes surface during fieldwork. How? Audit journal entries. What are audit entries but corrections? And corrections imply a weakness in the accounting system.

When an auditor makes a material journal entry, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible” (it happened). We also know that prevention did not occur on a timely basis.

C. Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. 

Your firm may desire to have a policy that only managers or partners make these communications. Why? Management can see the auditor’s comments as a criticism of their own work. After all, they designed the accounting system (or at least they oversee it). So, these discussions can be a little challenging.

Now let’s discuss how to capture control weaknesses.

3. How to Capture Control Weaknesses

So, how do you capture the control weakness?

First, and most importantly, document internal control deficiencies as you see them.

Why should you document control weaknesses when you initially see them?

  1. You may not be on the engagement when it concludes (because you are working elsewhere) or
  2. You may not remember the issue (weeks later).

Second, create a standard form (if you don’t already have one) to capture control weaknesses. 

Internal Controls

Picture is courtesy of AdobeStock.com

Internal Control Capture Form

 What should be in the internal control form? At a minimum include the following:

  1.  Check-mark boxes for:
    • Significant deficiency
    • Material weakness
    • Other control deficiency
    • Other issues (e.g., violations of laws or regulations) 
  2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
    • If the probability of occurrence is at least reasonably possible and the magnitude of the potential misstatement is material, then the client has a material weakness
  3. Description of the deficiency and the verbal or written communications to the client; also the client’s response
  4. The cause of the condition
  5. The potential effect of the condition
  6. Recommendation to correct the issue
  7. Person who identified the issue and the date when the issue was identified
  8. Whether the issue is a repeat from the prior year
  9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
  10. Reference to related documentation in the audit file

Summary

The main points in capturing and communicating internal control deficiencies are:

  1. Capture control weaknesses as soon as you see them
  2. Develop a form to document the control weaknesses

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

Learn from the CPA Scribo newsletter!

Get my free weekly accounting and auditing digest with the latest content.

Powered by ConvertKit

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

10 thoughts on “How to Capture and Communicate Internal Control Deficiencies

  1. Thanks Armando. I think this is one area that we auditors need to focus upon more often–easily neglected.

  2. Seeing “Segregation of duties is not possible due to the limited staff” in workpapers in one of my pet peeves. More correctly, seeing that comment, and then no deficiency in internal controls cited! Either improve the controls (which can usually be done, even with limited staff), or communicate the problem.

    And you would also think with a comment like that, that there would be some pretty extensive audit testing. But often that blanket comment seems to be justification for cutting back procedures because things are so simple. I think you’re setting yourself up for liability if things go south.

    • Jim, yes, I agree. If we say segregation is not possible and there are not compensating controls such as outside reviews, then you’d think at a minimum there would be a SAS 115 letter–particularly if the issue relates to a material area.

  3. Although I have not been in public accounting for many years, this information is always appreciated. I often encountered internal control weaknesses when I was working with clients to implement ERP systems. As much as possible, I would work with the client to implement controls through the software that could mitigate the problems. Of course, if the client chose not to use those controls, there was nothing I could do. Software implementation doesn’t come with a requirement to notify the board. The best I could do was to make sure the CFO and CEO had copies of my follow up letters where I would point out issues I found.

  4. Charles, thank you for sharing of good article. However, I’m very interesting in the phrase of “Categorizing a control weakness is not a science, but an art”, due to the subjectivity matter. Sometimes it is quite difficult to differentiate between “material weakness” and “significant deficiency”, moreover it is arguable between the auditor and client, whether it is material weakness or significant deficiency, or even whether it is a deficiency or not. Would you mind to share any valuable tips based on your experiences how to differentiate those kind of deficiencies, for example whether it is based on monetary value impact to the company or other significant impact? thank you

    • Aditya, good question but one hard to answer. Ultimately the determination that a weakness is “material” is based upon whether the auditor believes a material misstatement could occur. I look to my materiality calculation for the audit and ask myself, “Could this control weakness allow a misstatement greater than my materiality number?” If yes, then it is reported as a material weakness. Still, it’s always a judgment, one–as you said–the client (usually management) can argue about.

  5. Hi Charles,

    But this didn’t answer the issue in the introduction. what to do if those weaknesses identified in the cold review stage!

    • Mark, yes I focused on how to capture and communicate “as the audit is performed.” But still, your question is a good one. What should have be do when he or she encounters this problem in the cold review stage.

      I think it depends on the importance of the weakness. In other words, is the weakness significant? If no, I would email the client to advise them about the weakness.

      If a material weakness, the auditor needs to be sure that potential unidentifiable material misstatements aren’t present. If that risk has not been addressed, then the auditor should perform more work before the opinion is issued. This is why it is so important to consider this issue as we audit.