How to Capture and Communicate Control Deficiencies

Capturing and reporting internal control weaknesses

We’re concluding another audit, and it’s time to consider whether we will issue a letter communicating internal control deficiencies. A month ago we noticed some control issues in accounts payable, but presently we’re not clear about how to describe them. We hesitate to call the client to rehash the now-cold walkthrough. After all, the client thinks we’re done, and quite frankly, they are tired of seeing us. We know that boiler-plate language will not adequately apprise the client of the weaknesses nor will it provide corrective steps. Now we’re kicking ourselves for not taking more time to document the control deficiencies.

Here’s a post to help capture and document internal control issues as we audit.

Today, we’ll take a look at the following control weakness objectives:

  1. How to communicate them
  2. How to discover them
  3. How to capture them

Before we get started, let’s define three types of weaknesses:

  • Material weaknesses – A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
  • Significant deficiencies – A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
  • Other deficiencies – For purposes of this blog post, we’ll define other deficiencies as those less than material weaknesses or significant deficiencies.

As we look at these definitions, we see that categorizing control weaknesses is subjective. Notice the following terms:

  • Reasonable possibility
  • Material misstatement
  • Less severe
  • Merits attention by those charged with governance

Categorizing a control weakness is not a science, but an art. With this thought in mind, let’s start our journey with how control weaknesses should be reported.

1. How to Communicate Control Weaknesses

Material weaknesses and significant deficiencies must be communicated in writing to management and those charged with governance. While other deficiencies don’t have to be in writing, they should nonetheless be disclosed to management and documented in the work papers.

2. How to Discover Control Weaknesses

Rather than trying to recall control weaknesses at the end of the audit, capture them as you perform the audit. You might see control problems in the following stages:

  • Planning – Risk assessment and Walkthroughs
  • Fieldwork – Transaction-level work
  • Conclusion – Wrapping up

Planning Stage

You will discover deficiencies as you perform walkthroughs, which are carried out in the early stages of the engagement. Correctly performed walkthroughs allow you to see process shortcomings and where duties are overly concentrated (what auditors refer to as a lack of segregation of duties). Are functions appropriately segregated concerning:

  • Custody of assets
  • Reconciliations
  • Authorization
  • Bookkeeping

Notice the first letters of these words spell CRAB (I know it’s cheesy, but it helps me remember).

Within each transaction cycle, these functions–if possible–need to be performed by different people. Doing so lessens the possibility of theft. If one person performs multiple duties, ask yourself, “Is there any way this person could steal funds?” If yes, then the client should add a control in the form of a second-person review. If possible, the client should have someone external to prior accounting processes (usually a supervisor) examine daily reports or other supporting documentation. How often should the review be performed? Daily, if possible. If not daily, as often as possible. Regardless, the client should not allow someone with the ability to steal to work without reviews by a second person. As we saw in my recent post, the fear of detection will lessen fraud.

If a transaction cycle lacks segregation of duties, then consider the potential impact from the control weakness. Three possibilities exist:

  • Theft that is material (material weakness)
  • Theft that is not material but which deserves the attention of management and the board anyway (significant deficiency)
  • Theft that is so small that you don’t have to communicate the issue to the board but will do so to management (other deficiency)

My experience has been that if any theft potential exists, those charged with governance want to know about it, but this too is a subjective decision.

Too often auditors make blanket statements that the client lacks appropriate segregation of duties, and then practically excuse the weakness with words such as, “Segregation of duties is not possible due to the limited staff.” I fear such statements are made to protect the auditor (should fraud occur in the future). It is better to be specific about where the weakness lies and what the potential impact might be. For example:

The accounts payable clerk can add new vendors to the vendor file. Since checks are signed electronically as they are printed, there is a possibility that fictitious vendors could be added and funds stolen. Such amounts could be material.

Such a statement tells the client where the problem is and the potential damage. Be prepared to provide a recommendation to remediate the problem.

While I just described how a lack of segregation of duties may allow theft to occur, the same applies to financial statement fraud (or cooking the books). When one person controls the reporting process, there is a greater risk of financial statement fraud. Appropriate segregation mitigates the risk that someone will manipulate the numbers.

Fieldwork Stage

While it is more likely you will discover process control weaknesses in the planning stage of an audit, the results of control deficiencies surface during fieldwork. How? Audit journal entries. What are journal entries but corrections to results (from the accounting system)? The stronger the system, the fewer the journal entries in number and size. Not that all journal entries are evidence of internal control weaknesses, but consider why the errors occurred. If the corrections are the result of control weaknesses, then consider if the client has a material weakness.

A material weakness is defined as:

  • being reasonably possible,
  • material in amount, and
  • [will not be] prevented on a timely basis

When the auditor makes a journal entry for a material amount, it’s difficult to argue that a material weakness does not exist. We know the error is “reasonably possible.” It occurred. We also know it was not “prevented on a timely basis.”

Conclusion Stage

When concluding the audit, review all of the audit entries to see if any are indicators of control weaknesses. Also, review your internal control deficiency work papers (more on this in a moment). If you have not already done so, discuss the noted control weaknesses with management. In particular, it is wise to communicate any potential significant deficiencies or material weaknesses. As you already know, management may oppose these since they are reported to the board–and can cast a poor light on the accounting staff. So be prepared to explain your determination. Your firm may desire to have a policy that only managers or partners make these communications since they are sensitive.

It is a good practice for your company to designate a particular location in your audit files for internal control deficiency documentation. Let’s discuss the appearance of these controls evaluation work papers.

3. How to Capture Control Weaknesses

Create a standard form (if you don’t already have one) to capture control weaknesses. The main point I am stressing is to document the internal control deficiency when you see it.

Too often auditors don’t write the weakness down, thinking they will remember the issue at the conclusion of the audit. Be disciplined in documenting on the go. Why?

Two reasons:

  1. You may not be on the engagement when it concludes (you are transferred to another audit) and
  2. You may not remember the issue (weeks later).

The audit standards require that we document our internal control weakness communications–either in a letter (for significant deficiencies and material weaknesses) or another way such as a memorandum (for control weaknesses we verbally communicate). Either way, the communication should be documented.

Think of the internal control communication process as follows:

  1. Capture the control deficiency on your firm’s form
  2. Later, determine whether the weakness is a significant deficiency or a material weakness
  3. If the deficiency is a significant deficiency or a material weakness, create your written letter to management and those charged with governance
  4. If the deficiency is not a significant deficiency or a material weakness, then you have already met the documentation requirement for this type of control issue (you’ve already completed your firm’s form to capture the control problem)
    • Note – You can include these other deficiencies in your written letter, but you are not required to; the communication can be verbal.

What should be on the internal control capture form? At a minimum include the following:

  1. Check-mark boxes for:
    1. Significant deficiency
    2. Material weakness
    3. Other control deficiency
    4. Other issues (e.g., violations of laws or regulations) — this general category has no relation to internal control weaknesses
  2. Whether the probability of occurrence is at least reasonably possible and whether the magnitude of the potential misstatement is material
    • If the probability of occurrence is at least reasonably possible and the magnitude of the potential misstatement is material, then the client has a material weakness
  3. Description of the deficiency and verbal or other communications with the client about the issue (at the time the problem was identified or later); also the client’s response
  4. The cause of the condition
  5. The potential effect of the condition
  6. Recommendation to correct the issue
  7. Person who identified the issue and the date the issue was noted
  8. Whether the issue is a repeat from the prior year
  9. An area for the partner to sign off that he or she agrees with the description of the deficiency and the category assigned to it (e.g., material weakness)
  10. Reference to related documentation in the audit file

How Do You Capture and Report Control Deficiencies?

Whew! We’ve covered a lot of ground today. How do you capture and report control deficiencies? I’m always looking for new ideas: Please share.

8 thoughts on “How to Capture and Communicate Control Deficiencies”

  1. Thanks Armando. I think this is one area that we auditors need to focus upon more often–easily neglected.

  2. Seeing “Segregation of duties is not possible due to the limited staff” in workpapers is one of my pet peeves. More correctly, seeing that comment, and then no deficiency in internal controls cited! Either improve the controls (which can usually be done, even with limited staff), or communicate the problem.

    And you would also think with a comment like that, that there would be some pretty extensive audit testing. But often that blanket comment seems to be justification for cutting back procedures because things are so simple. I think you’re setting yourself up for liability if things go south.

    • Jim, yes, I agree. If we say segregation is not possible and there are not compensating controls such as outside reviews, then you’d think at a minimum there would be a SAS 115 letter–particularly if the issue relates to a material area.

  3. Although I have not been in public accounting for many years, this information is always appreciated. I often encountered internal control weaknesses when I was working with clients to implement ERP systems. As much as possible, I would work with the client to implement controls through the software that could mitigate the problems. Of course, if the client chose not to use those controls, there was nothing I could do. Software implementation doesn’t come with a requirement to notify the board. The best I could do was to make sure the CFO and CEO had copies of my follow up letters where I would point out issues I found.

  4. Charles, thank you for sharing this good article. However, I’m very interested in the phrase “Categorizing a control weakness is not a science, but an art”, due to the subjectivity matter. Sometimes it is quite difficult to differentiate between “material weakness” and “significant deficiency”; moreover, it is arguable between the auditor and client whether it is a material weakness or a significant deficiency, or even whether it is a deficiency or not. Would you mind sharing any valuable tips based on your experiences on how to differentiate those kinds of deficiencies, for example whether it is based on monetary value impact to the company or other significant impact? Thank you.

    • Aditya, good question but one hard to answer. Ultimately the determination that a weakness is “material” is based upon whether the auditor believes a material misstatement could occur. I look to my materiality calculation for the audit and ask myself, “Could this control weakness allow a misstatement greater than my materiality number?” If yes, then it is reported as a material weakness. Still, it’s always a judgment, one–as you said–the client (usually management) can argue about.