In today’s post, I tell you how to understand and communicate material weaknesses and significant deficiencies.
How do you categorize a control weakness? Is the weakness a material weakness, a significant deficiency or something less? This seems to be the most significant struggle in addressing internal control issues.
And if you’ve been in the business for any time at all, you know that management can take offense regarding control weakness communications. For instance, a CFO may believe that a material weakness reflects poorly upon him. After all, he controls the design of the accounting system. So, communicating control weaknesses can result in disagreements. Therefore, it’s even more important that these communications be correct.
Before telling you how to distinguish material weaknesses from significant deficiencies, let’s review control weakness definitions.
Definitions of Control Weaknesses
A deficiency in internal control is defined as follows: A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
Now let’s define (1) material weaknesses, (2) significant deficiencies, and (3) other deficiencies.
- Material weakness. A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.
- Significant deficiency. A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
- Other deficiencies. For the purposes of this blog post, an other deficiency is a control weakness that is less than a material weakness or a significant deficiency.
How to Categorize a Control Weaknesses
Now that we have defined material weaknesses and significant deficiencies, we can discuss how to distinguish between the two.
First, ask these two questions:
- Is there a reasonable possibility that a misstatement could occur?
- Could the misstatement be material?
If your answer to both questions is yes, then the client has a material weakness. (By the way, if you propose a material audit adjustment, it’s difficult to argue that there is no material weakness. As you write your control letter, examine your proposed audit entries.)
If your answer to either of the questions is no, then ask the following:
Is the weakness important enough to merit the attention of those charged with governance? In other words, are there board members who would see the weakness as important.
If the answer is yes, then it is a significant deficiency.
If no, then it is not a significant deficiency or a material weakness.
How to Communicate Material Weaknesses and Significant Deficiencies
The following deficiencies must be communicated in writing to management and to those charged with governance:
- Material weaknesses
- Significant deficiencies
The written communication (according to AU-C section 265) must include:
- the definition of the term material weakness and, when relevant, the definition of the term significant deficiency
- a description of the significant deficiencies and material weaknesses and an explanation of their potential effects
- sufficient information to enable those charged with governance and management to understand the context of the communication
- the fact that the audit included consideration of internal control over financial reporting in order to design audit procedures that are appropriate in the circumstances and that the audit was not for the purpose of expressing an opinion on the effectiveness of internal control
- the fact that the auditor is not expressing an opinion on the effectiveness of internal control
- that the auditor’s consideration of internal control was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies, and therefore, material weaknesses or significant deficiencies may exist that were not identified
- an appropriate alert, in accordance with section 905, Alert That Restricts the Use of the Auditor’s Written Communication
Next, I explain how to communicate other deficiencies (those that are less than a material weakness or a significant deficiency).
How to Communicate Other Deficiencies
Other deficiencies can be communicated in writing or orally and need only be communicated to management (and not to those charged with governance). The communication must be documented in the audit file. So if you communicate orally, then follow up with a memo to the file addressing who you spoke with, what you discussed, and the date of the discussion.
Stand-alone management letters are often used to communicate other deficiencies. Since there is no authoritative guidance for management letters, you may word them as you wish. Alternatively, you can, if you like, include other deficiencies in your written communication of significant deficiencies or material weaknesses.
A Key Word of Warning
Always provide a draft of any written communications to management before final issuance. It is much better to provide a draft and find out (before issuance) that it contains an error or a miscommunication. Then, corrections can be made.
Writing your internal control letter is a part of the wrap-up process for audits. Click here for additional information concerning wrapping up an audit.