How auditors evaluate control deviations, revise reliance decisions, and adjust further audit procedures.
A control deviation occurs when a control does not operate as designed. A missing approval, late reconciliation, unauthorized override, or unresolved exception can change the auditor’s view of control risk. The issue is not just that one control failed; the issue is whether the auditor can still rely on the control to reduce substantive testing.
The AUD exam commonly tests deviations as an iterative risk-assessment problem. When testing reveals deviations, the auditor evaluates frequency, cause, severity, and financial-statement effect, then revises the audit response when necessary.
```mermaid
flowchart TD
A["Identify control deviation"] --> B["Investigate cause and frequency"]
B --> C["Evaluate severity and affected assertions"]
C --> D{"Can planned reliance continue?"}
D -- "Yes, with support" --> E["Document basis and continue testing plan"]
D -- "No or uncertain" --> F["Revise control risk and expand substantive work"]
F --> G["Consider communication of deficiency"]
```
A deviation is not limited to a missing signature. It is any failure of a prescribed control to operate as expected.
| Deviation type | Example | Audit concern |
|---|---|---|
| Missing performance | Monthly reconciliation was not prepared | Misstatements may not be detected timely |
| Late performance | Review happened after financial close | Errors may have reached the financial statements |
| Incomplete performance | Reviewer signed off but did not resolve exceptions | The control may not be meaningful |
| Unauthorized override | System limit was bypassed without approval | Fraud or management override risk may increase |
| Wrong performer | Control performed by someone without authority or competence | Control may not be effective |
| IT failure | Automated control did not run or used incorrect logic | Systemic error may affect many transactions |
The auditor should determine whether the deviation is isolated, recurring, or systemic. That distinction drives the risk response.
Control deviations are evaluated using both likelihood and magnitude. The auditor asks what misstatement could occur, how likely it is that the control would fail to prevent or detect it, and whether other controls would compensate.
Key factors include:
A single deviation can be serious if it affects a key control over a significant risk. Multiple small deviations can also become serious if they show that the control is not consistently performed.
The auditor should not automatically treat every exception as isolated. The cause matters.
| Cause | Likely interpretation | Audit response |
|---|---|---|
| One employee forgot one approval and evidence supports normal performance otherwise | Possibly isolated | Evaluate additional evidence and document conclusion |
| Several employees bypass the same approval near month-end | Potentially systemic | Reduce reliance and expand testing |
| System configuration applies the wrong threshold to all transactions | Systemic IT-dependent control failure | Test affected population and related IT controls |
| Manager overrides controls without review | Possible fraud or control-environment issue | Expand procedures and consider governance communication |
| Review sign-offs are present but exceptions are never resolved | Control may be ineffective by design or operation | Reassess the control and related risk |
Calling a deviation isolated requires evidence. The auditor may need to expand the sample, test other periods, inspect logs, or perform additional inquiries and procedures.
Control deviations affect the audit plan because they affect control risk. If the auditor can no longer support planned reliance, detection risk must decrease, which usually means more persuasive substantive procedures.
| Finding | Likely audit effect |
|---|---|
| No deviations, or a few that evidence supports as isolated | Continue planned reliance if evidence is sufficient |
| Deviation rate exceeds tolerable rate | Reduce reliance and increase substantive procedures |
| Deviation affects significant risk | Add targeted substantive procedures and consider fraud implications |
| Deviation occurred after interim testing | Test the remaining period or perform year-end procedures |
| Deviation suggests a deficiency | Evaluate classification and required communication |
The auditor may increase sample sizes, shift testing closer to year-end, perform more tests of details, use more external evidence, or add unpredictable procedures. The response should connect to the affected assertion.
The audit file should show how the deviation was evaluated. A useful conclusion states the condition, cause, affected control, affected assertion, additional procedures performed, and effect on reliance.
For example, “Three of 40 purchase approvals were missing” is incomplete. A stronger documentation trail explains whether the missing approvals were isolated to one preparer, whether the purchases were valid, whether compensating review controls operated, whether the deviation rate exceeded the tolerable rate, and whether substantive testing over purchases was expanded.
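As an added illustration that is not part of the original page, the following Python turns the decision flow above and the "three of 40" example into a calculation. It assumes a tolerable rate of 10% and a 5% risk of overreliance (neither figure is given on the page), computes the upper deviation limit from the binomial distribution by bisection rather than reading it from a published sampling table, and takes the cause classification (isolated, recurring, systemic) as an input the auditor supplies from the evidence gathered, since no formula can decide that.

```python
import math


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(deviations, sample_size, risk_of_overreliance=0.05, tol=1e-7):
    """Highest population deviation rate still consistent with the sample result
    at the stated risk of overreliance: the rate p at which
    P(X <= deviations | n, p) equals the risk. Found by bisection, because the
    binomial CDF falls monotonically as p rises."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, sample_size, mid) > risk_of_overreliance:
            lo = mid  # this rate is still plausible, so the limit lies higher
        else:
            hi = mid
    return hi


def evaluate_deviations(deviations, sample_size, tolerable_rate, *,
                        cause="isolated", significant_risk=False,
                        after_interim=False, risk_of_overreliance=0.05):
    """Map a test-of-controls result to the audit response.

    cause: "isolated", "recurring" or "systemic" (assumed labels; the auditor
    assigns them from the evidence, e.g. expanded samples, logs, inquiries).
    Returns a dict with the sample rate, the upper limit, whether planned
    reliance can continue, and the list of responses to document.
    """
    if cause not in ("isolated", "recurring", "systemic"):
        raise ValueError("cause must be isolated, recurring or systemic")

    sample_rate = deviations / sample_size
    upper_limit = upper_deviation_limit(deviations, sample_size, risk_of_overreliance)
    exceeds_tolerable = upper_limit > tolerable_rate

    responses = []
    # Reliance continues only when the statistical result supports it AND the
    # cause has been evidenced as isolated (management's say-so is not enough).
    rely = not exceeds_tolerable and cause == "isolated"
    if rely:
        responses.append("Document basis and continue planned reliance")
    else:
        responses.append("Reduce reliance and increase substantive procedures")
        responses.append("Evaluate deficiency classification and required communication")
    if significant_risk:
        responses.append("Add targeted substantive procedures and consider fraud implications")
    if after_interim:
        responses.append("Test the remaining period or perform year-end procedures")

    return {
        "sample_rate": sample_rate,
        "upper_limit": upper_limit,
        "exceeds_tolerable": exceeds_tolerable,
        "reliance_continues": rely,
        "responses": responses,
    }


if __name__ == "__main__":
    # Constructed figures: the page's "three of 40" approvals, 10% tolerable rate.
    result = evaluate_deviations(3, 40, 0.10, cause="isolated", significant_risk=True)
    print(f"sample rate {result['sample_rate']:.1%}, upper limit {result['upper_limit']:.1%}")
    for line in result["responses"]:
        print("-", line)
```

The point the numbers make: the observed rate (7.5%) is below the assumed 10% tolerable rate, yet the upper deviation limit (about 18%) is not, so a sample of 40 with three deviations cannot support the planned reliance even before the cause is considered. With zero deviations the same sample supports an upper limit of roughly 7%, which is why the decision turns on the achieved upper limit rather than the raw deviation count.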
Do not ignore deviations because the account balance ultimately appears reasonable. A control failure may still affect control risk and future testing.
Do not automatically issue a modified opinion because deviations exist. The auditor first evaluates whether sufficient appropriate evidence can still be obtained.
Do not assume a deviation is isolated because management says it is. The auditor needs evidence.
Do not continue a reliance strategy unchanged when deviations exceed the tolerable rate or involve significant risk.