Evaluate control deficiencies, improvement recommendations, and communication levels.
A control deficiency matters because it changes risk, evidence, communication, and sometimes the report. The response should not stop at “there is a weak control.” It should explain the effect, root cause, severity, recommended improvement, and communication level.
The practical task is to connect the failed or missing control to what could go wrong, how serious the issue is, what evidence or procedure changes are needed, and who should receive the communication.
This lesson focuses on how to:
A deficiency can affect several objectives at once. Identify the affected objective before recommending a fix.
| Affected objective | What the deficiency may cause | Assurance implication |
|---|---|---|
| Financial reporting | Misstatement, incomplete records, wrong classification, or late close. | Increase procedures over affected assertions and consider communication of significant deficiencies. |
| Operational reliability | Delays, rework, duplicate effort, lost records, or inconsistent service. | Recommend process and monitoring improvements tied to the operational objective. |
| Compliance | Breach of policy, agreement, regulation, funding condition, or approval requirement. | Test extent of non-compliance and consider required communication. |
| Safeguarding assets | Theft, unapproved use, loss, or unsupported disposal. | Reassess fraud risk, test affected assets, and evaluate segregation of duties. |
| Data reliability | Inaccurate reports, incomplete populations, or weak audit trail. | Test report reliability before relying on data from the system. |
| Assurance risk | Planned reliance on controls may no longer be appropriate. | Reduce reliance, expand substantive work, or change procedure nature and extent. |
The affected objective determines the response. A deficiency in grant approval may require compliance testing and funder communication. A deficiency in financial close review may require expanded reporting procedures and governance attention.
Communication level depends on more than whether the control failed once. Severity considers likelihood, magnitude, cause, recurrence, and sensitivity.
| Severity indicator | Communication implication |
|---|---|
| Isolated minor process issue with low risk | Discuss with responsible management and document if relevant. |
| Repeated exception in a key process | Communicate to management with a clear recommendation and follow-up plan. |
| Deficiency affects a significant account, disclosure, program, or compliance requirement | Communicate to senior management and possibly governance. |
| Deficiency involves fraud risk, management override, or senior management | Escalate to governance or appropriate oversight level. |
| Deficiency prevents reliance on controls | Update assurance strategy and communicate the effect on procedures. |
| Deficiency remains unresolved from a prior engagement | Escalate communication because remediation is not effective. |
The communication should be directed to the level that can act on the matter and oversee remediation. A deficiency caused by senior management override should not be communicated only to the same management group.
A recommendation should address the reason the control failed. Adding another approval step may not help if the real problem is unclear ownership, poor system access, weak monitoring, or inadequate information.
| Root cause | Weak recommendation | Stronger recommendation |
|---|---|---|
| No assigned owner | “Review more carefully.” | Assign process ownership and require documented review evidence. |
| Segregation conflict | “Employee should be careful.” | Separate incompatible duties or add independent compensating review. |
| System access not updated | “Limit access.” | Implement periodic access review and timely removal of terminated or transferred users. |
| Exception reports ignored | “Generate reports monthly.” | Require documented follow-up of exception reports and escalation of unresolved items. |
| Policy unclear | “Follow policy.” | Clarify threshold, approval requirement, evidence required, and exception process. |
| Monitoring absent | “Management should monitor.” | Define monitoring frequency, responsible reviewer, evidence retained, and follow-up process. |
Recommendations should preserve management responsibility. The practitioner can recommend objectives, risks, and possible controls, but management should decide, implement, and operate the control.
Not every observation is a control deficiency. The distinction depends on whether the issue creates meaningful risk to an objective.
| Fact pattern | Likely classification | Reason |
|---|---|---|
| Minor formatting inconsistency in an internal report | Process observation | It may not affect reliability, compliance, or user decisions. |
| Missing approval on several purchases above threshold | Control deficiency | Required approval did not operate and unapproved spending could occur. |
| No review evidence for a key reconciliation | Control deficiency | The entity cannot demonstrate that errors would be detected. |
| Late filing that violates a funding agreement | Compliance deficiency | The issue affects a stated criterion and may require communication. |
| Backup person not documented for a low-risk manual task | Observation or minor deficiency | Classification depends on risk, frequency, and effect if absent. |
| Prior-year deficiency repeated without remediation | More serious deficiency | Recurrence suggests weak monitoring and ineffective corrective action. |
When classification is unclear, explain the factors that would decide it: likelihood, possible magnitude, affected objective, user sensitivity, and whether compensating controls exist.
| Step | Question | Output |
|---|---|---|
| 1. Condition | What control failed or is missing? | Deficiency fact. |
| 2. Criteria | What should have happened? | Policy, control objective, framework, or requirement. |
| 3. Cause | Why did the deficiency occur? | Root cause. |
| 4. Effect | What could go wrong? | Reporting, compliance, asset, data, operational, or assurance risk. |
| 5. Response | What recommendation and communication level fit? | Remediation and audience. |
If the deficiency affects assurance strategy, add a final sentence explaining whether control reliance should be reduced and what additional procedures are needed.
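The five-step model above, together with the affected-objective and severity tables earlier in the lesson, can be exercised as a small evaluator. The following Python is an added example written for this page, not material from the lesson: the `Deficiency` fields, the numeric ordering of the `Level` audiences, the rule that an unresolved prior-year finding moves one audience level higher, and the four sample findings are all assumptions made here for illustration.

```python
# Added illustration of the five-step deficiency evaluation (condition, criteria,
# cause, effect, response). Field names, the ordering of communication levels
# and the sample findings are assumptions for this example, not from the lesson.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Communication audiences, ordered from least to most senior (assumed order)."""
    RESPONSIBLE_MANAGEMENT = 1
    MANAGEMENT = 2
    SENIOR_MANAGEMENT = 3
    GOVERNANCE = 4


@dataclass(frozen=True)
class Deficiency:
    condition: str                   # Step 1: what control failed or is missing
    criteria: str                    # Step 2: what should have happened
    cause: str                       # Step 3: root cause
    objectives: frozenset            # affected objectives; keys of EFFECTS below
    repeated: bool = False           # repeated exception in a key process
    significant_area: bool = False   # significant account, disclosure, program or compliance requirement
    fraud_or_override: bool = False  # fraud risk or management override
    senior_management: bool = False  # the deficiency involves senior management
    prevents_reliance: bool = False  # planned reliance on the control is no longer appropriate
    unresolved_prior: bool = False   # reported in a prior engagement and still open


# Step 4 lookup: affected objective -> what the deficiency may cause.
EFFECTS = {
    "financial_reporting": "misstatement, incomplete records, wrong classification, or late close",
    "operational": "delays, rework, duplicate effort, lost records, or inconsistent service",
    "compliance": "breach of policy, agreement, regulation, funding condition, or approval requirement",
    "safeguarding": "theft, unapproved use, loss, or unsupported disposal",
    "data_reliability": "inaccurate reports, incomplete populations, or weak audit trail",
}


def communication_level(d: Deficiency) -> Level:
    """Apply the severity indicators; the most serious indicator present decides."""
    level = Level.RESPONSIBLE_MANAGEMENT
    if d.repeated:
        level = max(level, Level.MANAGEMENT)
    if d.significant_area:
        level = max(level, Level.SENIOR_MANAGEMENT)
    if d.fraud_or_override or d.senior_management:
        # Never report only to the group that overrode the control.
        level = Level.GOVERNANCE
    if d.unresolved_prior and level < Level.GOVERNANCE:
        # Assumption: an unremediated prior finding is escalated one level above
        # where it would otherwise be reported, because remediation was not effective.
        level = Level(level + 1)
    return level


def evaluate(d: Deficiency) -> dict:
    """Return the five-step write-up, plus the assurance-strategy sentence when needed."""
    unknown = d.objectives - set(EFFECTS)
    if unknown:
        raise ValueError(f"unknown objective(s): {sorted(unknown)}")
    result = {
        "condition": d.condition,
        "criteria": d.criteria,
        "cause": d.cause,
        "effect": "; ".join(EFFECTS[o] for o in sorted(d.objectives)),
        "communication_level": communication_level(d).name,
    }
    if d.prevents_reliance:
        result["assurance_strategy"] = (
            "Reduce planned reliance on this control and expand substantive "
            "procedures over the affected objectives."
        )
    return result


# Constructed sample findings, loosely based on the fact patterns in the lesson.
SAMPLE_FINDINGS = [
    Deficiency(
        condition="Several purchases above the approval threshold had no documented approval.",
        criteria="Policy requires documented approval above the threshold before commitment.",
        cause="No assigned owner for approval evidence.",
        objectives=frozenset({"financial_reporting", "safeguarding"}),
        repeated=True,
    ),
    Deficiency(
        condition="Grant spending was approved by a senior officer outside the grant workflow.",
        criteria="The funding agreement requires approval through the documented workflow.",
        cause="Management override of the approval control.",
        objectives=frozenset({"compliance"}),
        significant_area=True, fraud_or_override=True,
        senior_management=True, prevents_reliance=True,
    ),
    Deficiency(
        condition="No backup person documented for a low-risk manual filing task.",
        criteria="The procedure manual expects a named backup for each task.",
        cause="The procedure template omits a backup field.",
        objectives=frozenset({"operational"}),
    ),
    Deficiency(
        condition="The key bank reconciliation still lacks review evidence, as reported last year.",
        criteria="Key reconciliations require documented independent review.",
        cause="Monitoring absent; the prior recommendation was not implemented.",
        objectives=frozenset({"financial_reporting"}),
        significant_area=True, unresolved_prior=True,
    ),
]


if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        for step, text in evaluate(finding).items():
            print(f"{step:>21}: {text}")
        print()
```

The evaluator keeps management responsibility intact: it produces the write-up and the audience, not the control itself. The precedence in `communication_level` is the design choice worth noting: fraud, override or senior-management involvement forces the governance audience regardless of the other indicators, so the finding can never be routed back only to the group that caused it.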
| Pitfall | Correction |
|---|---|
| Listing a weakness without explaining effect. | State what could go wrong and how it affects reporting, operations, compliance, or assurance risk. |
| Recommending a control that does not address root cause. | Identify why the deficiency occurred before proposing remediation. |
| Communicating every point at the same level. | Match communication audience to severity and sensitivity. |
| Forgetting assurance strategy impact. | Reduce control reliance or expand procedures when deficiencies affect planned evidence. |
| Creating independence issues with recommendations. | Recommend improvements without implementing or operating management controls. |