Assess compensating controls, deficiencies, communication, IT security, and control enhancements.
A control deficiency is not just a missing step. It is a gap that creates risk for information reliability, asset safeguarding, compliance, operating performance, IT security, or governance. A strong Performance Management response evaluates whether existing compensating controls reduce the risk, identifies who needs to know, and recommends a practical enhancement.
The recommendation should be specific enough for management to implement. “Improve controls” is not sufficient. State the risk, control gap, consequence, remediation, owner, evidence, and follow-up.
This lesson focuses on control deficiencies, compensating controls, communication level, IT security requirements, and remediation planning.

| Topic | Performance Management use |
|---|---|
| Deficiency implication | Explain the operational, reporting, compliance, fraud, security, or governance consequence. |
| Compensating control | Decide whether another control reduces the risk enough. |
| Communication | Match the recipient to severity, sensitivity, repetition, and governance responsibility. |
| IT security | Address access, authentication, logging, change management, backup, privacy, and incident response. |
| Enhancement | Recommend a feasible control improvement with owner, timing, evidence, and monitoring. |

State why the deficiency matters. A control weakness should be tied to the process and decision it affects.

| Deficiency | Possible implication |
|---|---|
| No independent review of supplier master changes. | Invalid suppliers, duplicate payments, fraud, or inaccurate procurement reporting. |
| Bank reconciliations are late or not reviewed. | Cash errors, missing transactions, or fraud may not be detected quickly. |
| Excessive system access rights. | Users may enter, approve, or alter transactions beyond their role. |
| Reports are manually compiled without reconciliation. | Management may rely on incomplete or inaccurate performance data. |
| Exceptions are generated but not followed up. | Control appears to exist but does not reduce risk. |
| Backup and recovery are untested. | Data loss or downtime could impair operations and reporting. |

The response should explain the effect on decisions. For example, if inventory counts are unreliable, management may set prices, reorder points, margins, and production plans using bad data.

A compensating control may reduce risk, but it must be precise enough, timely enough, and performed by someone independent enough to matter.

| Weak primary control | Possible compensating control | Adequacy question |
|---|---|---|
| Segregation of duties is limited in a small team. | Owner reviews transaction exception report and bank activity weekly. | Is the review independent, evidenced, timely, and detailed enough? |
| System blocks cannot yet be configured. | Manual exception log reviewed before month-end close. | Does it catch the relevant risk before reports are used? |
| Supplier master approval is weak. | Monthly supplier change report reviewed by finance leader. | Does review include supporting evidence and suspicious changes? |
| Inventory count frequency is low. | Cycle counts for high-value items with variance investigation. | Does it cover material risk areas and require follow-up? |
| Access review is annual only. | Immediate access removal checklist for terminations and role changes. | Does HR trigger the process reliably and is completion logged? |

If the compensating control is detective and delayed, explain any risk that remains before detection. A monthly review may not prevent a fraudulent payment made today; it may only detect the issue later.
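
An added worked example, not part of the lesson, of what the monthly supplier change review in the table above actually has to test, and of the residual exposure it leaves open. The change log, the user names and the classification of "sensitive" fields are constructed for the example; the review date is the month-end close.

```python
from datetime import date

# Constructed sample supplier master change log (not from the lesson).
# Each entry records who made the change, who approved it (None if nobody
# did) and the date it took effect.
CHANGE_LOG = [
    {"id": 1, "supplier": "S-100", "field": "bank_account", "changed_by": "jsmith",
     "approved_by": "fleader", "date": date(2024, 3, 2)},
    {"id": 2, "supplier": "S-101", "field": "address", "changed_by": "jsmith",
     "approved_by": "fleader", "date": date(2024, 3, 5)},
    {"id": 3, "supplier": "S-102", "field": "bank_account", "changed_by": "jsmith",
     "approved_by": "jsmith", "date": date(2024, 3, 9)},   # self-approved
    {"id": 4, "supplier": "S-103", "field": "address", "changed_by": "pjones",
     "approved_by": None, "date": date(2024, 3, 20)},      # never approved
]

# Fields whose unauthorised change can redirect money (assumed classification).
SENSITIVE_FIELDS = {"bank_account", "payment_terms"}


def review_changes(log, review_date):
    """Monthly detective review of supplier master changes.

    A change is flagged when nobody approved it or when the approver is the
    person who made it (the review is then not independent). For each flagged
    change the result also records how many days the change was live before
    the review: the residual exposure a delayed detective control leaves open.
    """
    findings = []
    for entry in log:
        if entry["date"] > review_date:
            continue  # outside the period this review covers
        reasons = []
        if entry["approved_by"] is None:
            reasons.append("no approval recorded")
        elif entry["approved_by"] == entry["changed_by"]:
            reasons.append("approver not independent of preparer")
        if reasons:
            findings.append({
                "id": entry["id"],
                "supplier": entry["supplier"],
                "field": entry["field"],
                "severity": "high" if entry["field"] in SENSITIVE_FIELDS else "medium",
                "reasons": reasons,
                "days_exposed": (review_date - entry["date"]).days,
            })
    return findings


def max_exposure_days(findings):
    """Longest window between a flagged change and the review that caught it."""
    return max((f["days_exposed"] for f in findings), default=0)


if __name__ == "__main__":
    month_end_review = date(2024, 3, 31)
    found = review_changes(CHANGE_LOG, month_end_review)
    for f in found:
        print(f)
    print("Longest exposure before detection:", max_exposure_days(found), "days")
```

The `days_exposed` figure is the point of the example: with a month-end review, the self-approved bank account change on 9 March is live for 22 days before anyone independent sees it, so the response should say what payments could have gone out in that window and whether a faster trigger (for example, reviewing bank-detail changes before the next payment run) is needed.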

Not every deficiency goes to the board or audit committee, but significant or sensitive weaknesses should not remain at the process-owner level. The communication recipient should match severity, pervasiveness, fraud risk, financial reporting effect, IT security exposure, and management involvement.

| Deficiency characteristic | Likely communication |
|---|---|
| Routine process error with low impact | Process owner and supervisor with corrective action. |
| Repeated deficiency or missed follow-up | Senior management responsible for the function. |
| Financial reporting risk or fraud risk | CFO, controller, and audit committee or equivalent governance body. |
| IT security exposure affecting sensitive data | Senior management, IT/security lead, privacy or compliance owner, and governance body where severe. |
| Management override or senior-person involvement | Board, audit committee, or independent governance recipient. |
| Regulatory, funder, lender, or public accountability concern | Appropriate executive and governance-level communication. |

The response should identify recipient, urgency, content, and follow-up responsibility.

Control enhancements often require IT involvement. Performance Management candidates do not need to design detailed cybersecurity architecture, but they should identify the security requirement and recommend specialist collaboration where appropriate.

| Requirement | Why it matters |
|---|---|
| Role-based access | Users should have only the access required for their role. |
| Multi-factor authentication | Reduces risk of compromised credentials. |
| Logging and monitoring | Creates evidence for exception review and investigation. |
| Change management | Prevents untested system changes from breaking workflows or reports. |
| Backup and recovery testing | Confirms data can be restored when needed. |
| Encryption or data protection | Protects sensitive information from exposure. |
| Incident response | Defines who acts, communicates, and remediates after a security event. |

When facts involve cybersecurity, privacy, complex configuration, or system architecture, recommend collaboration with qualified IT or security specialists rather than pretending the CPA can design the technical solution alone.
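
An added example, not part of the lesson, of a role-based access review that a CPA can specify in the recommendation and an access administrator can then run. The role matrix, the conflicting pairs, the users and the wording of the recommended actions are all constructed assumptions. It separates a conflict caused by excess rights (remove them) from one built into the approved role itself (redesign the role or accept it with a documented compensating review), because the two call for different remediation.

```python
# Constructed sample data (not from the lesson): entitlements approved for each
# role, pairs of entitlements that must not sit with one person, and the access
# each user actually holds in the system.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"enter_invoice", "view_supplier"},
    "ap_approver": {"approve_invoice", "view_supplier"},
    "finance_lead": {"approve_invoice", "change_supplier", "run_payment", "view_supplier"},
    "hr": {"view_supplier"},
}

SOD_CONFLICTS = [
    ("enter_invoice", "approve_invoice"),   # preparer approving own work
    ("change_supplier", "run_payment"),     # redirect a supplier and pay it
]

USER_ACCESS = {
    "jsmith": {"role": "ap_clerk",
               "entitlements": {"enter_invoice", "view_supplier", "approve_invoice"}},
    "fleader": {"role": "finance_lead",
                "entitlements": {"approve_invoice", "change_supplier", "run_payment", "view_supplier"}},
    "pjones": {"role": "hr", "entitlements": {"view_supplier"}},
}


def recommended_actions(excess, sod):
    """Turn a finding into the specific, owned remediation the lesson asks for.

    The wording is an assumption about how the recommendation would be phrased.
    """
    actions = []
    if excess:
        actions.append("remove excess rights and re-test "
                       "(owner: access administrator; evidence: post-change access listing)")
    if any(c["source"] == "role design" for c in sod):
        actions.append("redesign role or document a compensating owner review "
                       "(owner: finance lead; evidence: signed review log)")
    return actions


def review_access(users, roles, conflicts):
    """Compare held access with role-approved access and test for SoD conflicts."""
    findings = []
    for user, info in users.items():
        allowed = roles[info["role"]]
        held = info["entitlements"]
        excess = sorted(held - allowed)          # rights beyond the approved role
        sod = []
        for a, b in conflicts:
            if a in held and b in held:
                inherent = a in allowed and b in allowed
                sod.append({"pair": (a, b),
                            "source": "role design" if inherent else "excess access"})
        if excess or sod:
            findings.append({"user": user, "role": info["role"], "excess": excess,
                             "sod_conflicts": sod,
                             "actions": recommended_actions(excess, sod)})
    return findings


if __name__ == "__main__":
    for finding in review_access(USER_ACCESS, ROLE_ENTITLEMENTS, SOD_CONFLICTS):
        print(finding)
```

In the sample, `jsmith` holds an approval right the clerk role never granted, which is the "excessive system access rights" deficiency from the first table; `fleader` has no excess access, yet the finance lead role itself combines changing suppliers with running payments, which is the small-team segregation problem the compensating-control table addresses. The review output names both so the response can give each its own owner and evidence.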

Good remediation is specific. Examples include “configure three-way match tolerance and review exceptions weekly” or “remove conflicting access rights and perform quarterly role review,” not just “improve controls.”
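
An added example, not the lesson's own, that carries the first recommendation above, "configure three-way match tolerance and review exceptions weekly", into a working check. The purchase orders, goods receipts, invoices and the 2% price tolerance are constructed; the output is the exception report the weekly reviewer would work from and the evidence that the control ran.

```python
from decimal import Decimal

# Constructed sample documents (not from the lesson). One line per PO.
PURCHASE_ORDERS = {
    "PO-1": {"qty": 100, "unit_price": Decimal("10.00")},
    "PO-2": {"qty": 50, "unit_price": Decimal("20.00")},
    "PO-3": {"qty": 10, "unit_price": Decimal("5.00")},
}
GOODS_RECEIPTS = {"PO-1": 100, "PO-2": 45, "PO-3": 10}   # units received per PO
INVOICES = [
    {"invoice": "INV-1", "po": "PO-1", "qty": 100, "unit_price": Decimal("10.05")},  # 0.5% over PO price
    {"invoice": "INV-2", "po": "PO-2", "qty": 50, "unit_price": Decimal("20.00")},   # billed 50, received 45
    {"invoice": "INV-3", "po": "PO-3", "qty": 10, "unit_price": Decimal("6.00")},    # 20% over PO price
    {"invoice": "INV-4", "po": "PO-9", "qty": 1, "unit_price": Decimal("1.00")},     # PO does not exist
]


def three_way_match(invoices, pos, receipts, price_tolerance="0.02", qty_tolerance=0):
    """Hold any invoice that does not agree with its PO and goods receipt.

    price_tolerance is the allowed relative unit-price variance (0.02 = 2%);
    qty_tolerance is the number of units an invoice may exceed the receipt by.
    Returns the exception list the weekly reviewer works from.
    """
    price_tolerance = Decimal(str(price_tolerance))
    exceptions = []
    for inv in invoices:
        po = pos.get(inv["po"])
        if po is None:
            exceptions.append({"invoice": inv["invoice"], "po": inv["po"],
                               "reason": "no matching purchase order"})
            continue
        received = receipts.get(inv["po"], 0)
        if inv["qty"] > received + qty_tolerance:
            exceptions.append({"invoice": inv["invoice"], "po": inv["po"],
                               "reason": f"billed {inv['qty']} units, received {received}"})
        variance = (inv["unit_price"] - po["unit_price"]) / po["unit_price"]
        if abs(variance) > price_tolerance:
            exceptions.append({"invoice": inv["invoice"], "po": inv["po"],
                               "reason": f"unit price variance {float(variance):.1%} "
                                         f"exceeds tolerance {float(price_tolerance):.0%}"})
    return exceptions


def held_invoices(exceptions):
    """Invoice numbers that must not be paid until the exception is cleared."""
    return sorted({e["invoice"] for e in exceptions})


if __name__ == "__main__":
    report = three_way_match(INVOICES, PURCHASE_ORDERS, GOODS_RECEIPTS)
    for e in report:
        print(e)
    print("Hold for review:", held_invoices(report))
```

The tolerance is the system rule the recommendation has to state: at 2% the small rounding difference on INV-1 passes while the 20% price increase on INV-3 is held, and loosening the tolerance to 25% would let INV-3 through, which is why the response should name the tolerance, who approves changes to it, and where the weekly exception report is retained.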
Use this remediation sequence:

The owner and evidence matter. Without them, management cannot tell whether remediation occurred.

Control recommendations should be practical. A small organization may not have enough staff for ideal segregation, so the response may instead rely on owner review, exception reporting, access restrictions, or external review. A system limitation may require a temporary manual control until configuration is complete. A severe IT security risk may require immediate containment before long-term redesign.

When implementation is constrained, state both the interim and the permanent response.

| Constraint | Practical response |
|---|---|
| Small team | Use compensating review, exception reports, and owner-level evidence. |
| System cannot enforce rule yet | Use manual exception tracking until configuration is tested. |
| High security exposure | Restrict access immediately, then perform root-cause remediation. |
| Repeated unresolved issue | Escalate to senior management or governance and require deadline tracking. |
| Staff do not understand control | Provide training and monitor evidence after implementation. |

Common pitfalls and how to correct them:

| Pitfall | Correction |
|---|---|
| Naming a deficiency without consequence. | Explain risk, affected process, information impact, and stakeholder effect. |
| Assuming a compensating control is automatically adequate. | Test precision, independence, timing, evidence, and residual risk. |
| Sending every issue to the board. | Match communication level to severity, sensitivity, and governance responsibility. |
| Recommending automation without requirements. | State system rule, owner, test, exception report, and specialist involvement where needed. |
| Ignoring follow-up. | Include deadline, evidence, monitoring, and escalation. |