5037 Control deficiencies within the entity’s system of internal control
Sep-2022

Control deficiencies within the entity’s system of internal control

CAS Requirement

Based on the auditor’s evaluation of each of the components of the entity’s system of internal control, the auditor shall determine whether one or more control deficiencies have been identified (CAS 315.27). 

CAS Guidance

The auditor’s identification and assessment of risks of material misstatement at the assertion level is influenced by both the auditor’s (CAS 315.A130):

  • Understanding of the entity’s policies for its information processing activities in the information system and communication component, and

  • Identification and evaluation of controls in the control activities component.

In performing the evaluations of each of the components of the entity’s system of internal control, the auditor may determine that certain of the entity’s policies in a component are not appropriate to the nature and circumstances of the entity. Such a determination may be an indicator that assists the auditor in identifying control deficiencies. If the auditor has identified one or more control deficiencies, the auditor may consider the effect of those control deficiencies on the design of further audit procedures in accordance with CAS 330 (CAS 315.A182).

If the auditor has identified one or more control deficiencies, CAS 265 requires the auditor to determine whether, individually or in combination, the deficiencies constitute a significant deficiency. The auditor uses professional judgment in determining whether a deficiency represents a significant control deficiency (CAS 315.A183).

Examples:

Circumstances that may indicate a significant control deficiency exists include matters such as:

  • The identification of fraud of any magnitude that involves senior management;

  • Identified internal processes that are inadequate relating to the reporting and communication of deficiencies noted by internal audit;

  • Previously communicated deficiencies that are not corrected by management in a timely manner;

  • Failure by management to respond to significant risks, for example, by not implementing controls over significant risks; and

  • The restatement of previously issued financial statements.

OAG Guidance

If we identify one or more control deficiencies when obtaining an understanding of and evaluating the entity’s system of internal control, we consider the impact of those deficiencies on the following:

  • Our conclusion regarding the appropriateness of the individual component of the entity’s system of internal controls where the deficiency was identified

  • Any potential impact of the deficiency on our evaluation of other components (e.g., a deficiency identified within the control environment component could have an impact on the effectiveness of other components of the entity’s system of internal control)

  • Identification of risks of material misstatement at the financial statement level. Such financial statement level risks are most likely to arise as a result of deficiencies identified within the entity’s control environment, risk assessment process and/or its process to monitor the system of internal control because such control components can have indirect but pervasive effects on the preparation of the financial statements.

Example:

If we conclude that the entity has deficiencies within the control environment because management does not provide an appropriate "tone at the top" this could, in our judgment, increase the likelihood that a material misstatement could go undetected and/or uncorrected on a timely basis. Even if we identify no specific additional risks of material misstatement arising from this control environment weakness, we need to be alert to how this "tone at the top" issue may impact our assessment of the inherent risk factors of susceptibility to management bias or other fraud risk factors and whether this may impact any of our financial statement level or assertion level risk assessments.

This "tone at the top" deficiency within the control environment may also have a pervasive impact on the potential for ineffective operation of the entity’s designed controls if, in our judgment, the tone issue could include management not sufficiently emphasizing an expectation of diligent and compliant execution of control procedures by all control owners and/or not implementing appropriate monitoring of controls.

In the circumstances of this example we would consider whether a specific financial statement level risk has been identified and needs to be added to the engagement file. The following are examples of risks that can result from deficiencies within the control environment and that can be added in the audit working paper software under the Fraud risk non‑FSLI:

  • Questions are raised regarding the integrity or conduct of the entity’s directors, senior management or owners

  • Members of management have very arrogant or autocratic personalities

  • There is an indication of unusually aggressive or creative accounting policies or practices

Two other risks, presented under the Other financial statement level risks non‑FSLI, which may also represent fraud risks are the following:

  • Accounting personnel may be ineffective, or the financial reporting process dominated by non-financial management or unqualified accountants

  • Indicators of potential management bias have been identified in relation to judgments and decisions made by management in making accounting estimates

  • Identification of risks of material misstatement at the assertion level. Such assertion level risks are most likely to arise as a result of deficiencies identified within the entity’s information system and communication and control activities components due to the more direct nature and effect of these control components on the preparation of the financial statements

Example:

When obtaining our understanding of the flow of transactions within the revenue and receivables business process we identified that the master file that contains the contractually‑established customer prices, including any discount, is not being updated on a timely basis which results in the need for entity personnel to manually override the sales price that would otherwise be automatically populated by the sales system using the applicable pricing information from the master file. This manual override is necessary because contractually agreed sales prices change frequently and as agreed between the entity and its customers on a monthly basis. We also identified a compensating monthly control, whereby the head of the sales department is required to review and approve any pricing/discounts overridden and to investigate and resolve any unusual items on a timely basis before approving the pricing override.

Due to staffing shortages at the entity, the threshold to identify unusual pricing/discounts overrides was set at a level higher than, in our judgment, would be required to detect a material individual or aggregate revenue misstatement on a timely basis. As a result, an elevated risk titled "Invoice pricing is not approved or is not entered in system appropriately" has been identified and added to the engagement file. In this circumstance we would also need to consider how the frequent manual pricing overrides, and the fact that they are not taken through the designed pricing master file maintenance process, may impact the susceptibility of the completeness and accuracy assertions in revenue and receivables to material misstatements relating both to risks of error and risks of fraud. It is unlikely in these circumstances that any of the planned audit evidence for these assertions will come from reliance on the entity’s controls, and it is likely that we would increase the level of substantive evidence required to address the completeness and accuracy assertions in the revenue and accounts receivable FSLIs.

  • Nature, timing and extent of substantive or controls testing responsive to the assessed risks of material misstatement at the financial statement and assertion levels

Example:

When obtaining our understanding of the entity’s IT environment, we identified that the entity has multiple users of its inventory management system with "super user" access rights which enable them to create, process and delete transactions related to inventory movements without leaving an audit trail. As a result, we have determined that the control related to management’s review of the inventory sub‑ledger to identify slow moving and excess/obsolete inventory, as part of their process to assess the reasonableness of the inventory reserve, is not designed effectively because data may have been inappropriately altered by someone with "super user" access rights and there would be no reliable means of detecting the alteration. We therefore conclude that we will not seek to rely on this control as part of our audit response to the risk of material misstatement of the inventory FSLI for the existence, accuracy, completeness and valuation assertions. Instead, we will need to plan a variety of substantive procedures to test the relevant inventory assertions, including attending the entity’s inventory counting procedures and others.

Related guidance

OAG Audit 6057 and OAG Audit 2222 provide additional guidance regarding evaluating and communicating deficiencies in internal control to those charged with governance and management.