To avoid risks, entities will first identify the high-risk areas and use a number of internal controls to tackle them. However, sometimes the controls are not enough to keep the risks and threats at bay. There are also times where those controls in place are not functioning as they should. All these might cause issues, which can result in financial losses for the entity. This is what we characterise as control deficiency.
Control deficiency is mainly caused by two factors.
Firstly, a control deficiency can occur when an entity’s internal controls are designed, implemented or operated in such a way that they cannot deter, identify or correct risks. In this event, the necessary controls may be in place but they may be insufficient or ineffective in deterring, identifying or mitigating the risks.
Secondly, another factor is that such control deficiencies are caused by a lack of sufficient internal controls. Entities that have no procedures in place to deter, identify or correct risks in their operations suffer from this kind of control deficiencies. In short, the absence of a suitable internal control system or particular procedures is also a type of control deficiency.
Ways to minimise control deficiencies
1) Identify the risks
A risk analysis is essential for identifying critical areas that might have a negative impact on the entity. Because the analysis readily generates a hierarchy for priorities, these sorts of analyses evaluate the probability of the risks occurring and their effect on the entity.
The results will vary from one entity to another because the probability and effect of each category of risk in each entity will differ depending on its environment, its business nature, its competitors, its industry, etc.
2) Assess the risk appetite
If an entity takes too few risks, i.e., too risk-averse it will become mired down in detail with little effect. If an entity takes too many risks, i.e., being a risk-taker, it may fail to accomplish its goals or suffer negative repercussions from taking unnecessary risks.
3) Use risk strategically
On rare occasions, even the most vigilant and fraud-aware entities may be hit with a significant control deficiency or material weakness in their control system. Under this kind of circumstances, a healthy company will respond by addressing the root issue, being even more vigilant in their continuous efforts of implementing good controls and refusing to allow it to weaken their “defence”.
Because risk is inherent in the pursuit of value, entities should not seek to remove or even decrease it. Instead, they should strive to manage risk exposures across all aspects of their operations so that they take exactly the correct amount of risk at any given time to achieve their strategic objectives. This viewpoint contrasts sharply with the typical corporate view of risk: risks should be avoided at all costs.
4) Ensure compliance with regulatory rules
Within a regulatory environment that is continuously shifting to accommodate the pace of the corporate world, it is even more critical for entities to remain on top of new regulations and ensure their approach is up to date. Internal control issues are more likely to occur if new compliance standards are not met or do not comply properly.
Therefore, it is important for an entity to take the time before an audit to ensure that its controls are up to date on regulatory compliance. This extra effort will help the entity to go a long way towards improving its internal controls and ensure sustainability.
5) Talk to the auditor
While an external auditor’s defining guidance on process and control concerns vary from that of the management, the method for evaluating internal controls over financial reporting should be largely the same.
Since the external auditors frequently conduct extensive risk evaluations for a large number of different entities, they may provide the management with valuable insights on control deficiencies discovered across other entities following legislative changes and the procedures to work with internal audit teams.
6) Reassess the basic controls
Many assumptions are made regarding the state of the most basic internal controls, such as segregation of duties, but when these assumptions are incorrect, serious problems might arise.
When a single individual is authorised to conduct two or more sensitive transactions on his or her own, issues such as material misstatements are more likely to occur.
7) Address the common issues
One of the issues is the lack of a separate risk management role. In terms of practical concerns, informal evaluations may be more useful. Nonetheless, risk management is most useful when performed through a rigorous repeatable procedure that gives enhanced independence.
Independence is another common issue. Because when there is a lack of independence, the board of directors becomes interested stakeholders when making business decisions. In this case, an entity will be subject to a substantial risk of favouritism.
Lastly, there is a lack of financial expertise. At the very least, entities should have a financial expert on their audit committee. Account misstatements are more likely in audit committees that do not have a non-executive director with recent and relevant financial expertise.
8) Ask Questions
Auditors anticipate those they are auditing to have concerns regarding the control procedures. Therefore entities should not be afraid to seek guidance from their auditor based on what they observe in the market. This is especially true if any regulatory changes have occurred.
Inquiring about an auditor’s reliance on the work of the internal audit team, for instance, may educate the management on whether the internal controls need to be retested. An entity can be confident in its findings if the auditor approves the testing of an internal audit team.
Summary
Internal controls are risk-avoidance techniques used by entities and they are essential. However, some control deficiencies may occur from time to time.
Control deficiencies occur when the controls in place are insufficient or ineffective or when there is a lack of control that contributes to the problem.
The entities should take the necessary measures to minimise these deficiencies.