22.4 Control Deficiencies and Material Weaknesses

Key Takeaways

  • A control deficiency can be a design problem or an operating problem; classification depends on whether the control can prevent, detect, or correct misstatements on a timely basis.
  • Severity is evaluated by likelihood and potential magnitude, not by whether a misstatement actually occurred.
  • A significant deficiency is less severe than a material weakness but important enough to merit attention by those charged with governance.
  • A material weakness means there is a reasonable possibility that a material misstatement will not be prevented, detected, and corrected on a timely basis.
  • In an integrated audit, an identified material weakness normally results in an adverse opinion on ICFR, even if the financial statement opinion remains unmodified.
Last updated: June 2026

The Three-Level Classification

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing assigned functions, to prevent, detect, and correct misstatements on a timely basis. A design deficiency occurs when a needed control is missing or a control would not address the risk even if it operated as designed. An operating deficiency occurs when a properly designed control is not performed, is performed by an unqualified or non-objective person, is performed too late, or lacks evidence that it operated.

The three severity levels build on one another:

| Level | Definition | Reporting consequence |
|---|---|---|
| Control deficiency | Control cannot prevent/detect/correct misstatement timely | Not required to be communicated unless it rises higher |
| Significant deficiency | Less severe than a material weakness, but important enough to merit attention by those charged with governance | Communicated in writing to management and those charged with governance |
| Material weakness | Reasonable possibility that a material misstatement will not be prevented, detected, and corrected timely | Written communication; adverse ICFR opinion in an integrated audit |

Under PCAOB AS 2201, the auditor may also identify indicators of a material weakness, such as identification of fraud by senior management, restatement of previously issued financial statements, or an auditor-identified material misstatement that the company's controls did not catch.

Severity Is Likelihood Plus Magnitude

Do not classify a deficiency by the dollar amount of the known exception alone. The auditor evaluates two dimensions: the likelihood that the control fails and the potential magnitude of misstatement that could result. "Reasonable possibility" exists when the chance is more than remote; the auditor need not quantify it as a percentage. A small detected error may signal a control failure that could have allowed a far larger misstatement, while an isolated clerical error in a low-risk immaterial account may be only a control deficiency.

| Finding | Likely classification issue | Why it matters |
|---|---|---|
| Reconciliation prepared but never reviewed | Operating deficiency | The review control did not operate |
| No control exists over manual journal entries posted by senior accountants | Design deficiency | Risk spans multiple accounts and fraud assertions |
| Access review performed, but terminated users remain active | Operating deficiency with broader access exposure | Unauthorized entries may affect reporting |
| Auditor finds a material misstatement that controls missed | Strong indicator of material weakness | Controls failed to detect a material error |
| Senior management commits fraud, even with no misstatement | Strong indicator of material weakness | Tone, override, and governance are implicated |

Compensating Controls

A compensating control can reduce assessed severity only if it is precise enough to detect a material misstatement, performed by a competent and objective person, operates at the right frequency, and is supported by evidence. A chief financial officer's general monthly review of results usually does not compensate for missing detailed revenue-cutoff controls unless the review is specifically designed to catch cutoff misstatements at a meaningful threshold and documentation shows it actually worked.

For management review controls, evaluate precision directly: Did the reviewer set expectations and thresholds? Were unusual items investigated? Was follow-up documented? A vague signoff is weak evidence and rarely lowers severity.

Communication and Reporting

In a financial statement audit under generally accepted auditing standards (AICPA AU-C 265), the auditor communicates significant deficiencies and material weaknesses identified during the audit in writing to management and those charged with governance. The auditor does not express an opinion on internal control unless a separate or integrated ICFR engagement exists.

In an issuer integrated audit under AS 2201, the consequences sharpen. Material weaknesses must be communicated in writing, and because effective ICFR cannot exist when even one material weakness exists, the auditor issues an adverse opinion on ICFR. The financial statement opinion may still be unmodified if the auditor gathered sufficient appropriate evidence that the statements are not materially misstated, typically by expanding substantive procedures to compensate.

Classification Workflow

  1. Identify whether the issue is missing design, failed operation, or insufficient evidence.
  2. Identify the accounts, disclosures, and assertions affected.
  3. Estimate potential magnitude, not just the observed error.
  4. Assess likelihood using frequency, fraud susceptibility, complexity, volume, and prior exceptions.
  5. Consider whether compensating controls are precise and operating.
  6. Classify as control deficiency, significant deficiency, or material weakness.
  7. Decide communication and reporting effects.

The most common trap is treating any deficiency without a known misstatement as minor. A material weakness can exist with no detected misstatement, because the standard asks whether there is a reasonable possibility that controls would fail to prevent, detect, and correct a material misstatement on a timely basis.

Aggregation and the Prudent-Official Test

Deficiencies must be evaluated both individually and in combination. Several individually minor deficiencies that affect the same account or assertion can aggregate into a significant deficiency or material weakness. For example, a weak access control, an unreviewed reconciliation, and an imprecise management review over the same revenue process may together create a reasonable possibility of a material misstatement that none of them would create alone.

A useful exam heuristic is the prudent-official test: a deficiency is a material weakness if prudent officials, having knowledge of the same facts, would conclude the deficiency precludes effective ICFR. This pushes candidates to consider how a knowledgeable third party would view the finding, not merely the dollar value of any error already detected.

Timing matters too. A deficiency identified during the audit but remediated before the as-of date may not affect the year-end ICFR opinion if the auditor obtains sufficient evidence that the new control was designed and operated effectively for a sufficient period; remediation after year-end does not change the as-of conclusion.

Finally, distinguish the two reporting tracks clearly: under AU-C 265 (nonissuer audits) only significant deficiencies and material weaknesses are communicated in writing, and there is no public ICFR opinion, whereas under AS 2201 (issuer integrated audits) a material weakness produces a public adverse ICFR opinion. Knowing which framework governs the fact pattern is essential to selecting the correct communication and reporting answer.

Test Your Knowledge

During an integrated audit, the auditor finds that no one reviews manual journal entries posted directly by the controller to revenue and receivables. The accounts are material, entries are frequent, and no precise compensating control exists. How should the auditor most likely view the issue?

Test Your Knowledge

Which statement about control deficiency severity is correct?
