36.3 Control Deficiency Classification Drill
Key Takeaways
- Classifying a control issue requires evaluating both likelihood of a misstatement and magnitude of the potential misstatement.
- A control deficiency exists when a control is missing, badly designed, or not operating as intended; severity determines whether it is a significant deficiency or material weakness.
- A material weakness means there is a reasonable possibility that a material misstatement will not be prevented or detected and corrected timely.
- Compensating controls matter only if they operate at the right level of precision and are supported by evidence of effective operation.
- Control classification affects communication responsibilities and, in an integrated audit, the opinion on internal control over financial reporting.
Drill Goal
Control deficiency questions are not solved by reacting to the label in the fact pattern. A missing approval, late review, or excessive access right may be minor or severe depending on what misstatement could occur, how likely it is, and whether another control would prevent or detect it timely. AUD expects you to classify the issue and understand the communication or reporting result. The underlying framework most issuers use is COSO Internal Control - Integrated Framework, built on five components: control environment, risk assessment, control activities, information and communication, and monitoring.
Classification Ladder
| Classification | Core meaning | Exam signal |
|---|---|---|
| Control deficiency | A control is missing, poorly designed, or not operating as intended | More than trivial, but not severe enough for the next levels |
| Significant deficiency | Less severe than a material weakness, but important enough to merit attention of those charged with governance | Could matter to oversight, even if not material |
| Material weakness | Reasonable possibility that a material misstatement will not be prevented or detected and corrected timely | Material account, high-risk process, weak or absent compensating control |
Two words drive classification: likelihood and magnitude. Likelihood asks whether a misstatement could reasonably occur and escape timely correction. Magnitude asks how large the misstatement could be, not merely how large the error found in the sample happened to be. A single $50 error can signal a material weakness if the control gap could permit a material misstatement.
Deficiency Type: Design vs. Operating
- A design deficiency exists when a control needed to meet the objective is missing, or is not designed properly, so that the objective would not be met even if the control operates as designed.
- An operating deficiency exists when a properly designed control does not operate as designed or the person performing it lacks authority or competence.
Distinguishing the two changes the audit response: a design gap cannot be tested for operating effectiveness, so the auditor moves straight to substantive procedures and considers severity; an operating failure may still be remediated and re-tested if time permits.
Workflow: Severity Decision
- Identify the control objective.
- Identify the failure: design gap or operating failure.
- Identify the financial statement misstatement that could result.
- Estimate potential magnitude using transaction volume, account balance, and exposure period.
- Evaluate likelihood using frequency, history, complexity, fraud opportunity, and monitoring.
- Test any compensating control before relying on it.
- Classify and state the required communication.
Scenario Drill 1: Bank Reconciliation Review
A nonissuer client prepares monthly bank reconciliations, but the controller reviews them only at quarter-end. Cash is material; the preparer cannot post journal entries; the quarter-end review covers reconciling items, stale checks, and unusual transfers. The monthly review control is not operating at the intended frequency, so a deficiency exists. If the quarter-end review is precise, evidenced, and timely enough to detect material misstatements before issuance, the issue may stay below material weakness. If cash is volatile, transfers are numerous, and the review is cursory, severity rises.
Scenario Drill 2: Journal Entry Access
The CFO can create vendors, approve payments, and post manual journal entries without independent review. The company faces lender pressure to meet earnings targets, and several large manual entries increased year-end revenue. This is a strong material weakness candidate: the account exposure is material, management-override opportunity is high, the pressure cue increases fraud risk, and no independent review exists. Severity rests on the reasonable possibility that a material misstatement could occur and escape timely detection, even if none is yet proven.
This is also a textbook segregation of duties failure across authorization, custody, and recording.
Scenario Drill 3: Inactive User Access
An IT access review found three terminated employees retained read-only access to the purchasing system for 30 days. They could view purchase orders but could not create vendors, approve invoices, receive goods, or post entries; the access review otherwise ran monthly. This is likely a control deficiency, not a material weakness, because the access does not create a reasonable possibility of material financial statement misstatement. The classification would change if the access allowed vendor changes, payment approval, or posting. Classify on what the access permits, not on the phrase "terminated user."
Scenario Drill 4: Revenue Contract Review
Under a new revenue workflow, contracts over $250,000 require review by a revenue accounting manager. The auditor finds 6 of 25 large contracts unreviewed; two had complex multiple performance obligations; revenue is material. This operating failure is at least a significant deficiency and may be a material weakness because it touches complex revenue recognition, a material account, and multiple high-dollar contracts. To decide, evaluate whether a precise monthly revenue analytics review by a competent reviewer would detect the misstatement timely. A broad budget-to-actual review is usually not precise enough to compensate.
Communication and Reporting Check
For a financial statement audit, AU-C 265 requires that significant deficiencies and material weaknesses identified during the audit be communicated in writing to management and those charged with governance, generally within 60 days of the report release date. Deficiencies that are not significant may be communicated orally or in writing to management only.
In an integrated audit of an issuer under PCAOB AS 2201, a material weakness means internal control over financial reporting is not effective and leads to an adverse opinion on internal control; the financial statement opinion is not automatically adverse, but the auditor must consider the effect on substantive procedures.
A payroll supervisor can add employees to the payroll master file and approve weekly payroll without review. Payroll expense is material, and no detective control is described. How should this issue most likely be classified?
Which factor is most relevant when deciding whether a compensating control reduces a deficiency below material weakness?
Under AU-C 265, which communication is required for significant deficiencies identified during a nonissuer audit?