Assessing the Severity of Identified Controls Deficiencies
In the process of assessing and testing controls, you are likely to encounter deficiencies in the design or operating effectiveness of the controls. For example, an important control objective might not be addressed or might be only partially addressed by the control that is in place. If you do not have a control over the selection of vendors for fulfilling various service needs, you might run the risk that business could be diverted to a vendor who will share some overbillings with the accountant or business manager directing the business to it. In addition, even if the control is designed properly, unless it operates effectively, it is deficient. For example, you might find through the auditor's procedures or through customer returns and complaints that your controls failed and led (or could have led) to substantive errors on the financial statements, even though your tests showed that the controls seemed adequate and to be working. This happens in all sorts of entities, including governments and nonprofits.
Finding control deficiencies is not a rare event. Most businesses have some if the assessment is done competently and fairly. Little public data about deficiencies and their rates of occurrence is available. The reported material weaknesses of public companies are only the tip of the iceberg ...