O'Reilly logo

Internal Control Audit and Compliance: Documentation and Testing Under the New COSO Framework by Lynford Graham

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

CHAPTER TEN

Assessing the Severity of Identified Controls Deficiencies

imagesIT'S INEVITABLE

In the process of assessing and testing controls, you are likely to encounter deficiencies in the design or operating effectiveness of the controls. For example, an important control objective might not be addressed or might be only partially addressed by the control that is in place. If you do not have a control over the selection of vendors for fulfilling various service needs, you might run the risk that business could be diverted to a vendor who will share some overbillings with the accountant or business manager directing the business to it. In addition, even if the control is designed properly, unless it operates effectively, it is deficient. For example, you might find through the auditor's procedures or through customer returns and complaints that your controls failed and led (or could have led) to substantive errors on the financial statements, even though your tests showed that the controls seemed adequate and to be working. This happens in all sorts of entities, including governments and nonprofits.

Finding control deficiencies is not a rare event. Most businesses have some if the assessment is done competently and fairly. Little public data about deficiencies and their rates of occurrence is available. The reported material weaknesses of public companies are only the tip of the iceberg ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required