What factors do auditors consider when determining if an identified control deficiency is a significant deficiency or a material weakness?

For 2007 annual reports, smaller public companies need to assess their internal control over financial reporting.

It doesn't have to be a chore.

Beginning Your Evaluation

Step 3 — Reporting Your Conclusions on Overall Effectiveness, and Deficiencies

Your company's 2007 annual report will include your assessment of the overall effectiveness of your internal controls. In making your determination of whether the company's internal controls are effective, you should begin by assessing any control deficiencies. Is any of them — alone or in combination — serious enough to be a material weakness? If so, you can't conclude that the company's controls are effective. This puts a significant premium on knowing what constitutes a material weakness.

Simply put, a material weakness is one or more control deficiencies that create a reasonable possibility of a material misstatement in your company's annual or interim financial statements. This does not necessarily mean that a material misstatement has occurred, but only that the controls might not be good enough to detect or prevent a material misstatement on a timely basis.

The SEC's new guidance highlights the factors that you should consider in deciding whether a control deficiency is a material weakness. For example:

  • How susceptible is the related financial reporting element to loss or fraud?
  • How significant are the financial statement amounts or the transaction totals that are exposed to the deficiency?

If you identify any material weaknesses, you must describe them in your assessment of the internal controls that appears in your annual report. You should also consider including the following in your assessment:

  • An analysis of how the material weakness affects the company's financial reporting and internal controls
  • Your current plans (or the actions you've already taken) to address the material weakness

Finally, you should describe these material weaknesses to the audit committee and your external auditor, along with any control deficiencies you've found that didn't rise to the level of a material weakness, but which you think are important enough to merit their attention. Control deficiencies of this kind are defined as "significant deficiencies" in the SEC's rules.

I am pleased to introduce Thomas Ray, member of the accounting faculty at Baruch College and former Chief Auditor at the PCAOB, who will be guest blogging for us this week.

 

In his remarks at the AICPA Conference on Current SEC and PCAOB Developments last month, Brian T. Croteau, SEC Deputy Chief Accountant, noted some encouraging signs related to public companies' evaluations of their internal control. For the second year in a row, the number of material weaknesses reported by companies in circumstances in which they had not also identified a material misstatement had increased, which suggests that companies are performing a more rigorous analysis of the effectiveness of their controls.

The encouragement came with a caution, however, as Croteau noted the frequency with which internal control issues are identified in SEC staff consultations. He then discussed the importance of properly identifying, understanding, and describing control deficiencies.

In my experience, identifying and evaluating the severity of internal control deficiencies is often difficult and has been a challenge for both companies and their auditors. Croteau's comments in this area are therefore both helpful and timely.

Here are four tips for evaluating internal control deficiencies, based on Croteau's remarks and relevant guidance included in the PCAOB's Auditing Standard No. 5 and elsewhere.

  1. The misstatement is not the deficiency.
    Often, an internal control deficiency is identified after the discovery of a misstatement in the financial statements. Companies must look beyond the misstatement to understand how it happened and which control should have either prevented or detected the misstatement. Perhaps, there is not a control in place to deal with the type of misstatement that occurred, which also would be considered a deficiency. The internal control deficiency is not that "we did not properly account for the transactions."
  2. Is it a design or operating deficiency?
    Companies should first understand the design of the control and carefully evaluate whether it would prevent or timely detect misstatements if it operates in accordance with its design. If it would not reliably prevent or detect misstatements, then there is a design deficiency.
    Sometimes, a control is well designed, but the person performing that control was not adequately trained or did not perform and document the steps required to perform the control effectively, which allowed the misstatement to end up in the financial statements. This may be considered an operating deficiency.
  3. How often and how big?
    There are two components that must be evaluated to assess the severity of a control deficiency: the likelihood that the deficient control will not prevent or timely detect a misstatement, and the magnitude of the potential misstatement resulting from the deficiency.
    Companies should identify the complete population of transactions that a control is intended to address and the size and number of misstatements the deficient control would permit to assess whether the deficiency would allow a material misstatement. An omitted disclosure also can be the source of a material misstatement. Controls over the completeness and accuracy of disclosures may be different and require a different type of analysis.
  4. What do we know, and what should we expect?

    Croteau emphasized the importance of the likelihood and magnitude analysis, highlighting what has been termed the "could factor."

    The evaluation of whether it is reasonably possible that a material misstatement could occur and not be prevented or detected on a timely basis requires careful analysis that contemplates both known errors, if any, as well as potential misstatements for which it is reasonably possible that the misstatements would not be prevented or detected in light of the control deficiency. This latter part of the evaluation, also referred to as analysis of the so called 'could factor,' often requires management to evaluate information that is incremental to that which would be necessary, for example, for a materiality assessment of known errors pursuant to SAB 99.

    — Brian T. Croteau, Deputy Chief Accountant, Office of the Chief Accountant, Remarks before the 2015 AICPA National Conference on Current SEC and PCAOB Developments

    Finally, Croteau pointed out that companies should give ongoing consideration to implementing or redesigning controls as necessary in connection with the application of new accounting standards and policies. In addition, companies need to remember their obligations to disclose material changes to their internal control, including in situations where such changes are made in advance of the adoption of a new standard, but also affect current period financial reporting.

What factors should auditors consider when evaluating the severity of a deficiency in a control that directly addresses a risk of material misstatement?

There are two components that must be evaluated to assess the severity of a control deficiency: the likelihood that the deficient control will not prevent or timely detect a misstatement, and the magnitude of the potential misstatement resulting from the deficiency.

How do you determine significant deficiency vs material weakness?

A significant deficiency is less severe than a material weakness in that it is unlikely to have a material impact on financial statements, but it is “important enough to merit attention by those responsible for oversight of the company's financial reporting,” according to the PCAOB.

How do auditors identify significant deficiencies in internal control systems?

How Do You Evaluate Internal Controls Deficiencies?

  • Assess the Control Environment.
  • Evaluate Risk Assessment.
  • Investigate Control Activities.
  • Examine Information and Communication Systems.
  • Analyze Monitoring Activities.
  • Index Existing Controls.
  • Understand which Controls Are Relevant to the Audit.

What factors should an auditor consider when evaluating the control environment?

Control environment factors include the following:

  • Integrity and ethical values.
  • Commitment to competence.
  • Board of directors or audit committee participation.
  • Management's philosophy and operating style.
  • Organizational structure.
  • Assignment of authority and responsibility.
  • Human resource policies and practices.