How to evaluate a deficiency in an entity level control?

  • If a company fails a control around background, would this be considered a material weakness? It seems that potential for misstatement would be limitless, if employees are potentially unethical or incompetent?
    Note that we have controls, such as business conduct guidelines and an ethics hotline, which I think would cover the risk related to unethical behavior.
    However, I don’t think we have any other controls covering competence. We had an annual performance evaluation control, but that failed testing as well. Someone had suggested that the flux analysis would cover any risk of incompetence, but my thoughts are that if incompetent people are performing the fluxes, does that really cover any risk?
    I would appreciate any thoughts on this, or any ideas as to why this would not be considered a material weakness. Thanks.

  • I guess it depends on the company and the business they are in.
    We didn't consider this too important and dropped this from our ELC a couple of years ago.

  • Hi Mike, would you mind elaborating on your response?
    The company is a large high tech company, relatively small in the past, and growing at a rapid rate, especially in the last year. As it is a software company, there are a number of complexities in accounting, including SOP 97-2 for software revenue recognition, FAS123R for stock options, SOP 98 for capitalization of software costs, etc.
    In what cases would background checks be unimportant? Would there have to be other controls that compensate for ensuring that employees are competent? Currently, we do not have any others in scope for the year.

  • Background checks will not ensure competency (assuming you mean criminal checks). They help to ensure that you are not hiring known criminals.
    Instead of background checks, how do you ensure that you are hiring quality, competent staff in all areas?
    More important in the accounting department would be an assessment of the current staff. How many are CPAs? How many years of experience? How do they keep up with new accounting pronouncements? Do you have a robust internal audit review of processes?
    I think that there are multiple ways to identify controls over the accuracy of your financial statements.
    Failure of performing background checks is not a material weakness or a significant deficiency in my mind unless you have a prior MW or SD due to incompetent staff.

  • By background check, I actually meant criminal check, verification of education, and verification of prior work history. This is currently a key control in our entity level control RCM. If background checks don’t even matter, then we will have to consider removing it as a key control.
    However, I found this PwC white paper, published in conjunction with COSO, at
    The White Paper states the following: ‘An entity’s failure to perform substantive background investigations, touching on all of the areas identified, for individuals being considered for employment or for promotion to those positions outlined above would be a strong indicator of a significant deficiency in internal control over financial reporting. The federal sentencing guidelines support this.’
    Further the white paper states: ‘Knowing what the minimum requirements are is difficult because the programs and controls must be looked at as a whole. Following is a list of circumstances, which, in and of themselves, are strong indicators of significant deficiencies.’
    The company has had a MW weakness in the past (not sure if it was due to incompetence, or some other reason). There have been employees fired for incompetence within the finance department (don’t know if having done a background check would have prevented this though), some of them recent hires. The company has grown tremendously within the last couple years, as well as having gone public. A lot of the management positions may be staffed with individuals that may have been perfectly competent to deal with operating a smaller business, but lack the expertise to deal with the scope of what the company has now become. In addition, we have failed an ELC around annual performance reviews (not sure how to rank this deficiency either). Other than that, we have a control around Job Descriptions existing for key positions, but to me a job description is useless without a background check or annual performance review to confirm the individual meets the job description.
    Could I have your opinion on all of this, as I am going to present this to my manager, who is quite against considering this control as neither a significant deficiency nor a material weakness, due to the reasons I mentioned in my original post. Am I totally wrong about this? I just don’t want to look like an idiot.
    Your input GREATLY appreciated.

  • I would maybe approach this from another angle.
    Individual controls can fail if the person performing, or reviewing, does not have the capability to perform the task. This would be a control failure.
    As kymike points out background checks would be considered entity level controls and whilst PwC may say that this is a ‘strong indicator’ of a deficiency (they would say that wouldn’t they?) it probably isn’t in and of itself.
    If a failure to perform relevant checks is leading to issues with capability to perform tasks/controls then you could have a deficiency.
