Deficiency - design, operation or not at all?



  • Let me use a simple illustration to explain my question. Let’s say we have a control that someone in AP ensures all invoices are properly approved before processing the invoice. The auditor tests the control and cannot see evidence that the invoices have been reviewed by someone in AP so they sample test the invoices and confirm that all have been appropriately approved.
    Now here’s the deal, I have had that occur a few times in my company but the conclusions reported have been as follows:

    • design deficiency - the control does not adequately mitigate the risk because the invoice is not being checked once it has been processed so although it is being reviewed it is not reviewed once entered into the system and set for payment
    • control deficiency - the control is not operating as described because evidence of the AP review is not there. Therefore the control is not operating.
    • design deficiency but control operating OK - the control is not designed per above but the sample testing has shown the invoices are being properly approved anyway by an appropriate individual so operation is ok
    • no deficiency (or maybe documentation deficiency) - the sample test has shown the control is operating so control OK. Maybe recommend updating the wording of the control to something more specific they can test.

    Now I have had all of the above reported to me for similar circumstances at different locations. Clearly I think there needs to be some consistency… I am particularly intrigued that in some instances I get a design failure but an operating effectiveness pass.
    So what do you guys think? What would be your interpretation if the independent testing teams came back with the above (apart from the Testing Manager is failing to apply some form of QA…)?
    Knowing my luck I will find 4 different opinions…


  • Let me use a simple illustration to explain my question. Let’s say we have a control that someone in AP ensures all invoices are properly approved before processing the invoice. The auditor tests the control and cannot see evidence that the invoices have been reviewed by someone in AP so they sample test the invoices and confirm that all have been appropriately approved.

    Knowing my luck I will find 4 different opinions…
    Sorry you’ve had to wait so long for a first opinion.
    Anyhow, I would expect this ‘deficiency’ to be separately categorised as ‘Evidencing’ or ‘Documentation’. Our auditors (E-and-Y) do this and report deficiencies like:
    Part a) - here are your real control gaps; and
    Part b) - here’s a list of things that could have been documented better
    Internally we would categorise the gap/issue in the 3rd of 4 tiers for internal reporting which effectively means ‘we need to fix this at some point in the next quarter or two but it’s not going to be escalated right now.’
    Arguably it’s neither a design nor an operating effectiveness gap as the control is designed appropriately and operates as described but obtaining evidence was a challenge. However, other audit firms may employ a different reporting convention.
    One could potentially argue for an escalation of evidencing issues to be significant/material if they were particularly widespread.

