For banks that cross the $1 billion asset threshold, FDIC Part 363 guidance requires an integrated audit, which mandates that the independent public accountant issue an opinion on the institution’s internal controls over financial reporting in addition to the opinion issued on the annual financial statements. Control deficiencies discovered can impact management and the auditor’s ability to conclude that the control structure was effective during the year. 

With dynamically changing work environments, innovative customer solutions rolling out, new technology implemented, personnel changes, and the occasional human error, even those institutions with the strongest internal control structures will at some point find themselves facing a financial reporting control failure. Having control failures can feel daunting, especially for institutions newly subjected to integrated audit requirements and inexperienced in the processes of testing controls and concluding on the effectiveness of internal controls over financial reporting. However, identifying control issues early can provide management with the opportunity to reduce the severity of the control failures found by taking steps to address and correct the matter by year-end. 

As defined in AU Section 325, a control deficiency occurs when the design or operation of a control does not allow management or employees, in the normal course of business of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A deficiency in design can occur when a control necessary to meet the control objective is missing. This can often occur when new transactions are entered into—like new derivatives, or an acquisition—and the institution has not documented and tested the additional controls necessary to address the risk related to financial reporting. A design deficiency also can occur when the existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. 

A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively. For instance, through testing over the daily review of a particular report, management determines that the reviewer has not completed the review for several of the sampled days, or not completed the review timely. 

Early identification of control failures is key for allowing management adequate time to correct or remediate the failure. The recommended approach is to perform testing in two to three rounds, with one to two interim testing dates and final testing performed at year-end. The ability to remediate will depend on the frequency of the control operation and the timing of when the failure occurs. The control must be designed effectively and operate effectively for a sufficient period of time after the failure is discovered and corrected to allow for a representative population to retest. 

When a control failure is discovered, the following steps should be taken to address and remediate the control: 

  1. Determine the cause of the control failure. Common causes of control failures include missing controls for new processes, lack of segregation of duties built into controls, back-up plans not in place for performing controls when process owners are on vacation or sick leave, and employees performing controls but not adequately documenting their performance.
  2. Conduct retraining or redesign as necessary. Process owners should be made aware of the control failure and educated as to the potential impact on the management and audit reports. Work with process owners to determine what roadblocks might exist to them successfully performing controls and come up with solutions to determine how controls can operate effectively in the future. 
  3. Determine the remediation date. This is the date management has determined remediation has occurred and believes controls will operate effectively going forward. 
  4. Retest the control. A full sample should be selected and tested for the remediation period, or the period starting at the remediation date through year-end. For example, if procedures require a sample of 30 from a population to be tested, all 30 items must be selected from the remediation period to test effectiveness, as the control is considered to have not been operating effectively before the remediation date. 
  5. Communicate with your independent auditor. As the auditor also will be required to test the control during the remediation period, early communication will help reduce audit inefficiencies from testing controls during a period in which management has determined they have failed. 

In some instances, the control deficiency will be discovered too late in the testing period to be able to remediate. In this case, management may consider any complementary or compensating controls in place to reduce the effect of the control failure on management and the independent auditor’s conclusion on the overall effectiveness of the control structure. A complementary control is a second control that addresses the same financial statement risk and has been determined to be operating effectively. Complementary controls may eliminate a potential control deficiency. A compensating control is a second key control that management believes would catch the control failure in the event the first key control fails. Compensating controls can reduce the severity of a control failure but cannot eliminate the deficiency. The impact of complementary and compensating controls on the significance of any deficiency findings reported during the audit process is ultimately up to the judgment of the institution’s independent auditor. 

One final matter to note: While remediation of a control can lead to the conclusion that financial reporting controls were operating effectively as of year-end, the fact remains that there was a control failure that occurred during the period under audit, which the independent auditor must consider in their evaluation. However, management’s ability to detect and address these control deficiencies and bring them to the attention of the auditor in advance of their independent testing performed also can affect the auditor’s conclusion on the effectiveness of the internal controls.

If you have questions or would like assistance, reach out to your BKD Trusted Advisor™ or submit the Contact Us form below. 

Related FORsights

Let's Connect

Subscribe to our content or get in touch with us today

Subscribe Contact Us