
How to Evaluate Internal Control Deficiencies in Your Audit

When evaluating internal control deficiencies, you can reduce stress by knowing the difference between material and immaterial weaknesses, what to do to fix them, and how your auditor can help.

by Rick Stevenson

January 07, 2025
Contents

  • What is an Internal Control Deficiency?
  • How Do I Identify Control Deficiencies?
  • How Do I Assess Control Deficiencies?
  • How Do I Fix Control Deficiencies?
  • What are the Reporting Requirements for Control Deficiencies?
  • How Can My Auditor Help?
  • Automation for Preventive Detection and Remediation
  • Control Deficiencies Frequently Asked Questions (FAQs)

No one wants to see the word "deficiency" on their auditor’s report. After all the time and resources your team spent getting audit-ready, having a control deficiency can feel like a personal failure. More importantly, if your audit objectives were to shorten the sales cycle, like becoming SOC 2 compliant to streamline customer due diligence processes, then the deficiency could undermine your business goals as well. 

It's easier to manage—and prevent—control deficiencies when you understand three key things: how to identify material and immaterial weaknesses, the steps to fix each deficiency, and what your auditor can do to help.

What is an Internal Control Deficiency?

Internal controls are designed to mitigate risk in your company's systems. Internal control deficiencies are weaknesses in the policies, procedures, processes, and technologies used to reduce risk. These deficiencies highlight areas where your staff are unlikely to prevent or detect an issue or misstatement on a timely basis, exposing your systems to fraud, breaches, or threat actors.

When you have internal control deficiencies, you are less likely to identify issues before they become larger problems, potentially leading to fraudulent transactions and fines and penalties for compliance violations.

Internal controls fall into three categories: preventive, detective, and corrective. Here are some examples of control deficiencies for each category:

  • Preventive controls keep issues from happening. A preventive control deficiency would be failing to segregate duties or limit access according to the principle of least privilege. For example, your policy for access review only covers new hires and those who leave, not employees who change positions internally.

  • Detective controls identify when an issue happens. A detective control deficiency would be failing to detect a known operating system or software vulnerability in your environment. For example, researchers publish a vulnerability in software you use, but nothing in your vulnerability scanning or asset inventory surfaces the affected systems.

  • Corrective controls fix issues found through detective controls. A corrective control deficiency would be failing to apply security updates to software or operating systems once a vulnerability is known. For example, employees aren't regularly rebooting their laptops, so pending updates never take effect.
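The preventive example above, an access review that covers joiners and leavers but not movers, is exactly the kind of check that can be automated. The following is an added example written for this article, not Drata's code: it replays a constructed HR event feed to find each person's current role, compares the entitlements they actually hold against a role baseline, and flags leavers who still have access, movers who kept their old role's grants, and separation-of-duties conflicts. The role names, entitlement names, SoD pairs, and all sample data are assumptions.

```python
"""Access review reconciliation: joiners, movers and leavers.

Added example for this article, not Drata's code. The role baseline,
entitlement names, SoD pairs and HR/entitlement data are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Which entitlements each role is supposed to hold (assumed baseline).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "ap_clerk": {"erp.vendor.create", "erp.invoice.enter"},
    "ap_manager": {"erp.payment.approve", "erp.invoice.view"},
    "engineer": {"git.push", "ci.run"},
}

# Pairs no single person may hold together (assumed separation of duties).
SOD_CONFLICTS = [("erp.vendor.create", "erp.payment.approve")]


@dataclass
class HrEvent:
    user: str
    kind: str              # "hire", "transfer" or "terminate"
    role: Optional[str]    # None for terminations
    on: date


# Constructed HR feed. Alice is a mover: clerk promoted to manager.
HR_EVENTS = [
    HrEvent("alice", "hire", "ap_clerk", date(2023, 1, 9)),
    HrEvent("alice", "transfer", "ap_manager", date(2024, 6, 3)),
    HrEvent("bob", "hire", "engineer", date(2022, 3, 1)),
    HrEvent("carol", "hire", "engineer", date(2021, 5, 17)),
    HrEvent("carol", "terminate", None, date(2024, 11, 30)),
]

# Constructed entitlement export from the target systems.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"erp.vendor.create", "erp.invoice.enter",
              "erp.payment.approve", "erp.invoice.view"},
    "bob": {"git.push", "ci.run"},
    "carol": {"git.push"},
}


def current_roles(events: List[HrEvent]) -> Dict[str, Optional[str]]:
    """Replay events in date order; the last event wins for each user."""
    roles: Dict[str, Optional[str]] = {}
    for ev in sorted(events, key=lambda e: e.on):
        roles[ev.user] = None if ev.kind == "terminate" else ev.role
    return roles


def review_access(events: List[HrEvent],
                  entitlements: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per access-review exception."""
    findings = []
    roles = current_roles(events)
    for user, held in entitlements.items():
        role = roles.get(user)
        if role is None:
            # Leaver, or an account HR has never heard of: nothing justifies it.
            findings.append({"user": user, "type": "orphaned_access",
                             "detail": sorted(held)})
            continue
        excess = held - ROLE_BASELINE.get(role, set())
        if excess:
            # Typical mover pattern: the old role's grants were never revoked.
            findings.append({"user": user, "type": "excess_for_role",
                             "role": role, "detail": sorted(excess)})
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                findings.append({"user": user, "type": "sod_conflict",
                                 "detail": [a, b]})
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_EVENTS, ENTITLEMENTS):
        print(finding)
```

Run against the constructed data, the review reports Alice's leftover clerk grants (which also create an SoD conflict with her new approval right) and Carol's orphaned repository access, while Bob passes. The point of the structure is that the HR feed, not the ticket queue, is the source of truth for who should hold what.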

What is the Difference Between a Design Deficiency and an Operational Deficiency?

A control deficiency means that people using processes or technologies as part of their daily job functions won't be able to prevent or detect an issue. This could be because of a design or operational deficiency.

A design deficiency means: 

  • A control is missing, or 

  • An existing control is not designed properly, so that even when it operates as designed the control objective is not met. 

An example of a design deficiency might be antivirus software deployed with no mechanism to receive updated malware signatures: even when it runs exactly as configured, it cannot catch current malware. 

An operational deficiency means: 

  • A properly designed control fails to operate as intended or 

  • The person performing the control lacks the ability to perform the control effectively. 

An example of an operational deficiency might be the annual cybersecurity awareness training being delivered without its phishing module, even though phishing awareness was part of the designed training materials. 

How Do I Identify Control Deficiencies?

Whenever possible, it's best to uncover control deficiencies proactively. Implement discovery processes like risk assessments and internal audits to help you find control deficiencies before they cause problems. Don't wait for a high-stakes, expensive external audit to identify a control deficiency. 

When identifying control deficiencies, start with historical patterns and where you know there have been fraud attempts or areas where peer organizations have had issues. Also, look for more complex tasks with more room for error. Pay close attention to areas where you may have newer staff members or new systems where your team may not be as comfortable with the controls.  

Use penetration testing and red teaming to see if your controls work. Continuously monitor control effectiveness with alerts for deficiencies. 

Automated systems can also streamline how you identify control deficiencies by scanning your infrastructure code, catching potential issues, and creating a remediation workflow for detected control issues. APIs and custom tests can help gather evidence for reporting and remediation.
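As an added example of the scanning described here (written for this article, not Drata's scanner): the function below walks a constructed dictionary shaped like Terraform's JSON configuration syntax, runs a handful of control checks against it, and turns each hit into a remediation record with a control reference, severity, suggested fix, and due date. The control IDs, SLA days, and resource definitions are assumptions, and the three checks are illustrative; a real scanner would carry one check per control in your framework.

```python
"""Infrastructure-as-code control checks with remediation records.

Added example for this article, not Drata's tooling. CONFIG is a constructed
dict shaped like Terraform JSON syntax; control IDs and SLAs are assumptions.
"""
import ipaddress
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

Finding = Tuple[str, str, str, str]  # (control_id, severity, detail, fix)

SLA_DAYS = {"high": 7, "medium": 30, "low": 90}  # assumed remediation SLAs


def check_bucket_public(name: str, r: dict) -> Optional[Finding]:
    """Storage control: no publicly readable buckets."""
    if r.get("acl") in ("public-read", "public-read-write"):
        return ("CTL-STORAGE-01", "high", f"{name}: bucket acl is {r['acl']}",
                "set acl = \"private\" and block public access on the bucket")
    return None


def check_db_encrypted(name: str, r: dict) -> Optional[Finding]:
    """Cryptography control: data stores encrypted at rest."""
    if not r.get("storage_encrypted", False):
        return ("CTL-CRYPTO-02", "medium", f"{name}: storage_encrypted is false",
                "set storage_encrypted = true and rebuild from an encrypted snapshot")
    return None


def check_sg_open_ssh(name: str, r: dict) -> Optional[Finding]:
    """Network control: no administrative ports exposed to the whole internet."""
    for rule in r.get("ingress", []):
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        for cidr in rule.get("cidr_blocks", []):
            # /0 in either address family means "everyone".
            if ipaddress.ip_network(cidr).prefixlen == 0 and lo <= 22 <= hi:
                return ("CTL-NET-03", "high", f"{name}: port 22 open to {cidr}",
                        "restrict cidr_blocks to the bastion or VPN range")
    return None


CHECKS: Dict[str, List[Callable[[str, dict], Optional[Finding]]]] = {
    "aws_s3_bucket": [check_bucket_public],
    "aws_db_instance": [check_db_encrypted],
    "aws_security_group": [check_sg_open_ssh],
}

# Constructed configuration: one compliant bucket and three deficiencies.
CONFIG = {
    "resource": {
        "aws_s3_bucket": {
            "logs": {"acl": "private"},
            "marketing_assets": {"acl": "public-read"},
        },
        "aws_db_instance": {
            "customers": {"engine": "postgres", "storage_encrypted": False},
        },
        "aws_security_group": {
            "bastion": {"ingress": [
                {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}
            ]},
        },
    }
}


def scan(config: dict, today_iso: str) -> List[dict]:
    """Run every applicable check; return remediation records, worst first."""
    today = date.fromisoformat(today_iso)
    records = []
    for rtype, instances in config.get("resource", {}).items():
        for name, attrs in instances.items():
            resource = f"{rtype}.{name}"
            for check in CHECKS.get(rtype, []):
                hit = check(resource, attrs)
                if hit:
                    control, severity, detail, fix = hit
                    records.append({
                        "control": control, "severity": severity,
                        "resource": resource, "detail": detail, "fix": fix,
                        "due": (today + timedelta(days=SLA_DAYS[severity])).isoformat(),
                    })
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(records, key=lambda rec: order[rec["severity"]])


if __name__ == "__main__":
    for rec in scan(CONFIG, date.today().isoformat()):
        print(rec["severity"].upper(), rec["control"], rec["detail"], "due", rec["due"])
```

Each record carries what the remediation workflow needs: the control it maps to, the resource, the fix, and a deadline derived from severity, so the same output can feed a ticketing system and serve as audit evidence that the deficiency was found and tracked.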

Identifying Control Deficiencies with a Risk Assessment

Risk assessments evaluate the probability of a risk affecting an organization and its potential impact. With a well-executed risk assessment, decision-makers can evaluate where control deficiencies might exist and how to prioritize them within the organization's strategy, budget, and timelines.  

Risk assessments help you identify areas where controls are lacking and gaps where no controls exist. They also illuminate resource shortages that impact how controls are applied, such as not enough people for adequate separation of duties.

There are six common risk assessment approaches: quantitative, qualitative, semi-quantitative, asset-based, vulnerability-based, and threat-based. Each has pros and cons, so you may consider combining them for maximum coverage:

  • Quantitative: Each risk is assigned a dollar value based on loss of production, impact on the company's reputation, or potential legal costs, for example. While this framework puts control deficiencies into terms your leadership can easily understand, not all risks can be easily measured in dollars.

  • Qualitative: Through conversations with people throughout the organization, an assessor labels each risk as high, medium, or low based on the feedback they gather. This framework can quickly provide a general picture of a risk's priority, but the outcome can be subjective.

  • Semi-Quantitative: This framework combines quantitative and qualitative methods. Organizations assign each risk a numerical value, such as one to ten or one to 100, and then prioritize the risks that score in the highest third.

  • Asset-Based: The asset-based framework inventories all the software, hardware, and networks that handle an organization's information. The assessor evaluates the existing controls' effectiveness and each asset's vulnerabilities. Then, they assess the risk for each asset. This works well for IT-related assessments but not for less tangible policies or processes.

  • Vulnerability-Based: The assessor focuses on the known weaknesses within the controls and evaluates the risk based on those areas. This framework typically encompasses more potential risks than the asset-based framework, but you are working within the vulnerabilities you know about. You may not capture the full range of potential threats for your organization.

  • Threat-Based: This framework looks at the conditions that create risk beyond physical assets or known vulnerabilities. By focusing on the threat, the assessor can prioritize the best solution based on impact and cost. Solutions could include improving a current control, such as increasing cybersecurity training to mitigate phishing attacks, or adding a new control, such as a new monitoring system.

Identifying Control Deficiencies With an Internal Audit

An internal audit team familiar with your business processes and control systems can run regular stress tests on your company's internal controls to review their effectiveness. They can also bring new information, such as updated threats or new systems, to identify and fix any control deficiencies based on those new parameters.

Here are some best practices for documenting and reporting findings:

  • Document the issue, the cause of the issue, what is required to fix the control deficiency, and a recommended timeline based on the severity of the potential threat. Tie each issue to the risk it poses and the business objective it aligns with. For example, a potential data breach would affect your organization's goal to maintain a strong security posture and shorten your sales cycle.

  • Create a plan to evaluate the remediation before the next internal audit. Verify that the solution fixed the root issue and the control deficiency wasn't simply a symptom of something larger.

How Do I Assess Control Deficiencies?

Control deficiencies can be immaterial, meaning they are lower risk, unlikely to affect operations, and can be fixed over time. More serious deficiencies can be classified as a significant deficiency or a material weakness, both of which could substantially increase the chance of a major negative event, such as a data breach. 

According to the Secure Controls Framework (SCF), a material weakness is a deficiency, or a combination of deficiencies, in an organization's cybersecurity or data protection controls where reasonable threats that directly or indirectly affect the assurance that the organization can adhere to its stated risk tolerance likely will not be prevented or detected in a timely manner.

A significant deficiency is a control weakness that may not be severe enough to lead to a data breach but could still impact operations and an organization's security goals. If not addressed quickly, it could also rise to a material level of risk.

When assessing the severity of a deficiency, the key question is whether it creates a "reasonable possibility" that the organization will fail to meet customer commitments or protect customer data. "Reasonable possibility" is a likelihood threshold: the chance of failure is more than remote, even if it is not probable. Whether the resulting failure or misstatement is material is a separate question of magnitude, judged by whether it would change the decisions of a reasonable investor, customer, or regulator. 

That is why a deficiency with a low, but more than remote, likelihood of causing a data breach can still be classified as a material weakness: if the breach it permits would be severe enough to change how someone values or trusts your organization, the combination of that likelihood and that impact meets the standard. The phrase "reasonable possibility" is vague, but it remains the current standard for material weakness. 

If you’re evaluating your control environment prior to undergoing a formal audit, you can ask the following questions: 

  • Does my risk assessment comprehensively review all high-risk and high-probability security and privacy risks? 

  • Does this control mitigate a “high-risk” issue on my risk assessment? 

  • If the control fails to work properly, would the increased data breach risk undermine the organization’s current financial projections and posture? 

  • Do I have compensating controls that can mitigate the risk of a potential misstatement?

In addition to the likelihood of a deficiency, you also need to assess the magnitude of the misstatement. What systems, processes, and constituents would this deficiency affect? Without a good understanding of the magnitude, your remediation may not address the full scope of the issue. 

For example, if your employees keep falling for phishing emails, a quick fix might be to block more emails and install more spam filters. But this won't help your employees recognize phishing attempts, opening up your systems to potential threat actors.

Multiple immaterial control deficiencies, especially if they aren't identified and addressed, can lead to more serious issues, such as significant deficiencies or material weaknesses. For example, shared passwords and poor log management can combine to make it easy for a staff member to download confidential customer information without detection.
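The shared-password-plus-weak-logging scenario above is a detection problem as much as a control problem. As an added example written for this article (not Drata's code), the rule below runs over a few constructed authentication and data-access log lines and raises two kinds of findings: the same credential authenticating from different source addresses within a short window, which is how shared or stolen passwords usually surface, and a bulk export that exceeds a row threshold. The log format, field names, window, and threshold are assumptions.

```python
"""Detecting shared-credential use and bulk exports in access logs.

Added example for this article, not Drata's code. The log lines, their
key=value format, the 10-minute window and the 10,000-row threshold are all
constructed assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log sample: one service account used from two networks,
# followed by a large export; one ordinary user doing ordinary work.
LOG = """\
2025-01-07T09:14:02Z user=svc_reports src=10.1.4.22 action=login
2025-01-07T09:16:40Z user=svc_reports src=203.0.113.9 action=login
2025-01-07T09:18:05Z user=svc_reports src=203.0.113.9 action=export object=customers rows=48000
2025-01-07T09:20:11Z user=dana src=10.1.4.30 action=login
2025-01-07T09:25:00Z user=dana src=10.1.4.30 action=export object=invoices rows=120
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
    r"(?: object=(?P<obj>\S+) rows=(?P<rows>\d+))?$"
)


def parse(text: str) -> List[dict]:
    """Parse key=value lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["rows"] = int(e["rows"]) if e["rows"] else 0
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], window: timedelta = timedelta(minutes=10),
           bulk_rows: int = 10_000) -> List[dict]:
    """Flag one credential used from several sources, and bulk exports."""
    findings = []
    logins: Dict[str, List[Tuple[datetime, str]]] = {}
    for e in events:
        if e["action"] == "login":
            # Earlier logins for this user inside the window from a different source.
            prior = [s for t, s in logins.get(e["user"], [])
                     if e["ts"] - t <= window and s != e["src"]]
            if prior:
                findings.append({
                    "rule": "credential_used_from_multiple_sources",
                    "user": e["user"],
                    "sources": sorted(set(prior) | {e["src"]}),
                    "at": e["ts"].isoformat(),
                })
            logins.setdefault(e["user"], []).append((e["ts"], e["src"]))
        elif e["action"] == "export" and e["rows"] >= bulk_rows:
            findings.append({
                "rule": "bulk_export", "user": e["user"], "src": e["src"],
                "object": e["obj"], "rows": e["rows"], "at": e["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(parse(LOG)):
        print(finding)
```

Both rules depend on the logs recording user, source, action, and volume on every event, which is the point: with poor log management neither finding is possible, and the shared credential turns an immaterial password-hygiene deficiency into an undetectable data theft path.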

How Do I Fix Control Deficiencies?

The best way to handle control deficiencies is to find them before they cause harm. Preventive steps such as risk assessments, internal audits, and continuous monitoring help you stay ahead of control gaps and design flaws.

But once you've identified a control deficiency, either through internal tests or found by your auditor, you need to remediate the problem quickly. This includes:

  • Identify the issue's root cause. Was it a design issue or an operational flaw? Assess why the control failed and what processes that control affected.

  • Create a remediation plan with clear next steps. Assign roles and timelines to make sure the processes are updated effectively.

  • Invest in technologies that implement the appropriate technical controls. Automate your controls and monitoring to make sure the remediation worked.

  • Train your team or hire additional staff with the appropriate skills and experience. Make sure everyone knows how the control is supposed to function and their role in compliance.

What are the Reporting Requirements for Control Deficiencies?

Whether you must report control deficiencies to shareholders or regulators depends on your ownership status and the industry you serve. Formal reporting of deficiencies mainly applies to public companies, but private companies can still be required to report incidents under breach-notification laws and customer contracts.

The Sarbanes-Oxley Act (SOX) of 2002 requires management of a public company to establish internal controls over financial reporting and to assess their effectiveness in an annual internal control report, which an independent auditor must also attest to for larger filers. Management must disclose every significant deficiency and material weakness to the external auditor and the audit committee, and material weaknesses are disclosed publicly in the periodic filings that carry management's assessment. A Form 8-K covers material events rather than routine control findings; a material cybersecurity incident itself must be disclosed on Form 8-K within four business days of determining that it is material.

HIPAA-covered organizations must notify the Department of Health and Human Services of breaches of unsecured protected health information (PHI): without unreasonable delay and within 60 days of discovery for breaches affecting 500 or more individuals, and through an annual log for smaller breaches.

Organizations with government contracts may be required by contract to report significant deficiencies and material weaknesses to the contracting agency. Should an incident result from a material weakness, reporting timelines are strict; Department of Defense contractors subject to DFARS 252.204-7012, for example, must report cyber incidents within 72 hours of discovery.

Verify your reporting requirements with your legal counsel and auditor. Reporting obligations can change and may vary by jurisdiction.

Best Practices for Communicating Control Deficiencies with Stakeholders

You'll need to share with your stakeholders and get support for fixing control deficiencies. Here are five best practices when communicating control deficiencies with senior management and staff:

  • Start with impact: Use business terms to explain why addressing these control deficiencies is important. Tie them to business goals and highlight the parts of the organization affected by the deficiency and the solution.

  • Provide context: Where applicable, give your stakeholders industry benchmarks and historical trends to help them understand why these changes need to be made. Show examples of other organizations that had similar issues.

  • Avoid technical jargon: Your stakeholders may not be as familiar with acronyms like GDPR or terms like material weakness. Define necessary terms and use examples where helpful.

  • Propose clear solutions and next steps: Work with impacted teams to determine the best solution, who will be responsible for implementing the solution, and the expected timelines. Be clear about any other deadlines that might be affected and why the change in prioritization is necessary.

  • Maintain confidence in your systems: You want to ensure your stakeholders remain confident that your systems, controls, and teams can identify and remediate deficiencies. Showcase how your processes identified deficiencies before they became issues. In addition, explain what recommendations—like automation—you suggest to keep issues from happening again.

How Can My Auditor Help?

While your auditor needs to maintain independence, the professional rules of ethics allow them to provide some advisory services. Your auditor can provide "advice, research materials, and recommendations that assist management in performing its functions and making decisions."

Your auditors won't be able to implement the new controls for you. However, they can use their experience to give you ideas about best practices when implementing them. For example, some ways that your auditors can help include:

  • Offering informational sessions about cybersecurity issues

  • Providing information about technologies that can help fill control gaps

  • Providing advice about how to improve policies and procedures

  • Engaging in a best practices review

  • Benchmarking your cybersecurity infrastructure and procedures against an established framework

Automation for Preventive Detection and Remediation

Built by auditors and security experts, Drata's automation enables you to identify internal control gaps and weaknesses. With Drata, you get a compliance playbook that walks you through the process step-by-step and access to compliance experts who can answer any questions. 

Drata's continuous control monitoring, together with automated evidence collection, asset and personnel tracking, and access control workflow automation, enables you to address emerging issues now rather than security crises later.  

To see how Drata can help you identify and remediate control deficiencies, book a demo today.

Control Deficiencies Frequently Asked Questions (FAQs)

Below we answer some of the most common questions surrounding control deficiencies.

What's the Difference Between a Control Deficiency, a Material Weakness, and a Significant Deficiency?

A control deficiency is any weakness in the policies, procedures, processes, and technologies used to mitigate risk. They can be immaterial, meaning they are unlikely on their own to lead to a cybersecurity incident, but they still need to be addressed promptly; documentation that needs to be updated is a typical example. 

A significant deficiency would be more serious than an immaterial deficiency and could impact operations or cause security issues. An example might be 50% of new hires not getting background checks completed despite that being a requirement for all employees. 

A material weakness would be the highest level of severity and could cause significant security issues or a data breach. For example, your organization doesn't automatically expire third-party vendor access to customer data when the contract ends, leading to potentially exposed customer information.

How Can I Tell if a Deficiency is Serious Enough to Report?

Your organization should report a deficiency if it could have a material impact on financial statements, cause operational disruptions, impact data security, or create compliance risk. If investors care or regulators are concerned, you should report it. If you aren't sure, talk to your auditor.

How Long Does it Take to Fix a Control Deficiency?

The amount of time it takes to remediate a control deficiency will depend on its severity and the processes it impacts. Repairing an automated approval workflow that stopped working could fix the deficiency immediately. Adding another team member to remedy a segregation-of-duties issue or updating security training to include new phishing trends could take months.  

For any remediation, though, always plan to test the fix for a few weeks to make sure it is working as intended.

How Can I Prevent Control Deficiencies?

Automation, continuous monitoring, and regular risk assessments are the best ways to prevent control deficiencies. Create a culture of compliance where everyone understands the importance of internal controls and their role in maintaining them.


Rick Stevenson
Richard Stevenson's area of expertise focuses on building sound cybersecurity risk management programs and security policies that meet security compliance requirements. Richard is an AWS Certified Cloud Practitioner, CompTIA CySA+, and Shared Assessment Certified Third-Party Risk Assessor specializing in SOC 2, ISO 27001, NIST 800-53, NIST 800-171, SOX, HIPAA, third-party risk management, and enterprise risk management.