How to Evaluate Internal Control Deficiencies in Your Audit
When evaluating internal control deficiencies, you can reduce stress by knowing the difference between material and immaterial weaknesses, what to do to fix them, and how your auditor can help.
Seeing or hearing the word “deficiency” during an audit is often a jolt to a person’s system. If you put a lot of time and effort into getting audit ready, having a control deficiency can feel like a personal failure. More importantly, if your audit objectives were to shorten the sales cycle, like becoming SOC 2 compliant to streamline customer due diligence processes, then the deficiency could undermine your business goals as well.
When evaluating internal control deficiencies, you can reduce stress by knowing the difference between material and immaterial weaknesses, what to do to fix them, and how your auditor can help.
What is an Internal Control Deficiency?
Internal control deficiencies occur when the auditing process finds weaknesses in the policies, procedures, processes, and technologies used to reduce risk. Technical or physical internal controls may not eliminate all risk, but they mitigate it to achieve the company's accepted tolerance level.
Since internal controls fall into three categories, some examples of deficiencies an audit might find include:
Preventive controls: Failing to segregate duties or limit access according to the principle of least privilege
Detective controls: Failing to identify a known operating system or software vulnerability
Corrective controls: Failing to install software or operating systems with security updates
There are two components that must be evaluated to assess the severity of a control deficiency: the likelihood that the deficient control will not prevent or detect a misstatement and the magnitude of the potential misstatement resulting from the deficiency.
Internal control deficiencies often increase risks because effective controls typically:
Identify issues before they become larger problems.
Detect fraudulent transactions.
Prevent fines and penalties for compliance violations.
What Is the Difference Between a Design Deficiency and an Operational Deficiency?
A control deficiency means that people using the processes or technologies as part of their daily job functions won’t be able to prevent or detect an issue.
A design deficiency means:
A control is missing, or
An existing control, when operating as intended, fails to prevent a material misstatement.
An example of a data protection design deficiency might be an antivirus software that fails to update with the latest malware signatures.
An operational deficiency means:
A properly designed control fails to operate as intended, or
The person performing the control lacks the ability to perform the control effectively.
An example of an operational deficiency might be a failure to include phishing in the company’s annual cybersecurity awareness employee training when phishing awareness was part of the training materials.
How Do I Assess Control Deficiencies?
When assessing a control deficiency’s severity, the key is whether the problem creates a “reasonable possibility” that the organization will fail to meet customer commitments or protect customer data. “Reasonable possibility” has nothing to do with likelihood—it focuses on the impact that incorrect statements have on people’s decision-making processes.
Even if the control deficiency has a low likelihood of leading to a data breach, it can cause a reasonable possibility of undermining how someone views your organization’s valuation.
While the phrase “reasonable possibility” is vague, it remains the current standard for material weakness. If you’re evaluating your control environment prior to undergoing a formal audit, you can ask the following questions:
Does my risk assessment comprehensively review all high-risk and high-probability security and privacy risks?
Does this control mitigate a “high-risk” issue on my risk assessment?
If the control fails to work properly, would the increased data breach risk undermine the organization’s current financial projections and posture?
Do I have compensating controls that can mitigate the risk of a potential misstatement?
How Do I Fix Control Deficiencies?
While the audit might tell you about a control deficiency, it likely existed before the auditor started the review, meaning that you can take both preventive and reactive steps.
From a proactive, pre-audit point of view, you can:
Use penetration testing and red teaming to see if your controls work.
Continuously monitor control effectiveness with alerts for deficiencies.
Use automation to remediate detected control issues.
If your auditor identifies a control deficiency, you can remediate the problem by:
Identifying the issue’s root cause.
Investing in technologies that implement the appropriate technical controls.
Hiring additional staff with the appropriate skills and experience.
How Can My Auditor Help?
While your auditor needs to maintain independence, the professional rules of ethics allow them to provide some advisory services. Your auditor can provide “advice, research materials, and recommendations that assist management in performing its functions and making decisions.”
Your auditors won’t be able to implement the new controls for you. However, they can use their experience to help give you ideas about best practices to implement. For example, some ways that your auditors can help include:
Offering informational sessions about cybersecurity issues.
Providing information about technologies that can help fill control gaps.
Providing advice about how to improve policies and procedures.
Engaging in a best practices review.
Benchmarking your cybersecurity infrastructure and procedures against an established framework.
Automation for Preventative Detection and Remediation
Built by auditors and security experts, Drata’s automation enables you to identify internal controls gaps and weaknesses. With Drata, you get a compliance playbook that takes you step-by-step through the process and access to compliance experts who can answer any questions you have.
Drata’s continuous control monitoring enables you to achieve continuous assurance, with automated monitoring, evidence collection, asset and personnel tracking, and access control workflow automation.
To see how Drata can help you identify and remediate control deficiencies, book a demo today.