information on the responsibility of the auditor to evaluate impacts of misstatements on an audit and the
            impact of misstatements that go uncorrected on the financial statements.

            The technical literature focuses not on controls per se, but rather on deficiencies of “key” controls.
            Control evaluation is not described as dichotomous (either good or bad) but as types of deficiency. CITPs
            must be familiar with these terms, definitions, and the application thereof. Because of the convergence of
            technical standards, there is a common set of definitions for three types of control deficiency.

            These definitions are included in AU-C section 265, Communicating Internal Control Related Matters
                                29
            Identified in an Audit.  The severity of such deficiency is further defined as a combination of magnitude
            — of misstatement caused by the control deficiency (CD) — and probability — that such control will
            actually fail to prevent, or detect and correct, a misstatement of an account balance or disclosure. There
            is also a list of material weakness (MW) indicators, and a list of CDs that would at least be significant
            deficiencies (SD).

            The PCAOB has identical definitions and information in AS5, An Audit of Internal Control Over Financial
                                                                          30
            Reporting That is Integrated with an Audit of Financial Statements.  Obviously, CITPs in B&I, where the
            entity is an issuer, will be concerned with the issues related to these terms. Because of the prevalence of
            this definition, all CITPs need to know and understand them.


            Control deficiency
            Control deficiency (CD). The design or operation of the control does not allow management or
            employees, in the normal course of performing their assigned functions, to prevent, or detect and correct
            misstatements in a timely basis.

              Deficiency in design occurs when there is not a control in place to meet the control objective, or when
               a control is designed such that even when it is working as it should, the control objective is not met.
              Deficiency in operation exists when a control has been designed properly but is not functioning as
               designed, or the person who is assigned to perform the control is unable to do so due to a lack of
               authority or competency.


            Significant deficiency
            Significant deficiency (SD). A significant deficiency is a deficiency, or a combination of deficiencies, in
            internal control that is less severe than a material weakness, yet important enough to merit attention by
            those charged with governance.






            29
              See Section .A5 of AU-C 265 for definitions of reasonably possible and probable.
            www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-C-00265.pdf, accessed September
            7, 2019.
            30
              See Section .A5 of AU-C 265 for definitions of control deficiency, significant deficiency, and material weakness.
            www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-C-00265.pdf, accessed September
            7, 2019.


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-50