How to Avoid Significant Control Findings During an Audit

This article was updated in December 2019.

The stock value of a public company can drop significantly when an independent auditor finds a material weakness. Financial statement disclosures, internal control over financial reporting (ICFR) assessment reports, and independent audit reports all act as verification to stockholders that it’s safe to invest in a business—and a material weakness can undermine the assurance those reports provide to investors.

Before a material weakness happens, there are steps financial teams can take to build confidence in their controls and help avoid audit-related issues in the future. Here are some key areas for consideration.

Use Risk Strategically

Even the most diligent companies and the most fraud-aware organizations may unexpectedly receive a significant deficiency or material weakness observation on occasion. In these scenarios, a healthy organization responds to internal controls issues by addressing the source, being diligent in their ongoing efforts, and refusing to let it undermine their competency.

Risk is integral to the pursuit of value, so strategic-minded enterprises don’t strive to eliminate risk—or even to reduce it. Instead, they seek to manage risk exposures across all parts of their organizations so that, at any given time, they incur just enough of the right kinds of risk to effectively pursue strategic goals. This perspective represents a critical change from the traditional business view of risk, which is that it’s best to be avoided.

Consider Risk-to-Reward Potential

The graphic below, which is a reproduction of a chart originally produced by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), represents the idea of finding the sweet spot of risk—accomplished by decision makers focusing on managing the right amount of risk.


Too little risk-taking and a company will be bogged down addressing minutia with minimal impact. Too much risk-taking, and the company may not meet objectives or face undesirable consequences.

Conduct a Risk Assessment

A risk assessment is invaluable in identifying the areas of importance that can adversely affect your organization. These assessments rank each risk by the likelihood of its occurrence and its impact on the organization, and that ranking readily establishes a hierarchy of priorities. They’re also subjective, because the likelihood and impact of each type of risk will vary for each organization.

It’s prudent for organizations to conduct an enterprise-wide risk assessment to establish a baseline of risk appetite or risk tolerance and then map to key environmental or operational impacts, such as:

  • Implementing a new enterprise resource planning system
  • Performing a merger or acquisition
  • Monitoring and addressing changes to regulatory compliance and financial guidance

A risk assessment may also be conducted over an entire organization, a process—such as period-end financial reporting—or over a department.

For more information on how to conduct a risk assessment and build out a risk management plan, please read our article.

Communicate with the Auditor

Although the guidance that governs a public-company auditor defines process and control deficiencies differently than the guidance management follows, the two approaches to assessing internal control over financial reporting should be similar.

Because external auditors conduct detailed evaluations of risk for many different companies, they can provide management with tremendous insights on key findings among public companies following regulatory changes as well as a process for working with internal audit teams.

Ask Questions

Auditors expect those they’re auditing to have questions about the process, so organizations shouldn’t feel any hesitation asking their auditor for advice based on what they’re seeing in the marketplace. This is especially true if there have been any regulatory changes.

For example, asking an auditor about his or her reliance on the work of specific internal audit teams can often inform management if their organization’s internal controls will need to be retested. If the auditor accepts the testing of an internal audit team, then an organization can have confidence in its current results.

Verify Compliance

Within a short period of time, several factors came together to alter the financial reporting compliance landscape.

In 2013, COSO released its new framework on internal control, and some common, noteworthy threads in auditor inspections by the Public Company Accounting Oversight Board (PCAOB) led to the promulgation of Staff Audit Practice Alert 11. New standards were also added to the mix, including guidance relevant to related parties and going concern uncertainties.

With the changing regulatory environment, it’s even more important for organizations to stay abreast of changing requirements and to verify their methodology matches the times. Missing a new compliance requirement, or executing it poorly, increases the likelihood of an internal-control issue.

Take time before an audit occurs to verify an organization is current on its regulatory compliance; this assurance goes a long way toward strengthening internal controls.

Revisit Foundational Controls

Assumptions are often made about the condition of the most basic internal controls, such as segregation of duties (SOD), but significant issues can occur when these assumptions are wrong.

In the case of SOD, problems such as material misstatement due to errors or fraud have an increased potential to arise when a single individual is allowed to execute two or more conflicting sensitive transactions.

SOD is usually synonymous with IT-system access rights because a majority of critical functions are often performed through the enterprise system. However, because SOD requires technical and policy coordination, it can often fall through the cracks at the executive level.
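Because SOD in practice comes down to who holds which IT-system access rights, one preventive control is to check the transactions a user can execute (across all of their roles combined) against a list of conflicting pairs before a role is granted, and one detective control is to run the same check periodically over every user. The example below, added here and not part of the article or any Moss Adams material, shows both checks; the conflict rules, role definitions and users are constructed for illustration.

```python
"""Segregation-of-duties (SOD) conflict check over user entitlements.

Added example, not from the article. Conflict rules, roles and users below are
constructed sample data; real rules come from the organization's own SOD matrix.
"""

# Constructed conflict matrix: pairs of sensitive transactions that no single
# individual should be able to execute, with the reason each pair is toxic.
CONFLICT_RULES = {
    frozenset({"create_vendor", "approve_payment"}): "could pay a fictitious vendor",
    frozenset({"enter_journal", "approve_journal"}): "could post unreviewed entries",
    frozenset({"maintain_user_roles", "approve_payment"}): "could grant own payment rights",
}

# Constructed role definitions: each role maps to the transactions it permits.
SAMPLE_ROLE_PERMISSIONS = {
    "AP_CLERK": ("create_vendor", "enter_invoice"),
    "AP_MANAGER": ("approve_payment",),
    "GL_ACCOUNTANT": ("enter_journal",),
    "CONTROLLER": ("approve_journal",),
    "IT_ADMIN": ("maintain_user_roles",),
}

# Constructed user-to-role assignments. No single role conflicts with itself;
# the conflicts only appear when roles are combined on one person.
SAMPLE_USERS = {
    "alice": ["AP_CLERK", "AP_MANAGER"],
    "bob": ["GL_ACCOUNTANT"],
    "carol": ["GL_ACCOUNTANT", "CONTROLLER"],
    "dave": ["IT_ADMIN", "AP_MANAGER"],
}


def resolve_permissions(roles, role_permissions):
    """Flatten a list of roles into the set of transactions they permit."""
    perms = set()
    for role in roles:
        perms |= set(role_permissions.get(role, ()))
    return perms


def conflicts_in(perms, rules=CONFLICT_RULES):
    """Return sorted (txn_a, txn_b, reason) tuples for every rule fully
    contained in the given permission set."""
    hits = []
    for pair, reason in rules.items():
        if pair <= perms:
            a, b = sorted(pair)
            hits.append((a, b, reason))
    return sorted(hits)


def find_sod_conflicts(users, role_permissions, rules=CONFLICT_RULES):
    """Detective control: scan every user and return {user: [conflicts]}
    for users whose combined roles violate at least one rule."""
    findings = {}
    for user, roles in users.items():
        hits = conflicts_in(resolve_permissions(roles, role_permissions), rules)
        if hits:
            findings[user] = hits
    return findings


def would_conflict(user, new_role, users, role_permissions, rules=CONFLICT_RULES):
    """Preventive control: return only the conflicts that granting new_role
    to user would introduce on top of what the user already holds."""
    current = resolve_permissions(users.get(user, []), role_permissions)
    proposed = current | set(role_permissions.get(new_role, ()))
    existing = set(conflicts_in(current, rules))
    return [c for c in conflicts_in(proposed, rules) if c not in existing]


if __name__ == "__main__":
    for user, hits in find_sod_conflicts(SAMPLE_USERS, SAMPLE_ROLE_PERMISSIONS).items():
        for a, b, reason in hits:
            print(f"{user}: holds both {a} and {b} ({reason})")
    # A grant request that the preventive check should block:
    print("bob + CONTROLLER:",
          would_conflict("bob", "CONTROLLER", SAMPLE_USERS, SAMPLE_ROLE_PERMISSIONS))
```

The check resolves conflicts across the union of a user's roles, which is the case that most often falls through the cracks: each role looks clean on its own, and only the combination is toxic. Treat the conflict matrix itself as a controlled artifact, since whoever can edit it can silence a finding.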

Similar high-consequence oversights can easily occur with other foundational controls as well—so they’re worth assessing before an audit occurs.

Assess Key Controls

When assessing foundational controls, organizations should verify diligence around the following:

  • SOD
  • Account reconciliation reviews
  • Budget variance analyses
  • Reporting hotlines

See our article on foundational controls for more information as well as our article on SOD.

Align Governance with Interests

Addressing the roles and composition of an organization’s governing body diminishes the possibility of misstatements. Assigning a separate risk management function, whether internal, external, or co-sourced, adds incremental objectivity and assurance.

Address Common Issues

In an informal survey conducted by Moss Adams, we found the following governance issues among publicly traded companies:

  • Independence. Of the more than 16,500 companies surveyed, 12.5% of respondents fell short of the guidance that a majority of their board be independent directors without a financial or family-related stake in the organization. When there’s a lack of independence, a company is exposed to the significant risk of cronyism, because objectivity in oversight is compromised when board directors are interested parties in business decisions.
  • Financial expertise. Nearly 25% of respondents indicated they didn’t have a financial expert on their audit committee. Audit committees without a nonexecutive director who has recent, relevant, financial experience face an increased risk of account misstatements.
  • Risk management. More than half of the responding companies—67.7%—reported the absence of a separate risk management function. Informal reviews may be more appealing in terms of practical considerations; however, managing risk is most effective when conducted through a rigorous, repeatable process, which provides increased objectivity.

Next Steps

Whether an organization is responding to a control deficiency observation or a material weakness identified by an independent auditor—or if management simply wants to thwart the possibility of either—there are steps financial leaders can take to strengthen their controls. Regardless, it’s important that financial leaders be diligent about their efforts.

Controls can often be strengthened by a focus on risk, improved communication with your auditor, questioning the status of regulatory compliance, revisiting foundational controls, and evaluating the effectiveness of your governing body.

We’re Here to Help

Gaining insight into current best practices and success strategies can help your company avoid deficiencies and better align with current and future marketplace trends. For more information on internal controls and risk mitigation, contact your Moss Adams professional.