We would consider, for example, your untimely review, an exception (assuming there's time left in the year to expand the sample size). If we found another failure then it would be a deficiency. Same thing on a test of 25, if we found 1 selection fails, it's an exception and we test more. If we find another, it's a deficiency and we remediate. It depends on why the control failed though--if it was something egregious, or if the process owner informs us that testing more will only result in more failures, we would need to deem it a deficiency with only 1 exception.
------------------------------
Andrew Sabia
Internal Audit Manager
RBC Bearings
------------------------------
Original Message:
Sent: 05-17-2023 12:15 PM
From: Gene Padgett
Subject: From control issue to deficiency
In the State of SOX survey reports in the past, there was often a question around when the respondents had control issues that resulted in deficiencies, significant deficiencies and/or material weaknesses. Some reports showed as many as 35% of the respondents said "no". My question is are most companies making a distinction between control failures or issues and control deficiencies? Or, like our company, all failures are considered a deficiency? Perhaps it's nomenclature, but if there's a control failure, we automatically label it as a deficiency. It may be something as simple as failure to approve an account reconciliation timely. We'd label that as a deficiency, thus it's nearly impossible to have a year with no deficiencies like the 35% of respondents depicted below.
------------------------------
Gene Padgett
Chief Accounting Officer
Valmont Industries
------------------------------