In the State of SOX survey reports in the past, there was often a question around when the respondents had control issues that resulted in deficiencies, significant deficiencies and/or material weaknesses. Some reports showed as many as 35% of the respondents said "no". My question is: are most companies making a distinction between control failures or issues and control deficiencies? Or, like our company, are all failures considered a deficiency? Perhaps it's nomenclature, but if there's a control failure, we automatically label it as a deficiency. It may be something as simple as failure to approve an account reconciliation timely. We'd label that as a deficiency, thus it's nearly impossible to have a year with no deficiencies like the 35% of respondents depicted below.
We would consider, for example, your untimely review, an exception (assuming there's time left in the year to expand the sample size). If we found another failure then it would be a deficiency. Same thing on a test of 25, if we found 1 selection fails, it's an exception and we test more. If we find another, it's a deficiency and we remediate. It depends on why the control failed though--if it was something egregious, or if the process owner informs us that testing more will only result in more failures, we would need to deem it a deficiency with only 1 exception.
Thank you, Andrew. That actually makes more sense to me, and further highlights that not all failures are created equally. Your process sounds more consistent with how we handled these at prior companies. Much appreciated.