Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / Audit Chapter 7
Microlesson · 5-min read

SA 265 – Deficiency in Internal Control: Definition and Types

## SA 265 – Deficiency in Internal Control

### What is a Deficiency in Internal Control?

A deficiency in internal control exists when:

TypeDescription
Control Design DeficiencyA control is designed or implemented in a way that it is unable to prevent, detect, or correct misstatements on a timely basis
Missing ControlA control necessary to prevent, detect, or correct misstatements is absent

> Think of it this way: either the control exists but doesn't work, or it simply doesn't exist at all.

---

### Significant Deficiency

Definition: A deficiency (or combination of deficiencies) in internal control that, in the auditor's professional judgement, is of sufficient importance to merit the attention of Those Charged with Governance (TCWG).

  • Not every deficiency is a significant deficiency — significance depends on auditor's professional judgement.
  • Significance depends on both: (i) likelihood that misstatement will occur, and (ii) magnitude/potential size of the misstatement.

---

### Factors Auditor Considers in Deciding if a Deficiency is Significant

#Factor
aLikelihood that the deficiency leads to a material misstatement
bFS amount exposed to the deficiency
cSusceptibility of related assets to loss or fraud; related assertions
dVolume of activity in the assertion exposed to the deficiency
eCause and frequency of exceptions detected due to the deficiency
fInteraction of the deficiency with other deficiencies
gSubjectivity and complexity in determining accounting estimates
hImportance of the control relating to financial reporting process

For (h) — Controls of particular importance include:

  • Period-end financial reporting process
  • Fraud-related controls
  • Significant accounting policies
  • General monitoring controls

Worked example

### Example 1

Example 1: A company has a control requiring dual authorisation for payments above ₹50,000. However, the control was designed to apply only to cash payments and not to online transfers. A misstatement occurred via an unauthorised online transfer.

Analysis: This is a Control Design Deficiency — the control was designed in a way that it could not prevent/detect the misstatement in online payments. Whether it is a significant deficiency depends on the volume and value of online transactions and the likelihood of similar misstatements occurring.

### Example 2

Example 2: A manufacturing company has no control in place to verify physical stock against recorded inventory at year-end.

Analysis: This is a Missing Control deficiency. Given inventory is often a material line item, the auditor would very likely classify this as a Significant Deficiency, considering: (i) high likelihood of misstatement, (ii) potentially large FS amount exposed, and (iii) high volume of inventory transactions.

⚠️ Common exam mistakes

  • Confusing 'control design deficiency' with 'missing control' — design deficiency means the control exists but is flawed; missing control means no control exists at all.
  • Assuming every internal control deficiency is automatically a significant deficiency — significance requires professional judgement and assessment of both likelihood and magnitude.
  • Ignoring the factor of 'interaction with other deficiencies' — two individually minor deficiencies can together constitute a significant deficiency.
  • Overlooking that significance depends on BOTH the likelihood of misstatement occurring AND the magnitude of potential misstatement — not just one of these.
Reference:
← Previous
SA 265 – Communicating Deficie
Next →
SA 560 – Subsequent Events
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic