Is there an elephant in the room? Or did someone just find a SAS70 Audit internal control deficiency/exception?
Posted by: SAS70ExPERT
Auditing, CIO, Compliance, Risk management, SAS 70, Security, Third-party services
As a CIO or CSO, what should you do when a SAS 70 auditor finds an exception or an internal control that is not working during your SAS70 audit? Sometimes, in extreme cases, it is like a death in the family: there is silence, screaming and shouting, grieving, and then finally acceptance. When an auditor meets with the Chief Executive Officer, it is key that you understand the difference between a material weakness and an internal control deficiency.
A “material weakness” is an internal control deficiency, or a combination of control weaknesses, that results in a significant misstatement of revenue or expenses in your financial statements.
A deficiency in internal control exists in either the design or the operation of a control. A design deficiency exists when you forgot that you had to reconcile inventory. You have been concentrating on sell, sell, sell, and you forgot you had to determine how much inventory you had on hand each month. It happens. An operational deficiency occurs when your Accounting Manager just didn’t perform up to par and the reconciliations they were supposed to do for inventory just weren’t done each month.
Knowing the difference during these difficult economic times is important. So when the white elephant comes into the room, take a deep breath. If you understand the difference between a material weakness and a significant deficiency, you have the information you need to discuss the results of the SAS70 audit and determine the next steps.

Sas70ExPERT@gmail.com