Deviation from Internal Control

Deviation from internal control is the situation when company designs internal control but it cannot manage the transaction outside the normal business operation. We consider it a non-occurrence transaction or “One-off” as it is not highly likely to happen again in the future. The company does not expect this kind of transaction to happen, so there is no control in place to manage it.

Internal control is procedures that the company set to increase the efficient and effective business operation, minimize risk, and achieve the business objective. Internal control will need to separate into small cycles such as sale, purchase, payroll, fixed asset, and cash.  The management who design internal control needs to understand each business process and make proper control for each one. However, when any transaction happens outside normal business, the internal control will not be able to deal with it. The control may not be able to prevent or detect risk associate with it.

Example of deviation from internal control

ABC is a manufacturing company that supplies the raw material to factories within the country. It never does any business outside the country and does not have any plan to do so in the future as well.

However, one of the key customers asks ABC to send some material to oversea branch which is not in the contract. ABC has reject this request as it is not their business operation, but this client keeps asking the manager. In order to maintain a good relationship, ABC’s management accepts this work. They ask the staff to prepare material and send it through DHL. There is no process in selecting logistics, management decide to select DHL and approve on the fee as a special case.

As we can see this is the one-off transaction which management will not expect to do it again. So there is no control or procedure to manage it, management also has no intention to set up internal control for the flow which will never happen again.

Impact to Auditor

During the initial stage, auditor will inquiry with management to understand the business operation of the workflow. Furthermore, they will perform a walkthrough to validate the process and control.

Finally, the auditor will perform a test of control to obtain additional evidence and reduce the substantive work. So what should auditor do when they detect the “one-off” transaction during the validation.

First, the auditor has to access the impact of misstatement of this transaction if there are any. Due to the ineffective internal control on this transaction, it may be the misstatement that impacts the financial statement.  Auditor needs to access the misstatement whether it will affect their opinion on financial statements or not.

Second, auditor also needs to perform further testing to conclude if there are anymore similar transaction occurs during the year. We have to ensure that this is really the one-off error. Sometimes, it is the flow which the company did not think of when designing internal control.  This kind of transaction is very risky, so there more it happens, the higher the risk.

Finally, auditor also requires to access the likelihood of transactions in the future. If it can happen in the future, the control should be in place. So the auditor should raise this issue in a management letter to show the internal control weakness and provide proper recommendations.