Deficiencies in Design, Implementation, or Operating Effectiveness

As described in Government Auditing Standards, auditors may consider different levels of internal control assessment depending on the objectives of the audit. These levels are (1) assessing the design, 2) assessing the design and implementation, or (3) assessing the design, implementation, and operating effectiveness of controls.79

  • The design of internal control is assessed by determining whether controls individually and in combination are capable of achieving an objective and addressing the related risk. A deficiency in design exists when a necessary control is missing or is not properly designed so that even if the control operates as designed, the control objective would not be met. For example, if an agency does not have a documented cost estimating process, or has one that is missing a key best practice such as cost risk and uncertainty analysis, this condition is a deficiency in the design of the control.
  • The implementation of internal control is assessed by determining if the control exists and has been placed into operation. A deficiency in implementation exists when a control is properly designed but not implemented correctly in the internal control system. For example, if an agency has a cost estimating policy in place but fails to communicate that policy to its organizations implementing the policy, this condition is a deficiency in the implementation of the control.
  • The operating effectiveness of internal control is assessed by determining whether controls were applied at relevant times during the period under evaluation, the consistency with which they were applied, and by whom or by what means they were applied. A deficiency in operating effectiveness exists when a properly designed control does not operate as designed or the person performing the control does not have the necessary competence or authority to perform the control effectively. For example, if the agency has a cost estimating policy in place but cannot develop a robust cost risk and uncertainty analysis because of a lack of trained staff, this condition is a deficiency in the operating effectiveness of the control.

Finally, a control cannot be effectively implemented if it was not effectively designed, and a control cannot be operating effectively if it was not effectively designed and implemented. For example, a cost estimate created in accordance with agency cost estimating policy will not be reliable if that agency’s cost estimating policy does not fully address each of the 12 steps of the cost estimating process.

  1. GAO, Government Auditing Standards, GAO-18-568G (Washington, D.C.: July 2018).↩︎