COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
The following points of focus highlight important characteristics relating to this principle:
- Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.
- Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
- Monitors Corrective Actions—Management tracks whether deficiencies are remediated on a timely basis.
In conducting monitoring activities, the organization may identify matters worthy of attention. Those that represent a potential or real shortcoming in some aspect of the system of internal control that has the potential to adversely affect the ability of the entity to achieve its objectives are referred to as internal control deficiencies. In addition, the organization may identify opportunities to improve the efficiency of internal control, or areas where changes to the current system of internal control may provide a greater likelihood that the entity's objectives will be achieved. Although identifying and assessing potential opportunities is not part of the system of internal control, the organization will typically want to capture any opportunities identified and communicate those to the strategy or objective-setting processes.
Deficiencies in an entity's components of internal control and underlying principles may surface from a variety of sources:
- Monitoring activities, including:
  - Ongoing evaluations of an entity, including managerial activities and everyday supervision of employees, which generate insights from those who are directly involved in the entity's activities. These insights are obtained in real time and can quickly identify deficiencies.
  - Separate evaluations performed by management, internal auditors, functional managers, and other personnel, which can highlight areas that need to be improved.
- Other components of internal control provide input relative to the operation of that component.
- External parties such as customers, vendors, external auditors, and regulators frequently provide important information about an entity's components of internal control.
Reporting on internal control deficiencies depends on the criteria established by regulators, standard-setting bodies, and management and boards of directors, as appropriate. Results of ongoing and separate evaluations are assessed against those criteria to determine whom to report to and what is reported. Alternatively, any criteria established by the board of directors or management are typically based on the entity's facts and circumstances and on established laws, rules, regulations, and standards.
Communicating internal control deficiencies to the right parties to take corrective actions is critical for entities to achieve objectives. Additionally, the scope and approach of the evaluations, as well as any internal control deficiencies, need to be communicated to those conducting the overall assessment of effectiveness of internal control.
The nature of matters to be communicated varies depending on how the deficiency is evaluated against appropriate criteria, individuals’ authority to deal with circumstances that arise, and the oversight activities of superiors. Deficiencies may be reported to senior management and the board of directors depending on the reporting criteria as established by regulators, standard-setting bodies, or the entity, as appropriate. Internal control deficiencies are usually reported both to the parties responsible for taking corrective action and to at least one level of management above that person.
This higher level of management provides needed support or oversight for taking corrective action and is positioned to communicate with others in the entity whose activities may be affected. Where findings cut across organizational boundaries, the deficiencies are reported to all relevant parties and to a sufficiently high level to drive appropriate action. For instance, deficiencies relating to a board member or sub-committee where the board member or sub-committee is not independent to the extent required, or where the board did not provide sufficient oversight, would be reported as prescribed by the entity's reporting protocols to the full board, the chair of the board, lead director, and/or the nominating/governance or other appropriate board committees.
In considering what needs to be communicated, it is necessary to look at the implications of findings and the entity's reporting directives. It is essential that not only a particular transaction or event be reported, but also that related faulty procedures be re-evaluated. Alternative communications channels should also exist for reporting sensitive information such as illegal or improper acts. Additionally, deficiencies may need to be reported externally depending on the type of entity and the regulatory, industry, or other compliance requirements to which it is subject.
After internal control deficiencies are evaluated and communicated to those parties responsible for taking corrective action, management tracks whether remediation efforts are conducted on a timely basis. Those responsible for taking corrective actions are usually different from those conducting the monitoring activities. The organization exercises judgment in determining how deficiencies are remediated and that judgment should be applied by those responsible for selecting, developing, and deploying controls to effect principles.
As is the case with the initial communication of internal control deficiencies, deficiencies that are not remediated on a timely basis are usually communicated to at least one level of management above the party responsible for taking corrective action. In addition, management may need to revisit the selection and deployment of monitoring activities, including a mix of ongoing and separate evaluations, until corrective actions have remediated the internal control deficiency.
Generated November 9, 2014 22:46:48