There are many potential sources for identifying internal control deficiencies, including the entity's monitoring activities, other components, and external parties that provide input relative to the presence and functioning of components and relevant principles.

The term "internal control deficiency" refers to a shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives. An internal control deficiency or combination of deficiencies that severely reduces the likelihood that the entity can achieve its objectives is referred to as a "major deficiency." As illustrated below, a major deficiency is a subset of internal control deficiencies. As such, a major deficiency is by definition also an internal control deficiency.

When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control. A major deficiency exists in the system of internal control when management determines that a component and one or more relevant principles are not present or functioning or that components are not operating together.

A major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component. Similarly, a major deficiency in a relevant principle cannot be mitigated to an acceptable level by the presence and functioning of other principles.

In determining whether components and relevant principles are present and functioning, management can consider controls to effect principles. ^{fn 7} For instance, in assessing whether the principle Assesses Fraud Risk may not be present and functioning, the organization can consider controls to effect other principles, such as those relating to Establishes Structure, Authority, and Responsibility and Enforces Accountability. By considering controls initially considered in the context of other principles, management may be able to determine that the principle Assesses Fraud Risk is present and functioning.

Management exercises judgment to assess the severity of an internal control deficiency, or combination of deficiencies, in determining whether components and relevant principles are present and functioning, and components are operating together, and ultimately in determining the effectiveness of the entity's system of internal control. Further, these judgments may vary depending on the category of objectives.

Regulators, standard-setting bodies, and other relevant third parties may establish criteria for defining the severity of, evaluating, and reporting internal control deficiencies. The Framework recognizes and accommodates their authority and responsibility as established through laws, rules, regulations, and external standards.

In those instances where an entity is applying a law, rule, regulation, or external standard, management should use only the relevant criteria contained in those documents to classify the severity of internal control deficiencies, rather than relying on the classifications set forth in the Framework. The Framework recognizes that any internal control deficiency that results in a system of internal control not being effective pursuant to such criteria would also preclude management from concluding that the entity has met the requirements for effective internal control in accordance with the Framework (e.g., a major non-conformity relating to operations or compliance objectives, or a material weakness relating to compliance or external reporting objectives).

For internal reporting and operations objectives, senior management, with board of director oversight, may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving these objectives.