Simply put; an instance or activity that did not occur as per expectations is considered as deviation. For an activity it is not necessary that it must occur as per expectations but also non-occurrence can be considered as deviation. In short, any thing that given rise to conflict between expectation and what actually happened is deviation.
To run business operations effectively and efficiently so that shareholders’ wealth is maximized, management implements internal control system that standardize many important activities of the business. It details what should happen and what should not happen so that no inherent problem can compound to cause problems for entity to achieve business objectives. Same standards helps developing expectations. Any departure from set standards or rules or guidelines or expectations arising out of such standards is considered deviation from controls. Deviations are considered wrong as they may cause obstruction in achieving business’ targets.
The term deviation includes:
- any business event that occurred that was not expected to occur
- any business event that didn’t occur that was expected to occur
- a control exists but did not operated effectively i.e. it has not prevented or detected and corrected a misstatement on timely basis
- a control is absent
- anything that may cause obstruction in achieving business objectives
In auditing, auditor gains understanding of the management’s internal control system in order to assess risk of material misstatement i.e. probability that financial information is materially misstated and then associates this risk to his engagement to measure audit risk. By understanding internal control system he develops an expectation regarding control risk which is simply probability of deviation from internal controls. Higher the deviation, higher the risk of material misstatement.
Most of the time while conducting tests of controls that basically tests if there is any deviation, auditor applies conducts these procedures on sampling basis. For this auditor establishes tolerable rate of deviation that lets auditor obtain reasonable assurance regarding population.
However, we must understand,especially while conducting tests of controls on sampling basis that deviation can be of two types:
- a deviation that is expected to repeat and is a representative of population
- a deviation that is not representative of population and is not expected to repeat rather a one-off event and needs to be analyzed in isolation. Such deviation is called anomaly. Such deviations must not be considered while developing inferences regarding population.