"Deficiencies in an entity’s enterprise risk management may surface from many sources, including the entity's ongoing monitoring
procedures, separate evaluations and external parties.
The term “deficiency” refers to a condition within the enterprise risk management process worthy of attention. A deficiency,
therefore, may represent a perceived, potential or real shortcoming, or an opportunity to strengthen the process to increase
the likelihood that the entity’s objectives will be achieved."
COSO