How to Overcome a Material Weakness
When a company faces a material weakness (MW) due to ineffective internal controls, it can result in a myriad of unwanted consequences. However, it can also be an opportunity to identify new ways to become more efficient and build stronger governance.
When undetected, MWs can create disruptions and material consequences for a company. Some examples include:
- The shift in management’s focus away from the initial strategy
- Potential financial restatements and decrease in company valuation
- Increase in audit fees by an average of 150 percent(1)
- Leadership turnover (over 62% of CFOs who reported deficiencies resigned or were pushed out of their organization)
This article provides the key information your company needs on relevant control frameworks, control deficiencies, leading causes, and solutions.
Internal controls regulatory landscape
Internal control frameworks include a set of processes that help organizations design, implement, and evaluate compliance with controls. The end goal is always to create and preserve value for an organization while managing and minimizing risk.
There are three types of internal controls(2):
- Financial controls
- Operational controls
- Regulatory and compliance controls
In today’s world, businesses rely more and more on complex tech systems for the data used to support the management of their financial and operational functions.
In addition, they are also reliant on their internal control systems to be able to address the significant risks posed by flaws and deficiencies in their tech systems, such as fraud or asset loss.
Financial controls’ regulatory landscape:
- SOX(3): The Sarbanes-Oxley Act (SOX) is a federal law requiring publicly traded companies registered with the Securities and Exchange Commission to include internal controls for processes and systems impacting financial reporting. SOX laws aim to ensure accurate and reliable financial reporting and build trust with investors. To comply with SOX, companies must establish internal control over financial reporting (ICFR).
- ICFR(2): Internal control over financial reporting (ICFR) consists of those controls that support and enforce the accuracy, reliability, and integrity of a company’s financial statements. Part of ICFR includes following generally accepted accounting principles (GAAP).
- COSO(4): The Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal controls framework is used by US companies to assess and report on the design and operating effectiveness of their ICFR. COSO provides detailed guidance for managers designing or mapping internal controls, and it is also used for audit risk assessments and by risk management teams.
There are several frameworks that can assist companies with developing and refining their operational and compliance controls. Here are a few examples.
- COBIT(5): The Information Systems Audit and Control Association (ISACA) developed the Control Objectives for Information and Related Technology (COBIT) framework, which is designed for IT governance and management.
- ISO(6): The International Organization for Standardization creates ISO frameworks on a wide variety of topics. The most commonly used ISO frameworks for internal auditors are ISO 9001 for quality auditing and ISO 27001 for security management.
- Service Organization Controls (SOC)(7): The American Institute of Certified Public Accountants (AICPA) has created the SOC reporting framework. There are three types of SOC reports:
  - SOC 1 is an attestation of controls at a service organization covering an entity’s internal control over financial reporting.
  - SOC 2 covers the entity’s security controls plus any of the following additional domains: availability, processing integrity, confidentiality, or privacy.
  - SOC 3 covers the same areas as SOC 2 but in less detail, so it can be freely distributed to the public.
Three types of control deficiencies
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect risks on a timely basis.
Additionally, control deficiencies can rise to the level of a significant deficiency or material weakness.
A significant deficiency(8) is a deficiency, or a combination of deficiencies, in internal control over financial reporting, that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company's financial reporting.
A material weakness(8) is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
Current trends
A study done by KPMG in 2023 reveals that MW disclosures increased from 4% in 2021 to 7% in 2023(9). The leading causes for the MWs included:
- Insufficient or inexperienced accounting personnel
- Lack of financial reporting oversight and review processes
- Lack of appropriate procedures
- Software, security, and access management
Moreover, there is usually more than one overlapping issue or challenge.
These trends are especially critical for pre-IPO companies to pay attention to. Companies that establish SOX compliance before going public have less risk of identifying and reporting a material weakness once they become public.
AdviseUp’s recommendations for remediating material weaknesses
Material Weakness Remediation Phases
It takes companies an average of one year to properly remediate a material weakness. Therefore, if you discover a material weakness, it’s important to jump into action right away to remediate it. Here are some important considerations:
- Treat this initiative as a proper project, allocating dedicated internal resources to ensure its success.
- Set the right tone from the top so that teams take controls seriously and develop remediations not just to satisfy your auditors but to improve your processes.
- Engage subject matter experts who are willing not only to recommend improvements but also to roll up their sleeves and get their hands dirty.
- Scope, Scope, Scope! Evaluate your scope of processes and systems to ensure that your remediation efforts are accurate and effective without going overboard.
AdviseUp has developed a comprehensive playbook that will help you in the process. Work with the experts at AdviseUp today!
Resources
(1) How a Material Weakness Can Cost You; Stephen Taub; CFO; Nov. 19, 2004
(2) A layperson’s guide to internal control over financial reporting (ICFR); Kayla J. Gillan; PCAOB; March 31, 2006
(3) H.R.3763 - Sarbanes-Oxley Act of 2002
(4) Committee of Sponsoring Organizations (COSO)
(5) Control Objectives for Information Technologies (COBIT)
(6) International Organization for Standardization (ISO)
(7) AICPA SOC Standard Overview
(8) PCAOB Control Deficiencies Definition
(9) Trends in Material Weakness; KPMG; 2023


