Material Weakness in Internal Controls: The Real Impacts
- Published
- Feb 29, 2024
- Topics
- Share
The Sarbanes-Oxley (“SOX”) Act emerged two decades ago and has continued to transform how we think about governance, internal controls, and overall financial transparency. Most important to SOX compliance is the concept of deficiencies: whether they are deficiencies, significant deficiencies, or a material weakness in internal controls over financial reporting (“ICFR”). Addressing these weaknesses is not just a regulatory requirement but a critical step to ensure investor confidence and the overall integrity of financial reporting.
What is a material weakness?
A material weakness sounds bad, but what does it mean, how does it impact a company, and who needs to know about it? A material weakness is defined as a deficiency, or combination of deficiencies in ICFR such that there is a reasonable possibility that a material misstatement of a company’s annual or interim financial statements will not be prevented or detected on a timely basis. A material weakness is identified through rigorous assessments of internal controls and is disclosed in a company’s financial statements. This can impact a company’s reputation, market value and, if not remediated, result in significant consequences and costs. It can ultimately lead to operational and resource challenges, business disruption, and negative impacts to ongoing financial reporting.
A key takeaway is the “possibility” or “what if,” as it is not always directly linked to an identified error or restatement. One or more deficiencies identified can aggregate to the level of material weakness. Many stakeholders within an organization are impacted, including those charged with governance (e.g., senior management and the audit committee). Remediating a material weakness can be complex and challenging, but it can be addressed with proper support and a structured approach and process, turning a risk into an opportunity for improvement.
Causes and effects of a material weakness
Several causes of deficiencies may aggregate to a material weakness:
- Inadequate segregation of duties arising from insufficient resources or accounting personnel.
- Ineffective risk assessment processes, and failure of the organization to sufficiently evaluate risk on an ongoing basis.
- Improper oversight of the work performed by third-party service providers.
- Ineffectively designed information technology (“IT”) policies and procedures, or an over-reliance on IT tools.
- Improper review and approval over information utilized in the performance of a control, including system or application reports.
- Inadequate controls over complex or non-routine transactions, such as mergers and acquisitions or business combinations.
These are issues that may cause or contribute to a deficiency. While some of these issues may seem small, they can easily lead to a material weakness if they are centered in an area with enough risk or aggregated with other deficiencies. It is important to understand the impact a material weakness can have on a company, its people and culture, its business, and reputation with stakeholders and investors as good stewards of governance.
A significant result of a material weakness is the initial disclosure of the error and what it does to the company’s stock price, but this is not the only effect. It can be very disruptive to the business, including effects to:
- Executive leadership’s tone at the top and concerns over the adequacy of their people.
- Resource strain and burnout from lack of support by executive leadership, which can cause frustration and possible turnover.
- Loss of investor confidence can decline stock prices.
- Loss of customer and stakeholder confidence, which may influence future sales and opportunities.
- Reputational damage within the industry.
- Increased scrutiny from stakeholders and auditors over processes, procedures, and controls.
- Time, energy, and effort necessary to remedy the deficiency or deficiencies will shift management’s focus, which can result in additional issues or deficiencies in other areas.
How to avoid and remediate deficiencies
- Proper planning and assessment of controls are key, including allocating the right amount of resources. Create a continuous improvement process within the assessment program each year and build awareness of good governance across the organization.
- A risk-based approach is paramount. Confirm and understand the risks that pose a threat to the company’s financial statements and reporting processes. Understand how the balance sheet and income statement accounts relate to the individual processes and risks factors aligned to those processes.
- Make sure that technology is adequately governed and policies, procedures, and controls over IT are well designed, including user (logical) access and cybersecurity risks/controls.
- Communication is key. Stay close to your external auditors during the process. Understand their risk assessment and procedures as they assess controls.
Lastly, accelerate your program and start planning and evaluating early, including creating a continuous improvement process. The key to remediation of deficiencies is early identification. Allowing sufficient time for remediation and ensuring adequate resources are in place will prevent many challenges from occurring, including difficult discussions with your auditors.
Constant communication is essential. Management, auditors, service providers, executives, and the board should have open lines of communication to confirm that risks are mitigated. If deficiencies arise, protocols can be more easily and timely implemented with the involvement of professionals who have experience navigating this area.
What's on Your Mind?
Start a conversation with Gerald
Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.