The PCAOB defines a material weakness as, “a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.” Companies with material weaknesses are required to report them in their public SEC filings in the period in which they were
identified; this may result in both reputational risk and increased costs associated with the following: Considering the costs of a material weakness, it is important to implement and manage an effective control environment, including an established approach for assessing
and remediating control deficiencies that do arise. Businesses need to be confident in their ability to quickly detect, report and remediate control deficiencies and evaluate each of them for the purpose of classifying them as a “Deficiency”, “Significant Deficiency” or “Material Weakness.” Some of the most common causes of material weaknesses include deficiencies in a company’s control environment. These
may be related, but not limited, to the following: All of the above can lead to the “reasonable possibility” that a material financial misstatement will not be detected in a timely manner, which is the very definition of a material
weakness. Material weaknesses must be reported to the public via SEC filings in the period in which they were identified, which makes early and timely detection a top priority. If a previously unidentified material weakness is discovered, the SEC may issue a comment letter questioning whether the material weakness was present (and should have been reported) in a previous period. The sooner you detect a potential material weakness, the faster you can remediate it, the
better it will reflect on your company. A significant deficiency is less severe than a material weakness in that it is unlikely to have a material impact on financial statements, but it is, “important enough to merit attention by those responsible for oversight of the company’s financial reporting,” according to the PCAOB. An example of a significant deficiency, as stated by the SEC, would be if a company’s accounting function reviews significant or unusual modifications to the sales contract terms but does not review changes in the standard shipping terms. Presuming individual sales transactions are not material to the company – and since the accounting function has compensating controls in place to detect more severe modifications – the SEC determined that any effect on revenue recognition would be “more than inconsequential, but less than material.” Once you identify a control deficiency, you must assess its importance and determine whether it rises to the level of a significant deficiency or material weakness. When assessing the magnitude of a control deficiency, many factors are relevant to this conclusion:
Remember: The SEC has regularly reiterated that the existence of a material weakness does not depend on the actual magnitude of an error or misstatement but rather on the reasonable possibility that a material weakness could occur and not be detected or prevented. Therefore, even immaterial misstatements could lead to a material weakness conclusion. For example, in 2018, Costco discovered that an unauthorized party had gained access to its financial reporting systems. Despite finding no evidence of material misstatements on financial reports and immediately launching remediation efforts, the company classified it as a material weakness, and as a result, stock prices dropped by nearly 4%, according to Bloomberg. Creating a management framework: Prevention, detection and remediation stepsHow to prevent and detect material weaknessesSome of the most effective strategies for preventing and, if necessary, detecting material weaknesses include the following: 1. Establish effective monitoring controls Validate that controls are present and functioning throughout the year and not just at the end of the year. Conduct testing earlier in the year, leaving management more time to address and remediate any identified control deficiencies. 2. Constantly reinforce the company’s culture and tone at the top Ensure that executive leadership stresses the importance of internal controls, addresses deviations to company policies in a timely manner and leads by example. Management should communicate the rationale and value of a control environment by highlighting its benefits to the business, beyond regulatory compliance. 3. Perform risk assessments throughout the year Prioritize ongoing risk assessments, especially when there are significant changes to people, processes or systems. This helps dictate what controls or processes need to be established to address new or emerging risks. In cases where there are significant changes to people, processes or systems, such as the implementation of a new ERP system, a company may want to consult a third-party well-versed in process improvement and internal controls. 4. Provide sufficient training to company personnel Highlight expectations and reinforce the “why” of the policies, procedures and controls to all process and control owners. 5. Ensure strong communication and buy-in from all key stakeholders Ensure that alignment and understanding about internal controls exists across the entire company. Incorporate this into company communications, handbooks and policies. 6. Establish an effective internal audit function Use the internal audit function to keep a pulse on the company and to identify process improvements and strategic opportunities throughout the year. 7. Implement documented policies Create, implement and train employees on formal policies to ensure alignment on “ways of doing business” and employee expectations. 8. Consider a third-party diagnostic An independent review of the company’s internal controls can be an effective way to optimize the design and efficiency of a control environment, address control deficiencies and provide guidance to management on the most effective and efficient way to remediate any control gaps that are identified. How to Remediate a Material WeaknessIf a material weakness is detected, it is important to have a plan of action. Management should take most, if not all, of the following steps: 1. Ensure there is consensus on the root cause of the material weakness This consensus is crucial for appropriately addressing the issue. Once the root cause is identified and agreed upon, management should create a remediation plan. This entails the following:
2. Contemplate the need for additional funding or resources Depending on the material weakness, remediation efforts may be costly to the company in terms of time, money and resources. Management must contemplate the need for additional funding within the budget for remediation efforts. Sources of remediation costs may include but are not limited to the following:
When determining the company’s resource plan, it is important to consider internal capacity, as well as employees’ existing obligations. If individuals within the company devote time to remediation efforts, this will take them away from their day job, potentially jeopardizing deadlines, due dates or critical tasks, like SEC reporting. 3. Disclose the material weakness in quarterly and annual SEC filings (10Q/10K) Material weakness disclosures should not be boilerplate but rather should allow investors to understand the root cause of the issue and indicate the pervasiveness of its effects on internal control over financial reporting. Disclosures should also include management’s plan for remediation and an estimated timeline for remediation. These disclosures must be updated on a quarterly basis, demonstrating progress made against remediating the material weakness throughout the year. 4. Update all key stakeholders throughout the year Keep all key stakeholders, including the audit committee and external auditors, abreast of progress throughout the year. 5. Contract with a third party to assist with new implementations If expertise or resource gaps exist, consider bringing on a third party to assist with implementing new processes, controls or policies, and any associated training. An external partner can also help test the new controls, processes and policies established by management, providing valuable insight and benchmarking to the process. The bottom line: You can’t afford to passively manage controlsA proper control environment starts with the tone from the top and must live within the fabric of an organization. Build a control environment that sets you up for success, and measure and manage that design for operating effectiveness regularly. Expect that deficiencies will arise, and have a plan, ahead of time. Most material weaknesses start out as control deficiencies. Catch them and remediate them before they have a chance to grow. And finally, have an established material weakness action plan so you are equipped to handle any situation that arises. What factors should auditors consider when evaluating the severity of a deficiency in a control that directly addresses a risk of material misstatement?There are two components that must be evaluated to assess the severity of a control deficiency: the likelihood that the deficient control will not prevent or timely detect a misstatement, and the magnitude of the potential misstatement resulting from the deficiency.
What is the auditor's responsibility for communicating control deficiencies that are severe enough to be considered significant deficiencies or material weaknesses?4. The auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit. The written communication should be made prior to the issuance of the auditor's report on the financial statements.
What factors should an auditor consider when evaluating the control environment?Control environment factors include the following:. Integrity and ethical values.. Commitment to competence.. Board of directors or audit committee participation.. Management's philosophy and operating style.. Organizational structure.. Assignment of authority and responsibility.. Human resource policies and practices.. How do you identify a control deficiency?How Do You Evaluate Internal Controls Deficiencies?. Assess the Control Environment. ... . Evaluate Risk Assessment. ... . Investigate Control Activities. ... . Examine Information and Communication Systems. ... . Analyze Monitoring Activities. ... . Index Existing Controls. ... . Understand which Controls Are Relevant to the Audit.. |