CFO’s Guide to Significant Deficiencies and Material Weaknesses

The PCAOB defines a material weakness as, “a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”

Companies with material weaknesses are required to report them in their public SEC filings in the period in which they were identified; this may result in both reputational risk and increased costs associated with the following: 

  • Investors may lose confidence in the company and its stock, resulting in a decline in stock prices.
  • External audit fees may increase to compensate the auditor for any incremental procedures performed to address the material weakness. 
  • Legal fees may rise with increased legal advice and support. 
  • Financiers may find lending too risky, jeopardizing the company’s chances of getting loans (or getting loans at a reasonable and competitive interest rate).
  • Executives and governing boards may come under fire for lack of oversight and governance.

Considering the costs of a material weakness, it is important to implement and manage an effective control environment, including an established approach for assessing and remediating control deficiencies that do arise. Businesses need to be confident in their ability to quickly detect, report and remediate control deficiencies and evaluate each of them for the purpose of classifying them as a “Deficiency”, “Significant Deficiency” or “Material Weakness.”

Understanding the sources and stakes of material weaknesses

Some of the most common causes of material weaknesses include deficiencies in a company’s control environment. These may be related to, but are not limited to, the following:

  • Inadequate segregation of duties: An example is an individual who performs incompatible tasks, such as a controller who approves his or her own purchase requisitions. 
  • Ineffective risk assessments: For instance, failing to assess risk on a continuous basis could lead to new and unidentified exposures or risk categories as business practices change (e.g., the company adopts a new ERP or acquires another business).
  • Insufficient management review procedures: Inappropriately designed or executed management review controls (controls over subjective, complex areas such as goodwill impairments) can lead to material misstatements; for example, this can manifest as controls that are not designed precisely enough to address all relevant risks or inadequate documentation supporting the execution of the controls.
  • Inappropriate reliance on accounting software or third parties: An example would be using third-party service organizations that do not provide a SOC 1 Type II report, or leveraging accounting software that lacks sufficient functionality, such as audit logs or the ability to implement change controls.

All of the above can lead to the “reasonable possibility” that a material financial misstatement will not be detected in a timely manner, which is the very definition of a material weakness. 

Material weaknesses must be reported to the public via SEC filings in the period in which they were identified, which makes early and timely detection a top priority. If a previously unidentified material weakness is discovered, the SEC may issue a comment letter questioning whether the material weakness was present (and should have been reported) in a previous period. 

The sooner you detect a potential material weakness, the faster you can remediate it, and the better it will reflect on your company.

Material weakness vs. significant deficiency: How to tell the difference

A significant deficiency is less severe than a material weakness in that it is unlikely to have a material impact on financial statements, but it is, “important enough to merit attention by those responsible for oversight of the company’s financial reporting,” according to the PCAOB. 

An example of a significant deficiency, as stated by the SEC, would be if a company’s accounting function reviews significant or unusual modifications to the sales contract terms but does not review changes in the standard shipping terms. Presuming individual sales transactions are not material to the company – and since the accounting function has compensating controls in place to detect more severe modifications – the SEC determined that any effect on revenue recognition would be “more than inconsequential, but less than material.”

Once you identify a control deficiency, you must assess its importance and determine whether it rises to the level of a significant deficiency or material weakness. When assessing the magnitude of a control deficiency, many factors are relevant to this conclusion:

  • The presence of compensating controls that mitigate the risk of a potential misstatement. In order to be reliable, compensating controls must be operating effectively. 
  • The potential magnitude of the misstatement that could result from the deficiency (e.g., the total monthly transaction amounts exposed to the deficiency). 
  • Risk factors such as the nature of the account, susceptibility of the related asset to fraud or loss, relationship of the control in question to other controls and possible future consequences of the deficiency.
  • Whether the control deficiency is important enough to merit the attention of whoever is responsible for overseeing the company’s financial reporting. 
  • Whether the deficiency would prevent a prudent official from concluding that the transaction would ensure financial statements conform with GAAP. 
  • Whether specific indicators of material weakness exist, such as identification of fraud on the part of senior management or ineffective oversight of the company’s external financial reporting and internal control over financial reporting by the audit committee.
  • Whether there is a “reasonable possibility” that the controls will fail to prevent a material misstatement of the account balance or disclosure. 

Remember: The SEC has regularly reiterated that the existence of a material weakness does not depend on the actual magnitude of an error or misstatement but rather on the reasonable possibility that a material misstatement could occur and not be detected or prevented. Therefore, even immaterial misstatements could lead to a material weakness conclusion.

For example, in 2018, Costco discovered that an unauthorized party had gained access to its financial reporting systems. Despite finding no evidence of material misstatements on financial reports and immediately launching remediation efforts, the company classified it as a material weakness, and as a result, stock prices dropped by nearly 4%, according to Bloomberg. 

Creating a management framework: Prevention, detection and remediation steps

How to prevent and detect material weaknesses

Some of the most effective strategies for preventing and, if necessary, detecting material weaknesses include the following:

1. Establish effective monitoring controls 

Validate that controls are present and functioning throughout the year and not just at the end of the year. Conduct testing earlier in the year, leaving management more time to address and remediate any identified control deficiencies.

2. Constantly reinforce the company’s culture and tone at the top

Ensure that executive leadership stresses the importance of internal controls, addresses deviations from company policies in a timely manner and leads by example. Management should communicate the rationale and value of a control environment by highlighting its benefits to the business, beyond regulatory compliance.

3. Perform risk assessments throughout the year 

Prioritize ongoing risk assessments, especially when there are significant changes to people, processes or systems. This helps dictate what controls or processes need to be established to address new or emerging risks. In cases where there are significant changes to people, processes or systems, such as the implementation of a new ERP system, a company may want to consult a third party well versed in process improvement and internal controls.

4. Provide sufficient training to company personnel 

Highlight expectations and reinforce the “why” of the policies, procedures and controls to all process and control owners.   

5. Ensure strong communication and buy-in from all key stakeholders

Ensure that alignment and understanding about internal controls exist across the entire company. Incorporate this into company communications, handbooks and policies.

6. Establish an effective internal audit function

Use the internal audit function to keep a pulse on the company and to identify process improvements and strategic opportunities throughout the year.

7. Implement documented policies

Create, implement and train employees on formal policies to ensure alignment on “ways of doing business” and employee expectations.

8. Consider a third-party diagnostic 

An independent review of the company’s internal controls can be an effective way to optimize the design and efficiency of a control environment, address control deficiencies and provide guidance to management on the most effective and efficient way to remediate any control gaps that are identified. 

How to remediate a material weakness

If a material weakness is detected, it is important to have a plan of action. Management should take most, if not all, of the following steps:

1. Ensure there is consensus on the root cause of the material weakness 

This consensus is crucial for appropriately addressing the issue. Once the root cause is identified and agreed upon, management should create a remediation plan. This entails the following:

  • Identifying key stakeholders, tasks and deadlines.
  • Monitoring progress against the remediation plan.
  • Holding individuals and process owners accountable. 

2. Contemplate the need for additional funding or resources

Depending on the material weakness, remediation efforts may be costly to the company in terms of time, money and resources. Management must contemplate the need for additional funding within the budget for remediation efforts. Sources of remediation costs may include but are not limited to the following:

  • Investing in new IT systems.
  • Hiring additional in-house or outsourced experts or temporary resources. 

When determining the company’s resource plan, it is important to consider internal capacity, as well as employees’ existing obligations. If individuals within the company devote time to remediation efforts, this will take them away from their day job, potentially jeopardizing deadlines, due dates or critical tasks, like SEC reporting.  

3. Disclose the material weakness in quarterly and annual SEC filings (10-Q/10-K)

Material weakness disclosures should not be boilerplate but rather should allow investors to understand the root cause of the issue and indicate the pervasiveness of its effects on internal control over financial reporting. Disclosures should also include management’s plan for remediation and an estimated timeline for remediation. These disclosures must be updated on a quarterly basis, demonstrating progress made against remediating the material weakness throughout the year. 

4. Update all key stakeholders throughout the year

Keep all key stakeholders, including the audit committee and external auditors, abreast of progress throughout the year. 

5. Contract with a third party to assist with new implementations

If expertise or resource gaps exist, consider bringing on a third party to assist with implementing new processes, controls or policies, and any associated training. An external partner can also help test the new controls, processes and policies established by management, providing valuable insight and benchmarking to the process.

The bottom line: You can’t afford to passively manage controls

A proper control environment starts with the tone from the top and must live within the fabric of an organization. Build a control environment that sets you up for success, and measure and manage that design for operating effectiveness regularly. Expect that deficiencies will arise, and have a plan ahead of time. Most material weaknesses start out as control deficiencies. Catch them and remediate them before they have a chance to grow. And finally, have an established material weakness action plan so you are equipped to handle any situation that arises.