A material weakness occurs when one or more of a company’s internal controls fails. A material weakness is not something to take lightly: If a flaw in an internal control results in a material weakness, it might result in a financial report deemed a material misstatement. This means that the organization’s financial data is unreliable and ineffective for assessing the company’s financial health, making it impossible to determine a reasonable company stock price.
When a material weakness is uncovered in a company’s internal controls, auditors have a duty to report it to the audit committee. In fact, every publicly-traded company in the United States must have a qualified audit committee as a part of their board of directors. That committee then requires company management to take steps to fix the controls and material weakness. In addition to reporting to the committee, companies must report a material weakness to the U.S. Securities and Exchange Commission (SEC).
Material weaknesses can damage a company’s credit rating and/or share price, impacting overall valuation. They can lead to high audit fees, and may result in lost confidence from investor groups. Due to the serious consequences that stem from a material weakness, it’s mission critical to make sure that your company has solid prevention and detection policies.
What Is a Material Weakness?
A material weakness is the result of flaws or gaps in one or more areas of a company’s internal controls that cause erroneous financial reporting. Oftentimes a material weakness is not caused by one single thing, but rather a group of control deficiencies that results in significant errors in an organization’s financial statements. Public companies have to work hard to prevent issues in internal controls, and for new companies or those in a rapid expansion phase, the risk that controls are not properly enabled is exponentially higher.
According to MarketWatch, it’s not uncommon for companies to go into the IPO phase with material weakness disclosures — they stated in 2019 that 20% of “big 4-audited IPOs report weaknesses in financial-reporting controls.” The article reported that one recently IPOed company disclosed significant material weakness issues that year, noting that the company said that they did not have enough competent accounting staff and senior management for oversight and error detection, and that their systems were not providing sufficient prevention and detection of human error or inappropriate manipulation of financial data.
A company doesn’t need to be new and on the verge of an IPO to have a material weakness. In 2019 the SEC settled with a major insurance company due to a material weakness in their annuities business that they determined was caused by internal control failures that violated accounting rules. The company had a policy for decades wherein they assumed customers died or couldn’t be found if they did not respond to two mailings spaced five and a half years apart. This allowed them to free up money set aside to cover claims and boosted their profits. After settling with the SEC, the company agreed to pay a $10 million fine.
Another example of material weakness happened when a large American retailer reported internal controls issues in 2018, and the filing resulted in their shares dropping nearly 4%. The retailer reported that IT controls regarding user access and program change management in IT that supported financial reporting led to their need to disclose material weakness.
What Is a Significant Deficiency vs. a What Is a Material Weakness?
A significant deficiency is considered to be less severe than a material weakness. A significant deficiency is unlikely to have material impact on financial statements, but is considered important enough to be brought to the attention of a financial department’s leadership. The SEC provides examples of material weaknesses and significant deficiencies. Once a control deficiency is identified, auditors must determine if it reaches the level of a significant deficiency, or the more consequential material weakness.
When determining if a deficiency is categorized as a material weakness, there are two top things to keep in mind. First, is there any identification of fraud on the part of senior management, or ineffective oversight of the company’s external financial reporting by the audit committee? Second, is there a reasonable possibility to think that internal controls will fail to prevent a serious misstatement of the company’s financial account balance or disclosures? If either of those concerns are present, the issue could reasonably be elevated to the determination of a material weakness. Bear in mind that actual financial misstatements need not have happened for there to be a material weakness that requires reporting. The SEC states that the possibility of misstatement itself can lead to a material weakness and must be reported.
What Causes a Material Weakness?
Common causes of material weaknesses are an inadequate segregation of duties, failure to assess risks on an ongoing basis, lacking management review, or over-reliance on third-party tools that do not meet compliance requirements. In October 2021, PwC reported that over the prior five years an average of 43% of companies going public reported at least one material weakness in their disclosure documentation. They reviewed the IPO filings of more than 850 companies, and the most common causes of material weakness reported were insufficient accounting personnel, and a lack of financial reporting oversights/level of review. Those two causes together amounted to 47% of the material weaknesses reported. The rest of the causes were lumped into insufficient technology systems, lack of procedures, lack of a segregation of duties, and a lingering 4% categorized as “other.”
Here are three scenarios that add risk and increase the possibility of material weakness in internal control systems:
1: Technology Updates
Implementing new technologies always brings a level of risk. Material weaknesses can arise when change management controls associated with new technology are insufficient or leaves gaps in data integrity during program migrations. When organizations implement a new technology, they need to define controls to assure no data is lost or system errors mistakenly implemented. Using a control like running parallel systems during a quality assurance launch period can reduce risk in these scenarios.
2: Staff Transitions
As noted, a frequent cause of material weakness in internal control is insufficient accounting personnel. When team members in accounting and finance groups leave, the result is often a loss of institutional knowledge. In order to prepare for team turnover, leadership should confirm that appropriate information transfer takes place, process documentation is in place, backfills are trained, and team members are properly informed on day-to-day operations.
3: Inadequate Reviews
External, third-party auditors are frequently those validating reports. However, simply receiving a report from a system is not thorough enough to verify the completeness and accuracy of the underlying information technology controls. Organizations need to perform thorough confirmation procedures of the data itself, including source validation and documentation of any manual procedures that take place.
Material Weakness Prevention and Detection Strategies
The common causes of the material weakness section highlights a few ways to prevent material weaknesses, recommending deep data verification, finance and accounting team personnel job duties documentation, and running parallel systems in order to properly assess controls when implementing new technologies. Three additional strategies to prevent and detect material weaknesses are assessing your control environment, leveraging audit technology, and regularly conducting risk assessments.
Strategy 1: Assess Your Control Environment
Internal auditors should continuously revisit and validate controls, and remediate any internal control deficiencies. The first step is to assess the control environment. An organization committed to an effective control environment will operate with integrity and therefore attract and retain competent employees who hold themselves accountable for their internal control responsibilities. Once proper controls are in place, a company must have policies and procedures to mitigate risks. Internal controls in this area include performance reviews, segregation of duties, and security fundamentals like two-factor authentication. In addition, regular, ongoing evaluations of internal controls will keep risks at an acceptable level. Assess monitoring activities on the basis of frequency and quality, as the more consistently an organization is about monitoring and assessing controls and taking corrective action where needed, the more successful it will be when it comes to managing risk.
Strategy 2: Leverage Audit Technology
Internal auditors can reduce the risk of material weaknesses by leveraging the right technology solutions. Conducting work across disconnected spreadsheets, email, and shared drives leaves too many chances for version control issues. Implementing audit management software to centralize process and control documentation, risk assessments, survey results, evidence collection, and testing documentation in a single source of truth makes key information accessible by the right stakeholders. This visibility engages stakeholders throughout the business, facilitating a culture of controls compliance and reducing the risk for possible material weakness vulnerabilities.
Strategy 3: Regularly Conduct Risk Assessments
Perform risk assessments throughout the year. It’s important for an organization to prioritize ongoing, regularly scheduled risk assessments — especially when there are big changes in staff, workflows, or systems. This will help to determine what controls need to be established to prevent new or growing risks. In cases where a department or company is undergoing big changes, an organization may also consider engaging with a third-party consultancy with expertise in process and internal controls.
Build a More Effective Internal Audit Program Today
Remember: Many material weaknesses start out as control deficiencies — so catch and correct them before they have a chance to grow. Using the proper tools can set your business up for success, and with the right audit management software, an audit team can stay on top of their internal controls and significantly reduce their organization’s risks for a material weakness.