Five Key Takeaways From The Most Feared Phrase in Accounting: Material Weakness
SOX Professionals Group Summit
Sue King, Partner, Internal Audit and Enterprise Risk, KPMG LLP
Louis Collins, Partner, Audit, KPMG LLP
No one wants to meet with the audit committee to report a material weakness in ICFR. To help lower the odds of this happening to you, KPMG Partners Sue King and Louis Collins presented the latest research and trends about what drives material weaknesses, remediation strategies, and what to expect from your external auditors.
Also, take a look at the replay and slides from the event. The presenters included up-to-date and relevant examples from SEC filings that illustrate the reasoning behind material weakness assessments.
1. Important factors when defining a control deficiency.
● What is the nature of the control deficiency? Is it a design or operating effectiveness issue? Thoroughly and accurately identifying the nature of the deficiency is a critical first step in the process.
● What is the impact on financial reporting and ICFR? Nuance note: Companies tend to define the impact on financial reporting too narrowly. Deploy the ‘could factor’ and think more broadly about the potential impact of this error and if it could affect other accounts.
● What was the source of the deficiency? Many roads can lead to a control failure. A robust root cause analysis of control deficiencies is necessary to create an effective remediation strategy. It’s also a step in the process that companies tend to shortchange.
● Who found the control deficiency? We hope its management rather than your auditors. We also hope that management discovered the deficiency through the routine operation of controls.
2.The most common types of material weaknesses.
Since 2004, the number of annual adverse auditor attestations have declined from a whopping 16% to 6.3% in 2019.(1) The top 10 themes and processes that drive most material weaknesses have been quite consistent in recent years. Perennially in first place are material adjustments and or numerous auditor adjustments at year-end. Other themes include:
● A combination of control issues. Auditors look at the big picture and, in the aggregate, numerous control adjustments can indicate a material weakness in your internal controls. This often trips up large companies with multiple locations and multiple people conducting control testing.
● IT. This is a very broad category, including information technology, software security issues, and system access issues. IT general control issues do rise to the level of material weakness and often are identified during a system implementation or upgrade.
● Revenue recognition tends to be a common critical audit matter. ASC 606 drove process and system changes, and some companies are still struggling with implementing the right controls. It stands to reason that this area gets the most focus by management and auditors.
● Also, in this strong M&A and SPAC market, two areas where controls may not be adequate are in non-routine transactions and forecasts. This is an instance where deficient controls can undermine good accounting.
3. Make your disclosure meaningful.
Material weaknesses can cause concern for investors. Investors want your disclosure to reassure them that you have the capability to operate a strategic and effective ICFR process.
● Disclosure will be more meaningful to investors if management provides a comprehensive explanation and periodic updates about remediation efforts.
● Discuss the cause of the control failure and the potential impact of each material weakness you’ve identified.
● Important disclosures about material weaknesses evolve over time to demonstrate the impact of the remediation.
4. Thinking about effective remediation.
It’s tempting to analyze the error, rather than the entire system, that produced the material weakness. However, this won’t produce a robust, sustainable solution. This is where that initial root cause analysis comes in. It is the basis for an effective, strategic remediation effort.
● Be realistic about the amount of effort and time required to remediate. You will need a budget for the remediation effort, and funding, staffing, a realistic timeline, and perhaps new or upgraded technology.
● Get the risk assessment right. Make sure the risk is well defined and the controls are designed to mitigate the risk. Also, enhance or remediate the compensating controls.
5. How long will it take to call your remediation a success?
There isn’t a guide that spells out how many times a new or modified control must prove to operate effectively before auditors will conclude the remediation testing. In the meantime, they will continue to test controls in sensitive areas.
● Material weaknesses in recurring or daily controls may take longer to effectively remediate and auditors will test them more frequently than controls over monthly or quarterly processes.
● Evidence of successful remediation will take more time with controls that operate over financial reporting.
● Likewise, personnel or system issues may take more time to remediate.
Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.
(1) Audit Analytics SOX 404 Disclosures, September 2020