Source: RSM US LLP.  PBMares is a member of RSM US Alliance. 

ARTICLE

Control deficiencies are common during a Sarbanes-Oxley Act (SOX) audit. However, the volume and pervasiveness of the deficiencies can escalate the severity from just a control deficiency to a significant deficiency (SD) or, in the worst-case scenario, a material weakness (MW). An MW can be a singular problem, but also often represents a number of significant issues that aggregate to create an overarching weakness.

The discovery of an MW or SD in a company’s internal controls can be harmful in several ways. It signals a heightened risk of a misstatement in financial statements and, if not addressed accurately and in a timely manner, could result in a drop in company valuation and damage to the company’s reputation, not to mention incurring remediation costs.

Frequent areas of concern

With the current evolving regulatory environment, the continued focus on enhancing audit quality including identifying internal control weaknesses, and the significant time and expense required to address them, companies need to be aware of common deficiencies. The following five situations are often identified by auditors and result in MWs. While these are only a few examples, they illustrate how easily and quickly challenges can emerge.

Improper technology implementation or integration

A host of issues within a company’s technology approach can lead to an MW. Some common examples would be inadequate access controls, improper role definition and segregation of duties conflicts. In addition, any new technology implementation involves risk. If effective change management controls are not in place, and systems are not seamlessly integrated, gaps can also emerge that compound existing process and control issues rather than remediate them.

Inadequate use of tools to avoid manual error

Certain companies are not leveraging effective tools, such as analytics and reporting tools, to properly mitigate risk and perform key control activities. This leads to a higher risk of manual workaround solutions and control breakdowns that often scale across accounting processes.

Poor accounting organization structure

Some accounting organizations lack the right number of qualified key accounting personnel to process the volume and complexity of accounting transactions. Personnel challenges have also only increased in recent years as turnover in accounting positions has increased and retaining qualified talent has become more difficult. In these scenarios, knowledge gaps can emerge. In addition, some organizations are decentralized and are challenged to build consistent, sustainable accounting processes. These challenges often lead to scalable control breakdowns.

Improper valuation of long-lived assets or liabilities

Many organizations rely on valuation specialists to aid in determining the fair value of long-lived assets or liabilities. Management must own the ultimate valuation and they may not adequately understand and validate key valuation considerations in some cases.

Ineffective segregation of duties (SOD)

With the increasing complexity of financial systems, difficulty in talent retention, and prevalence of hybrid workforces, proper and timely checks and balances over key roles and potential conflicts can be easily overlooked. The lack of thorough and consistent SOD analysis with effective mitigating controls can lead to accountability issues, an increased opportunity for fraud and a significantly weakened internal control environment.

The takeaway

SOX compliance is complex, and with continuing regulatory scrutiny and other factors like employee turnover and subsequent loss of institutional knowledge, a difficult task has become more challenging.

Organizations that are new to SOX compliance should invest in developing the accounting infrastructure (people, process, technology) to avoid MWs. Those that have experienced a recent MW should invest resources toward addressing root causes head-on to avoid long-term increased audit fees, legal fees, reputational harm and cultural challenges.

This article was written by Eliot Mitchell and originally appeared on 2024-01-12.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/understanding-root-causes-of-material-weaknesses-in-internal-controls.html

 

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.