A material weakness is often the result of deficiencies in one or more of a company’s internal controls. Material weaknesses can have damaging effects on a company’s credit rating and share price, and lead to higher audit fees and loss of investor confidence. Oftentimes, there is not one simple cause for the material weakness, but rather an aggregation of control deficiencies that could yield a material misstatement in the financial statements. As a result, public companies strive to prevent such deficiencies in internal control. For companies experiencing rapid growth or a period of significant change, however, the risk that controls are not properly designed or operating effectively is significantly heightened.
Fortunately, understanding trends in material weaknesses and the common situations where such deficiencies occur provides companies a path to mitigate the related risks. Here are some common scenarios that add significant risk to a company’s internal control over financial reporting (ICFR).
1. Technology Implementation
While organizational agility is often critical to a company’s success, change management can be challenging for companies to navigate, especially when implementing new technologies. Material weaknesses commonly arise when change management controls associated with a technology implementation are insufficient, as these controls are designed to ensure companies maintain data integrity as they migrate to a new technology solution. When effective change management processes are ignored, data integrity issues can cripple a company’s control environment. As companies implement new technology, proactively establishing a change management process that includes defined controls to ensure data integrity, such as system-to-system reconciliations during a parallel run period, can significantly reduce the risk of a material weakness.
2. Business Combinations or Divestitures
Business combinations or divestitures are events that often result in control deficiencies. Acquired entities bring a host of previously unconsidered risks driven by a lack of legacy control structure or exposure to markets, geographies, or business partners. In connection with an acquisition, companies should refresh their consolidated risk assessment to ensure key controls are in place to mitigate the risk of material misstatement. This refresh should occur regardless of whether the newly acquired business operates largely independently or if its operations are quickly integrated. Similarly, refreshing the risk assessment is advisable with a divestiture, as materiality thresholds could be impacted, resulting in changes to key versus non-key control classification.
Furthermore, transactions drive a number of complex technical accounting, financial reporting, and valuation matters. Companies need to ensure their teams have the appropriate skills and competence to solve these challenging issues. Companies are often exposed to a risk of a material misstatement when they lack key controls and clear documentation supporting management’s inputs, judgments, and review of accounting conclusions.
3. Turnover of Accounting and Finance Personnel
When key accounting and finance personnel leave an organization, the result is often a void in the control environment. Significant transactions, such as business combinations or divestitures, can exacerbate these issues; attempting to work through the complex accounting and financial reporting issues from these transactions with a depleted team and in a compressed timeframe leaves companies exposed to potential material weaknesses. When turnover occurs, management should ensure proper knowledge transfer and, furthermore, that accountability for transitioned tasks is fully addressed. Companies can prepare for this scenario before it occurs by having robust process documentation in place, including process narratives, desktop procedures, and job aids.
4. Adoption of New Accounting Standards
Companies face multiple control risks when they adopt a new accounting standard. In addition to establishing the appropriate processes and controls post-adoption, companies should ensure effective controls surrounding the adoption are in place. For example, during the adoption of the new revenue standard, controls should be designed to validate that a representative population of contracts or transactions has been evaluated to support the technical accounting conclusions. These types of controls are frequently overlooked as companies are working through high volumes of data within a short adoption window.
5. Failure to Address Completeness and Accuracy
Increasingly, external auditors are validating the completeness and accuracy of key reports and data inputs that are leveraged in the execution of key controls. In other words, obtaining a report from a system is often insufficient to prove completeness and accuracy of the design and effectiveness of the underlying information technology controls. Companies should perform validation procedures to ensure any editable or custom system-driven reports are populated by the appropriate data tables using consistent queries. Additionally, if editable files, such as an Excel workbook, support the execution of key controls, further validation efforts are necessary. Beyond source data validation, any manual procedures that are performed to refine queried data should be thoroughly documented.
Most public companies will encounter one or more of these common scenarios. Establishing a robust controls environment and ensuring ICFR programs are properly calibrated to mitigate the impending risk is critical to avoiding material weaknesses and the resulting negative impacts.
Matt Farrell is senior manager for Riveron, a business advisory firm that brings consulting, public accounting and industry experience to its clients. Riveron is based in Dallas, with additional offices in Atlanta, Chicago, Denver, Houston, Minneapolis, New York City, and Washington, DC.