Share

10 Steps to Remediate Material Weaknesses

Background

Editor’s note: This article was originally published on May 4, 2021. It was updated on August 23, 2023.

Many companies end up reporting material weakness(es) in the early stages of becoming public or acquiring private companies. Getting rid of a material weakness requires a strategy, proper remedial action planning, and adequate time to demonstrate sustained operational effectiveness (typically a minimum of 3 months). Transitioning from an emerging growth company and a non-accelerated filer (404 (a)) to an accelerated or large accelerated filer (404 (b)) requiring external auditor opinion on internal controls over financial reporting (ICFR) can also present additional weaknesses as controls are now evaluated through the lens of the Public Accounting Oversight Board (PCAOB) standards vs. the Security and Exchange Commission’s (SEC’s).

Key Considerations in Material Weakness Remediation

With recent emphasis by the PCAOB on components and quality of review elements of controls, existing controls that seemingly appear to be perfectly designed and working for many years seem to have gaps if the review is deficient due to any factors such as quality of inputs, segregation of duties, and lack of documentation highlighting review criteria. The following areas most often lead to an increase in the number of internal control issues, and at times, in material weakness-related disclosures:

• Lack of adequate internal expertise to provide a qualitatively sufficient review.
• Insufficient assessment of segregation of duties across processes.
• Inadequate evaluation of the accounting treatment of non-routine and complex transactions.
• Lack of sufficient Information Technology General Controls (ITGCs), particularly in areas of access management, change management, and controls over the use of third-party service providers.

For a company that has disclosed a material weakness in its ICFR, their eagerness to disclose that it has remediated those weaknesses is obvious. Before making such a conclusion, management needs to ensure that it has enough basis to do so. This is a challenging path, as management needs to take into account its ICFR framework, accounting standards, applicable guidance from the SEC and PCAOB, and its own resource constraints in coming up with a remediation plan acceptable to all stakeholders, such as process owners, audit committees or board of directors, and internal and external auditors. The following discusses key aspects in implementing an effective remediation plan:

1. Determine the Root Cause
   Perform a root cause analysis of your material weakness and the risk factors associated with it. Many times, these are qualitative factors: lack of education regarding policies and procedures, lack of proper documentation, and lack of adequate data. An agreement on the root cause is the first step in developing a remediation plan.
2. Build Your Remediation Team
   Successful remediation will involve various stakeholders to ensure their concerns are addressed. While the process owner (head of the department or similar) may be the lead in charge of the remediation process, inputs from various stakeholders, such as internal auditors for technical expertise, senior management for additional resources such as people or technology tools, IT Department for required data inputs, and external vendors for providing any outsourced services is required. The nature, timing, and extent of their involvement will vary, but their inputs are important ingredients to a practical and effective solution.
3. Develop a Remediation Plan Aligned with All Stakeholders
   The remediation team may come up with alternatives that work for its own needs but does not address the needs of others. Remediation can take a variety of different forms, such as formalizing an existing operational control into the ICFR, tweaking the existing process, and outsourcing certain activities to enhance competency or segregation of duties. All such alternatives should be evaluated to ensure it addresses the identified root causes and mitigates the risks.
4. Perform a Feasibility Exercise
   Remedial action plans should be feasible, backed by an appropriate cost-benefit analysis, and not be termed “best laid plans” that never actually work. Management may decide to perform a feasibility study on the best alternative to see if the alternative can be truly implemented and estimate resource requirements from personnel, system, and budgetary perspectives.
5. Obtain Buy-In from Stakeholders
   Once alternatives are rated in terms of feasibility and management is keen to implement the remediation, it is necessary to share the remediation plan with internal and external stakeholders and other governance related committees (for significant changes) to ensure alignment. This buy-in makes effective implementation easier.
6. Make a Timely Decision
   A remediation simply designed and implemented is not sufficient to remove material weakness. Any controls, including remediation, need to have been performed consistently to enable assessment of its operating effectiveness either by management or its external auditors for a sustained period (typically a minimum of 3 months).
7. Update SOX Documentation
   Once implemented, the remediated procedures and related controls should be incorporated in the formal SOX process documentation as soon as possible to enable various SOX compliance procedures, such as testing, to be performed in a timely manner so that the effectiveness of the newly implemented remediation can be assessed and monitored.
8. Evaluate and Monitor
   Consistency and auditability are key to demonstrating an effective remediation. Management needs a sufficient basis to demonstrate the effectiveness of its remediation and should document its testing of remediated controls in a timely manner. Effective monitoring criteria to perform the control on a consistent basis needs to be formalized to ensure sustained execution occurs.
9. Disclose
   It is not prudent to continue material weakness-related disclosures from quarter to quarter, let alone from year to year. Following the above steps would allow management to disclose the elimination of material weakness totally or to demonstrate progress in its steps to achieve remediation effectively.
10. Educate
    It is important to educate the key leadership, process owners, and controls owners on SOX compliance requirements and expectations. Additionally, it is important to drive a risk-managed culture to reduce the potential for future material weaknesses.

Summary

SOX compliance requires a cultural shift and a mindset change to make it a sustainable framework for companies to drive accuracies in the externally reported financial reports and boost investor confidence. Education for all involved throughout the process of remediation is essential. Management needs to prioritize its allocation of resources to ensure that areas of material weaknesses and hence higher risk areas continue to remain addressed. Those charged with SOX governance need to think of material weaknesses in two parallels: (1) Remediation of existing material weaknesses and (2) Taking steps to alleviate future ICFR issues that could lead to future material weaknesses.

Centri’s SOX Advisory and Internal Audit team is well-versed across a variety of industries. We have the expertise to ensure your business gets the support it needs to be fully SOX-compliant and set up for a successful future. We can help you establish internal controls that are a value add for your business, remediating material weaknesses, recommending process improvements, and enhancing the reliability of your financial statements. Contact us to learn more.