View full PDF here.
The management of public companies is responsible for maintaining a strong internal environment, including implementing and executing well-designed controls and applying timely remedial actions on control issues identified. Although the change approved in March 2020 by the SEC related to accelerated/non-accelerated filer definitions increased the thresholds for small reporting companies requiring external auditor attestation, it did not establish any thresholds for management’s assessment, which emphasizes management’s primary responsibility of having effective governance towards maintaining, certifying, and disclosing its assessment of internal controls over financial reporting.
Many companies end up reporting material weakness(es) in early stages of being in public or acquiring private companies. Getting rid of a material weakness requires a strategy and requires proper remedial action planning and adequate time to demonstrate sustained operational effectiveness for a period of at least 3-6 months. Transitioning from a smaller reporting company and a non-accelerated filer (404 a) to an accelerated filer (404 b) requiring external auditor opinion on internal controls over financial reporting can also present additional weaknesses as controls are now evaluated through the lens of PCAOB standards (vs. SEC’s).
Key Considerations in Material Weakness Remediation
With recent emphasis by PCAOB on components and quality of review elements of controls, existing controls that seemingly appear to be perfectly designed and working for many years, seem to have gaps if the review is deficient due to any factors such as quality of inputs, segregation of duties, lack of documentation highlighting review criteria (Management Review Controls), etc. The following areas are seen to lead to an increase in number of internal control issues and at times in material weakness related disclosures:
- Lack of adequate internal expertise to provide a qualitatively sufficient review
- Insufficient assessment of segregation of duties across processes, and inadequate considerations in review of non-routine and complex transactions, especially management review controls
- Lack of sufficient Information Technology General Controls (ITGC’s) particularly in areas of access management, change management and controls over use of third-party service providers
For a company that has disclosed a material weakness in its control environment, their eagerness to disclose that it has remediated those weaknesses is obvious. Before making such a conclusion, management needs to ensure that it has enough basis to do so. This is a challenging path, as management needs to take into account its internal control framework, best practices, accounting standards, applicable guidance from SEC and PCAOB and its own resource constraints in coming up with a remediation acceptable to all stakeholders such as process owners, audit committees or board of directors, and internal and external auditors. The following discusses key aspects in implementing an effective remediation plan:
- Analyze a root cause
Perform a root cause analysis of your material weakness and risk factors associated with it. Many times, these are qualitative factors: lack of education regarding policies and procedures, lack of proper documentation, lack of inadequate data, etc. An agreement on the root cause is the first step in developing remediated procedures.
- Build your remediation team
A successful remediation should involve acceptance of various stakeholders to ensure their concerns are addressed. While the process owner (head of the department or similar) may be the lead in charge of the remediation process, inputs from various stakeholders such as internal auditors for technical expertise, senior management for additional resources such as people or technology tools, IT Department for required data inputs, and external vendors for providing any outsourced services is required. The nature, timing and extent of their involvement will vary, but their inputs are important ingredients to a practical and an effective solution.
- Develop a resolution plan aligned with management, internal and external auditors
The remediation team may come up with alternatives that work for its own control environment. Remediation can take a variety of different forms such as formalizing an existing operational control into the SOX program, tweaking the existing process, outsourcing certain activities to enhance competency or segregation of duties, etc. All such alternatives should be evaluated to ensure if it addresses the root causes identified and mitigates the concerned risks.
- Perform a feasibility exercise
Remedial action plans should be feasible and backed by an appropriate cost-benefit analysis and not be termed as “best laid plans” that never actually worked. Management may decide to perform a feasibility study on the best alternative to see if the alternative can be truly implemented and estimate resource requirements from personnel, system and budgetary perspectives.
- Obtain buy-in from stakeholders
Once alternatives are rated in terms of feasibility and management is keen to implement the remediation, it is necessary to share the remediation plan with internal and external stakeholders and other governance related committees (for significant changes) to ensure alignment. This buy-in eases effective implementation.
- Make a timely decision
A remediation simply designed and implemented is not sufficient to remove material weakness. Any controls, including remediation, need to have been performed consistently to enable assessment of its operating effectiveness either by management or its external auditors for a sustained period (approximately 3-6 months).
- Update SOX documentation
Once implemented, the remediated procedures and related controls should be incorporated in the formal SOX process documentation as soon as possible to enable various SOX compliance procedures such as testing to be performed in a timely manner so that the effectiveness of the newly implemented remediation can be monitored.
- Evaluate and Monitor
Consistency and auditability are key to demonstrating an effective remediation. Management needs a sufficient basis to demonstrating the effectiveness of its remediation and hence should document its testing of remediated controls in a timely manner. Effective monitoring criteria to perform the control on a consistent basis needs to be formalized to ensure sustained accurate execution has occurred.
It is not prudent to continue material weakness related disclosures from quarter to quarter, let alone from year to year. Following the above steps would allow management to disclose elimination of material weakness totally or to demonstrate a progress in its steps to achieve remediation in a timely manner.
It is important to educate the key leadership, process owners, and controls owners on SOX Compliance expectations. Additionally, it is important to drive a risk-managed culture to reduce the potential for future material weaknesses.
SOX compliance is a habit, a cultural shift, and a mindset change to make it a sustainable framework for companies to drive accuracies in the financial reports to boost investor confidence. Education for all involved throughout the process of remediation is essential. Management needs to prioritize its allocation of resources to ensure that areas of material weaknesses, and hence, higher risk areas continue to remain addressed. Those charged with SOX governance need to think of material weaknesses in two parallels: (1) Remediation of Existing Material Weaknesses; and (2) Take steps to alleviate new internal control issues that could lead to new material weaknesses.
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality finance and accounting consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, valuation services, technical accounting research, and CFO advisory services for companies of various sizes and industries. From complex technical accounting transactions to periodic financial reporting, our professionals can offer any organization the specialized expertise and multilayered skill sets to ensure the project is completed timely and accurately.
Eight Penn Center
1628 JFK Boulevard, Suite 500
Philadelphia, PA 19103
New York Office
530 Seventh Avenue
New York, NY 10018
8310 South Valley Highway
Englewood, CO 80112