10 Steps to Remediate Material Weaknesses

Background

Many companies end up reporting material weakness(es) in the early stages of becoming public or acquiring private companies. Getting rid of a material weakness requires a strategy, proper remedial action planning, and adequate time to demonstrate sustained operational effectiveness (typically a minimum of 3 months). Transitioning from an emerging growth company and a non-accelerated filer (404 (a)) to an accelerated or large accelerated filer (404 (b)) requiring external auditor opinion on internal controls over financial reporting (ICFR) can also present additional weaknesses as controls are now evaluated through the lens of the Public Accounting Oversight Board (PCAOB) standards vs. the Security and Exchange Commission’s (SEC’s).

Key Considerations in Material Weakness Remediation

With recent emphasis by the PCAOB on components and quality of review elements of controls, existing controls that seemingly appear to be perfectly designed and working for many years seem to have gaps if the review is deficient due to any factors such as quality of inputs, segregation of duties, and lack of documentation highlighting review criteria. The following areas most often lead to an increase in the number of internal control issues, and at times, in material weakness-related disclosures:

  • Lack of adequate internal expertise to provide a qualitatively sufficient review.
  • Insufficient assessment of segregation of duties across processes.
  • Inadequate evaluation of the accounting treatment of non-routine and complex transactions.
  • Lack of sufficient Information Technology General Controls (ITGCs), particularly in areas of access management, change management, and controls over the use of third-party service providers.

For a company that has disclosed a material weakness in its ICFR, their eagerness to disclose that it has remediated those weaknesses is obvious. Before making such a conclusion, management needs to ensure that it has enough basis to do so. This is a challenging path, as management needs to take into account its ICFR framework, accounting standards, applicable guidance from the SEC and PCAOB, and its own resource constraints in coming up with a remediation plan acceptable to all stakeholders, such as process owners, audit committees or board of directors, and internal and external auditors. The following discusses key aspects in implementing an effective remediation plan:

  1. Determine the Root Cause
    Perform a root cause analysis of your material weakness and the risk factors associated with it. Many times, these are qualitative factors: lack of education regarding policies and procedures, lack of proper documentation, and lack of adequate data. An agreement on the root cause is the first step in developing a remediation plan.
  2. Build Your Remediation Team
    Successful remediation will involve various stakeholders to ensure their concerns are addressed. While the process owner (head of the department or similar) may be the lead in charge of the remediation process, inputs from various stakeholders, such as internal auditors for technical expertise, senior management for additional resources such as people or technology tools, IT Department for required data inputs, and external vendors for providing any outsourced services is required. The nature, timing, and extent of their involvement will vary, but their inputs are important ingredients to a practical and effective solution.
  3. Develop a Remediation Plan Aligned with All Stakeholders
    The remediation team may come up with alternatives that work for its own needs but does not address the needs of others. Remediation can take a variety of different forms, such as formalizing an existing operational control into the ICFR, tweaking the existing process, and outsourcing certain activities to enhance competency or segregation of duties. All such alternatives should be evaluated to ensure it addresses the identified root causes and mitigates the risks.
  4. Perform a Feasibility Exercise
    Remedial action plans should be feasible, backed by an appropriate cost-benefit analysis, and not be termed “best laid plans” that never actually work. Management may decide to perform a feasibility study on the best alternative to see if the alternative can be truly implemented and estimate resource requirements from personnel, system, and budgetary perspectives.
  5. Obtain Buy-In from Stakeholders
    Once alternatives are rated in terms of feasibility and management is keen to implement the remediation, it is necessary to share the remediation plan with internal and external stakeholders and other governance related committees (for significant changes) to ensure alignment. This buy-in makes effective implementation easier.
  6. Make a Timely Decision
    A remediation simply designed and implemented is not sufficient to remove material weakness. Any controls, including remediation, need to have been performed consistently to enable assessment of its operating effectiveness either by management or its external auditors for a sustained period (typically a minimum of 3 months).
  7. Update SOX Documentation
    Once implemented, the remediated procedures and related controls should be incorporated in the formal SOX process documentation as soon as possible to enable various SOX compliance procedures, such as testing, to be performed in a timely manner so that the effectiveness of the newly implemented remediation can be assessed and monitored.
  8. Evaluate and Monitor
    Consistency and auditability are key to demonstrating an effective remediation. Management needs a sufficient basis to demonstrate the effectiveness of its remediation and should document its testing of remediated controls in a timely manner. Effective monitoring criteria to perform the control on a consistent basis needs to be formalized to ensure sustained execution occurs.
  9. Disclose
    It is not prudent to continue material weakness-related disclosures from quarter to quarter, let alone from year to year. Following the above steps would allow management to disclose the elimination of material weakness totally or to demonstrate progress in its steps to achieve remediation effectively.
  10. Educate
    It is important to educate the key leadership, process owners, and controls owners on SOX compliance requirements and expectations. Additionally, it is important to drive a risk-managed culture to reduce the potential for future material weaknesses.

Summary

SOX compliance requires a cultural shift and a mindset change to make it a sustainable framework for companies to drive accuracies in the externally reported financial reports and boost investor confidence. Education for all involved throughout the process of remediation is essential. Management needs to prioritize its allocation of resources to ensure that areas of material weaknesses and hence higher risk areas continue to remain addressed. Those charged with SOX governance need to think of material weaknesses in two parallels: (1) Remediation of existing material weaknesses and (2) Taking steps to alleviate future ICFR issues that could lead to future material weaknesses.

Centri’s SOX Advisory and Internal Audit team is well-versed across a variety of industries. We have the expertise to ensure your business gets the support it needs to be fully SOX-compliant and set up for a successful future. We can help you establish internal controls that are a value add for your business, remediating material weaknesses, recommending process improvements, and enhancing the reliability of your financial statements. Contact us to learn more.

Editor’s note: This article was originally published on May 4, 2021. It was updated on October 11, 2023.

About Centri Business Consulting, LLC

Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reportinginternal controlstechnical accounting researchvaluationmergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.

Centri’s Capital Conference

The Centri Capital Conference is a one-day event held at Nasdaq on April 22, 2025. This platform will connect investors with executives from presenting companies in various emerging and rapid-growth sectors, including disruptive technologylife scienceshealthcare, and more. The conference will feature industry panels, dynamic speakers, and networking opportunities and will give growth-oriented private and public companies a place to showcase their innovations.

For more details, contact us at capitalconference@centriconsulting.com.

Philadelphia
Eight Penn Center
1628 John F Kennedy Boulevard
Suite 500
Philadelphia, PA 19103
New York City
530 Seventh Avenue
Suite 2201
New York, NY 10018
Raleigh
4509 Creedmoor Rd
Suite 206
Raleigh, NC 27612
Tampa
615 Channelside Drive
Suite 207
Tampa, FL 33602
Atlanta
1175 Peachtree St. NE
Suite 1000
Atlanta, GA 30361
Boston
50 Milk St.
18th Floor
Boston, MA 02109
Tysons Corner
1775 Tysons Blvd
Suite 4131
McLean, VA 22102
Denver
One Tabor Center
1200 17th St.
Floor 26
Denver, CO 80202
Centri Everywhere
1-855-CENTRI1
virtual@CentriConsulting.com

11/20/2024

Bridging The GAAP: November 2024

Centri’s Bridging the GAAP newsletter highlights this month’s news, developments and emerging...

Read More

11/13/2024

Key Tax Insights for Loss Corporations: Navigating Sections 382, 383, and 384

Many corporations, even if profitable from a book perspective, may generate tax...

Read More

11/13/2024

How Centri Can Help Your Foreign Listing on a U.S. Exchange

The United States continues to be the destination of choice for many...

Read More

Related Services