Key Considerations in Material Weakness Remediation
Management of public companies is responsible for maintaining a strong internal environment, including implementing and executing well-designed controls and taking timely remedial action on identified control issues. Although the recent change approved by the SEC related to accelerated/non-accelerated filer definitions increased the thresholds for small reporting companies requiring external auditor attestation, it did not establish any thresholds for management’s assessment, which emphasizes management’s primary responsibility for effective governance in maintaining, certifying and disclosing its assessment of internal controls over financial reporting.
With the PCAOB’s recent emphasis on the components and quality of the review elements of controls, existing controls that have appeared to be perfectly designed and working for many years can turn out to have gaps if the review is deficient due to factors such as quality of inputs, segregation of duties, or lack of documentation highlighting review criteria (Management Review Controls). The following areas are seen to lead to an increase in the number of internal control issues and, at times, in material weakness related disclosures:
- Lack of adequate internal expertise to provide a qualitatively sufficient review
- Insufficient assessment of Segregation of Duties across processes, and inadequate considerations in review of non-routine and complex transactions, especially Management Review Controls
- Lack of sufficient Information Technology General Controls (ITGCs), particularly in the areas of access management, change management and controls over use of third-party service providers
A company that has disclosed a material weakness in its control environment is understandably eager to disclose that it has remediated that weakness. Before reaching such a conclusion, management needs to ensure that it has enough basis to do so. This is a challenging path, as management needs to take into account its internal control framework, best practices, accounting standards, applicable guidance from the SEC and PCAOB, and its own resource constraints in coming up with a remediation acceptable to all stakeholders, such as process owners, audit committees or boards of directors, and internal and external auditors. The following points discuss key aspects of implementing an effective remediation plan:
- Analyze a root cause
Perform a root cause analysis of your material weakness and the risk factors associated with it. Many times, these are qualitative factors: lack of education regarding policies and procedures, lack of proper documentation, lack of adequate data, etc. An agreement on the root cause is the first step in developing remediated procedures.
- Build your remediation team
A successful remediation should involve acceptance by the various stakeholders to ensure their concerns are addressed. While the process owner (head of the department or similar) may be the lead in charge of the remediation process, inputs are required from various stakeholders, such as internal auditors for technical expertise, senior management for additional resources such as people or technology tools, the IT Department for required data inputs, and external vendors for any outsourced services. The nature, timing and extent of their involvement will vary, but their inputs are important ingredients of a practical and effective solution.
- Develop a resolution plan aligned with management, internal and external auditors
The remediation team may come up with alternatives that work for its own control environment. Remediation can take a variety of forms, such as formalizing an existing operational control into the SOX program, tweaking the existing process, or outsourcing certain activities to enhance competency or segregation of duties. All such alternatives should be evaluated to ensure that they address the root causes identified and mitigate the risks of concern.
- Perform a feasibility exercise
Remedial action plans should be feasible and backed by an appropriate cost-benefit analysis and not be termed as “best-laid plans” that never actually worked. Management may decide to perform a feasibility study on the best alternative to see if the alternative can be truly implemented and estimate resource requirements from personnel, system and budgetary perspectives.
- Obtain buy-in from stakeholders
Once alternatives are rated in terms of feasibility and management is keen to implement the remediation, it is necessary to share the remediation plan with internal and external stakeholders and other governance related committees (for significant changes) to ensure alignment. This buy-in eases effective implementation.
- Make a timely decision
A remediation that is simply designed and implemented is not sufficient to remove a material weakness. Any controls, including remediation, need to have been performed consistently for a sustained period (approximately 3-6 months) to enable assessment of their operating effectiveness, either by management or by its external auditors.
- Update SOX documentation
Once implemented, the remediated procedures and related controls should be incorporated in the formal SOX process documentation as soon as possible to enable various SOX compliance procedures such as testing to be performed in a timely manner so that the effectiveness of the newly implemented remediation can be monitored.
- Evaluate and Monitor
Consistency and auditability are key to demonstrating an effective remediation. Management needs a sufficient basis to demonstrate the effectiveness of its remediation and hence should document its testing of remediated controls in a timely manner. Effective monitoring criteria for performing the control on a consistent basis need to be formalized to ensure that sustained, accurate execution has occurred.
It is not prudent to continue material weakness related disclosures from quarter to quarter, let alone from year to year. Following the above steps would allow management to disclose elimination of material weakness totally or to demonstrate progress in its steps to achieve remediation in a timely manner.
Impact of COVID-19 on 2020 Remediation Plans
We are more than two months into the COVID-19 pandemic, and we are re-orienting ourselves on how we do things on both a professional and a personal level. Those charged with SOX governance need to think of material weaknesses along two parallel tracks: (1) remediating existing material weaknesses; and (2) taking steps to alleviate new internal control issues that could lead to new material weaknesses.
COVID-19 could delay remediation plans already in place and could significantly constrain the financial and personnel resources of an organization. Management needs to prioritize its allocation of resources to ensure that areas of material weakness, and hence areas higher in risk, continue to be addressed.
Further, management should evaluate whether any changes in its control environment or procedures could lead to newer risks in ITGC or other business processes, and avoid potential control issues that may lead to newer material weaknesses. Refer to the Centri Alert of April 3, 2020, Internal Control Considerations, for potential shifts in risks in people, process and technology aspects and several considerations in financial reporting processes.
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, and CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.
For more information, please visit www.CentriConsulting.com