In the first quarter of 2023, material weaknesses increased by 25%. For businesses, there's no greater alarm than a material weakness. Even the possibility of a material weakness can cause panic inside the company and shareholders. And as recent cases indicate, merely mentioning a material weakness appears to solicit an adverse reaction from investors, dropping stock prices.

Material weakness and how it impacts your business

A material weakness is a flaw in an internal control that results in a material misstatement. This means the organization's financial data is unreliable and ineffective for evaluating its financial soundness and, therefore, a reasonable stock price. 

Material weakness occurs when one or more of a company's internal controls over financial reporting (ICFR) fails. Companies must disclose material weaknesses in their SEC filings when they are identified. If auditors find a material weakness, they must notify the audit committee to correct the identified issue. 

Investors, auditors, and analysts rely on companies to report accurate financial information. Companies with weak or inadequate internal controls create opportunities for misstatements, fraud, and poor management decisions, leading to shareholder losses. When material weaknesses are reported, it can result in reputational risk and increased costs stemming from: 

• Loss of investor confidence in the company and its stock, causing a decline in stock price
• Increase legal and external audit fees for any services performed to manage the material weakness
• Loss of confidence in executives and the board may for a lack of oversight and governance
• Higher interest rates on credit and loans

Because the potential costs of material weakness are so high, it is essential to implement and manage an effective control environment, especially an established process for assessing and remediating control deficiencies. Enterprises must be confident they can quickly detect and remediate control deficiencies or material weaknesses.

Sources of material weaknesses

Control environment deficiencies are the most common cause of material weakness. Other causes include:

• Financial close process: includes a range of issues related to the timely gathering of data for use in the close process. There may also be accounting policy and procedure issues that prevent timely, accurate, or complete information from being reported.
• Personnel inadequacies and SOD: issues related to deficiencies in the number, training, qualifications, and conduct of employees. 
• IT general controls: controls across IT domains (access to programs and data, computer operations, system change management, and system implementation). Deficiencies in IT general controls can be more pervasive and impact the reliability of business process controls or data.
  

What's the difference between a material weakness and other control deficiencies?

To put things in perspective, let's first define the vocabulary.

Deficiency in ICFR exists when the design or operation of a control(s) does not allow employees to perform their function to prevent, detect, and correct misstatements quickly. 

Deficiency in design exists when: 

• A control required to meet an objective is missing, or 
• An existing control is not correctly designed to fulfill the control objective even when functioning properly. 

Deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the authority or training to perform the control effectively.

Material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented, detected, or corrected on a timely basis. A material weakness must be communicated in writing to management and governance according to AU-C section 265 of the AICPA.

Significant deficiency is a deficiency, or a combination of deficiencies, in an internal control less severe than a material weakness yet substantial enough to merit attention by management and governance. A significant deficiency must also be communicated in writing to management and governance.

Other deficiencies: A control weakness is less severe than a material weakness or a significant deficiency but still requires management's attention. These deficiencies can be reported to management orally or in writing.

How to prevent and detect material weaknesses

Some of the most effective strategies for preventing and detecting material weaknesses include the following:

Detect internal control violations like segregation of duties (SoD) and ITGCs

Internal controls have many functions, the most important being maintaining data safety, integrity, and regulation compliance. Internal controls are also used to maintain accountability and safeguard your data and applications against fraud and theft. Internal control automation embeds the rules and processes that make up your internal controls so that they function unassisted. For example, automated controls can help your organization:

• Define access to data
• Ensure regulatory compliance
• Increase cost-efficiency
• Allow for continuous controls monitoring
• Increase efficiency 
• Reduce the risk of fraud
• Restrict and control data manipulation
• Support accurate reporting 
• Improved security posture
• Log changes and access to data

Risk remediation

Remediation is crucial in addressing access control incidents where policies have determined the existence of a violation. Remediation involves multiple participants from the business, audit, and IT to determine the appropriate corrective action. 

The following are considerations for remediation: 

• Access risk remediation requires two significant types of corrective actions. 
• When a user has access to conflicting entitlements that pose "inherent risk," the security configuration in the application requires updating. 
• Reassigning user roles where the violation is caused by the user having access to two or more conflicting roles. 
• Role security configuration is the root cause of most access policy violations. However, updating roles in an ERP system with hundreds or thousands of active users can negatively affect business performance. However, with Enterprise Roles Manager, new roles should be safely simulated to test for SoD conflicts before being deployed into production, eliminating the risk of adverse performance impacts.
• Companies and auditors get bogged down during remediation because of the difficulty in changing the security design to allow business users to perform their tasks. 
• Role redesign analysis examines violations and creates "target" roles that can be reconfigured and tested for access policy compliance before deploying the compliant roles into the production system.
  

Prevent control risks

Segregation of duties is a control used to prevent fraud, theft, misuse of information, and other security breaches. This is accomplished by dividing a process into separate tasks so no one user has control over an entire process. SoD is the most effective way to place controls over your organization's assets and prevent financial misstatements and fraud. SoD serves a two-fold purpose:

It ensures that you have oversight and review of access and control of conflicts within your organization, and it helps you prevent fraud or theft because it requires two people to conspire to hide transactions and errors. SoD controls provide a layer of checks and balances on the activities of your users and help you keep track of access violations. 

Lookback analysis

Having insight into who is entering and maintaining data within your enterprise applications is a critical audit function for all organizations. During a look-back analysis, auditors review prior-period evidence to understand inaccuracies and assess the reliability of management’s process. Auditors may require a lookback analysis to review prior-period evidence of potential risk and to evaluate the effectiveness of the access controls management process. This is done by detecting incidents where the risk detected during the audit analysis may have materialized. 

For example, the SoD controls analysis identifies the users who violate one or more SOD policies. Once the violations are detected, and most of the risk is remediated or mitigated by fixing security roles or changing user access assignments, the remaining unmitigated "residual" risk requires lookback analysis. Residual risks exist in most complex ERP systems because the labor-intensive remediation process involves process changes or additional staff. All of these options are time-consuming and expensive. 

Residual risk requires auditors to perform a lookback analysis to detect users that performed conflicting activities where the risk was not mitigated. For example, if users in the payables department could create and pay a supplier, how many of those users performed such transactions during the audit period? This analysis qualifies SoD risks by identifying and quantifying the financial exposure from SoD violation transactions, e.g., creating a supplier and paying that supplier. Historically a monumental task, this type of analysis can be automated with modern solutions and advanced analytics capabilities.

Transaction monitoring 

Transaction monitoring improves visibility into financial, operational, and risk management controls. Transaction monitoring allows management to track transactions across IT infrastructure and detect, alert, and correct unexpected business or technical changes. Transaction monitoring provides visibility into the flow of transactions across the IT infrastructure. Transaction monitoring scans risk across business processes, like Financial Close, Order-to-Cash, and Procure-to-Pay. It allows businesses to investigate transaction errors within their ERP that do not comply with SoD, governance policies, regulatory requirements, or business performance objectives. 

Managing controls passively is risky

An effective control environment sets you up for success by regularly measuring and managing control design for operating effectiveness. Even well-designed control environments will have occasional control deficiencies. And because most material weaknesses start as control deficiencies, it is essential to catch and remediate them before they grow.

What to learn more about how SafePaaS can help you prevent material weakness?