ARTICLE | January 12, 2024

Authored by RSM US LLP

For more information, please contact Mark Stamer at mstamer@dopkins.com.

Control deficiencies are common during a Sarbanes-Oxley Act (SOX) audit. However, the volume and pervasiveness of the deficiencies can escalate the severity from just a control deficiency to a significant deficiency (SD) or, in the worst-case scenario, a material weakness (MW). An MW can be a singular problem, but also often represents a number of significant issues that aggregate to create an overarching weakness.

The discovery of an MW or SD in a company’s internal controls can be harmful in several ways. It signals a heightened risk of a misstatement in financial statements and, if not addressed accurately and in a timely manner, could result in a drop in company valuation and damage to the company’s reputation, not to mention incurring remediation costs.

Frequent areas of concern

With the current evolving regulatory environment, the continued focus on enhancing audit quality including identifying internal control weaknesses, and the significant time and expense required to address them, companies need to be aware of common deficiencies. The following five situations are often identified by auditors and result in MWs. While these are only a few examples, they illustrate how easily and quickly challenges can emerge.

Improper technology implementation or integration

A host of issues within a company’s technology approach can lead to an MW. Some common examples would be inadequate access controls, improper role definition and segregation of duties conflicts. In addition, any new technology implementation involves risk. If effective change management controls are not in place, and systems are not seamlessly integrated, gaps can also emerge that compound existing process and control issues rather than remediate them.

Inadequate use of tools to avoid manual error

Certain companies are not leveraging effective tools, such as analytics and reporting tools, to properly mitigate risk and perform key control activities. This leads to a higher risk of manual workaround solutions and control breakdowns that often scale across accounting processes.

Poor accounting organization structure

Some accounting organizations lack the right number of qualified key accounting personnel to process the volume and complexity of accounting transactions. Personnel challenges have also only increased in recent years as turnover in accounting positions has increased and retaining qualified talent has become more difficult. In these scenarios, knowledge gaps can emerge. In addition, some organizations are decentralized and are challenged to build consistent, sustainable accounting processes. These challenges often lead to scalable control breakdowns.

Improper valuation of long-lived assets or liabilities

Many organizations rely on valuation specialists to aid in determining the fair value of long-lived assets or liabilities. Management must own the ultimate valuation and they may not adequately understand and validate key valuation considerations in some cases.

Ineffective segregation of duties (SOD)

With the increasing complexity of financial systems, difficulty in talent retention, and prevalence of hybrid workforces, proper and timely checks and balances over key roles and potential conflicts can be easily overlooked. The lack of thorough and consistent SOD analysis with effective mitigating controls can lead to accountability issues, an increased opportunity for fraud and a significantly weakened internal control environment.

The takeaway

SOX compliance is complex, and with continuing regulatory scrutiny and other factors like employee turnover and subsequent loss of institutional knowledge, a difficult task has become more challenging.

Organizations that are new to SOX compliance should invest in developing the accounting infrastructure (people, process, technology) to avoid MWs. Those that have experienced a recent MW should invest resources toward addressing root causes head-on to avoid long-term increased audit fees, legal fees, reputational harm and cultural challenges.

This article was written by Eliot Mitchell and originally appeared on 2024-01-12.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/services/risk-fraud-cybersecurity/understanding-root-causes-of-material-weaknesses-in-internal-controls.html

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

Dopkins & Company, LLP is a proud member of RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.

For more information on how the Dopkins & Company, LLP can assist you, please call us at 716.634.8800.

For more information, contact

Mark B. Stamer CPA

As a member of the Assurance Services Department, Mark primarily focuses on consulting services provide to a variety of the firm’s closely-held businesses. Mark helps streamline processes and provide management with financial information by researching, analyzing, and preparing financial statements. As a member of the Firm’s Forensic Accounting Group, he routinely assists in forensic accounting matters, litigation support services, and fraud prevention techniques.