
Understanding root causes of material weaknesses in internal controls

Identifying potential vulnerabilities in your SOX compliance approach

January 11, 2024

Key takeaways

Companies are navigating elevated internal control demands, which may cause material weaknesses.

A material weakness can result in potential financial and reputational harm. 

Identifying and addressing the root causes of material weaknesses is critical to correct issues. 


Control deficiencies are common during a Sarbanes-Oxley Act (SOX) audit. However, the volume and pervasiveness of the deficiencies can escalate the severity from just a control deficiency to a significant deficiency (SD) or, in the worst-case scenario, a material weakness (MW). An MW can be a singular problem, but also often represents a number of significant issues that aggregate to create an overarching weakness.

The discovery of an MW or SD in a company’s internal controls can be harmful in several ways. It signals a heightened risk of a misstatement in financial statements and, if not addressed accurately and in a timely manner, could result in a drop in company valuation and damage to the company’s reputation, not to mention incurring remediation costs.

Frequent areas of concern

Given the evolving regulatory environment, the continued focus on enhancing audit quality (including identifying internal control weaknesses), and the significant time and expense required to address those weaknesses, companies need to be aware of common deficiencies. The following five situations are often identified by auditors and result in MWs. While these are only a few examples, they illustrate how easily and quickly challenges can emerge.

Improper technology implementation or integration

A host of issues within a company’s technology approach can lead to an MW. Common examples include inadequate access controls, improper role definition and segregation of duties conflicts. In addition, any new technology implementation involves risk. If effective change management controls are not in place, and systems are not seamlessly integrated, gaps can also emerge that compound existing process and control issues rather than remediate them.

Inadequate use of tools to avoid manual error

Certain companies are not leveraging effective tools, such as analytics and reporting tools, to properly mitigate risk and perform key control activities. This leads to a higher risk of manual workaround solutions and control breakdowns that often scale across accounting processes.

Poor accounting organization structure

Some accounting organizations lack the right number of qualified key accounting personnel to process the volume and complexity of accounting transactions. Personnel challenges have also only increased in recent years as turnover in accounting positions has increased and retaining qualified talent has become more difficult. In these scenarios, knowledge gaps can emerge. In addition, some organizations are decentralized and are challenged to build consistent, sustainable accounting processes. These challenges often lead to scalable control breakdowns.

Improper valuation of long-lived assets or liabilities

Many organizations rely on valuation specialists to aid in determining the fair value of long-lived assets or liabilities. Management must own the ultimate valuation, but in some cases it may not adequately understand and validate key valuation considerations.

Ineffective segregation of duties (SOD)

With the increasing complexity of financial systems, difficulty in talent retention, and prevalence of hybrid workforces, proper and timely checks and balances over key roles and potential conflicts can be easily overlooked. The lack of thorough and consistent SOD analysis with effective mitigating controls can lead to accountability issues, an increased opportunity for fraud and a significantly weakened internal control environment.

The takeaway

SOX compliance is complex, and with continuing regulatory scrutiny and other factors like employee turnover and subsequent loss of institutional knowledge, a difficult task has become more challenging.

Organizations that are new to SOX compliance should invest in developing the accounting infrastructure (people, process, technology) to avoid MWs. Those that have experienced a recent MW should invest resources toward addressing root causes head-on to avoid long-term increased audit fees, legal fees, reputational harm and cultural challenges.
