Guide for Management — Next Steps After Identifying a Deficiency in Internal Control Over Financial Reporting
Introduction
For purposes of this Guide, the terms
“material weakness” and “significant deficiency” refer
to a deficiency, or a combination of deficiencies, in
internal control that represent the most significant
level of severity in accordance with applicable laws and
regulations in your particular geography.
Company management is
responsible for evaluating the severity of a company’s deficiencies in
accordance with its local laws and regulations. It is important to evaluate
whether a deficiency constitutes a material weakness or significant
deficiency1 at the time it is identified, and not solely at the balance sheet
date.
This Guide provides information
relevant to entities when a deficiency has been identified in internal control,
including general information technology controls (GITCs).
This Guide primarily focuses on
activities that are performed after it has been concluded that a deficiency
exists.
This Guide generally applies to all companies, including SEC
registrants, public interest entities, and non-public interest entities.
Throughout the Guide, to the extent that the guidance is specific to SEC
registrants, that has been specifically identified.
Glossary of Terms
Internal control components and principles used in the context of this Guide are
as defined by the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) in Internal Control — Integrated Framework (2013)
(“COSO Framework”). The five internal control components are control
environment, risk assessment, control activities, information system and
communication, and monitoring activities. Each component is associated with a
set of principles that have a significant bearing on the presence and
functioning of the component. Accordingly, if a relevant principle is not
present and functioning, the associated component cannot be present and
functioning.
- “Present” refers to the determination that components and relevant principles exist in the design and implementation of the system of internal control to achieve specified objectives.
- “Functioning” refers to the determination that components and relevant principles continue to exist in the conduct of the system of internal control to achieve specified objectives.
Direct controls are those controls that directly address risks of material
misstatement at the account/assertion level (i.e., they are intended to directly
prevent or detect misstatements due to fraud or error relating to accounts or
disclosures and their relevant assertions). Direct controls may address single
risks of material misstatement or risks on an overall, pervasive basis across
accounts or disclosures (e.g., controls related to closing the books and
preparing the financial statements).
Direct controls typically
include controls related to the following components of internal control:
- Control activities.
- Information system and communication.
Indirect controls are those controls
that do not themselves directly address risks of material misstatement at the
account/assertion level, but rather contribute to or affect the effectiveness of
the direct controls (e.g., programs and controls within the control environment
that contribute to and support the effective operation of direct controls).
Indirect controls typically include:
- Programs and controls related to the following components of internal control:
  - Control environment.
  - Risk assessment.
  - Monitoring activities.
  - Information system and communication.
- General information technology (IT) controls related to the control activities component (excluding general IT controls that directly address risks of material misstatement, which would be considered direct controls).
Organization
This Guide consists of the
following sections:
- Section 1. Identification of a Deficiency and Evaluation of the Severity of a Deficiency
- Section 2. Communication of a Material Weakness or Significant Deficiency
- Section 3. Disclosure of a Material Weakness or Significant Deficiency
- Section 4. Remediation of a Material Weakness or Significant Deficiency
- Section 5. Unique Scenarios That Relate to a Material Weakness or Significant Deficiency
The sections follow the typical sequence of events after a
deficiency has been identified. Depending on the company’s facts and
circumstances, certain considerations or sections may not be applicable. Within
each section, examples and additional information applicable to each subsection
are provided under “Resources,” as applicable.
Section 1. Identification of a Deficiency and Evaluation of the Severity of a Deficiency
This section provides key reminders regarding the evaluation of
the severity of a deficiency.
1a. Deficiency Definitions
A deficiency in internal
control over financial reporting (ICFR) exists when the design or operation
of a control does not allow management or employees, in the normal course of
performing their assigned functions, to prevent or detect misstatements on a
timely basis.
When a deficiency is
identified, it falls into one of two categories: a deficiency in design or a
deficiency in operation. A deficiency in design exists when either a control
is not properly designed to meet the control objective or a control to meet
the specific control objective does not exist. A deficiency in operation
exists when the control itself does not operate as designed or the control
performer does not possess the necessary authority or competence to perform
the control effectively.
Upon the identification of a deficiency, it is important to evaluate the severity of the deficiency in a timely manner. Deficiencies are classified as (1) a control deficiency, (2) a significant deficiency, or (3) a material weakness (as applicable).
The definition of each type
of deficiency is as follows:
- A control deficiency, according to COSO, is a shortcoming in a component or components and relevant principle(s) of internal control that reduces the likelihood that a company can achieve its objectives.
- A significant deficiency is a deficiency, or a combination of deficiencies, important enough to merit attention by those charged with governance.
- Certain laws and regulations, such as those from the United States Securities and Exchange Commission (SEC), define an additional level of severity: a material weakness. A material weakness is a deficiency, or a combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.
The company may need to consider different definitions of
deficiencies and the severity of deficiencies in accordance with its local
laws and regulations.
1b. Analyzing the Root Cause of a Deficiency
A robust analysis of the
root cause of all deficiencies identified is essential. Prior to concluding
on the severity of a deficiency, it is imperative to understand the root
cause of the deficiency (i.e., why, specifically, did the control fail).
After the root cause of the deficiency has been fully assessed, the severity
of the deficiency can be evaluated and concluded upon, and the appropriate
next steps can be determined.
Analyzing the root cause of a deficiency may include the
following considerations:
- Does the deficiency constitute a deficiency in the control’s design or in its operating effectiveness?
- Does the root cause of the deficiency indicate that deficiencies in other controls contributed to the deficiency in question?
- Do the preliminary remediation activities provide insight into what the root cause of the deficiency might be?
- Does the root cause of the deficiency imply potential deficiencies in indirect controls? Has the severity of any deficiencies identified in indirect controls also been assessed?
- Does the deficiency relate to issues with the competence or capabilities of company personnel, the processes in place at the company, or the company’s use of technology?
- What specific control step(s) failed that resulted in the deficiency in question?
- Does the root cause reveal why the control failed (i.e., what caused the control performer to not act appropriately) as opposed to only identifying the control failure (i.e., what the control performer did not do appropriately)?
1c. Evaluation of the Severity of a Deficiency
Upon completion of the root
cause analysis, the severity of the deficiency can be appropriately
evaluated.
The key steps necessary to
evaluate the severity of a deficiency include:
- Gather the facts.
- Consider the potential misstatement.
- Consider compensating controls.
- Conclude.
The framework below depicts a typical sequence of judgments
in considering the requirements for evaluating the severity of a deficiency.
Depending on the facts and circumstances associated with the deficiency,
certain considerations may not be applicable or necessary.
Step 1. Gather the Facts
Obtaining a full understanding of the facts and
circumstances related to the nature and cause of a deficiency is an
important starting point in forming a judgment as to its severity, which
includes consideration of both quantitative and qualitative factors. In
addition to the items referenced above in subsection 1b, “Analyzing the Root
Cause of a Deficiency,” see the additional considerations below to
assist in understanding the nature and cause of the deficiency:
- When the deficiency was identified, who identified it, and the location/business unit where it was identified.
- If the deficiency relates to a misstatement, who identified the misstatement; whether the identification was the result of the operation of a control whose purpose is specifically designed to detect the misstatement; and whether there is sufficient evidence that the control operates routinely (and therefore would detect other misstatements).
- The nature of the control that failed (e.g., preventive or detective, lower-level process or higher-level review, manual or automated).
- The frequency of deviations in the operating effectiveness of the control in relation to the number of times the control operates (e.g., the number of deviations found relative to the number of selections and the total number of instances of the control within the relevant population).
- The risk of material misstatement and the relevant assertion or the component of internal control to which the deficiency relates.
- Whether the related risk of material misstatement that the control is intended to address is a significant risk, including a fraud risk.
- For general IT control deficiencies, the general IT control area and the related IT risk and technology elements affected.
- For indirect control deficiencies, qualitative factors that increase the severity of the deficiency identified, including susceptibility to fraud (including the risk of management override), pervasiveness of the deficient control across the company, the relative significance of the deficient control to the component of internal control, an indication of increased risks of material misstatement or history of misstatements to which the deficient control may have contributed, and whether the deficiency in the indirect control contributed to a deficiency in a control that directly addresses a risk of material misstatement.
- Whether the deficiency relates to an indicator of a material weakness or significant deficiency.2 Refer to subsection 1d, “Indicators of a Material Weakness or Significant Deficiency,” below.
- The size of the account, disclosure, or total of transactions that are subject to the deficient control or the volume of activity in the accounts and disclosures exposed to the deficiency.
- Whether the deficiency relates to an actual misstatement; if so, the actual amount of the misstatement.
- The period of time that the deficiency has existed (e.g., whether the control was operating effectively for part of the year, whether the control was determined to be deficient in the prior year as well).
Step 2. Consider the Potential Misstatement
The severity of a
deficiency should be evaluated by considering if there is a reasonable
possibility that the company’s ICFR would fail to prevent or detect a
misstatement of a financial statement amount or disclosure, as well as
the magnitude of the potential misstatement resulting from the
deficiency or deficiencies. When there is an actual misstatement and a
corresponding deficiency is identified, the actual misstatement is not
the only consideration when classifying the severity of the deficiency.
Rather, the magnitude of the potential misstatement needs to be
considered.
Risk factors affect
whether there is a reasonable possibility that a deficiency, or a
combination of deficiencies, will result in a misstatement of an account
balance or disclosure. These factors include, but are not limited to,
the following:
- The nature of the financial statement accounts, disclosures, and assertions involved.
- The susceptibility of the related asset or liability to loss or fraud.
- The subjectivity, complexity, or extent of judgment required to determine the amount involved.
- The interaction or relationship of the control with other controls, including whether they are interdependent or redundant.
- The interaction of the control deficiencies with other deficiencies in internal control.
- The possible future consequences of the deficiency.
- The cause and frequency of the exceptions detected as a result of the deficiency.
- The importance of the controls to the financial reporting process — for example:
  - General monitoring activities (such as oversight of management).
  - Controls over the prevention and detection of fraud.
  - Controls over the selection and application of significant accounting policies.
  - Controls over significant transactions with related parties.
  - Controls over significant transactions outside the company’s normal course of business.
  - Controls over the period-end financial reporting process (such as controls over non-recurring journal entries).
Multiple deficiencies
that affect the same financial statement account balance or disclosure
increase the likelihood of misstatement and may, in combination,
constitute a material weakness or significant deficiency,3 even though such deficiencies may individually be less severe.
Therefore, the company should consider whether individual control
deficiencies that affect the same significant account or disclosure,
relevant assertion, or component of internal control collectively result
in a material weakness or significant deficiency.3 Refer to subsection 1e,
“Aggregation Considerations.”
Below are criteria that
may be used to evaluate the severity of each deficiency, individually
and in the aggregate, consisting of three elements that are not viewed
discretely, but rather in combination:
- The likelihood (reasonable possibility) of one or more misstatements occurring.
- The potential magnitude of the misstatement(s) resulting from the deficiency or deficiencies (i.e., material or immaterial). When multiple deficiencies result in misstatements that offset one another, there may be a need to consider those misstatements from an absolute value perspective.4
- The existence of compensating or redundant (alternate) controls that might mitigate the severity of the deficiency.
Likelihood and magnitude are often considered in
combination, not separately.
For example, in a population consisting of a large number of small-dollar transactions for which the control does not always operate effectively, there may be a reasonable possibility of an immaterial misstatement occurring, yet there is a remote possibility of that same deficiency resulting in a material misstatement in the same population. Therefore, a reasonable possibility of an immaterial misstatement exists.
Step 3. Consider Compensating Controls and Redundant (Alternate) Controls
Compensating Controls
A compensating control
is one that does not by itself fully address a risk of misstatement to a
remote likelihood, but nevertheless reduces the possibility (likelihood)
of a material misstatement to a remote likelihood. A compensating
control does not therefore “take the place” of the deficient control,
but may result in limiting the severity of the deficiency. The effect of
compensating controls is evaluated individually and in the aggregate
when assessing a deficiency. To have a mitigating effect, the
compensating control should operate at a level of precision that would
prevent or detect and correct misstatements in the financial statements
on a timely basis, including addressing the risks of material
misstatement the deficient control was intended to address.
Redundant (Alternate) Controls
A redundant (alternate)
control is one that, by itself, reduces the risk of misstatement to a
remote likelihood and hence is a “redundant control” (or an “alternate
control”) (i.e., the risk of material misstatement is addressed by the
redundant control such that there is a remote possibility of a
misstatement). When there is an effective redundant control that
addresses the same risk of material misstatement as the deficient
control, the deficient control is typically classified as only a
deficiency and it may not be necessary to further consider the
likelihood and magnitude of the potential misstatement. While the
initial control identified remains a deficiency, in the future, the
redundant control may be identified as the relevant control in place of
the deficient control.
In order to rely on a compensating or redundant control
in evaluating the severity of the deficiency, the compensating or
redundant control should be evaluated for design and implementation
effectiveness, and if applicable, operating effectiveness.
Step 4. Conclude
A company concludes on
the severity of the deficiency based on all the facts and considerations
gathered. Consider the indicators of material weakness or significant
deficiency5 (see subsection
1d), aggregation of more than one deficiency (see subsection 1e), and
the view of a prudent official. The “prudent official” test is meant to
cause us to pause to consider whether someone in the prudent management
or conduct of his or her own affairs (e.g., a third-party user of the
financial statements) would, in evaluating the same facts and
circumstances, reach the same conclusion on whether they have reasonable
assurance that transactions are recorded as necessary to permit the
preparation of financial statements in conformity with the applicable
financial reporting framework. If such same conclusion cannot be reached
by a prudent official, then the deficiency, or combination of
deficiencies, should be treated as an indicator of a material weakness
or significant deficiency.5
Reminder: The severity of a
deficiency does not depend on whether a misstatement has actually
occurred, but rather on the magnitude of the potential misstatement
resulting from the deficiency or deficiencies, and whether there is a
reasonable possibility that the company’s controls will fail to prevent
or detect a misstatement. Significant deficiencies or material
weaknesses may exist even when there are no misstatements
identified.
1d. Indicators of a Material Weakness or Significant Deficiency
When evaluating the severity
of a deficiency, the company considers if the indicators of a material
weakness or significant deficiency5 are present.
The U.S. SEC and certain regulators require companies to evaluate whether the following situations, which indicate that a deficiency represents a material weakness, exist:
- Identification of fraud, whether or not material, on the part of senior management. For the purpose of this indicator, the term “senior management” includes the principal executive and financial officers as well as any other members of senior management who play a significant role in the company’s financial reporting process.
- Restatement of previously issued financial statements to reflect the correction of a material misstatement due to fraud or error.
- Identification by the auditor of a material misstatement of the financial statements under audit in circumstances that indicate that the misstatement would not have been detected and corrected by the company’s ICFR.
- Ineffective oversight of the company’s financial reporting and ICFR by those charged with governance.
Indicators of a
significant deficiency may include:
- Evidence of ineffective aspects of the control environment, such as:
  - Indications that significant transactions in which management is financially interested are not being appropriately scrutinized by those charged with governance.
  - Identification of management fraud, whether or not material, that was not prevented by the company’s internal control.
  - Failure to implement appropriate remedial action on significant deficiencies previously communicated.
- Absence of a risk assessment process within the company where such a process would ordinarily be expected to have been established.
- Evidence of an ineffective company risk assessment process, such as failure to identify a risk of material misstatement that the auditor would expect the company’s risk assessment process to have identified.
- Evidence of an ineffective response to identified significant risks (for example, absence of controls over such a risk).
- Misstatements detected by the auditor’s procedures that were not prevented, or detected and corrected, by the company’s internal control.
- Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud.
- Evidence of management’s inability to oversee the preparation of the financial statements.
A deficiency may be concluded to represent a material weakness or significant deficiency6 even if an indicator of a material weakness or significant deficiency6 is not present.
For example, scenarios related to the safeguarding of assets in which a company has lost a material amount of assets, a cyber breach that has an impact on the financial statements, or an aggregation of multiple deficiencies may result in the identification of a material weakness or significant deficiency6 even if an indicator of a material weakness or significant deficiency6 is not present.
As part of the evaluation of the severity, the company needs
to consider the identified control deficiencies, both individually and in
the aggregate.
1e. Aggregation Considerations
Once the severity of each deficiency has been evaluated
individually, they are then aggregated to consider their severity in
combination.
Direct Controls
Control deficiencies
that directly relate to a risk of material misstatement can be
aggregated first by significant account or disclosure, and then by
relevant assertion for each significant account or disclosure (e.g., the
revenue significant account and the completeness of revenue, not the
completeness assertion across multiple significant accounts or all
assertions related to revenue).
A combination of control
deficiencies affecting the same assertion, significant account, or
disclosure may increase the likelihood of a material misstatement to
such an extent as to give rise to a higher classification for the
control deficiencies on a collective basis (e.g., a material weakness or
significant deficiency,7 even though the deficiencies individually may have been assessed
as less severe).
The elements and factors to be considered when
evaluating the deficiencies in the aggregate are the same as those we
consider when evaluating each deficiency individually — simply reassess
and conclude for each aggregated group of deficiencies.
Indirect Controls
Deficiencies that
indirectly relate to a risk of material misstatement can be aggregated
by internal control component and principles relevant to each internal
control component.8
Aggregation by Internal Control Component
First, consider the
control deficiencies relevant to each internal control component and
conclude on the component. The factors considered when evaluating the
control deficiencies in the aggregate are the same as those considered
when evaluating each deficiency individually — simply reassess and
conclude for each aggregation. The failure to achieve any relevant
principle represents the most significant level of deficiency (i.e.,
material weakness or significant deficiency,7 depending on the applicable
laws and regulations in your particular geography), and therefore, ICFR
overall is also ineffective.
A material weakness or significant deficiency7 exists when a component and one or more relevant principles are not present and functioning or when components are not operating together. A material weakness or significant deficiency7 in one component cannot be mitigated to an acceptable level by the presence and functioning of another component. Similarly, a material weakness or significant deficiency9 in a relevant principle cannot be mitigated to an acceptable level by the presence and functioning of other principles.
Aggregation by Internal Control Principle
As applicable by local laws and regulations, the company
considers control deficiencies and conclusions for the principles
relevant to each component of internal control and concludes on the
component. The factors to be considered when evaluating the deficiencies
in the aggregate are the same as those we consider when evaluating each
deficiency individually — simply reassess and conclude. If a principle
was not achieved (i.e., a material weakness exists), then the component
also fails (i.e., other principles within (or outside of) the component
cannot compensate for a failed principle). However, even when each
principle within a component is concluded to be effective on its own
merit, the company also considers whether there are themes in the
deficiencies across the principles in the component that may indicate
that the component overall is ineffective (and therefore a material
weakness).
General Information Technology Controls (GITCs)
The following factors can be considered in making a
professional judgment as to the classification of GITC deficiencies in
the aggregate:
- Determine whether there are related deficiencies or “themes” by type or nature of deficiency (e.g., access, segregation of duties, or change management).
- Considering all deficiencies in GITCs, determine whether there are pervasive issues that are indicative of a significant deficiency or material weakness in the company’s GITCs.
- Determine whether the root cause of the more severe deficiencies in GITCs is indicative of deficiencies in other internal control components.
- Aggregate GITC deficiencies with deficiencies in direct controls that affect the same significant account or disclosure and relevant assertion. Because deficiencies in GITCs and direct controls can result in misstatements to the financial statements, we also consider whether the GITC deficiencies in combination with deficiencies in direct controls affecting the same significant account or disclosure and relevant assertion may, in combination, constitute a material weakness.
- When there are alternate or redundant controls that are operating effectively, the company may not need to further evaluate the GITC deficiencies in aggregate with direct control deficiencies because the IT risk has been addressed; therefore, there is not a reasonable possibility of a misstatement occurring.
1f. Example Factors to Consider in Evaluating the Severity of a Deficiency
Evaluating the severity of a
deficiency involves exercising significant professional judgment and
consideration of the design, implementation, and operating effectiveness of
the impacted controls. The table below is intended to provide examples of
how particular factors may affect the severity evaluation conclusion. The
list below is not intended to be all-inclusive. These factors should not be
considered in isolation, but should be considered together in conjunction
with other specific facts and circumstances related to the deficiency.
Factor | Less Severe Deficiency | More Severe Deficiency |
---|---|---|
Compensating Controls | Compensating controls are present and operate at a level of precision to prevent or detect a material misstatement. | Compensating controls are not present or sufficiently precise. |
Redundant (Alternate) Controls | Redundant (alternate) controls are present, tested, and found to be operating effectively. | Redundant (alternate) controls are not present. |
Resulting Potential Misstatement | The resulting potential misstatement is limited to a known amount that is immaterial. | The resulting potential misstatement is a material amount. |
Aggregation Considerations | There are no additional deficiencies with which to aggregate the deficiency in question. | There are multiple deficiencies with which to aggregate the deficiency in question. |
Root Cause | The root cause of the deficiency only impacts one account balance and one assertion. | The root cause of the deficiency impacts multiple account balances and multiple assertions. |
Design vs. Operating Effectiveness | The deficiency is a deficiency in operating effectiveness. | The deficiency is a deficiency in design. |
Control Performer Competency | The root cause of the deficiency is not related to the competence of the control performer. | The root cause of the deficiency is related to the competence of the control performer. |
Indicators of a Material Weakness or Significant Deficiency10 | Indicators of a material weakness or significant deficiency10 are not present. | Indicator(s) of a material weakness or significant deficiency10 is/are present. |
Resources
- 2013 COSO Framework
- SEC Release No 33-8810, Commission Guidance Regarding Management’s Report on Internal Control over Financial Reporting under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (pages 34–38)
- Speech by SEC Chief Accountant Wesley Bricker at the December 2018 AICPA Conference on Current SEC and PCAOB Developments
- Speech by SEC OCA Professional Accounting Fellow Tom W. Collens at the December 2018 AICPA Conference on Current SEC and PCAOB Developments
Section 2. Communication of a Material Weakness or Significant Deficiency
This section outlines
considerations associated with the communications made between company
management, the internal audit function (if applicable), those charged with
governance, and the external auditor (collectively, the “relevant parties”),
both during the assessment of the severity of a deficiency and once it has been
concluded that a material weakness or significant deficiency11 exists. Timely communication related to a material weakness or significant
deficiency11 is a vital
starting point in establishing that the relevant parties are aligned from the
initial identification of the deficiency through concluding on its severity and
disclosing the deficiency (as applicable).
Communications among the
relevant parties should begin as soon as the facts associated with the
deficiency are available. These communications should address the following (the
list below is not intended to be all-inclusive):
- Who identified the deficiency (i.e., management, the internal audit function, or the external auditor).
- The root cause of the deficiency.
- Whether the deficiency represents a deficiency in the design of the control or the operating effectiveness of the control.
- Preliminary remediation plan.
- The period over which the control was deficient.
- Whether there are redundant (alternate) controls in place and whether they are designed, implemented, and operating effectively.
- Whether there are compensating controls in place and whether they are designed, implemented, and operating effectively.
- The potential magnitude of misstatement associated with the deficiency.
- The potential impact to the financial statements and disclosures.
- The volume of transactions subject to the deficient control.
- If there are other controls that depend on the deficient control.
- If any indicators of a material weakness or significant deficiency11 are present.
- If the deficiency relates to issues with the competence or authority of the control performer.
- If the deficiency affects indirect controls or GITCs.
- If there are other deficiencies that may be considered in the aggregate with the deficiency.
Refer to Section 1, “Identification of a Deficiency and
Evaluation of the Severity of a Deficiency” for resources and detailed
considerations of the items above.
Agreement between the relevant parties regarding the facts
associated with the deficiency assists in guiding the next steps of evaluating
the severity of the deficiency, developing a remediation plan (see Section 4, “Remediation of a
Material Weakness or Significant Deficiency”), and determining the appropriate
financial statement disclosures (as applicable when required by local laws and
regulations; see Section 3,
“Disclosure of a Material Weakness or Significant Deficiency,” and Section 4).
2a. Communication of a Material Weakness or Significant Deficiency Between Management, the Internal Audit Function, and the External Auditor
The table below illustrates
the responsibilities of each relevant party within the typical sequence of
events during the assessment of the severity of a deficiency and after it
has been concluded that a material weakness or significant deficiency12 exists.
Key Activities | Management | Internal Audit Function | External Auditor |
---|---|---|---|
Gather the facts associated with the deficiency (see above). | X | X | X |
Conduct recurring joint update meetings between management, the internal audit function, and the external auditor until all parties agree on the conclusion of the severity of the deficiency. Best practices associated with conducting recurring update meetings include: Maintaining transparent and ongoing dialogue, including frequent update meetings, allows the relevant parties to fulfil their responsibilities in a timely manner and alleviates the pressure that may come with only having a final, all-encompassing meeting in which all information related to the severity evaluation process is communicated at one time. | X | X | X |
Conclude on the severity of the deficiency. Management is responsible for concluding on the severity of the deficiency. The conclusion on the severity of the deficiency is often documented in a memo together with the facts and considerations leading to such conclusion. Whether written or verbal, the conclusion should be communicated in such a way that it: | X | X¹ | |
Perform an independent assessment of the conclusions reached by management. | X¹ | X | |
All parties agree on the severity evaluation conclusion, remediation plan, and remediation testing timeline. | X | X | X |

¹ The internal audit function may assist management in evaluating the severity of the deficiency.
After all facts are gathered and agreed upon, management
assesses the severity of the deficiency, followed by an independent
assessment by the external auditor. The severity of the deficiency is
generally assessed, and ultimately concluded upon, through multiple
discussions between the relevant parties and the external auditor’s review
of management’s written severity analysis.
2b. Communication of a Material Weakness or Significant Deficiency to Those Charged With Governance
The external auditor is
required to communicate in writing to those charged with governance any
material weakness or significant deficiency14 identified in conjunction with their interim reviews or year-end
audit. It is beneficial for all involved if management, the internal audit
function, and the external auditor can agree on key severity conclusions
prior to communicating with those charged with governance to avoid conveying
differing conclusions. Nonetheless, the best practice is to keep those
charged with governance, including the audit committee, informed and take
them through the journey, to avoid surprises and allow them sufficient time
to fulfill their oversight duties.
It is important that a
communication plan to those charged with governance, including who is
responsible for communicating the severity conclusion and when the
communication will be made, is agreed upon by management, the internal audit
function, and the external auditor. It is a best practice that management
informally notify those charged with governance regarding severity
conclusions as soon as they are reached, rather than relying solely on the
formal written communication requirements of the external auditor.
The communication to those
charged with governance is intended to clearly outline the procedures that
were performed in the evaluation of the severity of the deficiency as well
as the ultimate conclusion as to whether the deficiency represents a
material weakness or significant deficiency.14 Such communication can be executed in a number
of ways, including an in-person meeting between representatives of
management and those charged with governance, an in-person meeting between
representatives of the internal audit function and those charged with
governance, or the external auditor speaking directly with a representative
of those charged with governance (e.g., audit committee chair).
After company management,
the internal audit function, and the external auditor are all made aware of
the deficiency and hold initial discussions, it is important to engage those
charged with governance in transparent discussions from the time a
deficiency that has the potential to rise to a material weakness or
significant deficiency14 is
identified until the severity conclusion is reached. As previously
mentioned, when the severity is concluded, it is beneficial if management,
the internal audit function, and the external auditor can agree on key
severity conclusions prior to communicating with those charged with
governance to avoid conveying differing conclusions.
Those charged with governance and other key stakeholders can
leverage the resources listed in Section 1 to objectively challenge the
procedures performed and conclusions reached regarding the severity of the
deficiency.
2c. Key Takeaways Related to Communicating a Material Weakness or Significant Deficiency
Appropriately preparing for and executing communication
between management, the internal audit function, those charged with
governance, and the external auditor during the assessment of the severity
of a deficiency and once it has been concluded that a material weakness or
significant deficiency15 exists allows for alignment on the ultimate conclusions reached and
the determination of the appropriate disclosures (as applicable if required
by local laws and regulations). When conducted properly, communication
between the relevant parties regarding a material weakness or significant
deficiency15 can
serve to establish that (1) all pertinent facts were included in the
severity evaluation and (2) none of the relevant parties are taken by
surprise at the time the deficiency is formally communicated to those
charged with governance.
Section 3. Disclosure of a Material Weakness or Significant Deficiency
This section outlines considerations regarding management’s
disclosure of a material weakness or significant deficiency16 for external reporting purposes, and specifically the ICFR disclosure
requirements set forth by the SEC in SEC Regulation S-K Item 308 on management’s
disclosure of a material weakness within its consolidated financial
statements.
3a. Describing a Material Weakness or Significant Deficiency in a Disclosure for External Reporting Purposes
Local laws and regulations
may require disclosure of material weaknesses or significant
deficiencies16 in the
company’s periodic or annual reports to external users of the financial
statements.
Key Considerations for Describing a Material Weakness or Significant Deficiency
The level of detail at
which to describe a material weakness or significant
deficiency16 is a
matter of professional judgment. Nonetheless, early agreement between
management and the external auditor regarding a clear description of the
nature of a material weakness or significant deficiency16 inherently allows management
to more accurately identify the appropriate remediation plan, including
which controls will be remediated or newly created and need to be
subsequently tested by the external auditor.
The description of
material weaknesses or significant deficiencies16 in such disclosure should be
at an appropriate level of detail and clarity to allow the reader to
sufficiently answer “yes” to the following questions:
- Does the description appropriately explain the nature of the identified material weakness or significant deficiency?16
  - Explicitly identify the control that was deficient or missing; describe the root cause of the deficiency; identify whether the deficiency was related to the control’s design, implementation, or operating effectiveness; and provide a description of the risk of material misstatement or assertion that was intended to be addressed by the deficient control. Doing so provides the reader with a clear overview and description of why the control did not address the risk. A common pitfall is explaining the accounting error or “what went wrong” without providing clear details regarding the breakdown of the control.
- Is the description sufficiently detailed to provide an understanding of what went wrong in the control that resulted in a material weakness or significant deficiency?16
  - Create a description of the deficiency that is simple enough to enable financial statement users to fully understand what went wrong in the control, but also detailed enough to enable them to understand both the nature of the deficiency and how the related impact resulted in the conclusion. Readability is key and “detailed” does not mean “lengthy” or “convoluted.” Strive for clarity by using simple words when possible and avoid using unnecessary words when describing a deficiency — the latter often confuses the reader.
- Does the description appropriately discuss the impact of the material weakness or significant deficiency17 on the company’s financial statements?
  - Communicate the “potential effect” the material weakness or significant deficiency17 might have on the company’s financial statements. When an actual or potential misstatement has occurred or could occur because of the deficiency, describe the actual or potential misstatement, including the affected account balance(s) and disclosure(s). For more pervasive deficiencies, describe the pervasiveness of the deficiency and explain the broad impact.
- Does the description appropriately discuss whether the material weakness or significant deficiency17 in one internal control component contributes to a material weakness or significant deficiency17 in another internal control component?
  - If it is determined that a deficiency in one internal control component is contributing to a deficiency at the account balance level or financial statement line-item level, consider illustrating how the nature of the deficiency in the internal control component contributed to the deficiency at the account level. If the account balance level deficiency elevates to a significant deficiency or material weakness, the company considers walking through all of the key considerations included herein for the account balance level deficiency.
- Does the description explain the impact of the material weakness or significant deficiency17 on the entity’s ICFR?
  - Consider how each material weakness or significant deficiency17 impacts each internal control component and identify the applicable control principles that were not achieved.
In developing and
reviewing such disclosure, the company may consider involving external
legal counsel (or SEC counsel, if applicable). Legal counsel may assist
in drafting the language to be compliant with the applicable laws and
regulations. They may also assist in determining whether the material
weakness or significant deficiency17 indicates a violation of any applicable law
and regulation.
The company’s external
auditor may also be required by applicable laws and regulations to
communicate the material weakness or significant deficiency17 to those charged with
governance and within its attestation report on internal control, if
applicable. The description of the material weakness or significant
deficiency17
within the company’s disclosure for external reporting purposes should
be aligned with the description of the material weakness or significant
deficiency17
within the external auditor’s communication to those charged with
governance and its attestation report on internal control over financial
reporting, if applicable.
Alignment on the description of a material weakness or
significant deficiency17
is reached through ongoing and effective communication, as discussed in
Section 2,
“Communication of a Material Weakness or Significant Deficiency.”
3b. SEC Disclosure Requirements for Management’s Internal Control Over Financial Reporting and Item 9A Material Weakness Disclosure Examples (SEC Registrants Only)
This section outlines the
ICFR disclosure requirements set forth by the SEC in SEC Regulation S-K Item
308 on management’s disclosure of a material weakness within its
consolidated financial statements and provides considerations for developing
the disclosure of a material weakness.
Refer below for additional details on the SEC regulations,
as well as illustrative examples of how a registrant may satisfy its
disclosure requirements within Item 9A of its annual report on Form
10-K.
SEC Regulation S-K 229.307 — (Item 307) Disclosure Controls and Procedures
In accordance with
SEC Regulation S-K Item 307,
“registrants are required to disclose the conclusions of their principal
executive and principal financial officers, or persons performing
similar functions, regarding the effectiveness of their disclosure
controls and procedures (DCP) (as defined in SEC Rules 240.13a-15(e) or
240.15d-15(e)) as of the end of the
period covered by the report, based on the evaluation of these controls
and procedures required by paragraph (b) of SEC Rules 240.13a-15 or 240.15d-15.”
As part of this
disclosure, registrants typically state whether their DCP as of year-end
are “effective” or “ineffective.” As discussed in Deloitte’s Roadmap — SEC Comment
Letter Considerations, Including Industry
Insights, the SEC staff has noted that management
must clearly state, without using any qualifying or alternative
language, its conclusion about whether DCP are “effective” or
“ineffective” as of the end of the respective quarter. Examples of
unacceptable language include phrases such as “adequate,” “effective
except for,” “effective except as disclosed below,” or “reasonably
effective.”
The SEC staff has also
commented regarding instances when registrants refer to the level of
assurance of the design of their DCP. Although registrants are not
required to discuss such assurance, the staff has asked registrants that
choose to do so to also state clearly whether the DCP are, in fact,
effective at the “reasonable assurance” level.
It is important to
consider the conclusion on ICFR as part of developing the DCP
disclosure. Because of the substantial overlap between ICFR and DCP, if
a registrant concludes that ICFR is ineffective, it must also consider
the impact of the material weakness(es) on its conclusions related to
DCP [SEC FRM 4310.9]. If a registrant
concludes that its DCP are effective when a material weakness exists,
the SEC staff often asks for information on the factors the registrant
considered in reaching such a conclusion. Registrants are rarely able to
provide sufficient explanation and are often required to amend their
filings to conclude that DCP were ineffective. There may be rare
instances in which a material weakness in ICFR does not overlap with the
scope of DCP (e.g., a material weakness related to the safeguarding of
assets, but the entity could still determine if and when an asset is
sold or retired). For additional information on the relationship between
DCP and ICFR and SEC comment letter themes identified for DCP and ICFR,
refer to sections 3.5 and 3.6 of Deloitte’s Roadmap — SEC Comment Letter
Considerations, Including Industry Insights,
respectively.
Example: Ineffective DCP Due to Material Weaknesses in ICFR
Item 9A. Controls and Procedures
Evaluation of Disclosure Controls and Procedures
Under the supervision and with
the participation of our current management,
including our CEO and CFO, we evaluated the
effectiveness of our disclosure controls and
procedures as defined in Rules 13a-15(e) and
15d-15(e) under the Securities Exchange Act of
1934, as amended (the “Exchange Act”), as of
December 31, 202X. Based on this evaluation of our
disclosure controls and procedures, our CEO and
CFO have concluded that our disclosure controls
and procedures were not effective as of December
31, 202X, because of certain material weaknesses
in our internal control over financial reporting,
as further described below.18
Notwithstanding the conclusion
by our CEO and CFO that our disclosure controls
and procedures as of December 31, 202X, were not
effective, and notwithstanding the material
weaknesses in our internal control over financial
reporting described below, management believes
that the consolidated financial statements and
related financial information included in this
Annual Report on Form 10-K fairly present in all
material respects our financial condition, results
of operations, and cash flows as of the dates
presented, and for the periods ended on such
dates, in conformity with accounting principles
generally accepted in the United States of America
(“U.S. GAAP”).19
SEC Regulation S-K 229.308 — (Item 308) Internal Control Over Financial Reporting
SEC Regulation S-K Item 308
requires registrants to comply with the following:
- Management’s annual report on internal control over financial reporting. Provide a report of management on internal control over financial reporting (as defined in SEC Rules 240.13a-15(f) or 240.15d-15(f)) that contains:
  - A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the registrant;
  - A statement identifying the framework used by management to evaluate the effectiveness of the registrant’s internal control over financial reporting;
  - Management’s assessment of the effectiveness of the registrant’s internal control over financial reporting as of the end of the registrant’s most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective. This discussion must include disclosure of any material weakness in the registrant’s internal control over financial reporting identified by management. Management is not permitted to conclude that the registrant’s internal control over financial reporting is effective if there are one or more material weaknesses in the registrant’s internal control over financial reporting; and
  - If the registrant is an accelerated filer or a large accelerated filer, or otherwise includes in its annual report a registered public accounting firm’s attestation report on internal control over financial reporting, a statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on the registrant’s internal control over financial reporting.
- Attestation report of the registered public accounting firm. If the registrant, other than a registrant that is an emerging growth company, as defined in Rule 405 of the Securities Act of 1933 (SEC Rule 230.405) or Rule 12b-2 of the Securities Exchange Act of 1934 (SEC Rule 240.12b-2), is an accelerated filer or a large accelerated filer (as defined in SEC Rule 240.12b-2), provide the registered public accounting firm’s attestation report on the registrant’s internal control over financial reporting in the registrant’s annual report containing the disclosure required by this Item.
- Changes in internal control over financial reporting. Disclose any change in the registrant’s internal control over financial reporting identified in connection with the evaluation required by paragraph (d) of SEC Rules 240.13a-15 or 240.15d-15 that occurred during the registrant’s last fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting.
SEC Regulation S-K Item 308(a) — Management’s Annual Report on Internal Control Over Financial Reporting
As registrants are
responsible for drafting their own annual reports on ICFR, this section
highlights common practices followed by SEC registrants to comply with
the requirements of SEC Regulation S-K Item 308(a). Each of the bullets
listed below aligns with the specific requirements of Regulation S-K
Item 308(a).1-3.
- Most registrants state management’s responsibility for establishing and maintaining adequate internal control over financial reporting at the beginning of the ICFR report and include the other required statements in various paragraphs throughout the remainder of the report. Registrants that include within their annual report a registered public accounting firm’s attestation report on their ICFR typically state at the end of the ICFR report that the registered public accounting firm that audited their consolidated financial statements has issued an attestation report on their ICFR.
- Registrants ordinarily use the Internal Control — Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (“the COSO framework”) to evaluate the effectiveness of their ICFR.
- Management’s assessment of the effectiveness of its ICFR primarily depends on whether or not a material weakness was identified. As indicated in SEC Regulation S-K Item 308(a.3), the report must include disclosure of any material weakness identified, and management is not permitted to conclude that its ICFR is effective if there are one or more material weaknesses. In addition, the definition of a material weakness is required to be included within the report whenever a material weakness is identified. A material weakness is defined as a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that a reasonable possibility exists that a material misstatement of the annual or interim financial statements would not be prevented or detected on a timely basis.
A good description of a
material weakness allows financial statement users to sufficiently
answer “yes” to the following questions:
- Does the description appropriately explain the nature of the identified material weakness?
- Is the description sufficiently detailed to provide a prudent official with an understanding of what went wrong in the control that resulted in a material weakness?
- Does the description appropriately discuss the impact of the material weakness on the entity’s financial statements?
- Does the description appropriately discuss whether the material weakness in one internal control component level contributes to a material weakness in another internal control component level?
- Does the description explain the impact of the material weakness on the entity’s ICFR?
Example: Management’s Report on ICFR
Management, including our CEO
and CFO, is responsible for establishing and
maintaining adequate internal control over
financial reporting20 as defined in Rules 13a-15(f) and 15d-15(f)
under the Exchange Act and based upon the criteria
established in Internal Control — Integrated
Framework (2013) issued by the Committee of
Sponsoring Organizations of the Treadway
Commission (“the COSO framework”).21 Our internal control over financial
reporting is a process designed to provide
reasonable assurance regarding the reliability of
our financial reporting and the preparation of our
financial statements for external purposes in
accordance with U.S. GAAP.
Under the supervision and with
the participation of our management, including our
CEO and CFO, we have conducted an evaluation of
the effectiveness of our internal control over
financial reporting based on the COSO framework.
Based on evaluation under these criteria,
management determined, based upon the existence of
the material weaknesses described below, that we
did not maintain effective internal control over
financial reporting as of December 31, 202X.22
A material weakness is a
deficiency, or a combination of deficiencies, in
internal control over financial reporting, such
that there is a reasonable possibility that a
material misstatement of our annual or interim
financial statements will not be prevented or
detected on a timely basis.23
Control Environment
We did not maintain an effective
control environment, based on the criteria
established in the COSO framework, which resulted
in deficiencies in principles associated with the
control environment. Specifically, these control
deficiencies constitute material weaknesses,
either individually or in the aggregate, relating
to (1) our commitment to integrity and ethical
values and (2) establishing structures, reporting
lines, and appropriate authorities and
responsibilities.
We did not maintain an effective
control environment to enable the identification
and mitigation of risks of accounting errors. The
following were contributing factors to the
material weaknesses in the control environment:
- The tone from executive management was insufficient to create the proper environment for effective internal control over financial reporting and to ensure that:
  - The expectations of the board of directors concerning the importance of integrity and ethical values were demonstrated by current and former executive management.
  - There was accountability for the performance of internal control over financial reporting responsibilities.
  - Personnel with key positions had the appropriate training to carry out their responsibilities.
- Our processes and procedures that guide accountable individuals in applying internal control over financial reporting were not adequate in preventing or detecting omissions in contractual arrangements and agreements that require accounting evaluation.
Deloitte & Touche LLP, our
independent registered public accounting firm, has
audited the effectiveness of our internal control
over financial reporting as of December 31,
202X.24
SEC Regulation S-K Item 308(b) — Attestation Report of the Registered Public Accounting Firm
When a registrant
engages a registered public accounting firm to audit its ICFR, the
registrant is required to include the external auditor’s ICFR
attestation report within its annual report on Form 10-K, typically near
management’s report on ICFR. It is common for the disclosure in
management’s report and the language in the external auditor’s report to
be aligned; most of the time they are the same.
Disclosure of the Remediation Plan and Status for a Material Weakness
Unlike the requirements listed above, SEC Regulation S-K
Item 308 does not require a registrant to disclose the remediation plan
and status for a material weakness that has been disclosed within
management’s ICFR report. However, SEC Financial Reporting Manual (FRM)
4310.12 states that management
should consider disclosing their “current plans or actions already
undertaken, if any, for remediating the material weakness.” Therefore,
registrants usually disclose the remediation plan and status for a
material weakness in close proximity to their annual ICFR report. It is
a best practice to include information about remedial actions in a
separate section with a separate heading that follows management’s
report on its ICFR. However, if a registrant chooses to include remedial
actions with its report on ICFR, the registrant’s external auditor would
typically disclaim this information in its ICFR opinion (PCAOB AS 2201.C13).
SEC Regulation S-K Item 308(c) — Changes in Internal Control Over Financial Reporting
On a quarterly basis,
registrants are required to disclose any material change in their ICFR
identified during the most recent fiscal quarter that has materially
affected, or is reasonably likely to materially affect, the registrant’s
ICFR. It is a common misconception to associate this requirement with
negative or adverse changes to ICFR. However, the SEC has indicated that
it welcomes disclosure of all material changes to controls, including
positive changes or improvements. For newly public companies, the SEC
has also stated that it would not object if a new registrant elects not
to include quarterly disclosures for changes made to ICFR in its first
year of quarterly reports. If registrants make this election, they will
be required to disclose all current year changes made to ICFR within the
subsequent annual report in management’s first report on ICFR. After the
first ICFR report, the registrant would then be required to identify and
disclose any material changes in its ICFR in each quarterly and annual
report.
Material changes may
include, but are not limited to:
- Identification of a material weakness.
- Remediation of a material weakness, regardless of when the material weakness was identified (e.g., correction of an immaterial restatement).
- Implementation of a significant IT system.
- Integration of a newly acquired entity.
For example, if a
registrant implemented a new IT system (e.g., SAP) during the period
under audit, the related change may be described as follows:
We are in the process of implementing a global
operating and financial reporting information technology system,
SAP, as part of a multi-year plan to integrate and upgrade our
systems and processes. As the phased implementation of this system
occurs, certain changes will be made to our processes and procedures
which, in turn, result in changes to our internal control over
financial reporting. While we expect to strengthen our internal
financial controls by automating certain manual processes and
standardizing business processes and reporting across the global
organization, management will continue to evaluate and monitor our
internal controls as processes and procedures in each of the
affected areas evolve. Except for the changes in connection with
this implementation of SAP, there have been no other changes in our
internal control over financial reporting that occurred during the
quarter ended December 31, 202X, that have materially affected, or
are reasonably likely to materially affect, our internal control
over financial reporting.
If a registrant’s only
change in ICFR was related to the identification of a material weakness
that was already described in management’s ICFR report, the related
change may read as follows:
Except for the
identification of the material weakness above, there were no changes
during the quarter ended December 31, 202X, in our internal control
over financial reporting that materially affected, or are reasonably
likely to materially affect, our internal control over financial
reporting.
When previously identified material weaknesses have been
remediated, resulting in a registrant concluding that its DCP/ICFR were
effective after a period in which the DCP/ICFR had been deemed
ineffective, it is a common pitfall to disclose the remediation of a
material weakness within the report on ICFR (e.g., implementation of
improved internal control policy, hiring of knowledgeable and competent
personnel, enhanced compliance practices) while also concluding that
there have been no material changes in its ICFR. The SEC has typically
commented when a registrant has not clearly and explicitly asserted that
the actions taken to remediate a control represent material changes to
the registrant’s ICFR.
SEC Disclosure Requirements for Material Weaknesses in Form S-1 Risk Factor Disclosures (SEC Registrants Only)
The primary SEC
regulations governing the required content for Form S-1 are Regulation
S-K and Regulation S-X. Therefore, certain sections of SEC Regulation
Item 308 (discussed above) and SEC FRM 4310 are also applicable
for a registrant’s S-1 filings. Specifically, SEC 4310.12 states that
“Management should consider disclosing the following with respect to a
material weakness:
- Describe the nature of the material weakness;
- Describe its impact on the financial reporting and ICFR, if any; and
- Describe management’s current plans or action already undertaken, if any, for remediating the material weakness.”
Accordingly, if
management has identified a material weakness in its ICFR, they are
required to disclose the material weakness in Form S-1. Although there
is no requirement for the location of the disclosure, registrants
typically provide material weakness disclosures within the risk factors
section of Form S-1 after consulting with their external SEC
counsel.
When reviewing the risk
factor disclosures, the SEC is ordinarily looking for the same level of
information that would satisfy Form 10-K’s Item 9A disclosure
requirements when a material weakness is identified.
Refer to the subsection above on management’s ICFR
report for key questions to consider as part of evaluating material
weakness disclosures in Form S-1.
Section 4. Remediation of a Material Weakness or Significant Deficiency
This section outlines (1) the appropriate steps for management
to remediate a control deficiency and (2) key considerations for the internal
audit function (or equivalent monitoring function) (if applicable) as part of
their evaluation of management’s remediated controls. The concepts within this
section apply equally to the remediation of both material weaknesses and
significant deficiencies. The steps performed to remediate deficiencies are
common across all companies, whether publicly listed or private.
4a. Management’s Process for Remediating Control Deficiencies
Remediating a material
weakness or significant deficiency25 requires an appropriate project plan that includes the necessary
remediation procedures, as well as a sufficient period of time to determine
that the remediated controls are operating effectively. The first step is to
obtain a detailed understanding of the relevant facts and circumstances,
including the nature and root cause of the deficiency. As discussed in Section 1b of this Guide,
it is critical that this step be performed when a control deficiency is
initially identified because the remediation process will require a proper
root cause analysis to develop a plan tailored to the identified deficiency
and the related root cause.
If a proper root cause analysis is not performed, this may
lead to both unresolved issues in ICFR and longer periods of unremediated
control deficiencies. Therefore, it is important that the appropriate
stakeholders are involved early in the process to reach an agreement on the
nature and root cause of the control deficiency, as doing so will enable
management to more accurately define the appropriate remediation plan.
Successful Remediation Plan
Successful remediation
of a material weakness or significant deficiency26 depends on the involvement of various stakeholders throughout the
company. As part of developing the remediation plan, it is important to
carefully identify the relevant personnel with appropriate accounting,
process, and control skills, as well as level of authority, to lead the
remediation efforts (the “remediation team”). In addition to management
and the responsible control owners, input from other remediation team
members, such as (1) senior management (for additional resources, such
as people or technology), (2) the IT department (for deficiencies
identified in GITCs or relevant data input), and (3) external vendors
(for providing any outsourced services), will be needed to develop a
practical and effective remediation plan.
It is also common for the internal audit function (or
equivalent monitoring function) (if applicable) to perform remediation
testing procedures, as they often perform ongoing monitoring and testing
of the company’s ICFR, which equips them with the necessary skill set to
evaluate whether the planned remediation procedures actually address the
root cause of the deficient control.
Remediation Procedures
Remediation procedures
consist of the necessary steps to (1) re-design an existing control or
(2) design and implement a new control that addresses the nature and
root cause of the material weakness or significant
deficiency,26 as
well as the actual testing of the operating effectiveness of the
remediated control. Thus, the nature, timing, and extent of the
remediation procedures depend directly on the nature and root cause of
the deficiency, as the remediation plan is typically tailored to the
identified deficiency and the related root cause. It is also important
for the modified or newly implemented control to address the related
risks of material misstatement.
Consequently, the remediation team may consider
reviewing the existing risk assessment documentation to determine
whether the risks have been appropriately identified and will be
addressed by the remediated control, or if an inappropriate risk
assessment led to the control deficiency. If the associated risk has not
been appropriately identified and clearly defined, the related
deficiency may continue to occur regardless of the remediation
procedures performed.
Assign Ownership and Responsibility, and Establish the Timeline and Roadmap for Remediation
The assignment of
ownership and responsibility is important for the remediation team. As
part of determining the extent of the remediation plan, the remediation
team is encouraged to:
- Develop a timeline that includes a complete overview of all the remediation procedures and their assigned due dates. It is recommended that the timeline include the time required for management, the internal audit function (or equivalent monitoring function) (if applicable), and the company’s external auditors to test the operating effectiveness of the remediated controls.
- Develop a project roadmap that visualizes and chronologically breaks down each remediation procedure into actionable work items to be assigned to the various team members and completed by the assigned due date.
- Establish reporting protocols that provide the remediation team with a clear understanding of how, when, and to whom they should report their completed assignments.
- Establish project management protocols to effect ongoing communication and collaboration.
Timely communication among the remediation team is
critical when remediating a material weakness or significant
deficiency.27 Once each team member understands their role and responsibilities,
it is their responsibility to perform their respective tasks and
communicate the status of assignments on a timely basis. It is also
essential to determine whether there is a need for ongoing internal
control training and support across the entire organization to effect
continued compliance.
Perform and Document Remediation Testing Procedures
Once the remediation
team has executed the remediation procedures in accordance with the
developed plan, the next step is to perform and document the remediation
testing procedures. These procedures typically include evaluating the
design and testing the operating effectiveness of the modified or newly
implemented controls. As part of their testing, it is important for the
remediation team to make sure that their work is sufficiently documented
and evidenced to enable an independent third party to re-perform and
rely upon the work.
If remediation testing
is successful, it is recommended that all relevant documentation (e.g.,
control matrices, process narratives, flow charts, risk assessments) be
updated to reflect the changes in ICFR as a result of the
remediation.
After the remediated and/or newly created control
operates effectively for a sufficient period of time and it is concluded
that the deficiency has been remediated, a post-deficiency review may be
completed. This is a leading practice that could include identifying and
discussing lessons learned from remediation and identifying
opportunities for additional training, communication or monitoring, or
opportunities for continuous improvement.
Applicability Considerations
It is a common
misconception that management is responsible only for performing and
documenting remediation testing procedures in connection with
remediating deficiencies if the company is required to comply with
section 404(b) of the Sarbanes-Oxley Act, which establishes requirements
for a company to have an independent audit of its ICFR. However,
management’s responsibility for remediating control deficiencies is the
same across all companies (i.e., listed or non-listed).
In addition, for SEC registrants, management is required
to attest to the effectiveness of the entity’s DCP and ICFR and provide
sufficient evidence to support their assessment regardless of filer
status (i.e., large accelerated, accelerated, non-accelerated, small
reporting company, or emerging growth company) or audit type (i.e.,
integrated or nonintegrated), unless the registrant is a newly public
company. Therefore, when a material weakness is identified, management
is required to disclose the material weakness as well as any remedial
plans or actions that have already taken place.
Communication of the Remediation Status to Those Charged With Governance
As both a material weakness and significant deficiency
merit the attention of those charged with governance (TCWG), it is a
leading practice to communicate the remediation plan and status for a
material weakness or significant deficiency28 to TCWG throughout the entire remediation process. As part of its
oversight and monitoring responsibility, management may consider
identifying a member of TCWG as part of the remediation team for ongoing
and transparent communication between management and TCWG as it relates
to the remediation plan and whether the designed remediation procedures
are responsive to the nature and root cause of the control
deficiency.
4b. Independent Evaluation and Testing of Management’s Remediated Controls
Once management completes their remediation procedures, the
remediated and/or newly created controls are subject to testing by
independent parties, including the internal audit function (or other
independent function, as applicable) and external audit. This section
outlines factors to consider in evaluating and testing the remediated
controls.
Communicating the Remediation Plan
As discussed in Sections 2 and 3 of this Guide, it
is critical that management establish agreement with the internal audit
function or equivalent monitoring function (if applicable) and the
external auditor on the nature of the deficiency as soon as it is
identified because the internal audit function and the external auditor
will be required to evaluate the design of management’s modified or
newly implemented controls and test the operating effectiveness of those
controls (if applicable). Accordingly, it is essential that management
meet with the internal audit function and the external auditor
throughout the remediation process to provide an understanding of the
remediation plan and timeline. As the responsibilities of the internal
audit function and external auditor include evaluating whether (1) the
risk is no longer exposed through the implementation of new
controls or the modification of existing controls and (2) management has
appropriately remediated the control deficiency, the internal audit
function and the external auditor need to have a detailed understanding
of the remediation plan as well as who management has identified to
perform the remediation procedures (i.e., the remediation team).
Management may consider conducting a “remediation
kick-off” meeting with the internal audit function and external auditor
to provide an understanding of how the plan and team are being
developed, followed by an established cadence of recurring touchpoints
to track the status and discuss how the remediation team is performing
against the plan. This level of effective and ongoing communication is
important for the internal audit function and external auditor as they
establish their own plans to evaluate the design of the modified or
newly implemented controls and test the operating effectiveness of those
controls (if applicable).
Testing of Management’s Remediation of Control Deficiencies
Responsiveness of Remediation to the Root Cause of the Deficiency
Once management
concludes its remediation testing procedures (i.e., they have evaluated
the design and tested the operating effectiveness of the modified or
newly implemented control and determined that the related control
deficiency has been remediated), the internal audit function and the
external auditor evaluate whether the control addresses the related
risks of material misstatement and the root cause of the deficiency. A
leading practice for such an evaluation is to compare the descriptions
of any control deficiencies formally communicated to TCWG to
management’s remediation plan and determine whether management’s
completed and documented remediation procedures respond to the related
root cause based on the internal audit function’s and external auditor’s
own understanding of the control deficiency. If the internal audit
function and external auditor determine that the nature of management’s
remediation procedures is not responsive to the root cause of the
deficiency and/or the remediated or newly created control does not
address the related risks of material misstatement, they are likely to
conclude that management has not successfully remediated the control
deficiency.
Effective Operation of the Control for a Sufficient Period of Time
When a control has been
appropriately modified or newly implemented in response to the root
cause of the deficiency, the internal audit function and external
auditor will also assess whether the control has operated effectively
for a sufficient period of time. In addition, if the internal audit
function and external auditor are testing the operating effectiveness of
controls, they need to determine whether there is a sufficient number of
instances to test based on their sampling methodology. Professional
judgment would be exercised as they consider the timing of the
remediation as well as the nature of the deficiency being
remediated.
Considerations for Companies Not Subject to ICFR Reporting
For companies not subject to ICFR reporting, a material
weakness or significant deficiency29 may be identified as part of the evaluation and determination of
the control’s design and implementation, respectively. In this scenario,
the internal audit function (or equivalent monitoring function) and/or
external auditor may consider the need to test the operating
effectiveness of the remediated control to determine if the material
weakness or significant deficiency29 has been remediated. In making this
determination, the internal audit function and/or external auditor may
consider (1) the specific facts and circumstances associated with the
deficiency, such as the root cause of the deficiency, as well as the
nature, timing, and extent of the remediation procedures and the related
risks of material misstatement, and (2) management’s evidence over the
design and implementation and operating effectiveness of the remediated
control in determining whether additional evidence from testing the
operating effectiveness of the remediated control is necessary.
4c. Disclosure Considerations for Remediation of a Material Weakness (SEC Registrants Only)
Disclosure of the Remediation Plan and Status of a Material Weakness
As discussed in Section 3b of this
Guide, management is not required to disclose their remediation plan for
an identified material weakness. However, the SEC encourages management
to disclose their current plans or actions already undertaken, if any,
for remediating the material weakness. Thus, companies typically
disclose their remediation plan and the remediation status of the
material weakness in the periods before the material weakness is
concluded to be remediated.
In certain instances,
the SEC staff has observed that questions about the validity and
completeness of management’s disclosures regarding material weaknesses
have arisen as a result of management’s discussion of their remediation
plans. Sometimes the remediation plans are broader than the material
weakness identified, potentially indicating that the actual material
weakness is more pervasive than the material weakness disclosed or that
there may be another material weakness that was not identified and
disclosed.30 Refer to Deloitte Roadmap — SEC Comment Letter
Considerations, Including Industry Insights for
further discussion on disclosures related to material weaknesses.
This is a common pitfall
that can be avoided by appropriately developing and documenting a
remediation plan in a timely manner and with the involvement of the
appropriate personnel. Determining that the planned remediation
procedures are tailored to the nature and root cause of the material
weakness early in the remediation process will enable management to
provide sufficiently detailed and informative disclosures related to the
remediation plan. However, if a material weakness is identified late in
the year or within days of the registrant’s issuance date, management
might not have sufficient time to perform a proper root cause analysis
and develop or disclose a sufficient remediation plan in response to the
identified material weakness. Accordingly, management is expected to
initiate the remediation process as soon as possible and develop a
corresponding remediation plan, which can be disclosed within the
company’s succeeding quarterly report (for domestic registrants) or
subsequent annual report (for foreign private issuers) as a separate
section from management’s required disclosure of material changes in the
entity’s ICFR.
A leading practice is to involve legal or SEC counsel in
reviewing disclosures prepared in relation to material weakness and
remediation plan disclosures.
Disclosure of the Remediation of a Material Weakness
Once management has completed their remediation testing
procedures and they, along with their external auditors, have determined
that the material weakness has been remediated, management can disclose
the remediation of the previously reported material weakness. Companies
are expected to disclose the remediation of a material weakness, as it
is considered to be a change that has materially affected the company’s
ICFR. This disclosure is typically included as a section within the Item
9A or Item 15 disclosure within Form 10-K or Form 20-F, respectively,
and is separate from management’s report on ICFR.
Disclosure Considerations for Interim Reporting
Material weakness disclosures are often associated with
a company’s annual report because of (1) the requirement to include
management’s annual ICFR report therein (SEC Reg. S-K Item 308(a)) and
(2) how management’s annual assessment of the effectiveness of its ICFR
primarily depends on whether or not a material weakness was identified.
However, companies may be required to disclose a material weakness
within an interim report (for U.S. domestic registrants) depending on
timing and the identification of the material weakness. Below are three
phases of a material weakness:
- Initial identification of a material weakness.
- Development of a remediation plan and team, including the implementation of remedial actions responsive to the nature and root cause of the material weakness.
- Successful remediation of the material weakness, with the new or modified controls implemented and operating effectively for a sufficient period of time.
Initial Identification of a Material Weakness
The timing of the
identification of a material weakness will determine whether interim
disclosures are necessary. If a material weakness is identified within
the first nine months of the current period, management would be
expected to disclose the following within Item 4 of its upcoming
quarterly report for the period during which the material weakness was
identified:
- Ineffective conclusion regarding DCP as of the end of the period covered by the report based on an evaluation performed by their principal executive and principal financial officers, or persons performing similar functions (usually disclosed as a result of a material weakness in ICFR).
- The definition of a material weakness.
- A description of the material weakness as a change in ICFR in accordance with SEC Reg. S-K Item 308(c).
- A remediation plan, including current plans or actions already undertaken (if available).
Refer to Section 3 of this Guide for key questions to consider
related to the description of the material weakness and the applicable
disclosures.
Development of the Remediation Plan and Team, Including the Implementation of Remedial Actions Responsive to the Nature and Root Cause of the Material Weakness
After initially disclosing the material weakness,
management would continue to disclose (1) the DCP evaluation and the
related ineffective conclusion and (2) the previously identified
material weakness in its quarterly reports until the material weakness
has been remediated. Management may exercise professional judgment in
determining the level of detail of the description of the material
weakness. Management may also consider disclosing in its quarterly
reports the remediation status of the material weakness. This could
include the planned remediation procedures as well as any remediation
procedures performed to date. Although there is no requirement to
disclose the remediation plan or status, sufficient disclosures within
quarterly reports provide readers with an illustration of the “life
cycle” of the material weakness from its identification to the current
stage, allowing them to make more informed decisions based on the
current state of management’s ICFR.
Successful Remediation of the Material Weakness With the New or Modified Controls Implemented and Operating Effectively for a Sufficient Period of Time
If management remediates
a material weakness within the first nine months of the current period,
it is expected that management will disclose the remediation of the
material weakness as a change in the company’s ICFR within its next
quarterly report for the period during which the material weakness was
remediated.
Although there are no
requirements for management to discuss the remedial actions taken, it is
a best practice that the disclosure provide a detailed understanding of
how the remediation procedures directly responded to the nature and root
cause of the previously reported material weakness; there is a
requirement to disclose the remediation of a material weakness because
it represents a change that has materially affected management’s
ICFR.
| Key Activities | Management | Internal Audit Function (or Equivalent Monitoring Function) | External Auditor |
|---|---|---|---|
| Detailed understanding of relevant facts and circumstances, including nature and root cause. | X | X | X |
| Identify the remediation team. | X | | |
| Develop a remediation plan to address the nature and root cause of the deficiency, including the necessary remediation procedures and a sufficient period of time to determine that the remediated controls are operating effectively. A remediation plan that follows leading practices will: | X | | |
| Perform an independent assessment to evaluate that the planned procedures as described in the remediation plan address the root cause. | X | X | |
| Execute remediation procedures. | X | | |
| Perform and document remediation testing procedures. | X | | |
| Evaluate management’s remediation. | X | X | |
| All parties agree that the remediated controls address the root cause of the deficiency and have been operating for a sufficient period of time and have concluded that the material weakness has been remediated. | X | X | X |
| Disclose the remediation plan and status of a material weakness (SEC registrants only). | X | X | |
Section 5. Unique Scenarios That Relate to a Material Weakness or Significant Deficiency
Companies may occasionally face
unique scenarios involving facts and circumstances they have not previously
encountered related to identifying, evaluating, communicating, and disclosing
(as applicable) deficiencies. This section highlights examples and key
considerations in identifying, evaluating, communicating, and disclosing (as
applicable) the related deficiencies.
When facing unique scenarios,
keep in mind the importance of:
- Ongoing and transparent communication between management, the internal audit function, and the external auditor.
- Coming to an agreement between the relevant parties related to the facts associated with the unique scenario.
- Establishing a robust remediation plan, as applicable.
Refer to Section 2, “Communication of a Material
Weakness or Significant Deficiency,” for resources and detailed considerations
of the items above.
While not intended to be all-inclusive, the unique scenarios
listed below relate to a material weakness or significant deficiency.31
- Scenario 1a — An existing material weakness or significant deficiency32 at an acquired entity may be concluded to be a material weakness or significant deficiency32 at the consolidated entity.33
- Scenario 1b — An existing material weakness or significant deficiency32 at an acquired entity may not be concluded to be a material weakness or significant deficiency32 at the consolidated entity.
- Scenario 234 — A material weakness or significant deficiency32 is identified in a recently acquired entity during the year of acquisition and the company has excluded the controls of the acquired entity from its assessment of ICFR per the SEC’s guidance in Management’s Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports — Frequently Asked Questions No. 3 (SEC FAQ No. 3).
- Scenario 3 — A material weakness or significant deficiency35 is identified by facts and circumstances other than a material misstatement.
- Scenario 4 — A material weakness or significant deficiency35 that existed in a prior period is identified in the current period and may require restatement of prior-period disclosures and/or management’s assessment of ICFR.36
- Scenario 5 — Remediation of material weaknesses or significant deficiencies35 may be codependent, thereby necessitating a particular order of remediation.
- Scenario 6 — Remediation of a material weakness or significant deficiency35 related to a control that does not operate with a recurring frequency.
5a. Scenario 1a
An existing material
weakness or significant deficiency35 at an acquired entity may be concluded to be a
material weakness or significant deficiency37 at the consolidated entity.
For example, a material
weakness or significant deficiency35 was previously identified related to the
acquired entity’s revenue balance, and the revenue stream will
continue to be material for financial reporting purposes at the
consolidated entity.
For example, a material
weakness or significant deficiency35 was previously identified related to
GITCs for an IT system at the acquired entity on which the
consolidated entity will continue to rely for processing and
maintaining data used in the financial reporting process.
Key Considerations
- Evaluate the facts and circumstances associated with the existing material weakness or significant deficiency35 at the acquired entity, and analyze its root cause, to determine its potential impact on ICFR at the consolidated entity.
- Determine if the existing material weakness or significant deficiency35 at the acquired entity directly affects accounts and assertions that are material for financial reporting purposes at the consolidated entity.
- Consider that there may be a need to aggregate the existing material weakness or significant deficiency35 with newly identified deficiencies (i.e., the existing deficiency may not constitute a material weakness or significant deficiency37 at the consolidated entity on a standalone basis, but would be considered a material weakness or significant deficiency in the aggregate when considered in combination with other applicable deficiencies identified at the consolidated entity).
- Consider the materiality of the existing material weakness or significant deficiency37 in the context of the potential magnitude of errors resulting from the deficiency at the consolidated entity.
- If determined to be a deficiency at the consolidated entity, the deficient control(s) are to be evaluated and documented in the same manner as any deficiency originally identified at the consolidated entity.
5b. Scenario 1b
An existing material
weakness or significant deficiency37 at an acquired entity may not be concluded to be
a material weakness or significant deficiency37 at the consolidated entity.
For example, a material
weakness or significant deficiency37 was previously identified related to the
acquired entity’s preferred stock, but the entirety of the preferred
stock was converted to common stock upon the transaction taking
place.
For example, a material
weakness or significant deficiency37 was previously identified related to
GITCs at the acquired entity, but the related IT system is not being
relied on for financial reporting purposes at the consolidated
entity.
Key Considerations
- Evaluate the facts and circumstances associated with the existing material weakness or significant deficiency37 at the acquired entity, and analyze its root cause, to determine its potential impact on ICFR at the consolidated entity.
- Determine if the existing material weakness or significant deficiency37 directly affects accounts and assertions that are material for financial reporting purposes at the consolidated entity. When the affected accounts and assertions are not material for financial reporting purposes at the consolidated entity, consider if the existing material weakness or significant deficiency37 continues to be applicable.
- Consider the materiality of the existing material weakness or significant deficiency37 in the context of the potential magnitude of errors resulting from the deficiency related to the financial statements of the consolidated entity.
- It is a leading practice for management of the consolidated entity to reevaluate the deficiency in the context of its risk assessment and ICFR (e.g., new facts were identified, consideration of the nature of the deficiency in the context of the consolidated entity).
5c. Scenario 238
A material weakness is
identified in a recently acquired entity during the year of acquisition and
management has excluded the controls of the acquired entity from its
assessment of ICFR per the SEC’s guidance in Management’s Report on Internal Control over
Financial Reporting and Certification of Disclosure in Exchange Act
Periodic Reports — Frequently Asked Questions No.
3 (SEC FAQ No. 3).
For example, misstatements at the acquired
entity identified by the internal audit function lead to the
identification of a material weakness related to a revenue stream
that will be material at the consolidated entity.
Key Considerations
- Evaluate whether the transaction to purchase the acquired entity constitutes a material purchase business combination, as outlined in Article 11-01(d) of Regulation S-X.
- If a material weakness is identified in the acquired entity that is relevant to the consolidated entity, it is to be communicated and disclosed like any other material weakness. Refer to Section 2 for leading practices in the communication of a material weakness and Section 3 for disclosure.
5d. Scenario 3
A material weakness or
significant deficiency[39] is identified by facts and circumstances other than a material
misstatement.
For example, the company
lacks competent staff for areas of complex accounting, resulting in
a material weakness or significant deficiency.[39]
For example, multiple
deficiencies are aggregated, resulting in a material weakness or
significant deficiency.[39]
For example, the company
does not have appropriate access security or change management
controls over its IT systems.
For example, the company
does not have the appropriate control(s) in place over the
safeguarding of assets (i.e., the company does not have controls in
place that prevent or timely detect the unauthorized acquisition,
use, or disposition of the company’s assets that could have a
material effect on the financial statements).[40]
For example, the company
is not compliant with certain laws and regulations.
For example, the
company does not have appropriate segregation of duties in
place.
Key Considerations
- Analyze the root cause of deficiencies identified and determine whether it implies that there is a broader issue associated with the company’s inability to attract, develop, or retain competent individuals in alignment with its objectives, which can have a pervasive impact on the company’s ability to effectively execute its controls.
- The following items describe situations in which the aggregation of multiple deficiencies that have the same root cause may result in a material weakness or significant deficiency[41] (applicable to the second example listed above):
  - Deficiencies in direct controls that relate to the same significant account, relevant assertion, or disclosure.
  - Deficiencies in indirect controls that relate to the same internal control component or COSO principle (if applicable).
  - Deficiencies in direct and indirect controls that affect the same account or disclosure.
  - GITC deficiencies that are related to the same theme, represent pervasive issues, or affect the same account or disclosure and relevant assertion as deficiencies in direct controls.
- Even if the likelihood of a material misstatement occurring as a result of the deficiency is low, the potential magnitude of a material misstatement could be high (e.g., a high volume of transactions are impacted by the deficiency) and result in a material weakness or significant deficiency.[41]
- Consider qualitative factors that affect the severity of a deficiency (e.g., susceptibility to fraud, pervasiveness of the deficiency across the company).
Refer to Section 1, “Identification of a Deficiency and Evaluation of
the Severity of a Deficiency,” for a more detailed discussion of the
considerations above.
5e. Scenario 4[42]
A material weakness or
significant deficiency[41] that
existed in a prior period is identified in the current period and may
require restatement of prior-period disclosures and/or management’s
assessment of ICFR.
For example, in the
current year, a material misstatement is identified in the company’s
prior-period financial statements. The prior-period misstatement
results in the identification of a material weakness or significant
deficiency that existed in the prior year.
For example, in the
current year, a material weakness or significant deficiency[43] in GITC(s) over user access is identified and the same
inappropriate privileged access level existed in the prior
year.
For example, in the
current period, a material weakness or significant deficiency[43]
is identified associated with the company’s revenue recognition
policies. The company has inappropriately recognized revenue by a
material amount in the current and prior periods. Management is
required by local laws and regulations to report on the
effectiveness of ICFR, and the prior-year report concluded that ICFR
was effective.
For example, in the
current year, it is determined that there was a reasonable
possibility that the controls in place in the prior year would not
prevent or detect a material misstatement on a timely basis,
resulting in a design deficiency (i.e., a control gap) that is
determined to be a material weakness or significant
deficiency.[43]
The design deficiency existed in the prior year when management’s
prior-year report concluded that ICFR was effective.
Key Considerations
- Follow the framework in Section 1 to gather all facts associated with the material weakness or significant deficiency[43] that existed in the prior period (e.g., timing of when the deficiency existed, when the deficiency was identified).
- Consider if the facts and circumstances warrant a formal written assessment of the effects of the prior-year deficiency and the related misstatement, if applicable (e.g., SAB 108 analysis for SEC filers).
- Communicate in a timely manner with the internal audit function (if applicable) and the external auditor to reach alignment on the conclusion of the deficiency severity. Refer to Section 2 for further considerations regarding communication of a material weakness or significant deficiency.[43]
- Consider when the material weakness or significant deficiency[43] was identified in the current year and any impact on the restatement of prior-period disclosures and/or management’s assessment of ICFR (if required by local laws and regulations) (e.g., a material weakness or significant deficiency[43] identified in Q1 of 20X2 that affects 20X1 is more likely to prompt restatement of the 20X1 disclosures and/or management’s assessment of ICFR).
- Consult with legal counsel and SEC counsel (if applicable) about the restatement of prior-period disclosures and/or management’s assessment of ICFR (if required by local laws and regulations).
- Communicate in a timely manner to those charged with governance — refer to subsection 2b for further considerations.
5f. Scenario 5
Remediation of material
weaknesses or significant deficiencies[44] may be codependent, thereby necessitating a particular order of
remediation.
For example, material
weaknesses or significant deficiencies[44] were identified related to the company’s
lack of competent staff for areas of complex accounting and controls
over the company’s revenue recognition policies. The material
weakness or significant deficiency[44] identified related to the company’s lack
of competent staff for areas of complex accounting may need to be
remediated before the company can effectively execute the controls
over its revenue recognition policies.
For example, a material
weakness or significant deficiency[44] was identified related to the control
environment component of internal control, which also contributed to
an additional material weakness or significant deficiency[44]
being identified in certain of the company’s business process
controls. The weakness or deficiency identified related to the
control environment component of internal control may need to be
remediated before the company can effectively execute the associated
deficient business process controls.
For example, a material
weakness or significant deficiency[44] was identified within the company’s
GITCs, which subsequently resulted in the identification of a
material weakness or significant deficiency[44] associated with the
company’s controls over the accuracy and completeness of information
used in its controls. The resulting material weakness or significant deficiency[44]
within the company’s GITCs may need to be remediated before the
entity can effectively execute controls over the accuracy and
completeness of information used in its controls.
Key Considerations
- Develop a remediation plan that allows for the staggering of remediating deficiencies, as needed.
- Analyze the root cause of all material weaknesses or significant deficiencies[44] identified, as it is important to determine if the remediation of the deficiencies requires a particular order.
- Remediation of deficiencies in indirect controls may need to occur before deficiencies in direct controls can be remediated (see the third example above).
5g. Scenario 6
Remediation of a material
weakness or significant deficiency[44] related to a control that does not operate with
a recurring frequency.
For example, a material
weakness or significant deficiency[44] was identified related to controls over
recording a business acquisition, and the company does not
frequently engage in acquisitions.
For example, a material
weakness or significant deficiency[45] was identified in a control related to the implementation of a
new accounting standard, and there is currently no planned release
of new accounting standards that would be required to be implemented
by the company.
Key Considerations
- Consider if there are plans to engage in the infrequent activity soon, such that the deficient control would operate again.
- Analyze the root cause of the deficiency:
  - Does the company have other controls that address the root cause?
  - Does the control performer of the deficient control perform other control(s) that address the same root cause?
    - If so, evaluate those other control(s) that address the same root cause to determine whether the root cause of the deficiency has been remediated.

      For example, if a material weakness or significant deficiency[45] was previously identified in a control related to the implementation of a new accounting standard, but there is currently no planned release of new accounting standards that would be required to be implemented by the company, it is possible to conclude that the material weakness or significant deficiency[45] has been remediated through other means. This may be the case if the applicable control performer also performs the company’s control over complex accounting matters and has performed the control effectively for a sufficient period of time, given the control over complex accounting matters addresses similar risks and requires a similar level of competence and skill set as the control related to the implementation of a new accounting standard.

      The company needs to demonstrate that the root cause of the deficiency has been addressed for a sufficient period of time and that is supported by the results of management’s testing.
Contacts
North America
- Michelle Donahue (U.S.), Audit & Assurance Managing Director, Deloitte & Touche LLP, +1 203 563 2556
- Lia Gribilas (Canada), Audit & Assurance Partner, Deloitte LLP, +1 514 393 5499
- Shad Higdon (U.S.), Risk and Financial Advisory, Advisory Principal, Deloitte & Touche LLP, +1 713 982 2603

Europe
- Mark Redfern (North and South Europe), Audit & Assurance Director, Deloitte LLP, +44 20 7007 7022
- Francesco Pitotto (Central Europe), Audit & Assurance Director, Deloitte Audit, +352 45145 3945

Asia Pacific
- Delphine Troch (China), Audit & Assurance Partner, Deloitte Touche Tohmatsu Certified Public Accountants LLP (Beijing Branch), +86 10 85207759

Latin America
- Roberto Vergara (Mexico), Audit & Assurance Partner, Deloitte Mexico, +52 55 50806493 ext. 6493

Africa
- Carin Langner (South Africa), Audit & Assurance Senior Associate Director, D&T Partnership, +27112027312

Footnotes
[1] For purposes of this Guide, the terms “material weakness” and “significant deficiency” refer to a deficiency, or a combination of deficiencies, in internal control that represent the most significant level of severity in accordance with applicable laws and regulations in your particular geography.
[2] See footnote 1.
[3] See footnote 1.
[4] Consider guidance in the SEC speech Remarks before the 2018 AICPA Conference on Current SEC and PCAOB Developments.
[5] See footnote 1.
[6] See footnote 1.
[7] See footnote 1.
[8] Internal control components and principles used in the context of this Guide are as defined in Internal Control — Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
[9] See footnote 1.
[10] See footnote 1.
[11] See footnote 1.
[12] See footnote 1.
[13] See footnote 1.
[14] See footnote 1.
[15] See footnote 1.
[16] See footnote 1.
[17] See footnote 1.
[18] This paragraph constitutes a required disclosure in accordance with SEC Regulation S-K 229.307.
[19] This paragraph regarding the fair presentation of the financial statements in conformity with U.S. GAAP is often included as part of the DCP disclosure at the request of the company’s legal department. It is not a required disclosure in accordance with SEC Regulation S-K 229.307.
[20] SEC Regulation S-K Item 308 Requirement: Statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the registrant.
[21] SEC Regulation S-K Item 308 Requirement: Statement identifying the framework used by management to evaluate the effectiveness of the registrant’s internal control over financial reporting.
[22] SEC Regulation S-K Item 308 Requirement: Management’s assessment of the effectiveness of the registrant’s internal control over financial reporting as of the end of the registrant’s most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective.
[23] SEC Regulation S-K Item 308 Requirement: The definition of a material weakness is required when a material weakness has been identified.
[24] SEC Regulation S-K Item 308 Requirement: Statement that the registered public accounting firm has issued an attestation report on the registrant’s ICFR (if applicable).
[25] See footnote 1.
[26] See footnote 1.
[27] See footnote 1.
[28] See footnote 1.
[29] See footnote 1.
[30] Deloitte Roadmap — SEC Comment Letter Considerations, Including Industry Insights, 2023.
[31] While the scenarios listed herein are intended to focus on implications related to a material weakness or significant deficiency, the concepts addressed may also be applicable to less severe deficiencies.
[32] See footnote 1.
[33] For the purpose of this Guide, “at the consolidated entity” or “on a consolidated basis” refers to the level at which the financial statements are prepared for external financial reporting purposes that encompass both the acquirer and the acquiree, whether it is on a consolidated or combined basis.
[34] This scenario is only applicable to entities that are SEC filers.
[35] See footnote 1.
[36] This scenario may not be applicable based on local regulatory requirements associated with the disclosure of significant deficiencies.
[37] See footnote 1.
[38] This scenario is only applicable to entities that are SEC filers.
[39] See footnote 1.
[40] The COSO Framework explains that decisions, policies, and procedures related to the safeguarding of assets typically fall within the operations category of internal control. The SEC’s definition of ICFR, however, specifically includes those policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements,” and therefore consideration of safeguarding of assets is relevant when reporting on ICFR for Sarbanes Oxley 404 purposes.
[41] See footnote 1.
[42] This scenario may not be applicable based on local regulatory requirements associated with the disclosure of significant deficiencies.
[43] See footnote 1.
[44] See footnote 1.
[45] See footnote 1.