What are Internal Control Weaknesses?
Organizations use internal controls to protect themselves and comply with industry standards and regulations governing financial risks. Effective controls help ensure that financial reporting is accurate and adequately addresses investment, capital and credit requirements.
Internal controls are required by many of the most common financial regulations. For instance, the 2002 Sarbanes-Oxley Act (SOX) requires companies to prove that their financial statements are accurately reported, and that they maintain effective policies to prevent fraud. Specifically, SOX requires companies to perform a Section 404 audit providing evidence of control testing and enforcement. Companies must also demonstrate that they account for uncertainty, such as stock market fluctuations. Learn more in our guide to SOX internal controls (coming soon).
Internal control weaknesses are failures in the implementation or performance of internal controls. Even the strongest security measures can be circumvented if a malicious actor identifies an internal control weakness. In fact, more than 5% of companies end up reporting material weaknesses in each audit. The cost of these material weaknesses can be huge: a loss of up to 19% in stock price over the next 12 months, and over a 60% increase in audit costs.
Due to rapid technological development, and the ever-growing number of internal controls, organizations must continuously monitor security controls to ensure they are adequately protected. Regular monitoring is essential for verifying the effectiveness of controls and exposing weaknesses that a malicious actor could exploit.
In this article, you will learn:
- 4 Types of Internal Control Weaknesses
  - Technical Internal Control Weakness
  - Operational Internal Control Weakness
  - Administrative Control Weaknesses
  - Architectural Internal Control Weakness
- 5 Ways to Identify and Fix Internal Control Weaknesses
  - Catalog Internal Control Procedures
  - Conduct a Risk Assessment
  - Conduct an Internal Audit
  - Train and Educate Staff
  - Examine Departmental Reports
- Automating Internal Controls Audits with Pathlock
4 Types of Internal Control Weaknesses
Technical Internal Control Weakness
Technical security controls encompass both hardware and software. Weaknesses in a technical control arise from technological and maintenance changes or from configuration failures.
A flaw in the hardware or software of a corporate information system that allows it to be breached is called a technical weakness. A good example is the EternalBlue vulnerability discovered in the Windows SMB protocol in 2017, which exposed existing Windows systems to attack.
Operational Internal Control Weakness
Operational security (OpSec) focuses on operational monitoring and the implementation of risk management in day-to-day business operations. Weaknesses in operational controls are due to human factors. Operational controls become less effective if the employees responsible for operations do not follow established standards and policies.
Incident response is an example of a time-sensitive operational control. Timely intervention is the most effective way to prevent or mitigate a breach. The longer the interval between the onset of a security event and the intervention, the less effective the incident response.
Administrative Control Weaknesses
Weaknesses in administrative security controls, also called procedural controls, result from a failure to consistently comply with established standards and regulations.
For example, an administrative control is regular backups of critical systems. If a breach occurs, you will only be able to retrieve the data from the time of the last backup. A data backup control is useless if the organization does not back up data regularly, or does not verify that backups can be successfully restored.
Architectural Internal Control Weakness
The focus of security architecture is to create a unified system for documenting and addressing the risks of the information technology environment.
Architectural control weaknesses usually involve changes to hardware or software configuration. When a change is made, and is not appropriately monitored or approved, it can break parts of the security architecture. Any change that affects an element of the organization’s security architecture is a potential architectural control weakness.
What is a Material Weakness?
A material weakness occurs when one or more internal controls are ineffective in a way that can lead to a material misstatement of financial activity. Internal controls here include all rules, processes, and activities designed to improve operational efficiency and prevent financial statement irregularities.
Material weaknesses can render the financial data of a company unreliable and ineffective. They prevent auditors and stakeholders from reliably assessing the financial health of the company and determining its stock price.
Publicly-traded companies in the US are required to have an audit committee. Once a material weakness is discovered, auditors must report it to the audit committee of the company. The committee, which is typically composed of board members, is responsible for ensuring that the company implements measures that fix the internal controls and rectify the material weakness.
In addition to reporting to the committee, companies are required to report a material weakness to the Securities and Exchange Commission (SEC). When this information is made known, companies may face increased costs due to legal fees and reputational risks, as investors might lose confidence in the company and its stock.
Common causes of material weaknesses are inadequate segregation of duties, failure to assess risks on an ongoing basis, lack of management review, and excessive reliance on accounting applications or other third-party tools that do not meet compliance standards.
5 Ways to Identify and Fix Internal Control Weaknesses
Here are a few ways you can discover internal control weaknesses, and take action to remediate them.
Catalog Internal Control Procedures
Before you can inspect procedures to discover weaknesses, you need a full inventory of the processes currently in place. This includes financial transaction documentation, procurement processes, product design projects, product testing, and internal audits.
Determine which parts of the company are at a higher risk than others. Evaluate your control designs including documentation, training, segregation of duties, and feedback loops.
Conduct a Risk Assessment
All internal control procedures must undergo a risk assessment. Identify which failures are most likely to affect your company. Risk assessment is usually done in tabular form, with one risk per row and columns that log the problem and its solution.
As you investigate each risk, add columns that show where the problem is, why controls are inadequate, who is responsible for a particular process, who identified the issue, what the solution is, and when the person responsible took action.
Conduct an Internal Audit
An internal audit includes a review of accounts payable data, including stocks, assets, and cash reconciliation. Cash reconciliation involves making sure that your organization’s cash can be fully accounted for, considering your income and expenses.
When reviewing accounts payable, you must verify that all payments are being sent to the right person or company. You must then cross-reference these payments with all financial statements, both internal (accounting department) and external (bank).
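As an added illustration of the cross-referencing step described above (example code, not from the article or from Pathlock), the Python below matches an accounts payable ledger against a bank statement and an approved vendor master file, flagging payments that never reached the bank, amounts that differ, bank outflows with no ledger entry, and payments sent to an account other than the approved payee. All records, references and account numbers are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LedgerPayment:      # internal accounting (AP) record
    ref: str
    vendor: str
    amount: int           # minor units (cents) to avoid float drift
    account: str          # account the AP system says it paid

@dataclass(frozen=True)
class BankTxn:            # line from the external bank statement
    ref: str
    beneficiary_account: str
    amount: int

# Approved payee accounts from the vendor master file (constructed sample data).
VENDOR_MASTER = {"ACME": "GB00ACME0001", "GLOBEX": "GB00GLOBEX02"}

LEDGER = [
    LedgerPayment("P-1001", "ACME", 125000, "GB00ACME0001"),
    LedgerPayment("P-1002", "GLOBEX", 48000, "GB00GLOBEX02"),
    LedgerPayment("P-1003", "ACME", 9900, "GB00ACME0001"),
]
BANK = [
    BankTxn("P-1001", "GB00ACME0001", 125000),
    BankTxn("P-1002", "GB00OTHER0099", 48000),  # paid to an account not in the vendor master
    BankTxn("P-1004", "GB00ACME0001", 70000),   # outflow with no matching ledger entry
]

def reconcile(ledger, bank, vendor_master):
    """Cross-reference the AP ledger against the bank statement; return control findings."""
    findings = []
    bank_by_ref = {t.ref: t for t in bank}
    for p in ledger:
        # Internal record must itself point at the approved vendor account.
        if p.account != vendor_master.get(p.vendor):
            findings.append(("ledger-account-mismatch", p.ref))
        t = bank_by_ref.pop(p.ref, None)
        if t is None:
            findings.append(("not-in-bank", p.ref))
            continue
        if t.amount != p.amount:
            findings.append(("amount-mismatch", p.ref))
        # External evidence: the bank must show the money went to the approved payee.
        if t.beneficiary_account != vendor_master.get(p.vendor):
            findings.append(("wrong-payee", p.ref))
    # Anything left on the bank side was never recorded in the ledger.
    for ref in bank_by_ref:
        findings.append(("unrecorded-outflow", ref))
    return sorted(findings)
```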
Train and Educate Staff
As internal controls continue to evolve, it is important to educate employees on the latest internal control procedures and methods. Notify employees of any changes and their impact on their daily routines. Lack of employee knowledge and training is one of the leading causes of internal control failure. By training employees, and involving them in the process, they can help you identify and rectify control weaknesses.
Examine Departmental Reports
Make sure key business metrics are following the expected trends. Undesirable trends in metrics like revenue, profitability, or customer attrition, may be related to a failure of internal controls. Tie together reports from all departments to get a picture of the entire organization.
In addition, encourage departments or business units to report about controls and control weaknesses independently. Don’t take these reports at face value—evaluate each department’s ability to accurately evaluate the current status of their controls, and verify their findings.
Automating Internal Controls Audits with Pathlock
Material weaknesses can be a huge, ongoing cost to an organization. Luckily, material weaknesses can be avoided with a comprehensive control framework based around continuous controls monitoring. No Pathlock customer has ever reported a material weakness related to weak or ineffective internal controls.
Pathlock is the leader in continuous controls monitoring, with coverage for all of the IT General Controls, Internal Controls over Financial Reporting, and other required controls for SOX Compliance. With connections to 140+ enterprise systems, Pathlock can connect directly to SAP, Oracle, Workday Financials, and NetSuite to monitor your financial controls directly, in real time.
With Pathlock, customers can monitor compliance continuously, highlighting any potential risks early on, so they can be remediated in time for an audit. Additionally, they can enforce compliance with preventive controls that keep behavior in line with what is required. When audit season rolls around, a report can automatically be generated by Pathlock which outlines all of the controls, the compliance with those requirements, and any potential violations which have been remediated.