Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously. Send us your responses: [email protected].
Context: In the world of accounting standards, a material weakness is “a deficiency, or a combination of deficiencies, in internal control over financial reporting (ICFR), such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”
- The Sarbanes-Oxley Act (SOX) required companies to start testing for material weaknesses and have outside auditors review their controls. Corporates are required to publicly disclose any material weaknesses in ICFR.
- The phrase has appeared recently in articles about: New York Community Bancorp uncovering material weaknesses tied to internal controls related to a loan review; and chemical maker Chemours evaluating one or more potential material weaknesses in its financial reporting.
Member question: “Does your audit committee (AC) expect your internal audit team (not SOX) to have strong GAAP expertise to be able to identify non-compliance in technical areas? Do you have auditors who are basically black belts in technical accounting skills?
- “We have a material weakness in revenue for GAAP non-compliance that was missed for several years by our external auditors, by management, by SOX, and by internal audit. There was a calculation of revenue recognition that was not in strict compliance with GAAP. It was not material enough to require restatements of prior years or quarters, thank goodness.
- “So we are grappling with how responsible IA was in not catching this. We do operational audits (but basically never a pure financial audit for GAAP compliance) and our team members generally have Big Four (or public accounting) backgrounds, with an average of about 7 years of experience, many in low-cost locations).
- “My AC chair asked what level of GAAP knowledge did my team have; I said I have no black belts or even auditors who are super technical in any particular accounting processes. Does your team have these skill sets? Open to your opinions as well.”
Peer answer 1: “Our team makeup is very similar to yours, but I also own SOX. My AC has never expressed expectations that we be experts on GAAP, nor do I think it is reasonable for them to do so given the breadth of our responsibilities.
- “It seems to me that the question, rather than each group’s capabilities, is why existing key controls were insufficient or ineffective to catch it and why the external auditors, between their independent controls testing and substantive testing, also did not catch it.”
Peer answer 2: “I can almost exactly replicate the first response. I’ll add that my team has no black belts and two-thirds of them are offshore.”
Peer answer 3: “I have not had super-technical accountants in IA teams in my current or prior roles. I think it’s beyond the expectations in the IIA standards for IA to be equipped to substantively validate complex accounting positions. I would expect IA to have enough financial literacy to test management’s own controls over risky areas, i.e., whether they had the relevant expertise on their team and had done the necessary white papers/reviews on a complex topic.”
Peer answer 4: “My AC has not asked this question. However, I would expect the AC and our external auditors to assume that internal audit has the responsibility to assess the design of ICFR, unless there’s another third line function that has this responsibility within the org. In the context of the third line responsibility, I see two frameworks relevant to an expectation over the use of knowledgeable personnel:
- “The IIA Global Internal Audit standards (2024), Principle 3, ‘Demonstrate Competency’ (specifically, standard 3.1 “Competency”)
- “COSO Principle 16, specifically ‘Points of Focus, Uses Knowledgeable Personnel.’ Evaluators who perform ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.”
NeuGroup Insights reached out to the questioner, who provided these additional comments and insights:
- “I have never viewed IA as being responsible for GAAP compliance in general, unless an audit objective/scope was specifically defined as such. From a third line of defense standpoint, I leave GAAP compliance governance with the SOX group.
- “By design, internal auditors would not possess this specific set of skills as we need to cover very broad areas. For SOX, this is a different conversation, and should be designed to catch material weaknesses before they happen.
- “The IA function does independent testing of management SOX controls (utilizing a third-party public accounting firm), and I feel some ownership for not catching it. However, management owns the control environment with the technical accounting positions, and the IA SOX testing function is more about confirming the execution and documentation (IPE) of the control.”
