Material weakness vs. significant deficiency: what actually triggers disclosure

Internal control over financial reporting (ICFR) deficiencies sit on a severity ladder defined by the likelihood and magnitude of a potential misstatement. Getting the classification right is what determines your Item 9A conclusion and whether the auditor can issue a clean ICFR opinion.

The three rungs

A control deficiency exists when a control is missing or does not operate as designed. A significant deficiency is less severe than a material weakness but important enough to merit attention by those responsible for oversight — your audit committee. A material weakness is a deficiency, or combination of deficiencies, such that there is a reasonable possibility a material misstatement of the financials will not be prevented or detected on a timely basis.

"Reasonable possibility" is the hinge

The test is not whether a misstatement actually occurred. It is whether one could occur and go uncaught, at a magnitude that matters. A control can have produced perfectly accurate numbers all year and still represent a material weakness if the control itself could not be relied on to catch a material error.

What disclosure each triggers

A material weakness means management cannot conclude that ICFR is effective — that conclusion goes in Item 9A, and for accelerated filers the auditor's ICFR opinion will be adverse. Significant deficiencies are communicated to the audit committee and the auditor but are not, by themselves, disclosed to investors. Ordinary control deficiencies are tracked and remediated internally.

Remediation is a process, not a sentence

Disclosing a material weakness is not fatal — failing to have a credible remediation plan is what damages credibility. A defensible plan identifies the specific control gap, the new or redesigned control, who owns it, and the period over which it must operate effectively before you can conclude the weakness is remediated.