A material weakness is a flaw in a company’s internal controls over financial reporting that creates a reasonable possibility of a significant error in the company’s financial statements going undetected or uncorrected. In practical terms, it means the systems a company uses to track and report its money aren’t reliable enough to catch mistakes that could mislead investors. When a public company discloses a material weakness, it’s telling shareholders and regulators that something in its financial reporting process is broken in a way that matters.
How It’s Defined
The formal definition comes from the Public Company Accounting Oversight Board (PCAOB): “A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”
Two factors determine whether a control problem rises to this level. First, how likely it is that the company’s controls will fail to catch or prevent an error. Second, how large that error could be. A weakness only qualifies as “material” when both the probability and the potential dollar amount are significant enough that a reasonable investor would care. A small bookkeeping gap that could only produce a trivial rounding error doesn’t qualify. A breakdown in how the company accounts for revenue that could swing earnings by tens of millions does.
Three Levels of Control Problems
Not every internal control problem is a material weakness. Regulators recognize three tiers of severity:
- Control deficiency: A gap where a control is missing or isn’t designed well enough to do its job. An example would be a department that doesn’t review or reconcile its own expenditures. This is the least severe level and doesn’t require public disclosure on its own.
- Significant deficiency: A control deficiency, or a combination of them, that’s serious enough to deserve attention from the people overseeing the company’s financial reporting, but not severe enough to be called a material weakness. The potential errors here would be more than trivial but less than material.
- Material weakness: The most severe classification. The likelihood and size of a potential misstatement are both high enough that financial statements could be materially wrong. If even one material weakness exists, management cannot declare that the company’s internal controls are effective.
Multiple smaller deficiencies can combine to create a material weakness. A company might have several individually moderate problems that, taken together, create a realistic path for a significant financial error to slip through.
Why It Matters for Public Companies
The Sarbanes-Oxley Act of 2002 is what makes material weaknesses a public issue rather than a private one. Section 404 of the law created two distinct requirements. Under Section 404(a), management must include an internal control report in the company’s annual filing that states management’s responsibility for maintaining adequate controls, identifies the framework used to evaluate those controls, and provides management’s own assessment of whether the controls are effective as of the end of the fiscal year. If any material weakness exists, management must disclose it and cannot conclude that internal controls are effective.
Section 404(b) adds another layer: an independent external auditor must separately evaluate the company’s internal controls and issue its own opinion. That auditor’s report gets filed alongside management’s assessment in the annual report. So investors get two perspectives on the same question, one from the company itself and one from its auditor.
Federal regulations spell out exactly what the annual report must contain: a statement of management’s responsibility, the evaluation framework used, and a clear conclusion about whether controls are effective, including disclosure of any material weakness management identified. There’s no option to hedge or downplay it. If a material weakness exists, the company must say so plainly.
How Common They Are
Material weakness disclosures aren’t rare. A KPMG study analyzing annual filings from SEC-registered public companies for fiscal year 2024 found that 279 out of 3,502 companies, roughly 8%, disclosed at least one material weakness. That rate increased compared to the prior year. While 8% might sound small, these disclosures can trigger significant consequences: stock price drops, increased regulatory scrutiny, higher audit fees, and damaged credibility with investors.
What Material Weaknesses Look Like in Practice
Material weaknesses tend to fall into recognizable categories. Some of the most common involve a lack of segregation of duties, where the same person can both authorize transactions and record them, creating opportunities for errors or fraud to go unnoticed. Others involve failures in IT controls, such as inadequate access restrictions to financial systems or gaps in how data gets backed up and validated.
Complex accounting areas are another frequent source. Companies that handle unusual transactions, like business acquisitions, revenue from long-term contracts, or financial instruments with fluctuating values, sometimes lack the internal expertise or processes to account for them correctly. When a company’s accounting team doesn’t have the right skills or enough people to handle the complexity of its own finances, that’s a structural problem auditors take seriously.
Sometimes a single deficiency is severe enough to qualify on its own. Other times, an auditor identifies several significant deficiencies that individually fall short of the threshold but collectively create a realistic path for material misstatement. The SEC has published illustrative examples where two or three moderate control gaps, each capable of producing errors that were “more than inconsequential but less than material,” combined to meet the definition of a material weakness because together they made a material-level error reasonably possible.
How Companies Fix Them
Once a material weakness is identified, the company is expected to remediate it, meaning redesign and implement controls that specifically address the root cause. This isn’t a quick process. Remediation typically involves identifying exactly which control objective failed, designing new controls or strengthening existing ones, running those new controls long enough to demonstrate they actually work, and then having the changes evaluated by the external auditor.
Management must support any claim that a weakness has been fixed with sufficient evidence, including documentation that the new controls are designed correctly and have been operating effectively. The auditor then independently tests whether those controls satisfy the stated objective. Only after this testing can the company report that the weakness no longer exists.
The timeline varies widely depending on the nature of the problem. A weakness caused by a staffing gap might be resolved in a few months by hiring qualified personnel and implementing review procedures. A weakness rooted in outdated IT systems or a fundamental process breakdown could take a year or more. Companies often disclose remediation plans and progress in their quarterly filings, giving investors visibility into the timeline. Until the weakness is fully remediated and tested, it continues to appear in the company’s annual report, and management continues to be unable to certify that internal controls are effective.
Who’s Responsible: Management vs. Auditor
Both management and the external auditor play roles, but their responsibilities are distinct. Management owns the internal controls. It’s their job to design, implement, and maintain controls that produce reliable financial statements. They’re also the ones who must assess those controls annually and report on their effectiveness.
The external auditor’s role is to independently verify management’s assessment. The auditor conducts its own testing and forms its own opinion about whether internal controls are effective. In some cases, the auditor identifies a material weakness that management missed, which can create additional complications for the company. The auditor’s report carries significant weight because it provides an outside, independent perspective that investors and regulators rely on. Both reports appear in the company’s annual filing, so any disagreement between management and the auditor about the state of internal controls becomes immediately visible to the public.