AQRM Red Flags: Controls

The Audit Analytics Accounting Quality + Risk Matrix (AQRM) makes it easy to identify accounting, audit, and governance red flags for public companies. This blog series breaks down the risks associated with specific firm-level events included in the AQRM.

AQRM Red Flags: Controls

Red flag events concerning a company’s control environment are critical issues for investors and stakeholders to monitor.

A company’s control environment, as established by company management, determines the standards, processes, and structures that dictate operations, financial reporting, and compliance. In general, issues in a company’s control environment, including control weaknesses, late filings, and cybersecurity incidents, carry substantial risk for material impacts. Due to the pervasive nature of the control environment on financial reporting and disclosures, these issues are significant red flags for investors and stakeholders.  

Internal Controls over Financial Reporting (SOX 404)

Internal controls over financial reporting (ICFR), as required under Sarbanes-Oxley Section 404 (SOX 404), are intended to ensure a company’s financial statements are accurate and complete. Any ICFR deficiencies identified by management, or the auditor, fundamentally heightens the risk for fraud and materially misstated financial statements.

In general, a material weakness in a company’s controls is associated with riskier operations, poorer performance, weaker management, and lower earnings quality compared to firms with effectively functioning controls. Research also suggests deficient controls result in a higher cost of capital and may contribute to more inefficient investment decisions.

Understandably, the market does not react favorably to material weaknesses in controls, particularly after a first-time disclosure of a newly discovered deficiency.  

Disclosure Controls and Procedures (SOX 302)

Disclosure controls, as required under Sarbanes-Oxley Section 302 (SOX 302), are established controls and procedures that facilitate the timely communication of necessary information to management, allowing management to assess the need for disclosure under various reporting requirements.

Properly functioning disclosure controls ensure that stakeholders and investors receive relevant and material company information in a timely manner. Ineffective or poorly designed disclosure controls heightens the risk for lower quality disclosures and could result in a failure to disclose material information to stakeholders.

Overall, weak disclosure controls lower the credibility of a company’s financial reporting. Prior research suggests that markets do take note of this red flag, with negative abnormal returns associated with ineffective disclosure controls.

Late Filings

A late or non-timely (NT) filing is a key indicator of the health of a company’s financial reporting and internal control environment. SEC filings, such as annual and quarterly reports, are required to be filed within a certain timeframe. As this is a continuous, recurring requirement, the inability for a company to file one of these periodic reports on time is a significant red flag.

Aside from a negative stock market reaction, late filings can impose other costs on shareholders. Timely filing of reports is a critical requirement, and a delinquent report can trigger debt covenant violations or regulatory penalties, including de-registration with the SEC. In the event of a prolonged failure to file, a company can eventually be delisted from its stock exchange.

While there is a litany of reasons a company may be unable to timely file a report – a recent auditor change, the new discovery of a material weakness in controls, the need to restate financial statements, etc. – it generally indicates other issues with financial reporting and the control environment and heightens the risk for adverse events in the future.


A cybersecurity breach or incident at a public company – such as a ransomware or malware attack, an email phishing scheme, or other exploitation of an IT security vulnerability – is a notable event that shareholders and investors need to monitor.

In general, cybersecurity incidents are informative of potential financial reporting deficiencies; research has found positive relationships between data breaches  and restatements, SEC comment letters, and higher audit fees.

Data breaches are also indicative of an overall weak control environment. A positive correlation has been identified between cyber incidents and future control weaknesses. As internal controls encompass information technology systems, a material weakness in ICFR can contribute to cybersecurity issues. Furthermore, ineffective disclosure controls may prevent or hinder the timely escalation of the issue and delay disclosure to stakeholders.

Additionally, cybersecurity breaches can be costly and have the potential to have long-lasting impacts on financial performance.

However, without a standard practice or universally implemented regulation, what, when, and how companies disclose information about cyber events can make it a difficult red flag to track.

A properly functioning control environment mitigates risk for issues in financial reporting and disclosures. While a material weakness in ICFR, a disclosure control deficiency, a late filing or cybersecurity event are individually red flags, each of these red flags heighten the risk for additional issues due to the pervasive nature of the control environment.

When SANUWAVE Health [OTC: SNWV] was targeted by a cybersecurity attack, the company disclosed that it identified a material weakness in internal controls that failed to properly prevent the incident. In turn, the material weakness in internal controls rendered the company’s disclosure controls ineffective.

As another example, Circor International [NYSE: CIR] partially blamed a cybersecurity incident for the inability to file a timely annual report for 2019. In its late filing statement, Circor disclosed needing more time to assess, among other events, the materiality of a cyber incident that impacted several of the company’s manufacturing facilities.

Other consequences can be incurred if a company fails to maintain a proper control environment, including regulatory enforcement. In June 2021, the SEC charged First American Financial Corp [NYSE: FAF] with disclosure control and procedure violations specifically related to a cybersecurity vulnerability at the company. The SEC order alleged that, due to their deficient disclosure controls, senior management was completely unaware of the cybersecurity issue, as well as the company’s inability to remediate it. As senior management was unaware of the issue, the company failed to properly inform investors about a material piece of information.

Interested in our content? Be sure to subscribe to receive our email notifications.