Skip to main content

Why does your auditor's opinion on internal controls matter more than you think?

Every December, thousands of public companies file a 10-K with two audit opinions inside: one on the financial statements themselves, and a second on something often overlooked—whether the company maintained effective internal control over financial reporting (ICFR). That second opinion is quieter than the first, easier to skim past, and yet it is one of the most reliable early warnings an investor can read.

Quick definition: Internal control over financial reporting (ICFR) is the system of processes, policies, and people a company uses to ensure that its financial statements are accurate, complete, and presented in accordance with accounting standards. An auditor's opinion on ICFR tells you whether that system actually works.

Key takeaways

  • The auditor's ICFR opinion is a separate judgment from the audit opinion on the statements themselves; a company can have clean statements but weak controls.
  • A "material weakness" in internal controls is the auditor's highest warning level and often precedes restatements, fraud, or deeper trouble.
  • Most large public companies receive an "unqualified" (clean) ICFR opinion, but those that don't signal real governance risk.
  • Management, not the auditor, is responsible for designing and maintaining controls; the auditor only evaluates whether they work.
  • Changes in the auditor's ICFR assessment—especially upgrades or downgrades—can move stock price more than earnings surprises.

What is internal control over financial reporting, and who is responsible?

Under the Sarbanes–Oxley Act (SOX), enacted after the Enron collapse in 2001, management is required to assess and report on the effectiveness of ICFR. The auditor then independently evaluates that assessment. This is not the auditor's job to design controls; it is to test whether they exist and work.

Internal control over financial reporting covers everything from who can approve a journal entry, to how transaction data flows from the accounting system into the general ledger, to who reconciles the bank account. A strong control environment means:

  • Only authorized people can initiate, record, and approve transactions.
  • Transactions are accurately classified into the right accounts and periods.
  • Access to financial systems and data is restricted and logged.
  • Misstatements—whether from error or fraud—are caught before statements are published.

The responsibility is management's. The auditor's job is to audit that responsibility.

The three levels of control deficiency

Not all control weaknesses are equal. The auditor rates them on a spectrum:

Deficiency

A deficiency exists when the design or operation of a control does not allow the company or its auditor to prevent or detect misstatements on a timely basis. It might be minor—say, a lack of segregation of duties in a small accounting function—but it is noted.

Significant deficiency

A significant deficiency is a combination of one or more deficiencies that is less severe than a material weakness but still warrants management and audit committee attention. It might be a control that should exist but does not, or a control that sometimes fails. The company must disclose it.

Material weakness

A material weakness is the most severe category. The auditor determines that a deficiency or combination of deficiencies is so significant that it is reasonably possible—not certain, but possible—that a material misstatement could occur and not be prevented or detected. When an auditor identifies a material weakness, they must say so in their ICFR opinion, and the company must disclose it prominently.

Understanding the auditor's ICFR opinion types

Unqualified opinion

An unqualified (or "clean") ICFR opinion states that the company maintained effective internal control over financial reporting as of the balance sheet date. Most large, stable companies receive this. It is the green light.

Adverse opinion

An adverse opinion on ICFR means the company's internal controls are not effective. The auditor has identified a material weakness that is so severe—or multiple material weaknesses—that management cannot reasonably assert that ICFR is effective. This is rare and usually a major red flag. An adverse ICFR opinion often accompanies a qualified audit opinion on the statements themselves, or precedes a restatement.

Disclaimer of opinion

Occasionally, the auditor cannot assess ICFR because management does not cooperate, or the scope of the audit is so limited that the auditor cannot form an opinion. This is uncommon but signals a governance breakdown.

Why a material weakness matters

A material weakness in ICFR is one of the most actionable warnings in financial reporting. It does not mean fraud occurred, but it means the company's system for preventing or catching errors is broken enough that errors could slip through.

In practice, companies with material weaknesses in ICFR have higher restatement rates, lower stock returns, and often experience governance changes (such as a new CFO or audit committee member). Research by the Center for Audit Quality has shown that material weaknesses predict future earnings surprises and audit costs.

When a company discloses a material weakness, it is often followed by:

  • A management remediation plan, detailing how they will fix the control.
  • Increased auditor scrutiny in the following year.
  • Sometimes, a change in auditors or in the finance leadership.

An investor who spots a material weakness should ask: What happened? Did the company catch a misstatement before it was published, or was one already buried in the statements? Does management have a credible plan to fix it? Is the auditor satisfied?

Real-world examples

Hertz Global Holdings (2020): Hertz disclosed multiple material weaknesses in ICFR, including deficiencies in the design of controls over the recording of vehicle depreciation and lease accounting. The weaknesses, combined with operational stress, preceded the company's bankruptcy filing in 2020.

Bed Bath & Beyond (2018–2022): The home goods retailer disclosed material weaknesses in the design and operation of controls over revenue recognition, expense accruals, and inventory valuation for multiple years. Each year, the company promised remediation; each year, control failures recurred. Eventually, the company filed for bankruptcy in 2023.

Tesla (2015): Tesla's auditor, PwC, noted significant deficiencies in controls over the revenue recognition process during the Model X ramp-up. While not a material weakness, it signaled that rapid growth had outpaced the company's accounting infrastructure. Tesla invested heavily in controls and later received clean ICFR opinions.

United Airlines (2020): During the pandemic, United disclosed a material weakness related to controls over the accounting for frequent-flyer mileage (the company's deferred revenue liability). The weakness did not result in a misstatement but exposed a gap in the control environment during a period of financial stress.

Management's role vs. the auditor's role

This distinction is crucial and often misunderstood.

Management is responsible for:

  • Designing ICFR.
  • Assessing whether it is effective.
  • Certifying that assessment in their SOX 302/906 certification (signed by the CEO and CFO).
  • Reporting any material weaknesses to the audit committee.

The auditor is responsible for:

  • Testing the design and operating effectiveness of management's controls.
  • Evaluating management's assessment.
  • Expressing an independent opinion on whether ICFR is effective.
  • Reporting material weaknesses and significant deficiencies to the audit committee.

The auditor does not design or maintain controls; they audit them. If an auditor issues an adverse opinion on ICFR, management cannot simply appeal; the opinion stands unless management's remediation demonstrably fixes the underlying deficiency.

How control assessments are tested

The auditor's evaluation of ICFR follows a framework, typically the Committee of Sponsoring Organizations (COSO) Internal Control–Integrated Framework. The auditor assesses five components:

  1. Control environment: The tone at the top, the company's values, and how seriously it takes financial integrity.
  2. Risk assessment: Does the company identify risks to accurate financial reporting?
  3. Control activities: Are there actual procedures to prevent or detect errors—segregation of duties, approvals, reconciliations?
  4. Information and communication: Do systems and people communicate financial data correctly?
  5. Monitoring: Does the company monitor controls, find gaps, and fix them?

The auditor examines evidence: testing a sample of transactions to see if controls were applied, interviewing staff, reviewing system access logs, and observing how cash is handled. If the sample reveals failures in the control, the auditor expands the testing and evaluates the severity.

Changes in ICFR assessment: A signal of transition

When a company's ICFR opinion changes from unqualified to qualified (or vice versa), it is a material event. A downgrade—from unqualified to adverse, or the first disclosure of a material weakness—often signals:

  • A change in finance leadership or a new CFO who uncovered inherited problems.
  • Rapid growth or acquisition integration that strained systems.
  • A change in the auditor, who applies stricter standards.
  • Real failures in the accounting function or data infrastructure.

An upgrade—when a previously disclosed material weakness is eliminated—is positive, but only if the underlying fix is credible and sustained. Companies sometimes claim remediation too early.

Common mistakes investors make

Mistake 1: Confusing an ICFR opinion with an audit opinion. A company can have a clean audit opinion on the statements but an adverse ICFR opinion. This happens when errors were caught before publication. The ICFR opinion is actually more forward-looking; it flags whether the system caught the error this time, but will it next time?

Mistake 2: Assuming a material weakness means fraud. A material weakness means the system is weak, not that fraud occurred. However, weak controls make fraud easier, so a material weakness deserves skepticism.

Mistake 3: Ignoring remediation plans. Companies often follow a material weakness disclosure with a multi-page remediation plan. Investors should evaluate whether the plan is credible: Is it detailed, or vague? Is management allocating budget and people to fix it? Will the auditor be able to test the fix next year?

Mistake 4: Overlooking a "significant deficiency" because it is not a material weakness. Significant deficiencies are disclosed but receive less investor attention than material weaknesses. They still warrant a read and a judgment on whether they are steps toward a material weakness.

Mistake 5: Not checking whether the auditor's standards changed. If a company switches auditors and the new auditor identifies a material weakness, ask whether the new auditor is simply more rigorous, or whether a real deterioration occurred. Compare to prior-year audit reports for context.

FAQ

Q: Can a company appeal an auditor's ICFR opinion? A: Not directly. If management disagrees with the auditor's assessment, they must either remediate the control and demonstrate the fix to the auditor, or change auditors. Changing auditors for an unfavorable ICFR opinion is rare and itself a red flag, as the new auditor usually reaches the same conclusion.

Q: If a company discloses a material weakness, does that mean the financial statements are wrong? A: Not necessarily. The material weakness is a forward-looking assessment of the system's strength, not a backward-looking audit of whether errors actually occurred. However, auditors do examine the statements carefully when a material weakness exists, so the published numbers are still audited. The material weakness means the risk of future misstatements is elevated.

Q: What is the difference between a material weakness and a significant deficiency? A: A material weakness is severe enough that a material misstatement is reasonably possible; a significant deficiency is less severe but still important. Material weaknesses must be disclosed prominently; significant deficiencies are disclosed but receive less investor attention. The line between them is judgment-based, which is why two auditors might disagree.

Q: Are material weaknesses in ICFR common? A: No. Among large, established public companies, material weaknesses are rare—under 5 percent. Among smaller reporting companies and newer public companies (especially those that recently IPO'd), the rate is higher, around 20 percent. A material weakness is a meaningful outlier.

Q: Does a good ICFR opinion guarantee the financial statements are correct? A: No. An unqualified ICFR opinion means the system for preventing and detecting misstatements is effective, but it does not guarantee no errors exist. It lowers the risk of material errors, but audits themselves rely on sampling, not 100 percent verification. An unqualified ICFR opinion is a strong positive signal, but not a guarantee.

Q: What should I do if a company I own discloses a material weakness in ICFR? A: Read the disclosure. Understand what the weakness is. Evaluate management's remediation plan. If the weakness relates to a critical area (revenue, expense accruals, valuation) and the plan is vague, consider selling. If it relates to a minor area and the plan is credible, monitor it in the next 10-K. A single material weakness is a warning; multiple material weaknesses or repeated failures warrant more serious skepticism.

Q: Does ICFR apply to private companies? A: No. ICFR and SOX 404 apply only to public companies (and large accelerated filers). Private companies do not report on ICFR. This is one reason why smaller, private companies have higher fraud rates—there is less external oversight.

  • SOX 404 and internal controls: The Sarbanes–Oxley Act mandates that public companies maintain ICFR and that management assess and report on it annually.
  • Material weakness vs. significant deficiency: Two tiers of control weakness, with material weakness being the more severe.
  • Audit committee oversight: The board's audit committee receives reports of material weaknesses and significant deficiencies and is responsible for ensuring remediation.
  • COSO framework: The Committee of Sponsoring Organizations (COSO) Internal Control–Integrated Framework is the standard auditors use to evaluate ICFR.
  • Restatements and ICFR: Companies that have restated financial statements often disclose material weaknesses in the subsequent year, as the restatement prompts deeper control evaluation.

Summary

The auditor's opinion on internal control over financial reporting is a separate, equally important judgment to their opinion on the financial statements themselves. A material weakness in ICFR is a serious warning that the company's system for preventing and detecting financial errors is broken. While it does not prove a misstatement occurred, it flags that the risk of future misstatements is elevated. Investors should read the ICFR opinion carefully, understand what any material weakness or significant deficiency actually means, evaluate management's remediation plan, and monitor whether the weakness persists in future years. A company with a clean ICFR opinion is a company whose finance function is under control; a company with a material weakness is one to scrutinize closely.

According to the Public Company Accounting Oversight Board (PCAOB), material weaknesses were identified in approximately 4.8 percent of large accelerated filers in 2023, and each disclosure correlates with measurable increases in audit fees and heightened investor skepticism.

Next

Read the next article: When a company changes auditors: signal vs noise