Internal Controls and Procedures Assessment Report
Management Conclusions on Control Effectiveness
Management concluded that the company's disclosure controls and procedures were not effective as of December 31, 2023. This conclusion was driven by identified material weaknesses in internal control over financial reporting (ICFR). Despite this failure in controls, management affirmed that the consolidated financial statements fairly present the company’s financial position, results of operations, and cash flows in accordance with U.S. GAAP, indicating that the underlying accounting processes were maintained despite the control deficiencies.
Material Weaknesses and Deficiencies Identified
The primary finding is the existence of material weaknesses in ICFR, which resulted in an adverse opinion from the independent registered public accounting firm (KPMG LLP).
Nature of Control Failures
- Database Integrity: The core deficiency related to unauthorized changes made to custom databases supporting key operational and accounting systems.
- Control Design Flaws: Specific failures included:
- A control designed to review and authorize direct database changes excluded certain modifications from the review process, meaning it did not operate effectively as intended.
- The system logic used for recording these direct database changes failed to capture all relevant changes within the change logs utilized for manual review.
- Root Cause: These deficiencies stemmed from personnel lacking specific training and experience regarding IT general controls over custom databases, leading to an ineffective information and communication process necessary for ensuring data reliability in financial reporting.
Remediation Efforts and Future Outlook
Management has initiated a comprehensive remediation plan under the oversight of the Audit Committee to address the material weaknesses.
Noteworthy Remedial Actions
- Personnel & Training: The company is increasing the number of qualified personnel involved in IT controls design/implementation and conducting additional training related to information technology operations.
- Process Strengthening (Noteworthy): Management is implementing enhancements designed to strengthen IT program change management processes and performing supplemental procedures for direct database changes until improvements are fully operational.
- Risk Assessment: Entity-wide risk assessments have been improved to better identify relevant process risks, IT systems, and the information used in control operations.
Status of Remediation
The material weaknesses will not be considered fully remediated until the applicable controls operate effectively for a sufficient period, which management expects will occur in 2024.
Changes and New Controls Introduced
While there were no major changes to existing internal controls during the most recent fiscal quarter (outside of ongoing remediation efforts), significant future control developments are underway.
Noteworthy System Development
- New Accounting System: The company is developing a new accounting system that will be implemented worldwide over several years. This transition represents a material change to the processes constituting ICFR and requires subsequent testing for operating effectiveness.