SEC Chief Accountant: When Assessing Risk, Look at the Big Picture
SEC Chief Accountant Paul Munter has issued a statement discussing risk assessment. In The Importance of a Comprehensive Risk Assessment by Auditors and Management, Mr. Munter warned that, in some instances, “management and auditors appear too narrowly focused on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.” He urged taking “a holistic approach” to risk assessment.
Mr. Munter expressed particular concern about the tendency to treat problems as isolated incidents, rather than considering their significance as indicators of financial reporting risk or of weaknesses in internal control over financial reporting (ICFR). As examples of the kinds of incidents that may be mistakenly viewed as one-off events, he cites “a data breach in a system not part of ICFR, a repeat non-financial reporting-related regulatory finding classified as lower risk, a misstatement to the financial statements determined to be a revision restatement (i.e., ‘little r’), or a counterparty risk limit breach.” Management and auditors should guard against evaluating these types of occurrences “individually or rationalizing away potentially disconfirming evidence” and thereby concluding that such “matters do not individually, or in the aggregate, rise to the level of management disclosure or auditor communication requirements.”
Against this background, the statement discusses three topics:
Management needs to be alert to new or changing business risks that could impact internal controls or disclosure in periodic filings. “Management’s risk assessment processes must comprehensively and continually consider * * * objectives, strategies, and related business risks; evaluate contradictory information; and deploy appropriate management resources to respond to those risks.” Similarly, in performing its risk assessment, the auditor should consider public statements regarding changes in the company’s “strategy, board composition, or other governance matters—and whether such statements contradict management’s assessment of its control environment.” If there are material inconsistencies between company disclosures and information obtained in performing the audit, the auditor should determine whether the disclosures “indicate a potential new or evolving business risk that could materially affect the financial statements or the effectiveness of ICFR.”
Management should evaluate whether the company has implemented processes and controls that can timely prevent or detect a material misstatement in financial statements. But that evaluation should not focus only on controls directly related to financial reporting. When evaluating control deficiencies that are “outside of an issuer’s financial reporting objective,” management and auditors should consider the root cause of the deficiency and whether it impacts ICFR. “For example, the root causes behind a regulator’s findings related to enterprise-wide governance and controls, while not directly related to financial reporting control activities, could have an impact on management’s ICFR conclusions due to their impact on the risk assessment and monitoring components of ICFR.”
Also, when assessing the severity of a control deficiency that is identified because of a misstatement, management and the auditor should consider not just the identified misstatement but also the magnitude of potential misstatement that could have resulted from the control deficiency. Mr. Munter refers to this as the “could factor” – the possibility that a control deficiency could have affected a large population of accounts or transactions. “In particular, when the root cause is an inadequate entity-level risk assessment process, the ‘could factor’ can extend to a wider population of potential misstatements beyond the identified misstatement.”
In addition to disclosures related to ICFR evaluations and control changes, SEC filings are required to discuss material factors that make an investment in the company speculative or risky. Management’s risk assessment process, which should include contradictory information, may identify factors that should be included in this disclosure. Moreover, some business risks may also impact financial statement disclosures.
Auditors also have a role in communicating with investors regarding risk. This takes two forms – disclosure in the auditor’s report of critical audit matters (CAMs) and the possible inclusion in the report of an emphasis-of-matter paragraph. If the auditor determines that a business risk represents a risk of material misstatement to the financial statements and discusses the risk with the audit committee, the business risk may be a CAM that must be described in the auditor’s report. Auditors may also use an emphasis-of-matter paragraph “to highlight any matter relating to the financial statements and disclosures, which could include matters related to an issuer’s objectives, strategies, and related business risks * * * .”
Comment: While Mr. Munter’s statement is aimed primarily at management and auditors, audit committees should also review the concepts he discusses. The statement signals that the SEC expects companies and auditors to take a broad approach to risk assessment. Audit committees may want to discuss with both management and the auditor their reactions to the statement and how it relates to their respective risk assessment procedures.