In this Statement, The Importance of a Comprehensive Risk Assessment by Auditors and Management, SEC Chief Accountant Paul Munter cautions auditors and company managements against conducting risk assessments that focus too narrowly “on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.” Similarly, auditors and managements may sometimes dismiss isolated incidents, perhaps as a result of confirmation bias, without adequately analyzing whether these issues might be indicative of larger issues that require responsive action and disclosure. Munter warns that “[s]uch a narrow focus is detrimental to investors as it can result in material risks to the business going unaddressed and undisclosed, thereby diminishing the quality of financial information.” Management, Munter warns, must “take a holistic approach when assessing information about the business and avoid the potential bias toward evaluating problems as isolated incidents, in order to timely identify risks, including entity-level risks.” Managements and audit committees may want to take note.
In particular, Munter appears troubled by a failure to think more expansively about isolated incidents—events such as “a data breach in a system not part of ICFR, a repeat non-financial reporting-related regulatory finding classified as lower risk, a misstatement to the financial statements determined to be a revision restatement (i.e., ‘little r’), or a counterparty risk limit breach.” It could be, he suggests, that management or auditors “may be inadvertently biased toward evaluating each such incident individually or rationalizing away potentially disconfirming evidence.” As a result, management or auditors might fail to appreciate when these matters might “individually, or in the aggregate, rise to the level of management disclosure or auditor communication requirements.”
Management considerations in risk assessment. Changing economic conditions, Munter observes, can alter existing risks or trigger new risks. As a result, “to be effective,” Munter suggests, management’s “risk assessment processes must comprehensively and continually consider issuers’ objectives, strategies, and related business risks; evaluate contradictory information; and deploy appropriate management resources to respond to those risks. For example, management’s risk assessment process may consider observations from regulators, analyst reports, and short-seller reports.” New or modified business risks could also necessitate changes to the company’s system of internal control, requiring management to “design and implement responses that support issuers’ ability to appropriately disclose information in its periodic filings. Business risks, such as a company’s loss of financing, customer concentrations, or declining conditions affecting the company’s industry, could affect issuers’ ability to settle their obligations when due, and affect the risks of material misstatements in financial statements not being identified on a timely basis. Likewise, risks related to changes in technology could impact the effectiveness of controls around processing of transactions.”
Auditor considerations in risk assessment. Likewise, Munter advocates that, in conducting risk assessments, auditors must employ “professional skepticism, including objective consideration of contradictory information.” In addition, auditors should “remain alert to potential changes in issuers’ objectives, strategies, and business risks,” including issuers’ “public statements regarding changes in their strategy, board composition, or other governance matters—and whether such statements contradict management’s assessment of its control environment.” Auditors also need to be on the lookout for inconsistencies between information disclosed by companies in periodic filings and the “judgments made by management throughout the financial reporting process compared with the information obtained throughout the performance of the audit. If material inconsistencies exist, auditors should determine whether those disclosures indicate a potential new or evolving business risk that could materially affect the financial statements or the effectiveness of ICFR.”
Internal controls. While, under Exchange Act Rules 13a-15 and 15d-15, companies need to evaluate annually the effectiveness of ICFR in timely detecting material misstatements in the financial statements, Munter advocates that a company’s system of internal controls be “dynamic” and look beyond ICFR. When control deficiencies are detected outside of financial reporting, Munter urges that management and auditors look for the “root cause of the deficiency and whether it impacts the issuer’s ICFR conclusions.” Importantly, in this context, Munter again implores companies and auditors not to miss the potential big picture: “Rather than a biased defaulting to an assessment of narrowly-defined, process-level deficiencies, management and auditors’ aggregation analysis should consider the root cause of individual control deficiencies, to determine whether such deficiencies indicate a broader, more pervasive deficiency at the entity-level. We encourage auditors to avoid potential bias toward rationalizing away disconfirming evidence and instead to apply objective judgment when evaluating whether insufficient deficiency evaluations by management constitute evidence of ineffective monitoring activities.”
In addition, Munter advises, when assessing the severity of control deficiencies identified as a result of a misstatement, management and auditors should consider the “could factor”—the magnitude of potential misstatement—by “assessing the total population of transactions or amounts exposed to the deficiency in the impacted accounts or classes of transactions.” To illustrate, Munter points to deficiencies where the “root cause is an inadequate entity-level risk assessment process”; in those instances, Munter suggests, the “could factor” can “extend to a wider population of potential misstatements beyond the identified misstatement.”
Disclosure. Munter reminds us that companies are required to make disclosure about annual ICFR evaluations, identified material weaknesses, changes to ICFR and risk factors. In particular, risk assessment procedures, which “include an evaluation of all information available, including contradictory information,” may be helpful in identifying Risk Factors, including business risks that may also impact financial statement disclosures. Similarly, audit reports may be used to communicate with investors. For example, business risks identified through the auditor’s risk assessment process that represent a risk of material misstatement to the financial statements, and that were discussed with the audit committee, may rise to the level of critical audit matters that are disclosed in the audit report.
Conclusion. “When business risks change,” Munter concludes, “a robust, iterative risk assessment process and strong entity and process-level controls are essential to transparent and high-quality financial reporting. Auditors in their public gatekeeper role serve as an independent check on management’s performance of these critical functions and should transparently communicate with investors in accordance with PCAOB standards.”