The Importance of a Comprehensive Risk Assessment by Auditors and Management

Paul Munter
Chief Accountant

Aug. 25, 2023

Introduction[1]

Management’s and auditors’ risk assessment processes are critical to the decisions regarding financial reporting and the effectiveness of internal control over financial reporting (ICFR). Accordingly, we are troubled by instances in which management and auditors appear too narrowly focused on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.[2] Such a narrow focus is detrimental to investors as it can result in material risks to the business going unaddressed and undisclosed, thereby diminishing the quality of financial information.

Issues that may also impact financial reporting and internal controls often present themselves as isolated incidents across an issuer—for example, a data breach in a system not part of ICFR, a repeat non-financial reporting-related regulatory finding classified as lower risk, a misstatement to the financial statements determined to be a revision restatement (i.e., “little r”), or a counterparty risk limit breach. Some management and certain auditors may be inadvertently biased toward evaluating each such incident individually or rationalizing away potentially disconfirming evidence, and conclude that these matters do not individually, or in the aggregate, rise to the level of management disclosure or auditor communication requirements.[3]

This statement discusses management’s obligation to (1) take a holistic approach when assessing information about the business and avoid the potential bias toward evaluating problems as isolated incidents, in order to timely identify risks, including entity-level risks; (2) design processes and controls that are responsive to identified risks; and (3) effectively identify information that issuers are required to communicate to investors. We also discuss auditors’ responsibilities as gatekeepers to hold management accountable in the public interest.

Risk Assessment

Management Considerations

Changing economic conditions may have a significant and sudden impact on an issuer’s business, which could change risks or create new ones. Therefore, to be effective, risk assessment processes must comprehensively and continually consider issuers’ objectives, strategies, and related business risks; evaluate contradictory information; and deploy appropriate management resources to respond to those risks.[4] For example, management’s risk assessment process may consider observations from regulators, analyst reports, and short-seller reports. Management is also required to provide auditors complete information related to certain communications from regulatory agencies.[5]

Management needs to be alert to new or changing business risks to identify changes that could significantly impact its system of internal control,[6] and design and implement responses that support issuers’ ability to appropriately disclose information in their periodic filings.[7] Business risks, such as a company’s loss of financing, customer concentrations, or declining conditions affecting the company’s industry, could affect issuers’ ability to settle their obligations when due, and increase the risk that material misstatements in the financial statements are not identified on a timely basis.[8] Likewise, risks related to changes in technology could impact the effectiveness of controls around the processing of transactions.

Auditor Considerations

Risk assessment forms the basis of the audit process.[9] A lack of professional skepticism, including objective consideration of contradictory information, in this critical process could result in an auditor not identifying or assessing risks appropriately, which could impact the effectiveness of the audit.[10] When identifying risks of material misstatement and designing appropriate audit responses, auditors should remain alert to potential changes in issuers’ objectives, strategies, and business risks.[11] Auditors should consider the possible impact of an issuer’s public statements regarding changes in their strategy, board composition, or other governance matters—and whether such statements contradict management’s assessment of its control environment.

Auditors also should assess the consistency of information disclosed by issuers in periodic filings and the judgments made by management throughout the financial reporting process compared with the information obtained throughout the performance of the audit. If material inconsistencies exist, auditors should determine whether those disclosures indicate a potential new or evolving business risk that could materially affect the financial statements or the effectiveness of ICFR.[12]

Entity-Level Controls

Management should evaluate whether issuers have implemented processes and controls that can timely prevent or detect a material misstatement in financial statements. While an issuer’s financial reporting objective may be separate from its operational or compliance objectives, an issuer’s internal control system should be dynamic and expand beyond a singular focus on ICFR.[13]

When evaluating control deficiencies identified outside of an issuer’s financial reporting objective, management and auditors should consider the root cause of the deficiency and whether it impacts the issuer’s ICFR conclusions.[14] For example, the root causes behind a regulator’s findings related to enterprise-wide governance and controls, while not directly related to financial reporting control activities, could have an impact on management’s ICFR conclusions due to their impact on the risk assessment and monitoring components of ICFR. Rather than defaulting, through bias, to an assessment of narrowly defined, process-level deficiencies, management’s and auditors’ aggregation analysis should consider the root cause of individual control deficiencies to determine whether such deficiencies indicate a broader, more pervasive deficiency at the entity level. We encourage auditors to avoid potential bias toward rationalizing away disconfirming evidence and instead to apply objective judgment when evaluating whether insufficient deficiency evaluations by management constitute evidence of ineffective monitoring activities.

Further, when assessing the severity of control deficiencies identified as a result of a misstatement, management and auditors should consider not only the actual misstatement, but also the magnitude of potential misstatement (i.e., the so-called “could factor”).[15] The “could factor” evaluation includes assessing the total population of transactions or amounts exposed to the deficiency in the impacted accounts or classes of transactions.[16] In particular, when the root cause is an inadequate entity-level risk assessment process, the “could factor” can extend to a wider population of potential misstatements beyond the identified misstatement.

Reporting Obligations

Clear and transparent communication for the benefit of investors is critical. Management’s financial reporting obligations include disclosures around its annual ICFR evaluations, descriptions of identified material weaknesses, and, on a quarterly basis, changes that have materially affected, or are reasonably likely to materially affect, an issuer’s ICFR.[17] Additionally, management is required to provide a discussion in its filings of material factors that make an investment in the registrant speculative or risky.[18] Management may identify these factors for disclosure as part of its risk assessment procedures, which include an evaluation of all available information, including contradictory information. In some instances, business risks may also impact financial statement disclosures when the risks and uncertainties could significantly affect the amounts reported in the financial statements in the near term.[19]

Auditors protect investors and further the public interest through the preparation of informative, accurate, and independent audit reports. Therefore, the auditor’s report is a critical means of communication with investors, and auditors should consider the different mechanisms within the auditor’s report to communicate with investors. In an integrated audit,[20] an auditor’s reporting obligation includes expressing an adverse opinion on the issuer’s ICFR if there are deficiencies that, individually or in combination, result in one or more material weaknesses, including those resulting from entity-level control deficiencies.[21] If, through the auditor’s risk assessment process, a business risk is determined to represent a risk of material misstatement to the financial statements that is discussed with the audit committee, these matters may meet the definition of a critical audit matter[22] and require communication to investors within the auditor’s report. Although not required, we remind auditors that they may use an “emphasis paragraph” to highlight any matter relating to the financial statements and disclosures, which could include matters related to an issuer’s objectives, strategies, and related business risks, as discussed above.[23]

Conclusion

As Chair Gary Gensler has noted, “there’s a basic bargain in our capital markets: investors get to decide what risks they wish to take” while “[c]ompanies that are raising money from the public have an obligation to share information with investors on a regular basis.”[24] Timely and transparent reporting by management, and informative, accurate, and independent reports by auditors, are critical components of the system that help companies maintain their end of the bargain—their commitment to provide high quality financial information and information about the effectiveness of their ICFR to investors. When business risks change, a robust, iterative risk assessment process and strong entity and process-level controls are essential to transparent and high-quality financial reporting. Auditors in their public gatekeeper role serve as an independent check on management’s performance of these critical functions and should transparently communicate with investors in accordance with PCAOB standards.


[1] This statement is provided in the author’s official capacity as the Commission’s Chief Accountant but does not necessarily reflect the views of the Commission, Commissioners, or other members of the staff. This statement is not a rule, regulation, or statement of the Commission. The Commission has neither approved nor disapproved its content. This statement, like all staff statements, has no legal force or effect: it does not alter or amend applicable law, and it creates no new or additional obligations for any person. “Our” and “we” are used throughout this statement to refer to the staff of the Office of the Chief Accountant (“OCA”).

[2] The term “entity-level” controls or components is used in this statement to describe aspects of a system of internal control that have a pervasive effect on the entity’s system of internal control such as controls related to the control environment, the issuer’s risk assessment process, monitoring activities, and information and communication.

[3] See, e.g., Raymond S. Nickerson, Confirmation Bias: A Ubiquitous Phenomenon in Many Guises, 2 Review of General Psychology 175-220 (1998).

[4] See, e.g., the Committee of Sponsoring Organizations of the Treadway Commission Internal Control – Integrated Framework (the COSO Framework), for a discussion of the risk assessment principles that management may apply, available at https://www.coso.org/internal-control.

[5] Public Company Accounting Oversight Board (PCAOB) AS 2805, Management Representations, paragraphs .06(e) and .06(o).

[6] See, e.g., COSO Framework’s principle #9 (“The organization identifies and assesses changes that could significantly impact the system of internal control.”), available at https://www.coso.org/_files/ugd/3059fc_1df7d5dd38074006bce8fdf621a942cf.pdf.

[7] See, e.g., Exchange Act Rules 13a-15(d) [17 C.F.R. § 240.13a-15(d)] and 15d-15(d) [17 C.F.R. § 240.15d-15(d)] (requiring issuers to evaluate any change in the issuer’s ICFR that occurred during each of the issuer’s fiscal quarters that has materially affected, or is reasonably likely to materially affect, the issuer’s ICFR).

[8] See PCAOB AS 2110, Identifying and Assessing Risks of Material Misstatement, paragraph 15, for examples of when business risks might result in material misstatement of the financial statements.

[9] See PCAOB AS 2110.

[10] See PCAOB AS 2110.74 and PCAOB AS 2301, The Auditor’s Responses to the Risks of Material Misstatement, paragraph .46 (explaining that auditors are responsible for considering contradictory evidence and the impact on the audit, including revisions to risk assessment and modifications of planned audit procedures).

[11] See PCAOB AS 2110.05 (explaining that auditors are required to consider both external and issuer-specific factors in obtaining an understanding of the issuer and its environment).

[12] When reviewing other information in a periodic filing that includes audited financial statements, if an auditor concludes that a material inconsistency exists, the auditor has a responsibility to determine whether the financial statements, the auditor’s report, or both, require revision. See PCAOB AS 2710, Other Information in Documents Containing Audited Financial Statements, paragraph 04.

[13] For example, Exchange Act Rules 13a-15 and 15d-15 include broad requirements for issuers to annually evaluate, including executive certification, the effectiveness of the issuer’s ICFR, among other things. As part of this evaluation, management must determine whether there is a reasonable possibility that a material misstatement in the financial statements will not be prevented or detected on a timely basis. See Item 308(a) of Regulation S-K [17 C.F.R. § 229.308(a)]; Rule 1-02(a)(4) of Regulation S-X [17 C.F.R. § 210.1-02(a)(4)]. Also, under Section 13(b)(2)(B) of the Exchange Act [15 U.S.C. § 78m(b)(2)(B)], issuers must devise and maintain a sufficient system of internal accounting controls.

[14] See, e.g., COSO Framework’s principle #17 (explaining that the organization evaluates and communicates internal control deficiencies in a timely manner for monitoring activities related to the organization evaluation), available at https://www.coso.org/SitePages/Internal-Control.aspx?web=1; see also PCAOB AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, paragraphs .65 and .71.

[15] The “could factor” represents the potential misstatement resulting from the deficiency. The absence of a material misstatement does not preclude the existence of a material weakness, and severity assessments should not be focused solely on the magnitude of any actual misstatements. See PCAOB AS 2201.62-68 (evaluating identified deficiencies, including the magnitude of the potential misstatement).

[16] PCAOB AS 2201.66.

[17] See supra notes 9 and 15.

[18] Item 105 of Regulation S-K [17 C.F.R. § 229.105].

[19] See Financial Accounting Standards Board Accounting Standards Codification 275-10-50.

[20] An “integrated audit” is an audit of internal control over financial reporting that is integrated with an audit of financial statements.

[21] PCAOB AS 2201.90.

[22] PCAOB AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion, paragraph 11, states that a critical audit matter is any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee and that (1) relates to accounts or disclosures that are material to the financial statements, and (2) involved especially challenging, subjective, or complex auditor judgment.

[23] PCAOB AS 3101.19.

[24] See, e.g., SEC Chair Gary Gensler, Testimony Before the United States Senate Committee on Banking, Housing, and Urban Affairs (Sept. 14, 2021), available at https://www.sec.gov/news/testimony/gensler-2021-09-14.