On Friday, SEC Chief Accountant Paul Munter released a public statement in which he expressed concerns about the risk assessment process of both auditors and management. As a possible harbinger of things to come, the statement signals an expectation for even greater disclosure around risks to a company’s internal control over financial reporting (“ICFR”).
The statement explained that members of the Office of the Chief Accountant “are troubled by instances in which management and auditors appear too narrowly focused on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.” These concerns were discussed in the context of risk assessment considerations, the evaluation of entity-level controls, and reporting obligations. Highlights from the statement include:
- Risk Assessment. The statement outlined the hallmarks of an effective risk assessment process, which include processes that “comprehensively and continually consider issuers’ objectives, strategies, and related business risks; evaluate contradictory information; and deploy appropriate management resources to respond to those risks.” Relevant data points to consider may include regulator observations, analyst reports and short-seller reports. The statement also emphasized the need for management to monitor for new or changing business risks, including loss of financing, customer concentrations, declining conditions affecting the company’s industry, and changes in technology.
Turning to auditors, the statement underscored the need for “professional skepticism” and the need for auditors to stay alert to “potential changes in issuers’ objectives, strategies, and business risks.” To that end, the statement suggested that auditors should consider issuers’ public statements on these topics and evaluate the consistency of those statements with the information disclosed by issuers in periodic filings, with a call to identify any inconsistencies and whether such statements reflect “a potential new or evolving business risk that could materially affect the financial statements or the effectiveness of ICFR.”
- Entity-Level Controls. In keeping with the SEC’s recent focus on internal controls, the statement asserted that “an issuer’s internal control system should be dynamic and expand beyond a singular focus on ICFR.” The statement implored management and auditors to take a broad view of ICFR control deficiencies. Using the example of a regulator’s findings related to enterprise-wide governance and controls, management and auditors were encouraged to consider the root cause of such deficiency, looking to whether there is “a broader, more pervasive deficiency at the entity-level” to determine whether such deficiency could impact the issuer’s ICFR conclusions. Moreover, the statement reminded readers that “management and auditors should consider not only the actual misstatement, but also the magnitude of potential misstatement (i.e., the so-called ‘could factor’),” which can extend to a wider population of potential misstatements beyond the identified misstatement.
- Reporting Obligations. The statement emphasized the benefit of clear and transparent disclosures for investors and noted the traditional management disclosures around ICFR, including management’s annual ICFR evaluations, descriptions of identified material weaknesses, and quarterly statements about changes that have materially affected, or are reasonably likely to materially affect, an issuer’s ICFR. The statement also noted that “management is required to provide a discussion in its filings of material factors that make an investment in the registrant speculative or risky,” suggesting that the SEC may begin focusing more heavily on risk factor disclosure around internal controls that may not otherwise trigger the other ICFR-related disclosures.
From an audit perspective, the statement reminded auditors about the communication of critical audit matters (CAMs) and stated that if “a business risk is determined to represent a risk of material misstatement to the financial statements that is discussed with the audit committee,” CAMs disclosure may be required. The statement went further to say that although “emphasis paragraphs” are not required, auditors may want to consider including them in the audit report “to highlight any matter relating to the financial statements and disclosures, which could include matters related to an issuer’s objectives, strategies, and related business risks.”