SEC Chief Accountant Warns About Need for Comprehensive Risk Assessments

BakerHostetler

Key Takeaways

  • In an August 25 statement, SEC Chief Accountant Paul Munter reminded issuers of the importance of comprehensive risk assessments to decisions regarding financial reporting and the effectiveness of internal controls.
  • Munter had observed instances of management and auditors focusing too narrowly on information and risks directly impacting financial reporting, while disregarding broader, entity-level issues.
  • Issuers and private companies alike should heed Munter’s observations, implement robust enterprise-wide risk assessment plans, and design controls to mitigate the key risks those assessments identify.

For years, regulators have emphasized that the starting point for maintaining an effective compliance program is understanding the particular risks the company faces. According to Munter, this same concept applies to financial reporting and determining the effectiveness of internal controls over financial reporting, as not maintaining comprehensive risk assessment processes could lead to material risks going unaddressed and undisclosed – diminishing the quality of financial information and harming investors. In his statement, Munter advised management to “(1) take a holistic approach when assessing information about the business and avoid the potential bias toward evaluating problems as isolated incidents in order to timely identify risks, including entity-level risks; (2) design processes and controls that are responsive to identified risks; and (3) effectively identify information that issuers are required to communicate to investors.”

Comprehensive Risk Assessments

A dynamic and iterative risk assessment process enables an entity to adapt to changing risks in its industry and to consider how its third-party relationships may affect complete and accurate financial reporting. In his statement, Munter emphasized that much of that burden falls on management, which must design and implement effective risk assessment processes that include comprehensively and continuously considering and evaluating the issuer’s objectives, strategies and related business risks; evaluating contradictory information from internal and external sources; and employing the appropriate resources to address those risks. In particular, management needs to be alert to new or changing business risks in order to identify changes that could significantly impact the company’s internal controls, and it should design and implement processes that support the company’s ability to appropriately disclose information in its periodic filings.

Entity-Level Controls

Munter noted that management should evaluate whether issuers have implemented processes and controls that can timely prevent or detect a material misstatement in financial statements. While an issuer’s financial reporting objectives may be separate from its operational or compliance objectives, its internal controls should be dynamic and expand beyond a singular focus on financial reporting.

When evaluating control deficiencies apart from an issuer’s financial reporting objective, management and auditors should perform a root cause analysis of identified control deficiencies; that analysis can help determine whether the deficiencies impact the entity’s financial reporting and perhaps indicate a broader, entity-level deficiency. For example, the root causes behind a regulator’s findings related to enterprise-wide governance and controls, while not directly related to financial reporting, could affect conclusions about management’s internal controls over financial reporting because of their impact on the risk assessment and monitoring components. Rather than defaulting to an assessment of narrowly defined, process-level deficiencies, management’s and auditors’ aggregation analysis should consider the root cause of individual control deficiencies to determine whether such deficiencies indicate a broader, more pervasive deficiency at the entity level.

Reporting Obligations

According to Munter, management’s risk assessments have a direct impact on the disclosures that are intended to meet reporting obligations and inform the public as to whether investment in the issuer is risky. Management may consider annual internal control evaluations, descriptions of identified material weaknesses and, on a quarterly basis, changes that have materially affected, or are reasonably likely to materially affect, an issuer’s internal controls over financial reporting and general business risks. Munter advised that auditors should maintain professional skepticism to objectively consider contradictory information and assess whether management’s insufficient evaluation of internal controls is evidence of ineffective monitoring activities, which are a part of internal control systems in and of themselves.

Practical Considerations

Munter concluded by stating, “When business risks change, a robust, iterative risk assessment process and strong entity and process-level controls are essential to transparent and high-quality financial reporting.” This guidance should serve as a reminder to issuers that regularly conducting comprehensive, enterprise-wide risk assessments is not only foundational to effective compliance programs but also essential to accurate financial reporting and to evaluating internal controls. But this is not just a concern for issuers. Under the DOJ’s Evaluation of Corporate Compliance Programs, which the Criminal Division uses to make corporate charging decisions concerning all companies, prosecutors consider the effectiveness of a company’s risk assessment processes and the manner in which the company’s compliance program has been tailored based on the results of those risk assessments.

Enterprise risk assessments should be designed to consider information gathered at all levels of the organization, process it in a systematic fashion, implement mitigation strategies and communicate findings to key stakeholders. Prioritization is key to developing a successful risk assessment strategy. Higher-impact risks, or risks that have a higher likelihood of occurring and a larger impact if they occur, should be considered and addressed first. To maximize effectiveness, enterprise risk assessments should include:

  • Interviewing employees, including those on the front lines, to obtain a ground-up view of the risks.
  • Analyzing the company’s prior litigation, regulatory enforcement and internal investigation/hotline history.
  • Developing a list of enterprise risks, and then prioritizing those risks in management workshops.
  • Presenting the prioritized enterprise risks and mitigation plans to senior management and the board.
  • Ensuring that the mitigation plans are executed.

Companies should also consider moving from periodic risk assessments to a dynamic risk assessment model. Companies can establish risk management committees formed with key stakeholders from disciplines in which corporate risk resides. With the assistance of these risk management committees and by utilizing technology and data analytics, companies can engage in real-time identification and mitigation of key corporate risks.
