The top accountant at the Securities and Exchange Commission is warning auditors and corporations alike to do better at risk assessments, and in particular to pay more attention to small control failures that might be suggestive of larger issues in a company’s control environment.
Chief accountant Paul Munter released his statement Friday afternoon, a maneuver that usually means the official in question wants to say something without anyone noticing. Nothing escapes the notice of Radical Compliance, of course, although it’s equally possible that Munter just had other stuff to do earlier in the week.
Anyway, his big point was that corporations and auditors are focusing their risk assessments too much on information and risks directly related to financial reporting, “while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.”
“Issues that may also impact financial reporting and internal controls often present themselves as isolated incidents across an issuer — for example, a data breach in a system not part of ICFR, a repeat non-financial reporting-related regulatory finding classified as lower risk, a misstatement to the financial statements determined to be a revision restatement, or a counterparty risk limit breach,” Munter wrote. “Some management and certain auditors may be inadvertently biased toward evaluating each such incident individually or rationalizing away potentially disconfirming evidence, and conclude that these matters do not individually, or in the aggregate, rise to the level of management disclosure or auditor communication requirements.”
Hooo boy, we have a lot to unpack here. Let’s get into it.
The Fine Art of Risk Assessment
Munter first talked about how management and auditors should approach risk assessments. He encouraged management teams to think expansively, and try to see the larger picture affecting their business. A good risk assessment process, he said, “must comprehensively and continually consider issuers’ objectives, strategies, and related business risks.”
What would that entail in practice? Munter offered a few ideas:
- Observations from regulators;
- Analyst reports, and short-seller reports;
- A company’s loss of financing;
- Customer concentrations;
- Declining conditions affecting the company’s industry;
- Changes in technology.
The bottom line: “Management needs to be alert to new or changing business risks to identify changes that could significantly impact its system of internal control, and design and implement responses that support issuers’ ability to appropriately disclose information in its periodic filings,” Munter said.
Auditors, meanwhile, need to exercise more skepticism when reviewing information provided by their clients, and should “remain alert to potential changes in issuers’ objectives, strategies, and business risks,” Munter said.
In particular, Munter continued, “Auditors should consider the possible impact of an issuer’s public statements regarding changes in their strategy, board composition, or other governance matters — and whether such statements contradict management’s assessment of its control environment.”
What’s striking here is Munter’s focus on non-financial issues as the superstructure to guide your risk assessment. That is, he wants management and auditors alike to study the big, sweeping trends in a client’s industry, or in the client’s own corporate behavior. Only once you have that deep understanding of the big picture should you proceed to the question of whether a certain issue is material to the financial statements.
Too often, we’re getting that analysis backwards: companies and auditors first decide whether something is material to the financial statements, and then assess the risks to that item. That is the bad habit Munter wants registrants to break.
From Risk Assessments to Entity-Level Controls
Munter also told companies and auditors to do better at examining control failures, and especially at deciphering whether operational or compliance control failures might have root causes that affect financial reporting controls as well.
Moreover, if your root-cause analysis does reveal such an overlap, Munter said, then you should consider whether the true problem is insufficient entity-level controls to enforce a strong control environment. Directly from Munter’s statement:
For example, the root causes behind a regulator’s findings related to enterprise-wide governance and controls, while not directly related to financial reporting control activities, could have an impact on management’s ICFR conclusions due to their impact on the risk assessment and monitoring components of ICFR. Rather than a biased defaulting to an assessment of narrowly defined, process-level deficiencies, management and auditors’ aggregation analysis should consider the root cause of individual control deficiencies, to determine whether such deficiencies indicate a broader, more pervasive deficiency at the entity-level.
This is a big deal. Munter is essentially saying that if you have a bunch of small problems all over your enterprise, those are just symptoms of a deeper dysfunction at the top of the org chart. Some practical examples that come to my mind:
- You suffer several small privacy breaches caused by employees falling for phishing attacks. No single breach might be material, but together they suggest that your security awareness training stinks.
- You suffer several small FCPA violations in different markets. None are financially material, but they suggest weaknesses in hiring, documentation, and financial reporting.
- You suffer several security breaches from poorly patched ERP software. Even if the breaches are small and don’t touch your financial IT systems, they indicate a loosey-goosey approach to patch management across your enterprise software.
In all the above cases, a series of small errors that are not quantitatively material add up to one qualitatively material weakness in the control environment. A material weakness in your control environment requires entity-level intervention: the C-suite, the board, or both.
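As an added illustration (my own sketch, not anything from Munter’s statement or the SEC), here is how the aggregation analysis he describes might be mechanized: a set of constructed, individually immaterial deficiencies is grouped by root cause, and a root cause is flagged as pervasive when it recurs across business units and maps to an entity-level COSO component (control environment, risk assessment, monitoring) rather than to a process-level control activity. The record fields, the sample records, the root-cause-to-component mapping, and the two-unit threshold are all assumptions for the sake of the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Deficiency:
    """One control deficiency as it might appear in an issue log (fields are assumed)."""
    id: str
    business_unit: str
    control_area: str      # e.g. "privacy", "anti-corruption", "it-ops", "icfr"
    quant_material: bool   # is this item, on its own, quantitatively material?
    root_cause: str        # tag assigned during root-cause analysis


# Constructed sample log: nine small findings, none quantitatively material.
SAMPLE = [
    Deficiency("D-01", "EMEA sales", "privacy", False, "security awareness"),
    Deficiency("D-02", "APAC sales", "privacy", False, "security awareness"),
    Deficiency("D-03", "Treasury", "privacy", False, "security awareness"),
    Deficiency("D-04", "LATAM sales", "anti-corruption", False, "third-party due diligence"),
    Deficiency("D-05", "APAC sales", "anti-corruption", False, "third-party due diligence"),
    Deficiency("D-06", "Plant ops", "it-ops", False, "patch management"),
    Deficiency("D-07", "HR", "it-ops", False, "patch management"),
    Deficiency("D-08", "Finance", "icfr", False, "patch management"),
    Deficiency("D-09", "Finance", "icfr", False, "account reconciliation"),
]

# Assumed mapping from root-cause tag to the COSO component it most plausibly implicates.
# Entity-level components are where a recurring root cause points to a pervasive problem;
# "control activities" is process-level and stays a narrow deficiency unless it spreads.
ENTITY_LEVEL = {"control environment", "risk assessment", "monitoring"}
ROOT_CAUSE_COMPONENT = {
    "security awareness": "control environment",
    "third-party due diligence": "risk assessment",
    "patch management": "monitoring",
    "account reconciliation": "control activities",
}


def aggregate(deficiencies, min_units=2):
    """Group deficiencies by root cause and flag causes that recur across business
    units and implicate an entity-level component, regardless of whether any single
    item is quantitatively material. Returns findings, pervasive ones first."""
    groups = defaultdict(list)
    for d in deficiencies:
        groups[d.root_cause].append(d)

    findings = []
    for cause, items in groups.items():
        units = {d.business_unit for d in items}
        areas = {d.control_area for d in items}
        component = ROOT_CAUSE_COMPONENT.get(cause, "unknown")
        findings.append({
            "root_cause": cause,
            "count": len(items),
            "business_units": sorted(units),
            "control_areas": sorted(areas),
            "any_quant_material": any(d.quant_material for d in items),
            "coso_component": component,
            "touches_icfr": "icfr" in areas,
            "pervasive": len(units) >= min_units and component in ENTITY_LEVEL,
        })
    return sorted(findings, key=lambda f: (-int(f["pervasive"]), -f["count"]))


def escalations(findings):
    """Root causes that warrant entity-level attention (C-suite, board, or both)."""
    return [f["root_cause"] for f in findings if f["pervasive"]]


if __name__ == "__main__":
    result = aggregate(SAMPLE)
    for f in result:
        flag = "PERVASIVE" if f["pervasive"] else "isolated "
        print(f"{flag} {f['root_cause']:<26} n={f['count']} units={f['business_units']} "
              f"component={f['coso_component']} icfr={f['touches_icfr']}")
    print("escalate:", escalations(result))
```

Note that every record in the sample is marked not quantitatively material, which is exactly the situation Munter is describing: run individually, nothing here crosses a threshold, but grouped by root cause three of the four causes recur across units and map to entity-level components, and one of them (patch management) already reaches into an ICFR system.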
Munter went on to say that when companies do find themselves with material weaknesses, even those beyond the realm of financial reporting, securities law does require the company to, ya know, disclose it.
“Management is required to provide a discussion in its filings of material factors that make an investment in the registrant speculative or risky… In some instances, business risks may also impact financial statement disclosures when the risks and uncertainties could significantly affect the amounts reported in the financial statements in the near term,” he wrote.
Why Issue This Statement Now?
That is an excellent question. One can assume that some of Munter’s timing here is just practical. He’s had time to review annual filings for 2022 and quarterly filings for the first half of 2023, and the last 18 months have been filled with macro-economic risks: inflation, Russia’s war against Ukraine, cryptocurrency causing a mini-banking crisis, cybersecurity attacks, and the like.
None of those issues directly threaten internal control over financial reporting; but if management doesn’t at least think about those business risks, they could blow up in your company’s face and ruin the numbers you actually report. Such willful blindness hurts investors too, and the SEC would prefer to see less of it.
Presumably Munter is also telling management teams and auditors where to focus their attention as they begin planning for year-end reporting and the subsequent auditing season.
Still, maybe something more is going on, too. Recall that last year Munter published a statement urging auditors to do better at assessing the risk of fraud. He emphasized the point that quantitatively small errors can add up to a qualitatively material weakness. Today’s statement takes that idea even further: small control failures in non-financial reporting could add up to a qualitatively material weakness in the control environment, which could then be a material weakness for ICFR.
Something to think about as you gear up for that next risk assessment.