More on Risk Assessments
Well this is convenient: just days after the chief accountant at the Securities and Exchange Commission urged companies to do better at performing risk assessments, the SEC fined an alternative energy business for accounting improprieties where poor risk assessment played a starring role.
This is useful news for internal audit and corporate accounting teams, because ever since chief accountant Paul Munter published his warning about risk assessments, I’ve been wondering just what the consequences of poor risk assessment might look like in practice. Now we have an example.
The company in question is Plug Power, a company developing hydrogen fuel cells that businesses can use for clean power consumption. Last week, Plug Power agreed to pay a $1.25 million penalty to settle civil charges that the company had failed to maintain effective internal control over financial reporting from 2018 into 2020. The company also agreed to implement a raft of internal control improvements, with the threat of an additional $5 million penalty if it fails to follow through on those reforms.
What does this have to do with Munter and his statement on risk assessments? Lots, but first we need to review what Munter said.
His chief complaint was that too often, companies and audit firms alike take a narrow view of what issues should be included in the risk assessment. They only look at internal control weaknesses directly and materially related to financial reporting, rather than taking a larger look at all internal control weaknesses to see whether the root cause is a flaw in the company’s control environment. Munter’s own words:
For example, the root causes behind a regulator’s findings related to enterprise-wide governance and controls, while not directly related to financial reporting control activities, could have an impact on management’s ICFR conclusions due to their impact on the risk assessment and monitoring components of ICFR. Rather than a biased defaulting to an assessment of narrowly defined, process-level deficiencies, management and auditors’ aggregation analysis should consider the root cause of individual control deficiencies, to determine whether such deficiencies indicate a broader, more pervasive deficiency at the entity-level.
Let’s say that again more simply and succinctly. A poor control environment is a material weakness at the entity level, and that weakness can then manifest in a host of specific problems.
Now let’s loop back to Plug Power.
Insufficient Complement of Trained Resources
Plug Power’s specific issue was that in early 2021, it had to restate its financials for 2018, 2019, and part of 2020 because the company had improperly recorded certain R&D costs and miscalculated the value of numerous leased assets on the balance sheet. As a result, Plug Power had overstated the value of its leased assets by $112.7 million, overstated gross profit by $40.7 million, and understated loss accruals by $6.9 million.
For a company with roughly $230 million in annual revenue at the time, that’s not good. But I was more interested in how Plug Power described its deficient internal control over financial reporting (ICFR). Here’s the language, taken from the company’s 2020 Form 10-K:
[T]he company did not maintain a sufficient complement of trained, knowledgeable resources to execute their responsibilities with respect to [ICFR] for certain financial statement accounts and disclosures. As a consequence, the company did not conduct an effective risk assessment process that was responsive to changes in the company’s operating environment and did not design and implement effective process-level controls activities…
A failure to maintain a sufficient number of trained, competent personnel. In other words, Plug Power failed to maintain a healthy control environment. Let’s all remember Principle 4 of the COSO internal control framework, which says:
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Plug Power didn’t live up to that principle, and we could describe that as an entity-level control failure. Then we just need to follow the falling dominos.
The poor entity-level control led to a weak accounting team. The weak accounting team then failed to conduct a thorough risk assessment. That inadequate risk assessment then led to flawed processes for loss accruals, identifying and evaluating impairments, and recording lease-related transactions — exactly the issues that led to Plug Power’s restatement.
That’s one example of how Munter’s statement might look in the real world. A collection of botched accounting transactions actually traced back to an accounting team whose size and skill hadn’t kept pace with the company’s growth and operating risks, so the team couldn’t perform an effective risk assessment. A strong control environment wouldn’t have let that state of affairs come to pass.
In fairness to Plug Power, the company did win plaudits from the SEC for its remedial actions after the restatement, which included hiring 60 employees for the accounting and finance teams and tapping outside resources as well. A good move that came later than it should have.
Risk Assessments in the Real World
I suspect some readers might be muttering, “Cool story bro, but what are we supposed to do with it?” I struggled with that myself.
First, it would be a mistake to assume Plug Power’s predicament is the only way Munter’s warning on risk assessments might manifest at a corporation, and therefore we only need to watch for the size and skill of the accounting department. That strikes me as wrong.
A better place to start is to ask: How could we get our risk assessment wrong? What faulty assumptions, blind spots, or other limitations would hamper our ability to assess risk or constrain the assessment’s scope?
Clearly inadequate staff is one of those limitations. It’s just not the only one. Indeed, Munter even gives examples of what to look for right in his speech:
When identifying risks of material misstatement and designing appropriate audit responses, auditors should remain alert to potential changes in issuers’ objectives, strategies, and business risks. Auditors should consider the possible impact of an issuer’s public statements regarding changes in their strategy, board composition, or other governance matters — and whether such statements contradict management’s assessment of its control environment.
That advice is aimed at external auditors, but it’s equally useful for internal auditors, SOX compliance teams, or anyone else trying to think wisely about ICFR.
For example, the board might reshuffle its composition and downgrade the expertise of the audit committee. A weak or inexpert committee might then fail to drive home the urgency of strong, accurate financial reporting processes to management.
Or management might reshuffle internal operating relationships in such a way that a strong control environment and ICFR get shoved into the back seat. For example, the company hires a hard-charging IT director and an immature CFO who only gets the job because he is the founder’s brother-in-law. A combination like that might let the IT director slow-roll needed ICFR upgrades while the CFO dithers.
Or you could have an entirely innocent mess arise, such as when a company desperate for growth tries a rapid strategy shift: moving into emerging markets, selling services in addition to products, or cutting costs by embracing cloud-based services. If you’re not versed in the risks that such changes entail, and the board doesn’t know any better either, that can drive your ICFR into the ditch even with the best intentions.
Perhaps my point is simply that risk assessments need to begin with an honest assessment of your organization’s control environment. Only then can you decipher the nitty-gritty issues in control activities and financial statement line items.