The Internal Control – NOT to Command People But to Reduce Risk: Control Risk – for External Auditor to Accept vs. Inherent Risk – for Management to “Control”

First, I would like to remind ourselves that the SOX Act is to the benefit of (public companies’) auditors.

After SOX, in case they are blamed for having been unable to detect a material misstatement in their audit of a client’s financial statements (F/S), auditors effectively reserve the right to maintain that it is management’s responsibility/accountability to prevent as well as detect the material misstatement (and not the auditor’s).

Prior to SOX, an SEC-listed company’s auditor tended to get the blame for failing to detect a material misstatement as a result of their substantive testing (as part of audit procedures) to minimize Detection Risk, as in the Combined Risk Assessment formula:

Inherent Risk x Control Risk x Detection Risk = Audit Risk;

i.e., the higher/lower the Control Risk, the higher/lower the Detection Risk (and the higher/lower the overall Audit Risk).

Note that Control Risk means the risk of controls being ineffective, i.e., the higher possibility of management failing to prevent misstatements from occurring. This is NOT a risk for the management BUT for the auditor (as part of Audit Risk), who has no option but to accept it as their audit assumption/reality and, in response, has to plan the extent and timing of their substantive testing to “detect” misstatements.

In this regard, the detection through (substantive) testing is not a CONTROL by definition, which is “to REDUCE the incidence or severity of” misstatements “especially to innocuous levels” (as in Merriam-Webster’s definition of the transitive verb “control”), but rather a correction of (material) misstatements that have already occurred.

Accordingly, when it is said that “it’s management’s … to prevent as well as detect … misstatement,” the detection should not be regarded as an internal control (although it tends to be considered a control in practice).

On the other hand, Inherent Risk is the misstatement risk (for internal controls over financial reporting (ICFR) to mitigate) that is “inherent” in the underlying process, which is part of a financial reporting cycle: e.g., Order to Cash (O2C), Procure to Pay (P2P), and the period-end financial reporting process of Record to Report (R2R).

To prevent material misstatements, therefore, management’s responsibility/accountability would be to:

  1. identify every critical data-path, or Likely Source of Potential Misstatement (LSPM, as in Audit Standard No. 5 (AS 5)), in the end-to-end (Transaction/)Process Narrative form for each of the cycles,
  2. define the misstatement risk inherent at every LSPM, clarifying F/S Assertions (i.e., Existence/Occurrence, Completeness, Valuation/Measurement, Presentation and Disclosure) (See para. 24 of AS 5 for Assertions.),
  3. design ICFR (at LSPM) to mitigate the misstatement risk with control Design Attributes, which, if satisfied, would validate relevant Assertion(s) and, therefore, are considered to be prerequisites for the control effectiveness,
  4. (have internal audit conduct Walkthrough to) assess whether ICFR are designed to adequately mitigate the inherent, misstatement risks so as to prevent misstatements by obtaining (from management/control owners) the evidence of the design effectiveness (and test operation effectiveness for the controls effectively designed),
  5. summarize the design-assessment/test-results in Risk Control Matrices, and
  6. remediate ineffectively designed/operated ICFR (i.e., design gap/operation deficiency) if any.

These steps are the best practice that an SEC-listed company should exercise to design effective ICFR.

Don’t Try to Control Processes/Journal Entries; Instead, Try to Control Misstatement Risks.

When talking about Internal Controls over Financial Reporting (ICFR), there are too many accounting managers and SOX professionals, whether in the 1st, 2nd, or 3rd line of defense, who are conceptually mistaken and keep trying to “control” the processes that ultimately produce journal entries (JEs), instead of trying to control and mitigate the misstatement risks inherent in those processes.

Generally speaking, an ICFR is not supposed to make the financial statements (F/S) absolutely accurate; it is supposed to make the F/S free from material misstatements under US GAAP.

Particularly at a (financial reporting/FR) process/transaction level, the ICFR is not supposed to control/design the underlying process (let alone a thought process) or the outcome thereof (i.e., the journal entries (JEs)).

It is, instead, supposed to be designed to adequately mitigate a misstatement risk (i.e., the root cause of a potential misstatement, or Likely Source of Potential Misstatement (LSPM) as in Audit Standard No. 5 (AS 5) guided by the SEC) inherent in the underlying process: i.e., to a material extent.

Let’s take a material “estimate” (on the balance sheet) as an example.

Nowadays, auditors almost always identify their client’s material estimate as a Critical Audit Matter; the design effectiveness of the control over the estimate is then evaluated, instead of the estimate being substantively tested and concluded to be materially accurate.

That needs to be the case because the (estimated) balance, or JE, is “estimated,” i.e., valued/measured, by the company’s management using assumptions and underlying data that inevitably require management’s Valuation/Measurement (as in the financial statement Assertions under AS 5) (to say, for instance, “the current economy is booming or in recession, and interest rates will rise or decline by this much”).

As auditors cannot substantively test the accuracy of the estimate, all they can do is test/assess the design effectiveness of management’s internal controls to mitigate the risks of mis-valuation/measurement of the assumptions and underlying data, so that the estimated balance is not misstated.

(Note that auditors cannot conclude whether the assumptions or underlying data are accurate, either, because those are management’s “discretion”.)

As you can see here, management’s coming up with the JE is NOT a control but a “process,” i.e., the processing of the underlying data under the assumptions (determined by management using their discretion).

The controls’ design effectiveness that the auditors are supposed to assess is “whether the control can mitigate the risk of misstating the Valuation/Measurement (assertion) of” each data assumption (e.g., a higher/lower interest rate under inflation/deflation) supporting the resulting JE, under applicable US GAAP.

In other words, the auditors can test the estimated balance for material reasonableness by applying US GAAP (e.g., a Level 3 fair market value using the Discounted Cash Flow method) only after they have concluded that the assumptions and underlying data are reasonable, i.e., not materially mis-valued/measured.

For example, the (misstatement) risk and the associated control, which management needs to design and whose effectiveness the auditor can assess, should look like this:

The Risk: The (FMV) balance is overvalued.

(Note that the relevant assertion is Valuation and not “accuracy.” Accuracy should not be considered an assertion in any case, because “asserting accuracy (of the financial statements)” is the whole point of the CEO/CFO certification under SOX 404(a). In order to support that overall accuracy, the management assertion (for each caption of, or each critical data-path in a process flow to, the financial statements) should be more specific, i.e., should assert “how accurate” in such terms/assertions as Existence/Occurrence, Completeness, and Valuation/Measurement.)

The Control: Authorized Manager reviews and approves the fair market value (FMV) balance prepared by personnel in charge.

The associated Control Design Attributes should be:

Control Attribute 1: The reviewing Manager’s competence is adequate and is authorized by the BoD (in a written form such as the Roles and Responsibilities that are part of the company’s Policies and Procedures).

Control Attribute 2: The assumption used to calculate the FMV is determined in accordance with the company’s Policies/Procedures.

Control Attribute 3: The discount rate used for the FMV is determined in accordance with the Policies/Procedures.

Note that the Control example above is a manual, detective one and that, if there was an error/misstatement in the (processing of the) assumptions and/or underlying data, the detected error/misstatement would repeat in subsequent periods unless its root cause, in the process, was rectified.

So, it may be a good idea to automate the Control to prevent the (potential) misstatement.

Pay attention to the term “automatically” below, and note that, in order to design an IT Control that allows the system to “automatically” compute the FMV (in this example), the assumptions/underlying data must already have been “reasonably valued/measured.”

The IT Control: The system “automatically” computes the FMV, by referring to the relevant assumptions and discount rates within the system.

This Control design will be effective, assuming that all the relevant control design attributes (as listed below, similar to Control Design Attributes 1 to 3 above) are satisfied:

The IT Control Attribute 1: The company’s ITGC is effective.

The IT Control Attribute 2: The IT Control is authorized by the BoD explicitly in the company’s Policies and Procedures.

The IT Control Attribute 3: The assumption input in the system (used for the FMV) had been approved by the authorized Manager.

The IT Control Attribute 4: The discount rate in the system had been approved by the authorized Manager.

Again, do not try to “control” a financial reporting process (that ultimately flows into a JE);

instead, design a control to mitigate a misstatement risk (with Assertions) inherent in the underlying (financial reporting) process.