Inherent (Misstatement) Risk to Mitigate (by Control) Must Be Defined at an Assertion Level.

In order to assess whether a process-level (as opposed to an entity-level) internal control over financial reporting (ICFR) is “effective” (as in SOX 404), the associated misstatement risk must be defined by Assertion (e.g., existence/occurrence, completeness, valuation/measurement, presentation/disclosure) and NOT by Account Balance/Amount Accuracy.

The Accuracy Assertion, if you will, is not specific enough to be a control objective: it is practically impossible to mitigate the risk of a balance/amount (or data, information, etc.) being “inaccurate” or “misstated” unless the root cause of the inaccuracy or misstatement has been identified.

In other words, in order to mitigate the “misstatement” risk, you would need to know what could possibly cause a potential inaccuracy: e.g., a fictitious sale (Accounts Receivable and Revenue that did not exist/occur), an unrecorded liability (Expense and Accounts Payable being incomplete), a fraudulent valuation (non-GAAP-compliant Valuation/Measurement), etc.

The example below demonstrates how critical it is to define a misstatement risk in terms of the relevant Assertions.

An Illustrative Example of management’s improper Risk definition:

Upon issuing a sales invoice, management could define the Risk in such an improper way as:

Risk A: The journal entry (JE) of (Dr.) AR (Cr.) Revenue could be inaccurate. Or, even worse:

Risk B: Manager’s JE review is not properly in place.

Risk A is improper as it assumes that the Sale “Occurred”, that the AR “Existed”, and that the sales invoice was accurate; management would then erroneously vouch the JE to the invoice to validate its accuracy, which cannot catch a fictitious sale because the invoice is the very document that would be fabricated. A proper definition names the Assertion at risk, e.g., “A sale that did not occur is invoiced and recorded as AR and Revenue (Existence/Occurrence)”, so that the control must be designed to test that Assertion rather than the arithmetic of the entry.

Risk B is wrong as it describes the failure of a control (a Control Risk), not a misstatement risk inherent in the underlying invoicing process.

Control Design Attributes Must Be Satisfied for the Control to Be Effective.

The Control Design Attributes are the criteria for an internal control over financial reporting (ICFR) to be “effective” (as in SOX 404).

Common Attributes are:

The authority (approved by the Board) is properly delegated to the control owner (e.g., the review manager). (Note that the authority should not be delegated to non-manager staff or to personnel who are not part of management.)

The control owner (manager) is adequately competent to operate the ICFR (so that s/he can fulfill the accountability delegated to him/her).

The ICFR mitigates relevant Inherent (misstatement) Risk defined at an Assertion (e.g., existence/occurrence, completeness, valuation/measurement, presentation/disclosure) level.

Segregation of Duties (SoD) is in place.

IT General Controls (ITGC) are effective (if the ICFR is an IT control or an IT-dependent manual control).

Each Attribute is required by the relevant COSO (2013) Principles. It is typically satisfied if the related entity-level controls (ELCs) are “present” (as in COSO) and evidenced by the applicable Policies and Procedures (and, for the Competence Attribute, by Roles and Responsibilities), unless the Attribute concerns a specific process and the evidence must support that process specifically: e.g., the remediation of each risk at an Assertion level, or SoD.

Note that the above discussion applies to preventive ICFRs and NOT to detective ones, which are designed not at a critical point in the data path (a Likely Source of Potential Misstatement, or LSPM, as in Auditing Standard No. 5) but at a point in time, whenever management sees fit.