The Internal Control – NOT to Command People But to Reduce Risk: Control Risk – for External Auditor to Accept vs. Inherent Risk – for Management to “Control”

First, I would like to remind ourselves that the SOX Act is to the benefit of (public company’s) auditors.

After SOX, in case they are blamed for having been unable to detect a material misstatement in their audit of a client’s financial statements (F/S), auditors effectively reserve the right to maintain that it is management’s responsibility/accountability to prevent as well as detect the material misstatement (and not the auditor’s).

Prior to SOX, an SEC-listed company’s auditor tended to get the blame for failing to detect a material misstatement through their substantive testing (part of the audit procedures), which is performed to minimize Detective Risk as in the Combined Risk Assessment formula:

Inherent Risk x Control Risk x Detective Risk = Audit Risk;

i.e., the higher/lower the Control Risk, the higher/lower the Detective Risk (and the higher/lower the overall Audit Risk).

Note that Control Risk means the risk of controls being ineffective, i.e., the higher possibility of management failing to prevent misstatements from occurring. It is NOT a risk for management BUT for the auditor (as part of Audit Risk), who has no option but to accept it as an audit assumption/reality, and in response to which they have to plan the extent and timing of their substantive testing to “detect” misstatements.

In this regard, detection through (substantive) testing is not a CONTROL by definition, which is “to REDUCE the incidence or severity of” misstatements “especially to innocuous levels” (as in Merriam-Webster’s definition of the transitive verb “control”), but rather a correction of (material) misstatements that have already occurred.

Accordingly, when it is said, “it’s management … to prevent as well as detect … misstatement,” the detection should not be an internal control (although it tends to be considered a control in practice).

On the other hand, Inherent Risk is the misstatement risk (which internal controls over financial reporting (ICFR) are to mitigate) that is “inherent” in the underlying process, which is part of a financial reporting cycle, e.g., Order to Cash (O2C), Procure to Pay (P2P), and the period-end financial reporting process of Record to Report (R2R).

To prevent material misstatements, therefore, management’s responsibility/accountability would be to:

  1. identify every critical data path, or Likely Source of Potential Misstatement (LSPM, as in Auditing Standard No. 5 (AS 5)), in end-to-end (Transaction/)Process Narrative form for each of the cycles,
  2. define the misstatement risk inherent at every LSPM, clarifying the F/S Assertions (i.e., Existence/Occurrence, Completeness, Valuation/Measurement, Presentation and Disclosure) (see para. 24 of AS 5 for Assertions),
  3. design ICFR (at each LSPM) to mitigate the misstatement risk with control Design Attributes, which, if satisfied, would validate the relevant Assertion(s) and are therefore prerequisites for control effectiveness,
  4. (have internal audit conduct a Walkthrough to) assess whether the ICFR are designed to adequately mitigate the inherent misstatement risks, so as to prevent misstatements, by obtaining (from management/control owners) evidence of design effectiveness (and test operating effectiveness for the controls that are effectively designed),
  5. summarize the design-assessment/test results in Risk Control Matrices, and
  6. remediate ineffectively designed/operated ICFR (i.e., design gaps/operating deficiencies), if any.

These steps are the best practice that an SEC-listed company should exercise to design effective ICFR.
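One way to model steps 1 to 6 as a Risk Control Matrix, added here as an example (not code from the original post): each LSPM carries the Assertions its inherent misstatement risk threatens, each control carries its Design Attributes, and a control is credited only when every attribute is satisfied and it is preventive rather than detective. The O2C cycle, LSPM names, control ids and Design Attributes below are constructed sample data.

```python
# Added example, not from the original post: a minimal Risk Control Matrix (RCM)
# model applying steps 1-6 to one cycle. All LSPM names, control ids and
# Design Attributes below are constructed sample data.
from dataclasses import dataclass, field

ASSERTIONS = {"Existence/Occurrence", "Completeness",     # F/S Assertions per the post
              "Valuation/Measurement", "Presentation and Disclosure"}

@dataclass
class Control:
    control_id: str
    assertions: set          # assertion(s) the control is designed to validate
    design_attributes: dict  # attribute -> satisfied? (evidence from the walkthrough)
    preventive: bool = True  # detective-only activities do not mitigate inherent risk
    def designed_effectively(self) -> bool:
        # Design Attributes are prerequisites: all must hold to credit the control.
        return bool(self.design_attributes) and all(self.design_attributes.values())

@dataclass
class LSPM:
    name: str                # Likely Source of Potential Misstatement
    risk_assertions: set     # assertions threatened by the inherent misstatement risk
    controls: list = field(default_factory=list)

def design_gaps(cycle: list) -> dict:
    """Per LSPM, assertions not covered by an effectively designed preventive control."""
    gaps = {}
    for lspm in cycle:
        if lspm.risk_assertions - ASSERTIONS:
            raise ValueError(f"{lspm.name}: unknown assertion(s)")
        covered = set().union(*(c.assertions for c in lspm.controls
                                if c.preventive and c.designed_effectively()))
        if lspm.risk_assertions - covered:
            gaps[lspm.name] = lspm.risk_assertions - covered
    return gaps

def remediation_list(cycle: list) -> list:
    """Control ids with an unsatisfied Design Attribute (step 6 candidates)."""
    return [c.control_id for l in cycle for c in l.controls if not c.designed_effectively()]

# Constructed Order to Cash (O2C) sample: two LSPMs, four controls.
O2C = [
    LSPM("Sales order entry to invoice", {"Existence/Occurrence", "Valuation/Measurement"}, [
        Control("O2C-01", {"Existence/Occurrence"}, {"order matched to approved PO": True}),
        Control("O2C-02", {"Valuation/Measurement"},
                {"price list approved": True, "evidence of review retained": False})]),
    LSPM("Shipment to revenue recognition", {"Completeness", "Existence/Occurrence"}, [
        Control("O2C-03", {"Completeness", "Existence/Occurrence"}, {"shipping log reconciled": True}),
        Control("O2C-04", {"Completeness"}, {"variance review performed": True}, preventive=False),
    ]),  # O2C-04 is a detective activity: recorded in the RCM but not credited
]
```

Running `design_gaps(O2C)` reports the Valuation/Measurement assertion at the first LSPM as uncovered, because O2C-02 fails one Design Attribute, and `remediation_list(O2C)` names that control for step 6.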