Inherent (Misstatement) Risk to Mitigate (by Control) Must Be Defined at an Assertion Level.

In order to assess whether a process-level (as opposed to an entity-level) internal control over financial reporting (ICFR) is “effective” (as in SOX 404), the associated misstatement risk must be defined by Assertion (e.g., existence/occurrence, completeness, valuation/measurement, presentation/disclosure) and NOT by Account Balance/Amount Accuracy.

The Accuracy Assertion, if you will, is not specific enough to be a control objective, meaning that it is practically impossible to mitigate the risk of a balance/amount (or data, information, etc.) being “inaccurate” or “misstated” unless the root cause of the inaccuracy or misstatement is identified.

In other words, in order to mitigate the “misstatement” risk, you would need to know what could possibly cause a potential inaccuracy: e.g., a fictitious sale (Accounts Receivable and Revenue that did not exist/occur), an unaccounted liability (Expense and Accounts Payable being incomplete), a fraudulent valuation (non-GAAP-compliant Valuation/Measurement), etc.

Let me demonstrate with an example below how critical it is to define a misstatement risk in a way that clarifies the relevant Assertions.

An Illustrative Example of management’s improper Risk definition:

Upon issuing a sales invoice, management could define the Risk improperly, as follows:

Risk A: The journal entry (JE) of (Dr.) AR (Cr.) Revenue could be inaccurate. Or, even worse:

Risk B: Manager’s JE review is not properly in place.

Risk A is improper as it assumes that the Sale “Occurred” and the AR “Existed” and that the sales invoice was accurate; then, management would erroneously vouch to the invoice to validate the JE accuracy.

Risk B is wrong as it is a Control Risk, not a misstatement risk inherent in the underlying invoicing process.