When talking about Internal Controls over Financial Reporting (ICFR), there are too many accounting managers and SOX professionals, whether they are the 1st, 2nd, or 3rd line of defense, who are conceptually mistaken and keep trying to “control” processes to ultimately produce journal entries (JEs), instead of trying to control and mitigate misstatement risks inherent in the processes (to produce JEs).
Generally speaking, an ICFR is not supposed to make the financial statements (F/S) be absolutely accurate but is supposed to make the F/S be free from material statements per US GAAP.
Particularly at a (financial reporting/FR) process/transaction level, the ICFR is not supposed to control/design the underlying process (let alone a thought process) or the outcome thereof (i.e., journal entries (JEs)).
It is, instead, supposed to be designed to mitigate a misstatement risk (i.e., the root cause for a potential misstatement, or Likely Source of Potential Misstatement (LSPM) as in Audit Standard No.5 (AS 5) guided by SEC) inherent in the underlying process adequately: i.e., to a material extent.
Let’s take a material “estimate” (on the balance sheet) as an example.
Nowadays, auditors almost always identify their client’s material estimate as a Critical Audit Matter, the design effectiveness of the control over which is said to be evaluated, instead of being substantively tested and concluded that the estimate is materially accurate.
That needs to be the case because the (estimated) balance, or a JE, is “estimated,” or valued/measured, by the company management using the assumptions and underlying data that inevitably require the management Valuation/Measurement (as in the financial statement Assertions under AS 5) (to say “the current economy is booming or in recession, and interest rates will rise or decline by this much,” etc.).
As auditors cannot substantively test the accuracy of the estimate, all they can do is test/assess the design effectiveness of the management’s internal controls to mitigate the risks of miss-valuation/measurement of the assumptions and underlying data so as not to misstate the estimated balance.
(Note that auditors cannot conclude whether the assumptions or underlying data are accurate, either, because those are management’s “discretion”.)
As you can see here,
the management’s coming up the JE is NOT a control
but a “process,” or processing the underlying data under the assumptions (determined by the management using their discretion).
The controls’ design effectiveness that the auditors is supposed to assess is “whether it can mitigate the risk of misstating the Valuation/Measurement (assertion) of” each data assumption (e.g., a higher/lower interest rate under inflation/deflation, etc.), supporting the outcome JE, under applicable US GAAP.
In other words, the auditors can test the estimated balance for a material reasonableness by applying US GAAP (e.g., a level 3 fair market value using the Discounted Cash Flow method) only after they concluded the assumptions and underlying data being reasonable or not materially miss-valued/measured.
For example, the (misstatement) risk and the associated control, which the management needs to design and which the auditor can assess the effectiveness of, should be like;
The Risk: The (FMV) balance is overvalued.
(Note that the relevant assertion is Valuation and not “accuracy,” which should not be considered an assertion in any case as “asserting accuracy (of the financial statements)” is the whole point of CEO/CFO certifying under SOX 404a, and in order to support the overall accuracy, the management assertion (of each caption of, or each critical data-path in a process flow to, the financial statements) should be more specific or should assert “how accurate” in such terms/assertions as Existence/Occurrence, Completeness, Valuation/Measurement.)
The Control: Authorized Manager reviews and approves the fair market value (FMV) balance prepared by personnel in charge.
The associated Control Design Attributes should be;
Control Attribute 1: The review Manager’s competence is adequate, which is authorized by the BoD (in such a written form as Roles and Responsibilities as part of the company’s Policies and Procedures).
Control Attribute 2: The assumption used to calculate the FMV is determined in accordance with the company’s Policies/Procedures.
Control Attribute 3: The discount rate used for the FMV is determined in accordance with the Policies/Procedures.
Note that the Control example above is a manual, detective one and that, if there was an error/misstatement in the (processing of) assumptions and/or underlying data, the detected error/misstatement would repeat (in the subsequent periods) unless the root-cause of the error, in the process, was rectified.
So, it may be a good idea to automate the Control to prevent the (potential) misstatement.
Pay attention to the term “automatically” below, and note that, in order to design the IT Control that allows the system to “automatically” compute the FMV (in this example), the assumptions/underlying-data must have been already “reasonably valued/measured”.
The IT Control: The system “automatically” computes the FMV, by referring to the relevant assumptions and discount rates within the system.
This Control design will be effective, assuming that all the relevant control design attributes (as listed below, similar to the Control Design Attributes 1 to 3 above) are satisfied;
The IT Control Attribute 1: The company’s ITGC is effective.
The IT Control Attribute 2: The IT Control is authorized by the BoD explicitly in the company’s Policies and Procedures.
The IT Control Attribute 3: The assumption input in the system (used for the FMV) had been approved by the authorized Manager.
The IT Control Attribute 4: The discount rate in the system had been approved by the authorized Manager.
Again, do not try “control” a process of financial reporting (that flows ultimately into a JE);
Instead, design a control to mitigate a misstatement risk (with Assertions) inherent in the underlying (financial reporting) process.