On August 25, 2023, Chief Accountant Dr. Paul Munter issued a Statement titled “The Importance of a Comprehensive Risk Assessment by Auditors and Management.” The Statement begins:
“Management’s and auditors’ risk assessment processes are critical to the decisions regarding financial reporting and the effectiveness of internal control over financial reporting (ICFR). Accordingly, we are troubled by instances in which management and auditors appear too narrowly focused on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.”
Dr. Munter’s Statement addresses several risk assessment issues, including changing business risks, the importance of professional skepticism for auditors, and internal control issues that may be outside of direct financial reporting objectives. These issues in many ways involve entity-level controls and dovetail nicely with a culture assessment tool from the Anti-Fraud Collaboration titled “Assessing Corporate Culture: A Proactive Approach to Deter Misconduct.” The Anti-Fraud Collaboration is comprised of The Center for Audit Quality, Financial Executives International, The Institute of Internal Auditors, and the National Association of Corporate Directors.
In the executive summary of the assessment tool, the group makes this important point:
“When a corporate scandal occurs and stakeholders seek reasons and root causes, the trail often leads back to problems with the organization’s culture. Financial statement fraud is one extreme example of a consequence of a weak ethical culture, while a strong ethical culture can mitigate the risks of fraud…”
When a material financial reporting fraud occurs, very rarely is it the result of only a process level control problem. More often it is the result of material weaknesses in entity-level controls within the control environment that allow process level and other controls to be overridden or otherwise circumvented by persons who can abuse authority within a culture.
A real-world example of this type of weakness is discussed in Roadrunner Transportation Systems’ Form 10-K for 2017, which was issued shortly after a material restatement. These excerpts from Roadrunner’s ICFR report focus on entity-level control weaknesses:
Management’s Report on Internal Control Over Financial Reporting
Management, including our CEO and CFO, is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rules 13a-15(f) and 15d-15(f) under the Exchange Act and based upon the criteria established in Internal Control-Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (the “COSO framework”)). Our internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of our financial reporting and the preparation of our financial statements for external purposes in accordance with GAAP.
……..
Based on evaluation under these criteria, management determined, based upon the existence of the material weaknesses described below, that we did not maintain effective internal control over financial reporting as of the Evaluation Date.
Control Environment
We did not maintain an effective control environment based on the criteria established in the COSO framework. We have identified deficiencies in the principles associated with the control environment of the COSO framework. Specifically, these control deficiencies constitute material weaknesses, either individually or in the aggregate, relating to: (i) our commitment to integrity and ethical values, (ii) the ability of our board of directors to effectively exercise oversight of the development and performance of internal control, as a result of failure to communicate relevant information within our organization and, in some cases, withholding information, (iii) appropriate organizational structure, reporting lines, and authority and responsibilities in pursuit of objectives, (iv) our commitment to attract, develop, and retain competent individuals, and (v) holding individuals accountable for their internal control related responsibilities.
We did not maintain an effective control environment to enable the identification and mitigation of risks of material accounting errors as result of the contributing factors to the material weaknesses in the control environment, including:
| • | The tone from former executive management was insufficient to create the proper environment for effective internal control over financial reporting and to ensure that (i) there were adequate processes for oversight, (ii) there was accountability for the performance of internal control over financial reporting responsibilities, (iii) identified issues and concerns were raised to appropriate levels within our organization, (iv) corrective activities were appropriately applied, prioritized, and implemented in a timely manner, and (v) relevant information was communicated within our organization and not withheld from our independent directors, our Audit Committee, and our independent auditors. |
| • | Our oversight processes and procedures that guide individuals in applying internal control over financial reporting were not adequate in preventing or detecting material accounting errors, or omissions due to inadequate information and, in certain instances, management override of internal controls, including recording improper accounting entries, recording accounting entries that were inconsistent with information known by management at the time, not communicating relevant information within our organization and, in some cases, withholding information from our independent directors, our Audit Committee, and our independent auditors. |
Risk Assessment
We did not design and implement an effective risk assessment based on the criteria established in the COSO framework. We have identified deficiencies in the principles associated with the risk assessment component of the COSO framework. Specifically, these control deficiencies constitute material weaknesses, either individually or in the aggregate, relating to: (i) identifying, assessing, and communicating appropriate objectives, (ii) identifying and analyzing risks to achieve these objectives, (iii) contemplating fraud risks, and (iv) identifying and assessing changes in the business that could impact our system of internal controls.
For auditors, it is particularly important to remember that evaluating entity-level controls is required as part of an audit of ICFR. AS 2201 paragraph 25 states:
Control Environment. Because of its importance to effective internal control over financial reporting, the auditor must evaluate the control environment at the company. As part of evaluating the control environment, the auditor should assess –
-
-
- Whether management’s philosophy and operating style promote effective internal control over financial reporting;
- Whether sound integrity and ethical values, particularly of top management, are developed and understood; and
- Whether the Board or audit committee understands and exercises oversight responsibility over financial reporting and internal control.
-
The points made in the Anti-Fraud Collaboration document, the example above from Roadrunner Transportation and the guidance from AS 2201 dovetail with the points made in Dr. Munter’s Statement. In his conclusion, he makes this point:
“When business risks change, a robust, iterative risk assessment process and strong entity and process-level controls are essential to transparent and high-quality financial reporting. Auditors in their public gatekeeper role serve as an independent check on management’s performance of these critical functions and should transparently communicate with investors in accordance with PCAOB standards.”
As always, your thoughts and comments are welcome.