Using Risk Assessments to Strengthen Internal Control Over Financial Reporting

By Ringside Talent Partners

June 5, 2024

As regulators increase their focus on internal control over financial reporting (ICFR), so should management. Because the foundation of the ICFR system is the financial statement risk assessment, management might want to consider refreshing the risk assessment program to incorporate the right people, processes, and technologies.

“Organizations should scale their ICFR program to focus on risks rather than benchmarks,” says Patricia Salkin, a managing director with Deloitte Risk and Financial Advisory at Deloitte & Touche LLP.

Both investors and regulatory bodies, including the Securities and Exchange Commission and the Public Company Accounting Oversight Board, are placing an increasing focus on ICFR. As Wesley R. Bricker, SEC chief accountant, stated in his December 4, 2017, speech at the 2017 American Institute of Certified Public Accountants Conference on Current SEC and PCAOB Developments: “Well-run public companies have effective internal controls not just because internal controls are a first line of defense against preventing or detecting material errors or fraud in financial reporting, but also because strong internal controls are good for business and can have an impact on costs of capital. It is important for audit committees, auditors, and management to continue to have appropriately detailed discussions of ICFR in all areas — from risk assessment to design and testing of controls, as well as the appropriate level of documentation. If left unidentified or unaddressed, ICFR deficiencies can lead to lower-quality financial reporting which can ultimately lead to higher financial reporting restatement rates and higher cost of capital.”

Typically, when an organization seeks to evaluate its ICFR program, it uses the control count as a benchmark metric for program sufficiency. For instance, an organization might consider industry peer group control count data, in order to compare the number of controls. Or an organization might explore what controls can be removed from the ICFR program and still provide enough information to earn a passing grade.

However, using the control count as a benchmark metric can be a flawed approach because no two organizations are the same. Variations in business models, organizational structure, and operating environments, for example, can result in different risks of material misstatements (ROMMs) to the financial statements. Further, each company’s construct of controls differs. In short, unless the risk assessment details driving the selection and ultimate count of controls are known, the benchmarking data may not be meaningful.

The Risk Assessment

To evaluate the sufficiency of an organization’s ICFR program, its starting point should be a financial statement risk assessment. The assessment generally should include specific financial reporting objectives, as well as the identification of the relevant risks. It should also answer the following questions:

  • Which controls are necessary to address the organization’s risks?
  • How many controls does the organization need?
  • What is “just enough” for the organization’s ICFR program?

A robust risk assessment serves to identify the relevant ROMMs, as well as the selection and design of relevant controls. “Organizations that take a reactive approach to the risk assessment — performing them only when issues materialize — may be missing an opportunity to improve their ICFR programs,” says Todd Scarpino, a managing director with Deloitte Risk and Financial Advisory at Deloitte & Touche LLP. “Rather, management should proactively identify and assess new and existing risks,” he adds.

Leveraging Innovation and Analytics

Increasingly, financial and operational transactions are moving online, expanding the array of variables to analyze, outliers to identify, and patterns to interpret. Organizations can leverage the power of innovation in their ICFR program, including data analytics, process analytics, and visualization tools as part of the risk assessment process. These tools can provide powerful details to help to identify what might truly be a ROMM — at a more detailed level — in order to vary the nature, timing, and extent of testing based on risk. The result is often a less costly and more effective ICFR program that is grounded in a meaningful risk assessment.

Advanced audit analytics capabilities also can bring greater value to the audit process by supporting the analysis of large data sets and revealing more granular insights. “By enabling the analysis of entire sets of financial transactions, audit analytics aids in the interpretation and management of a growing storehouse of audit information,” says Amy Estrada, a managing director with Deloitte Risk and Financial Advisory at Deloitte & Touche LLP.

With process analytics, management can take enormous amounts of data and repeatedly adjust the lens through which they’re observed to gain valuable insight into the state of operations. For example, process analytics can allow management to identify each class of transaction underlying a given account balance and conduct a specific risk assessment for each, considering the following attributes:

  • Size and composition of the account
  • Susceptibility to misstatement due to errors or fraud
  • Volume of activity, complexity, and homogeneity of the individual transactions
  • Nature of the account or disclosure
  • Nature of the transactions — routine and automated or manual
  • Whether judgment is utilized to record the transactions
  • Accounting or reporting complexities associated with the class of transactions
  • Exposure to losses
  • Existence of related-party transactions
  • Changes from the prior period in account or disclosure characteristics

With a greater understanding of the attributes of a transaction, an organization can assess the inherent risk for each class of transaction and conclude whether the risk of material misstatement is remote, lower, or higher. Based on this risk rating, it can then vary the internal control testing to address the inherent risk for each class of transaction in an account balance or disclosure.

Further, integrating data analytics and visualization could potentially help organizations improve the quality of the data analyzed to support robust risk identification and report results succinctly to key stakeholders. This, in turn, can help management gain a better understanding of the risks of material misstatement at a more granular level.

Next-gen Controls

When organizations invest heavily in innovation, key processes are often changed and/or updated, which can alter their risk landscape. Therefore, the following activities should be considered part of the risk assessment:

  • Reducing the number of processes, controls, applications, systems, tools, etc. that are in scope through consolidation, modernization, and risk assessment
  • Centralizing systems, processes, technology, and people into fewer locations and support models, such as data centers, centers of excellence, and shared service centers
  • Standardizing configurations, processes, policies, controls, and procedures
  • Automating the testing and implementation of automated controls

These activities can provide opportunities to create value by reducing compliance costs, redirecting resources to focus on important business initiatives, and potentially increasing stakeholder confidence in the reliability of financial reporting. “Ultimately, that could help drive down the cost of capital,” notes Salkin.

Courtesy of Wall Street Journal