Every public company in the U.S. has an implied yet significant obligation – the obligation to demonstrate the reliability of their financial statements. The responsibility of management is set forth in Section 404 of the Sarbanes-Oxley Act, which implies that the management needs to assess and disclose the effectiveness of their internal control over financial reporting (ICFR). With the issuance of the guidance by the SEC regarding how the evaluation of such internal controls needs to be performed, this process was significantly altered for all companies regardless of their size.
In this blog, you will find out how the principles-based approach of the SEC for the evaluation of ICFR works, why it abandoned the rigid checklist approach for a judgment-based one, and what it entails for accountants and auditors who are responsible for financial reporting.
The Foundation of a Risk-Based Approach to Internal Control
The absence of this guidance meant that most firms used compliance to ICFR in the form of a checklist approach instead of actual risk assessment. The interpretive guidance from the SEC altered this scenario in that it anchored the risk assessment process on professional judgment.
Why "Reasonableness" Replaced Rigid Standards
It is noteworthy how reasonableness is deliberately defined as not being an absolute standard of accuracy. Rather than insisting on one methodology to be the only acceptable one, the SEC noted that multiple methodologies, findings, and evaluation methods can all be considered to meet the standards of Rules 13a-15(c) and 15d-15(c). This is important due to the fact that the multinational conglomerate and the small regional corporation have different operational realities; therefore, putting them through the same evaluation process would not be realistic at all.
For accountants, it meant a change in mentality: compliance was now about designing the evaluation process, which was reflective of the company’s reality, rather than matching an external framework. It also meant that the auditors should have their own rationale behind their decisions and not apply templates from companies having nothing in common with them.
Two Guiding Principles Behind Every Evaluation
These concepts form the basis of the guidelines. Firstly, management has to be able to make an assessment of the degree of control that has been put in place in relation to the risk of material misstatements going unnoticed. Secondly, the documentation of the effectiveness of controls needs to be commensurate with the degree of risk identified. All these concepts together form a logical progression of identifying risk, implementing control and then verify effectiveness of the control.
Such an approach allows firms to efficiently use their time and resources for compliance issues. The firm will not spend equal effort testing every single account. Instead, only accounts that have material consequences for the company if there were any misstatements will receive rigorous testing. Others with less risk get tested less rigorously. For the time constrained CPAs this is a much more efficient approach than testing all accounts equally.
Scaling the Framework for Smaller Public Companies
Acknowledging that many small public companies are unable to have the hierarchical management structure compared to large corporations, SEC has specifically allowed the small companies to scale up their approach while maintaining the same level of rigor. A small and centralized company where management is directly involved in all financial dealings could very well use this involvement for continuous monitoring which is impossible for a decentralized company.
This does not mean that smaller companies get an easier target to meet in terms of compliance. The difference lies in how the information would be collected despite maintaining the same standard of reasonable assurance. Companies that are expanding and conducting the ICFR evaluation for the first time can benefit from developing a scalable documentation process at the beginning itself.
Identifying Financial Reporting Risks and Building Appropriate Controls
After the principles have been defined, then the actual process starts. This involves identifying areas where things can really go wrong and creating controls based on real vulnerabilities instead of general assumptions.
Mapping GAAP Requirements to Business Realities
Risk identification begins with the interpretation of GAAP rules and regulations for the specific transactions, operations, and business activities of the firm. The managers then apply their experience and knowledge in identifying possible risks relating to transaction initiation, authorization of transaction or recording of information in books of accounts.
The process is dependent on the size of the organization. For instance, a larger business entity that has several business segments may require specially trained staff who are knowledgeable in GAAP or IT issues. On the other hand, smaller and centralized business organizations use the proximity of management to their operations for risk identification purposes. In any event, risk identification must be an analytical process and not merely copying last year's risk template from work papers.
Designing Controls That Match the Risk
When risks are identified, management assesses if the current controls in place are sufficient to mitigate them. Controls may assume different shapes, from reconciliations to segregation of duties, approval rights, or asset protection, and could be automated, manual, or even a combination of both. The same control could help mitigate several risks at once, or vice versa, several controls would be needed for addressing one particular risk.
Entity-level controls, including the overall control environment and monitoring activities, should also be taken into account. Certain entity-level controls may only indirectly impact the addressed risk, while other controls can work with a degree of precision required to fully mitigate the identified risk. Determining which category a particular control belongs to is quite a difficult task, and making a mistake can result in an underestimation of the actual risk.
The Role of Information Technology in Control Design
Financial reporting in today’s environment is highly dependent on the use of technology, which is addressed through the guidance as well. General IT controls alone cannot help address the risk inherent in financial reporting but the functioning of automated controls relies on IT infrastructure entirely. Therefore, the considerations of IT need to be integrated in the wider evaluation rather than being performed separately.
Managers do not have to examine general IT controls that are needed to operate other controls that pertain to financial reporting. Controls that do not contribute to the accuracy of financial reporting but only to the efficiency of operations will not be evaluated under this framework.
Evaluating Evidence and Reporting Control Deficiencies
The detection of risks and control design is only half of the equation. Management also needs to have enough evidence that these controls work, and know how to react in case they do not.
Gathering the Right Evidence for the Right Risk Level
What is required will depend largely on the level of risk involved. Testing will normally have to be carried out in high-risk situations by persons who do not have a stake in the results of the test, but in low-risk areas, it may well be sufficient just to monitor. Personnel skill levels, staff turnover, and whether the control has been effective before will all determine what is necessary.
This will allow firms to avoid unnecessary testing of low-risk areas, focusing attention where it really counts. For internal audit departments, the evaluation plan should be revised every cycle, as opposed to repeating it, because the risk profile will have changed.
Handling Deficiencies and Determining Materiality
Not all weaknesses in controls amount to a material weakness. However, differentiating between the two needs one to consider quantitative as well as qualitative aspects such as the nature of the reporting component concerned, the likely size of the misstatement, and if the controls compensate for the deficiency. Circumstances where there is a possibility of fraud by the senior management or financial statement restatements indicate the existence of a material weakness, even though none of them guarantees a material weakness per se.
In case of a material weakness, the company is required to make disclosures. These include an explanation of the weakness, its effect on financial reporting, and the measures being taken to address the problem.
Why This Framework Still Matters Today
Even though this guidance was released a long time ago, these principles still govern how public companies, audit organizations, and CPA firms deal with the ICFR evaluation process. The focus on judgment over rules, risk-based resource allocation, and flexible assessment techniques is very relevant in the present days considering technological advancements and ever-changing risks of fraud.
For finance specialists, sticking to these principles means that you have something that won’t become outdated no matter what changes in the format and tools will take place. In general, adopting this risk-based approach helps a company develop more robust processes of financial reporting.
However, the SEC’s interpretive guidance on evaluating internal controls for financial reporting is one of the most important documents used by public companies while complying with SOX 404. The use of the principles-based approach gives the management the opportunity to develop an appropriate process of evaluation in accordance with the risks of its company, which can be either multinational or a small centralized business. Being aware of how to detect the risks in relation to financial reporting, how to create adequate controls, collect evidence, and manage deficiencies, one increases the accuracy of financial reporting.
Follow The Fino Partners for ongoing industry insights, and explore our professional expertise if your organization needs support refining its internal control processes.
