TheCorporateCounsel.net

August 29, 2023

ICFR: SEC’s Chief Accountant Stresses Need for “Comprehensive Approach” to Risk Assessment

Last Friday, SEC Chief Accountant Paul Munter issued a statement cautioning management and auditors against taking a narrow approach in their risk assessments when evaluating the effectiveness of a company’s internal controls. The statement also outlines the OCA Staff’s expectations of management & auditors in the risk assessment process.

The statement says that management must “take a holistic approach when assessing information about the business and avoid the potential bias toward evaluating problems as isolated incidents, in order to timely identify risks, including entity-level risks”. It must then design processes & controls that are responsive to those risks and effectively identify information that it is required to communicate to investors. This excerpt provides some additional insight into the broader approach the Staff expects from management in its risk assessment process:

Changing economic conditions may have a significant and sudden impact on an issuer’s business, which could change risks or create new ones. Therefore, to be effective, risk assessment processes must comprehensively and continually consider issuers’ objectives, strategies, and related business risks; evaluate contradictory information; and deploy appropriate management resources to respond to those risks. For example, management’s risk assessment process may consider observations from regulators, analyst reports, and short-seller reports. Management is also required to provide auditors complete information related to certain communications from regulatory agencies.

Management needs to be alert to new or changing business risks to identify changes that could significantly impact its system of internal control, and design and implement responses that support issuers’ ability to appropriately disclose information in its periodic filings. Business risks, such as a company’s loss of financing, customer concentrations, or declining conditions affecting the company’s industry, could affect issuers’ ability to settle their obligations when due, and affect the risks of material misstatements in financial statements not being identified on a timely basis. Likewise, risks related to changes in technology could impact the effectiveness of controls around processing of transactions.

The statement goes on to provide additional guidance on the Staff’s expectations concerning entity-level controls and what is required of public companies when it comes to their reporting obligations with respect to internal controls. The statement also admonishes auditors about the need for professional skepticism when it comes to risk assessment, noting that they should be alert to potential changes in the company’s “objectives, strategies and business risks” and their implications for the control environment. In particular, the statement notes that auditors should “consider the possible impact of an issuer’s public statements regarding changes in their strategy, board composition, or other governance matters—and whether such statements contradict management’s assessment of its control environment.”

Companies would be well advised to share the Chief Accountant’s statement and discuss its implications with their audit committees. It’s pretty clear from the statement’s tone that the OCA Staff has concerns about the risk assessment process and the conclusions and disclosures about ICFR that flow from that process. It seems likely that these concerns are going to find their way into Staff comment letters and, potentially, enforcement proceedings as well.

John Jenkins