The stock value of a public company can drop significantly when an independent auditor finds a material weakness. Financial statement disclosures, internal control over financial reporting (ICFR) assessment reports, and independent audit reports all signal to stockholders whether management prioritizes a strong control environment.
A material weakness, which a public company must disclose, can undermine the organization’s reputation for sound management of its control environment as communicated in its public reporting to investors.
To protect against a material weakness, there are steps financial teams can take to build confidence in their controls and help avoid adverse financial reporting issues from arising:
- Conduct a risk assessment
- Let the external auditor’s guidance inform the internal controls process
- Monitor changes to compliance landscape
- Revisit foundational controls
- Align governance with organizational goals
Below, we explore each step in more detail.
Step 1: Conduct a Risk Assessment
What Is a Risk Assessment?
Once management has established their strategic and operational objectives, they should perform or oversee a risk assessment to identify the barriers to meeting those objectives.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a risk assessment is an interactive process for identifying and assessing those risks that may limit the achievement of enterprise objectives. It should be a structured and disciplined process that is practical, sustainable, easy to understand, and correctly sized to the enterprise’s size, complexity, and geographic reach.
The risk assessment will also establish a hierarchy of priorities for a company to address based on the likelihood of the risk’s occurrence and the impact on the organization. A risk assessment may be conducted in the following ways:
- Broadly over an entire organization
- Narrowly over a specific process or activity, such as period-end financial reporting
- Over a department like payroll
Risk assessments are invaluable because they identify areas of importance that adversely affect an organization. They’re also unique and subjective because the likelihood and impact of each type of risk will vary for each organization.
It’s prudent for organizations to conduct an enterprise-wide risk assessment and establish a baseline of risk appetite or risk tolerance. Then, the organization can map to key environmental or operational impacts such as:
- Implementation of a new enterprise resource planning system
- Merger or acquisition activities
- Changes to regulatory compliance and financial guidance
- Opportunities in the marketplace
For more information on how to conduct a risk assessment and build out a risk management plan, please read our article.
Strategic Risk Solutions
Even the most diligent companies and competently staffed organizations may unexpectedly receive a significant deficiency or material weakness observation on occasion.
In these scenarios, a healthy organization responds to internal control issues by identifying the root cause and implementing a solution that aligns with available resources, company culture, staffing and information system competence, and capabilities of the organization.
Risk is integral to the pursuit of value, so strategic-minded enterprises don’t strive to eliminate all risk—or even to reduce it.
Instead, they seek to manage risk exposures across all parts of their organizations so that, at any given time, they incur just enough of the right kinds of risk to effectively pursue strategic goals.
The traditional business view of risk is that it’s best avoided; strategic risk is a critical shift in perspective that can help use risk to the organization’s advantage.
Consider Risk-to-Reward Potential
The graphic below, which is a reproduction of a chart originally produced by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), represents the idea of finding the sweet spot of risk—accomplished by decision-makers focusing on managing the right amount of risk.
If a company takes too few risks, it may be bogged down addressing minutia with minimal impact. With too much risk-taking, the company may not meet objectives or face undesirable consequences.
Step 2: Let the External Auditor’s Guidance Inform the Internal Controls Process
External auditors conduct detailed evaluations of risk for many different companies, so they can provide management with insights on new process and control activities among public companies, as well as benchmarking information on accepted practices.
The observations identified by their inspectors can provide direction on whether the compliance requirements are becoming more or less stringent and insights into previously unforeseen risk. These insights could help an organization adopt best practice solutions to environmental and regulatory changes.
Auditors expect questions about the process, so organizations shouldn’t hesitate to ask for advice based on what they’re seeing in the marketplace. This is especially true if there have been any regulatory changes.
For example, when the COSO 2013 Integrated Framework was released, how did other clients implement the changes with the least impact to current operations?
Or when Staff Audit Practice Alert 11 was released, companies were uncertain if their current approach was sufficient to validate the accuracy of key reports and spreadsheets. How can these requirements be implemented without incurring huge amounts of incremental time and resources?
This issue was addressed later in 2013 when external auditors were able to provide guidance on approaches that had successfully bridged this issue. An organization could consult with an auditor for advice on how a company’s peers had invested in technology solutions to address certain risks to streamline the path to an effective solution to risk.
More recently, the implementation of ASC 606 over customer revenue and ASC 842 over leases provided ample opportunities for companies to leverage lessons learned from early adopters and the largest public filers as conveyed through interactions with their external auditor.
Here are some questions to ask an auditor:
- What are good practices you’re observing in other clients?
- How are changes to compliance requirements impacting my organization?
- What changes to compliance programs do you see on the horizon?
- How have organizations addressed issues with technology?
Step 3: Monitor Changes to Compliance Landscape
Within a short period of time, several factors may come together to alter the financial reporting compliance landscape.
In 2013, COSO released their new framework on internal control and some common noteworthy threads in auditor inspections by the Public Company Accounting Oversight Board (PCAOB) led to promulgation of Staff Audit Practice Alert 11. New standards were also added to the mix, including guidance relevant to related parties and going concern uncertainties.
Additionally, results of PCAOB inspections have influenced how management must document certain accounting activities and the extent to which auditors must apply greater rigor to some of their procedures and support.
Therefore, the compliance environment can change not only through explicit new pronouncements and regulations, but also through these PCAOB inspection comments.
When it comes to the changing regulatory environment, it’s even more important for organizations to stay abreast of changing requirements and to verify their methodology matches up to the most current guidance. Missing, or poorly executing, new compliance requirements increases the likelihood of an internal-control issue.
Take time before an audit occurs to verify your organization is current on its regulatory compliance; this assurance goes a long way toward strengthening internal controls.
Step 4: Revisit Foundational Controls
Assumptions are often made about the condition of the most basic internal controls, such as segregation of duties (SOD), but significant issues can occur when these assumptions are wrong.
What Is Segregation of Duties (SOD)?
SOD is a highly complex organizational control that’s meant to help ensure responsibilities for essential or consequential business functions are dispersed between more than one person or department. Without this separation, risks ranging from asset theft to fraudulent financial statement manipulation become significantly more difficult to manage.
In the case of SOD, material misstatements due to errors or fraud could arise when a single individual is allowed to execute two or more conflicting sensitive transactions. Assigning the responsibility of authorizing and recording transactions to different people, or maintaining custody of assets, could reduce opportunities for any one person to perpetrate and conceal errors or fraud.
SOD is usually dependent on restrictions on IT-system access rights because most critical functions are performed through the enterprise system. However, because SOD requires technical and policy coordination, it can often fall through the cracks when integrated systems overlap but aren’t reviewed holistically.
Similar high-consequence oversights can occur easily with other foundational controls as well—so they’re worth assessing before an audit occurs.
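As an added illustration (not part of the original article), the following Python script shows why an SOD review has to look across systems rather than at each one in isolation. It merges role exports from two constructed systems (an ERP and a banking portal), maps each role to the business functions it grants, and checks every user against a small conflict matrix built on the authorize/record/custody split described above. All system names, role names, users, and conflict pairs are constructed for this example.

```python
"""Cross-system segregation-of-duties (SOD) check (added example, constructed data)."""
from collections import defaultdict

# Constructed conflict matrix: pairs of business functions one person should not
# hold together. Each pair crosses the authorize / record / custody boundary.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "release_payment"}),          # record master data vs. custody of cash
    frozenset({"approve_payment", "release_payment"}),        # authorize vs. custody
    frozenset({"post_journal_entry", "approve_journal_entry"}),  # record vs. authorize
}

# Constructed mapping from each system's technical roles to business functions.
ROLE_FUNCTIONS = {
    "erp": {
        "AP_CLERK": {"create_vendor", "enter_invoice"},
        "AP_MANAGER": {"approve_payment"},
        "GL_ACCOUNTANT": {"post_journal_entry", "approve_journal_entry"},
    },
    "banking": {
        "PAYMENT_RELEASER": {"release_payment"},
        "PAYMENT_VIEWER": set(),
    },
}

# Constructed role exports, as each system would report them: (user, role) pairs.
ROLE_EXPORTS = {
    "erp": [("alice", "AP_CLERK"), ("bob", "GL_ACCOUNTANT"), ("carol", "AP_MANAGER")],
    "banking": [("alice", "PAYMENT_RELEASER"), ("carol", "PAYMENT_VIEWER")],
}


def build_entitlements(exports, systems=None):
    """Merge role exports into user -> {(function, system, role)}.

    If `systems` is given, only those systems' exports are included, which
    models a review that looks at a single system in isolation.
    """
    entitlements = defaultdict(set)
    for system, assignments in exports.items():
        if systems is not None and system not in systems:
            continue
        for user, role in assignments:
            for func in ROLE_FUNCTIONS[system].get(role, set()):
                entitlements[user].add((func, system, role))
    return dict(entitlements)


def find_sod_violations(entitlements, conflicts=SOD_CONFLICTS):
    """Return sorted (user, function_a, function_b, sources) tuples for every
    user who holds both functions of a conflicting pair, with the system:role
    grants that produced the conflict so the reviewer can see where it came from."""
    violations = []
    for user, grants in entitlements.items():
        funcs = {func for func, _, _ in grants}
        for pair in conflicts:
            if pair <= funcs:
                func_a, func_b = sorted(pair)
                sources = tuple(sorted({f"{system}:{role}"
                                        for func, system, role in grants if func in pair}))
                violations.append((user, func_a, func_b, sources))
    return sorted(violations)


if __name__ == "__main__":
    for scope in ({"erp"}, {"banking"}, None):
        label = "all systems" if scope is None else ", ".join(sorted(scope))
        found = find_sod_violations(build_entitlements(ROLE_EXPORTS, systems=scope))
        print(f"Reviewing {label}: {len(found)} violation(s)")
        for user, a, b, sources in found:
            print(f"  {user}: {a} + {b} via {', '.join(sources)}")
```

Run on its own, the script shows the gap the text describes: reviewing the ERP export alone flags only bob (who can both post and approve journal entries inside one system), the banking export alone flags nobody, and only the merged view reveals that alice can create vendors in the ERP and release payments in the banking portal. A real deployment would replace the constructed exports with the entitlement reports pulled from each system and keep the conflict matrix under change control with the rest of the control documentation.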
Assess Key Controls
When assessing key controls, organizations should verify diligence around the following:
Step 5: Align Governance with Organizational Goals
Addressing the roles and composition of an organization’s governing body diminishes the likelihood of misstatements. Assigning a separate risk management function, either internally, externally, or co-sourced, provides incremental objectivity and assurance.
Address Common Issues
In an informal survey conducted by Moss Adams, we found the following governance issues among publicly traded companies.
Of the more than 16,500 companies surveyed, 12.5% of respondents fell short of guidance that a majority of their board be independent directors without a financial or family-related stake in the organization. When there’s a lack of independence, a company is exposed to the significant risk of cronyism because objectivity in oversight is compromised when board directors are interested parties in business decisions.
Steps to take: Establish and maintain an independent and diverse board where members are brought on to provide fresh perspective.
Audit committees without a non-executive director who has recent, relevant financial experience face an increased risk of account misstatements.
To provide governance and oversight, boards should include those with sufficient knowledge, education, and experience of the company’s industry, as well as knowledge of financial reporting and internal control, general accounting and assessment of complex accounting topics, compensation, strategy, management assessment, and external audit requirements.
Steps to take: Make sure at least one—but ideally several—board members have deep and broad financial experience so they can provide oversight and guidance on governance issues relevant to financial result reporting.
Risk management assessment and methodology are part of all internal control frameworks and best practices.
Informal reviews may be more appealing in terms of practical considerations; however, managing risk is most effective when conducted through a rigorous, repeatable, and objective process by a cross-functional team that can provide perspective from all angles inside and outside the organization.
Steps to take: Implement a risk management function leveraging any one of several available risk management frameworks. Embed risk management practices throughout all levels and departments across the organization and continuously build and mature the function.
We’re Here to Help
Insight into current best practices and success strategies can help your company avoid deficiencies and better align with current and future marketplace trends. For more information on internal controls and risk mitigation, contact your Moss Adams professional.