How to implement a top-down, risk-based approach to certification
CEO/CFO Certification News, December 2007
One of the most important aspects of establishing a robust control system that enables CEO and CFO certifications is the implementation of a top-down, risk-based approach. While most companies now acknowledge its importance, many organizations remain challenged in understanding how to successfully undertake such an approach. The interpretive guidance for management issued by the Securities and Exchange Commission (SEC), Auditing Standard No. 5 issued by the Public Company Accounting Oversight Board (PCAOB), the comparable guidance in Canada comprising the materials issued by the Canadian Securities Administrators and other material issued by the Canadian Institute of Chartered Accountants can assist management with its understanding. However, questions remain and opportunities exist for strengthening the successful implementation of a top-down, risk-based approach.
What does top-down, risk-based really mean?
A top-down approach has two dimensions — scoping and identifying the relevant controls that will be assessed.
Scoping refers to the manner in which the company determines its risks for which internal controls are required. It is difficult to separate top-down from the concept of risk-based when discussing scoping as the two are inextricably linked. A top-down approach considers the key financial reporting risks when determining scope.
From the perspective of identifying relevant controls, top-down refers to identifying entity-level controls prior to identifying lower-level or process-level controls that address risk. It may be possible to identify or implement entity-level controls that operate with sufficient precision to mitigate certain financial reporting risks that reduce or, in some cases, eliminate entirely the need to identify lower-level controls.
A risk-based approach has the largest impact in the following three areas:
- Scoping: Identifying and prioritizing the population of risks.
- Identifying and evaluating internal controls: The nature and number of control activities required to address a financial reporting risk and the nature, extent and timing of the evaluation of operating effectiveness.
- Concluding: Classifying deficiencies that result from management’s assessment activities.
Scoping and identifying likely sources of misstatements
In charting a course for an effective control system enabling CEO and CFO certifications, it is important to understand the end game. In this case, it is about identifying all likely sources of potential material misstatement or disclosure errors in the absence of controls and then ensuring that controls are in place and operating effectively to mitigate these risks.
A logical first step in this exercise is to identify significant financial reporting elements including accounts and disclosures. If necessary, accounts and sub-accounts should be disaggregated to allow for the identification of areas that could result in a material misstatement. Once accounts and disclosures are identified, apply a materiality factor, in addition to other qualitative factors, to determine whether the accounts, sub-accounts and disclosures contain risks that would be included in the overall population of risks. If there is a reasonable possibility of a material misstatement within the account or disclosure, the account would be considered as significant and further analysis would be required to specifically identify the potential reporting or financial statement misstatement. Generally, accounts or sub-accounts greater than management’s materiality will be considered significant. Other accounts will also be considered significant based on qualitative factors such as:
- Susceptibility to errors and fraud
- Volume of activity, complexity and homogeneity
- Exposure to loss
- Extent of judgment
- Related party transactions
- Changes from prior period
- History of misstatements
The next step in the risk assessment involves identifying the likely sources of misstatements by determining what can go wrong and by defining the risks in a manner that enables management to determine whether identified controls would actually reduce the risk to an acceptable level. Relevant assertions are often helpful in assisting management in identifying what could go wrong in the respective accounts and disclosures. The most commonly used assertions are:
- Existence or occurrence: Assets, liabilities, and ownership interests exist at a specific date, and recorded transactions represent events that actually occurred during a certain period
- Completeness: All transactions and other events and circumstances that occurred during a specific period, and should have been recognized in that period, have, in fact, been recorded
- Valuation or allocation: Asset, liability, revenue, and expense components are recorded at appropriate amounts in conformity with relevant and appropriate accounting principles
- Rights and obligations: Assets are the rights, and liabilities are the obligations, of the entity at a given date
- Presentation and disclosure: Items in the statements are properly classified, described, and disclosed
Determining what could go wrong with each assertion for significant accounts and disclosures helps bring greater precision in the efforts to identify relevant internal controls. The following chart provides a few examples in determining what can go wrong:
| Significant account | Selected assertion | What can go wrong (i.e. risk) |
|---|---|---|
| Raw material inventory | Valuation or allocation | Inventory is not saleable or usable |
| Finished goods inventory | Existence or occurrence | Shipments of inventory are not recorded in the right period |
| | | Sales revenues are not recorded in conformity with generally accepted accounting principles applicable in the circumstances |
Recognizing that not all risks are of equal importance, the final step in the risk assessment involves assigning a priority level to each account and risk. A common approach is to assign a high, medium or low priority rating. These ratings are important as they will impact the internal control identification process as well as the nature, extent and timing of management’s assessment activities. In assigning the risk rating, the magnitude of the impacted account or disclosure should be determined as well as the likelihood of misstatement for the related risk. The following chart provides an illustration of the risk mapping exercise:
Identifying internal controls
Once the company’s financial reporting risks are identified and prioritized, the next step is to identify internal controls that mitigate the risks identified. A top-down approach starts with identifying entity-level controls. If a financial reporting risk for a financial reporting element is adequately addressed by an entity-level control, no further controls may be needed to address the risk, particularly for risks rated as low.
Entity-level controls vary in nature and precision and can be categorized into the following three types:
- Indirect and pervasive: Those that have an important, but indirect, effect on the effectiveness of the control system (e.g., control environment, tone at the top, risk assessment, etc.).
- Monitoring: Those that monitor operations and effectiveness of other controls (e.g., transaction reviews, audit committee, self assessments, etc.).
- Direct and precise: Those that operate at a level of precision that would adequately prevent or detect misstatements on a timely basis.
In situations where entity-level controls adequately address a financial reporting risk at the account and assertion level, the entity-level control would have to be direct and operating with a sufficient level of precision to prevent or detect, on a timely basis, the reasonable possibility of a material misstatement. Addressing risk with entity-level controls can significantly improve the efficiency and cost-effectiveness of a compliance initiative as these controls tend to operate less frequently and therefore result in less effort in assessing their operating effectiveness.
Where financial reporting risks are not sufficiently mitigated by entity-level controls, technology-based and/or process-level controls would have to be identified. Automated controls tend to be more reliable and can often be efficiently assessed and, therefore, should be identified where possible. If automated controls do not exist, manual controls that address the financial reporting risks should be identified.
Evaluating internal controls
The evaluation process, comprising both design and operating effectiveness assessments, will vary from company to company. However, a top-down, risk-based approach to the assessment of internal controls should result in a more efficient overall evaluation of controls.
The assessment of control design refers to management’s determination as to whether suitable controls have been placed in operation to address the company’s financial reporting risks. This determination involves a high level of judgment and, as a result, senior finance personnel should be actively involved in the assessment.
Management’s evaluation of operating effectiveness should be customized taking into consideration management’s assessment of the risk characteristics of both the financial reporting element and the related internal controls. The combination of financial reporting risk (discussed earlier) and control risk is important in determining the overall nature, extent and timing of management’s operating effectiveness assessments. Control risk considers the characteristics of the controls themselves that impact the likelihood that a control might fail. Examples of considerations include the complexity of the control, the risk of management override and the judgment required to operate the control.
Management’s assessment of operating effectiveness can be obtained through day-to-day interaction with the control systems, by direct testing of controls, and through on-going monitoring activities. Direct tests are ordinarily performed on a periodic basis by individuals with an appropriate degree of objectivity relative to the underlying risk to financial reporting of the controls being tested. Management may base their evaluation of operational effectiveness on their day-to-day interactions or on evaluations conducted by appropriately skilled, objective individuals based on observation of the control activity, examination of documentation and other evidence of the operation or re-performance of the control activity.
These latter tests are typically used for higher risk areas. On-going monitoring activities refer to management’s normal, recurring activities that provide information about the operation of controls. For example, with respect to a reconciliation control, the supervisor of the area may perform an appropriately detailed review of the reconciliation each time it is prepared. The supervisor’s review, assuming some assessment of the reconciling items is conducted, informs her as to whether the control is working and also encourages continued effective operation of the control. These assessments are typically used for lower risk areas or in combination with additional direct testing for other areas.
The following chart illustrates a hypothetical evaluation structure based on varying levels of assessed underlying risk:
Concluding on internal control deficiencies
A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect potential misstatements on a timely basis. Design deficiencies, for example, may exist when necessary controls are missing or existing controls are not designed properly. Operating effectiveness deficiencies, on the other hand, exist when controls do not operate as designed or the person performing the control does not possess the necessary authority or qualifications to effectively perform the control.
In concluding on the design or effective operation of internal control over financial reporting, the categorization of a control deficiency as a material weakness does not depend on whether a material misstatement has actually occurred but rather on whether there is a reasonable possibility that the identified controls will fail to prevent or detect a material misstatement.
In implementing a top-down, risk-based approach to concluding as to whether a material weakness exists, consideration should be given to additional factors including those listed in the table below:
| Sample risk factors that affect reasonable possibility that a control will fail | Sample factors that affect the magnitude of the misstatement from a deficiency |
|---|---|
Common pitfalls to successfully undertaking a top-down, risk-based approach
Despite the general recognition of the importance of employing a top-down and risk-based approach to compliance, many organizations struggle in their attempts to successfully implement such an approach. The most common mistake made is the failure to involve individuals who have a sufficient understanding of Generally Accepted Accounting Principles and financial reporting in the risk assessment. Their experience and knowledge can prove valuable in the identification of all likely sources of material misstatements in the absence of any controls. Given the subjectivity and judgments involved, risk assessments and scoping activities should include the active involvement of senior finance representatives and, in particular, those individuals within the company with direct responsibility for the preparation, review, approval, and release of the financial statements — those individuals with the necessary skills, training and experience.
Other common pitfalls include:
- Limited knowledge and understanding of certification standards and guidance issued by regulators
- Replication of prior years’ risk assessment and control design and operational effectiveness testing activities without sufficient continuous improvement efforts to reflect recent changes in standards and interpretations
- Failure to update risk assessment on a regular basis (i.e. at least annually) for changes in internal and external risk factors
- Failure to customize the nature, extent and timing of compliance activities based on risk
- Inappropriate attention to documenting the linkage of entity-level controls and underlying financial reporting risks and to the opportunity to enhance existing entity-level procedures so that they can be relied upon (i.e. are sufficiently direct and precise)
- Inappropriate reliance on controls dependent on computer-generated information without proper consideration of the risks in the preparation and presentation of the computer-generated information or the completeness and accuracy of the underlying data.
Other interesting articles and publications
Commission Guidance Regarding Management’s Report on Internal Control over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, Securities and Exchange Commission, June 2007
Auditing Standard No. 5 – An Audit of Internal Control Over Financial Reporting That Is Integrated With An Audit of Financial Statements, Public Company Accounting Oversight Board, June 2007
Guidance on Monitoring Internal Control Systems, Committee of Sponsoring Organizations of the Treadway Commission, September 2007
Companion Policy 52-109CP to National Instrument 52-109 Certification of Disclosure in Issuers’ Annual and Interim Filings, Canadian Securities Administrators, March 2007 (see note below regarding CSA Notice 52-319)
Update: New CSA Release – Notice 52-319
On November 23, 2007, the CSA issued Notice 52-319 (the Notice) providing a status update regarding their proposed repeal and replacement of Multilateral Instrument (MI) 52-109 released March 31, 2007 (previously proposed materials). In the Notice, the CSA indicates that the previously proposed materials will not be finalized. Significant revisions will be made and a new set of proposals will be issued for public comment.
In addition, the additional management certifications related to evaluating the effectiveness of ICFR, as contained in the previously proposed materials, will not be effective for year-ends on or after June 2008. No indication was provided regarding a revised effective date.
The Notice also indicates that the new proposals, when released, will no longer require CEOs and CFOs of venture issuers to certify that they have designed and evaluated disclosure controls and procedures (DC&P) or ICFR although current rule requirements are in effect until a new rule is adopted. The rule currently in force requires a quarterly certification regarding the design of DC&P and ICFR and an annual certification regarding the evaluation of effectiveness of DC&P. The Notice advises venture issuers to consult the website of each jurisdiction in which they are a reporting issuer to determine the availability of exemptive relief orders or other forms of accommodation relating to the filing of certificates under MI 52-109.
In its Notice, the CSA did not provide an indication as to when revised proposals will be issued for public comment or a target date for the issuance of a revised National Instrument.
Message to our readers
Because changes in certification regulations and interpretations no longer occur as frequently as in the past, this issue will be the last regular publication of CEO/CFO Certification News. We will continue to share our insights and points of view with you on a periodic basis as new developments arise. We thank you for your continued support and interest.
To access previous issues, please visit the CEO/CFO Certification services section on Deloitte.ca.