At its simplest, a “top-down, risk-based” approach to financial reporting is about exposure to risk related to a single objective — filing statements that are free of material error or omission.
And while they’re not a rampant problem, errors and omissions are still a troubling issue. PCAOB findings suggest deficiencies in audits of internal control in as much as 15 percent of the audit engagements it inspects, and—in addition—relatively minor errors in an equal amount.
Deficiencies noted include failures to:
A top-down, risk-based approach—properly implemented—can mitigate the risk of these failures and more.
PCAOB’s Auditing Standard No. 5 neatly defines the top-down, risk-based approach:
A top-down approach begins at the financial statement level and with the auditor’s understanding of the overall risks to internal control over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and their relevant assertions. This approach directs the auditor’s attention to accounts, disclosures, and assertions that present a reasonable possibility of material misstatement to the financial statements and related disclosures. The auditor then verifies his or her understanding of the risks in the company’s processes and selects for testing those controls that sufficiently address the assessed risk of misstatement to each relevant assertion.
In a recent webinar entitled “How to develop a top-down, risk-based approach to SOX—truly”, internal audit, risk management, and governance expert Norman Marks clarified that top-down is about learning to live with acceptable risks.
“What is the risk? Where is the risk? You need to, at all times, ensure that your scope is focused on those two questions,” Marks said. “That prevents scope creep—and keeps you from getting distracted by things that would never have resulted in a material error or omission.”
Success, then, lies in concentrating on areas where there is some appreciable chance of a material error or omission—and using controls to provide assurance that other risks are less than reasonably possible.
Wondering where to begin? AS5 suggests starting, predictably, at the start:
The auditor must test those entity-level controls that are important to the auditor’s conclusion about whether the company has effective internal control over financial reporting.
William J Powers, PCAOB National Associate Director, Division of Registration and Inspections, agrees. Powers, in the same SOX webinar, advised beginning at the financial statement level—and focusing primarily on entity-level controls and relevant assertions.
Here’s what counts as an entity-level control according to AS5:
The “mileage” you’ll achieve from entity-level controls can vary, naturally. Some controls are important but only contribute indirectly to your ability to detect or prevent a material misstatement. Some do, in fact, directly influence that ability, but without the level of precision that would allow you to cut back on testing other controls.
Look at entity-level controls. If they can be tested and shown to be both operating and designed effectively, you can minimize the amount of testing you have to do at the process or transaction level.
Others, however, will do a more than adequate job of helping you prevent or detect misstatements to one or more relevant assertions.
By appropriately allocating the energy you spend on these three types of controls, Powers says you’ll enjoy the efficiency advantages of a top-down risk-based approach.
Also speaking on the SOX webinar panel was Richard Arthurs, VP of Risk Management and Chief Audit Executive at Altalink, one of Canada’s largest power transmission companies.
Arthurs gave tips on how to implement a top-down, risk-based approach.
Top-down, risk-based may seem daunting at first, but the benefits speak for themselves: