Checking risk oversight can inform audits
Enterprisewide risk management systems have expanded greatly in recent years, primarily as a tool to help management and the board proactively deal with emerging risks. While the entity’s approach to managing many of the risks on the horizon for the organization encompass all kinds of risks, management’s overall attitude and investment in managing risks of any type may provide the auditor with a rich perspective about management’s attitude toward risk taking and the organization’s overall risk culture. These elements ultimately may affect management’s level of investment in processes surrounding risk assessments related to financial reporting.
A lack of executive–level acceptance of the importance of managing enterprisewide risks may signal a lack of commitment to managing risks more narrowly related to financial reporting. Some auditors may believe that understanding management’s broader approach to managing enterprisewide risks may be interesting but not relevant to financial statement audits. For instance, risks such as competitor moves, disruptive innovation, shifts in customer demographics, talent concerns, or the impact of geopolitical events, may seem outside accounting processes and internal controls that encompass the financial reporting process.
That may be somewhat shortsighted. Weak management commitment to addressing risks in general may be an indicator of management’s focus on financial reporting risks as well. Thus, an organization’s enterprisewide approach to risk management may provide auditors with information that is valuable in the audit process.
Learning about a client’s enterprisewide approach to risk management, who is involved, the kinds of business risks identified and prioritized by management as part of that process, how management is overseeing the entity’s response to the top risk concerns, and the board’s oversight of management’s risk–taking actions can provide rich insights for the auditor’s consideration of the entity and its environment, including internal controls, that is required in every audit. This understanding may reveal insights about key business risks and contain insights about management’s risk assessment component of internal control that would be important to the auditor’s assessment of the risks of material misstatement when planning the audit of the financial statements.
The following sections describe considerations that might provide insights for auditors about the entity’s commitment to risk assessment effectiveness.
Without someone or some group of individuals explicitly focused on designing and implementing a risk management process to be applied across the enterprise, an entity’s approach to risk oversight is likely to be ad hoc and insufficient to effectively monitor the volume and complexity of risks. Thus, evaluating whether the organization has selected a leader of the risk management process may be one of the first considerations auditors want to make.
Some organizations have appointed individuals to serve as chief risk officers (CROs), or in positions with equivalent responsibilities, to facilitate the launch and coordination of the ongoing risk identification and reporting processes. Just under half of organizations in an AICPA/North Carolina State University survey indicate that they have designated an individual to serve as the CRO or equivalent, and that percentage increases to 63% for public companies (see the chart, “Organizations With CRO or Risk Committee”).
Organizations with CRO or risk committee
Some organizations are also creating management–level risk committees that consist of a number of the entity’s key business unit leaders who meet regularly to discuss ongoing risk issues. In fact, 59% of entities surveyed have a management–level risk committee, with that increasing to 83% for publicly traded companies.
Auditor inquiries of individuals in these leadership positions may provide insights as to the robustness of management’s risk assessment processes and deeper understanding of some of the most important risks on the horizon for the entity. Inquiries of CROs or equivalents may provide important information about the design of the entity’s risk management process and the level of executive commitment to that process.
Review of agenda materials and minutes from meetings of the management–level risk committees and discussions with risk committee members may provide rich perspectives that help strengthen the auditor’s understanding of the business and industry and the associated challenges (e.g., risks) most on the minds of executives. That perspective may increase the richness of the auditor’s information sources used to assess the risks of material misstatement to the financial statements, in addition to helping provide input into the auditor’s consideration of the entity’s risk assessment component of internal control.
The second principle related to the risk assessment component in COSO’s Internal Control — Integrated Framework states that “[t]he organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” That principle implies that there should be some kind of structured approach used to engage management in the identification and assessment of risks.
Understanding the process used by management to identify risks across the enterprise is critical to the auditor’s evaluation of the above principle related to the risk assessment component. For some organizations, the risk identification process is well–defined, whereby key members of management are engaged annually in activities to help identify future risks. The AICPA/N.C. State research finds that about 75% of entities surveyed engage management at least annually in processes to update their inventories of key risk information.
Auditors may want to pay particular attention to organizations that lack a clear and structured approach to regularly engage management in considering risks. An ad hoc, unstructured, or nonexistent approach to risk identification may lead auditors to question whether there is a sufficient “tone at the top” regarding risk management.
Information about the techniques used to engage management in a risk identification process, who among management is involved in that process, and how frequently it occurs may offer important insights about the viability of management’s risk assessment process.
The purpose of engaging management in risk identification tasks is to ultimately help the organization’s leaders pinpoint the most significant risks likely to affect the achievement of objectives. Understanding the risks generated by that process helps auditors understand the nature and extent of risks most on the minds of management.
Management’s identification of top risks will contain some that are not directly related to the risk of material misstatement in the financial statements. But evaluating top risks is likely to inform auditors about important internal and external factors that might affect the entity’s business model or the success of its strategic plan. That information may, in turn, identify potential pressures on management that could ultimately increase the risk of material misstatement, including the risk of fraud.
Organizations generally report between five and 20 key risks annually to the board of directors. Usually, that information is presented to either the full board of directors or one of its committees, often the audit committee. A number of entities are creating standardized “risk profile” documents in the board’s premeeting reading materials that provide an overall profile of each risk presented to the board. Those profiles often include an overview of the risk concern, its likelihood of occurrence and impact to the organization, how the organization is responding to each risk and the adequacy of each of management’s responses to the risks, and metrics management is using to monitor each risk over time.
Information from management’s risk assessment processes, including risk profiles or other risk reports, may be particularly useful as an input for the required “brainstorming” discussions among the engagement team about the risks of material misstatement, including fraud risks.
While the board of directors is ultimately responsible for the oversight of top risks, it often assigns responsibility for understanding and approving management’s risk management process to a committee. For most entities, the audit committee assumes this responsibility. This is largely because 2004 NYSE Corporate Governance Rules mandate that the audit committee oversee the process of evaluating management’s “risk assessment and risk management processes.” Some entities, especially large banks and insurance companies, are creating board–level risk committees that assume this oversight role because of requirements of the Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010, P.L. 111–203.
Following the initial presentation of top risks, boards of directors often map each of those top risks to agendas for future board or committee meetings to ensure that the board has a sufficient understanding of the top risks and that it stays focused on them throughout the year. Auditors may benefit from understanding how the board allocates responsibility for overseeing management’s risk management processes and how those committees assess the effectiveness of those processes. While minutes of these committee meetings may provide helpful information, auditor discussion with committee chairs or other members of the committee and auditor review of committee meeting packets and minutes may be especially informative about the robustness of the entity’s overall control environment and risk assessment processes. Review of this information might signal the effectiveness (or lack thereof) of the overall governance process.
Some organizations are appointing different members of management across the enterprise to serve as “risk owners” for each of the top 10—20 risks presented to the board. Risk owners are responsible for conducting thorough analysis of their assigned risk to understand root–cause drivers of the risk and to assess the adequacy of the entity’s response to each risk to prevent its occurrence or to minimize its impact. Risk owners are often the ones responsible for updating senior management and the board about the current and expected state of their assigned risk. Understanding whether and how management has established accountabilities for managing key risks will provide a signal about the robustness of its focus and attention to risk oversight. If no one is deemed responsible for top risks, how effective are responses to risks likely to be?
As entities strengthen their overall enterprisewide risk management processes, many are enhancing their dashboard reporting systems to include metrics that help management monitor shifts in emerging risk exposures. These metrics are generally referred to as key risk indicators (KRIs), which may be based on internal or external factors associated with each emerging risk. For example, retailers might be tracking shifts in customer demographics that suggest a migration toward more urban living, for a retailer to forecast future new store locations.
The presence of KRIs on management dashboards may help auditors in planning or analytical procedures, in addition to insights they may provide as part of the analytical procedures performed in the final stages of the audit. KRIs often are based on nonfinancial information, and therefore, they may provide additional opportunities for the auditor to develop expectations about financial statement balances or trends over time.
The rapidly evolving risk landscape is placing a spotlight on the role of risk assessment as it relates to internal controls. While management’s process for identifying and assessing risks is likely to go well beyond the risks of material misstatement in financial statements, auditor consideration of a number of aspects of those processes may help an auditor assess risks to the audit (see a summary of those considerations in the sidebar, “Factors to Consider”). Not investing time to understand and evaluate a client’s overall process for managing risks affecting the enterprise may lead to an insufficient understanding of the effectiveness of management and board risk oversight, but it may also cause the auditor to overlook key business risks that may impact financial reporting. Why take that risk?
Enterprisewide risk management systems have expanded greatly in recent years, primarily as a tool to help management and the board deal with emerging risks. Rather than treat the enterprisewide risk management system as something beyond the auditor’s purview, financial statement auditors may want to consider how information from and about the risk management process might enhance their audit processes.
Has the organization selected a dedicated leader to oversee the design and implementation of an enterprisewide risk management process?
What process does management use to identify risks?
What is the nature of risk information reported to top management and the board?
How effective is the board’s oversight of the risk assessment process?
How effective is management’s information system for monitoring top risks?
In summary, what external audit implications about the entity’s risk assessment process can be derived from the aggregation of responses to these (and other) questions?
About the author
Mark S. Beasley, CPA, Ph.D., is the Deloitte Professor of Enterprise Risk Management and director of the ERM Initiative at North Carolina State University in Raleigh, N.C.
To comment on this article or to suggest an idea for another article, contact Neil Amato, a JofA senior editor, at Neil.Amato@aicpa-cima.com or 919-402-2187.
For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.
Research & References of Checking risk oversight can inform audits|A&C Accounting And Tax Services