In Issue 7 of Volume 2 of The Bulletin, we discussed the audit committee agenda over the next 12 months. We also indicated that the subsequent four issues would expound on topics germane to that agenda. This issue of The Bulletin, the last of a succession of four issues following Issue 7, addresses the process of understanding and continuously evaluating an organization’s financial reporting risk profile (FRRP), and why this process is important to senior management and directors.
These are risky times
When significant financial reporting issues arise, in many cases executives and directors have little advance warning. Even regulators are rarely more prescient when it comes to anticipating the next financial reporting meltdown. Prescriptive measures, such as those required by the Sarbanes-Oxley Act of 2002, often have been reactive remedies trailing the financial reporting disasters of the day. Recent Financial Accounting Standards Board (FASB) developments with respect to “principles-based” accounting rules (which are intended to make reporting more transparent for investors, but are not necessarily easier for preparers to generate) and fair-market accounting valuations (which will involve a higher level of subjectivity than the traditional historical cost model), as well as increasingly stringent filing deadlines mandated by the Securities and Exchange Commission (SEC) for large accelerated filers, are likely to further complicate the financial reporting process.
To surmount these ever-expanding challenges, companies need to work in an anticipatory mode to get out in front of financial reporting issues before they become reputation threatening. The FRRP is a proactive approach to identifying financial reporting issues and managing them to head off financial statement restatements before they occur, thereby enabling management to better focus efforts on more important matters and reduce reputation risk to an acceptable level.
A focus on the internal control environment
In its interpretive guidance approved in May 2007, the SEC stated that certain financial reporting elements – such as those involving significant accounting estimates, related party transactions or critical accounting policies – generally would be assessed as having a higher risk for both the risk of material misstatement to the financial reporting element and the risk of control failure. The Public Company Accounting Oversight Board (PCAOB) stressed similar guidance to external auditors in its revisions to Auditing Standard No. 2. The point is this:
When the controls related to these financial reporting elements are subject to the risk of management override, involve significant judgment or are complex, they generally should be assessed as having higher internal control over financial reporting (ICFR) risk. This is the underlying premise of an FRRP: Do management and the audit committee know where the “soft spots” are with respect to the company’s financial reporting? The pitfalls associated with consistently achieving accurate and reliable financial statements are too numerous not to review for soft spots from time to time.
An effective FRRP focuses on six areas: (1) accounting principle selection and application, (2) estimation processes, (3) related party transactions, (4) business transaction and data variability, (5) sensitivity analysis, and (6) measurement and monitoring. These areas are discussed further below. The objective of an FRRP is to identify the most likely areas of potential misstatements so that the appropriate oversight and control can be established to reduce financial reporting risk to an acceptable level.
Accounting principle selection and application
ICFR includes controls over the selection and application of appropriate accounting policies. According to the SEC, these policies are the ones that are “most important to fair financial statement presentation, and require management’s most difficult and subjective judgments. These judgments are often a result of having to make estimates about the effect of matters that are inherently uncertain.” Controls over these policies are integral to the company’s period-end financial reporting process and disclosure controls and procedures because they ensure that the company is using appropriate accounting policies, has communicated its accounting policies throughout the organization, and is applying the selected policies appropriately and consistently from period to period.
Now more than ever, organizations continually are being bombarded with new accounting mandates from multiple sources spanning a wide spectrum of topics, ranging from tax accounting to revenue recognition to inventory/cost of sales considerations. The application of accounting principles, and the ongoing guidance provided to companies toward achieving proper application, has touched on every aspect of the financial reporting process, e.g., the timing of transactions, the amount to be booked and the geography of the presentation in the statements. The increasing complexity of this environment drives the need for a risk-based process to sharpen management’s focus when evaluating ICFR.
An FRRP identifies the risks related to (a) the nature and types of accounting policies, (b) the nature and types of accounts and transactions, (c) unique industry issues, and (d) unusual business relationships (such as vendor/customer alliances and related party transactions). A comprehensive mapping of current financial reports to the corresponding financial reporting standards, along with an assessment of the cumulative exposures associated with specific accounting and reporting requirements, would better equip executives and directors in understanding and managing their companies’ financial reporting risks. For example, in the area of revenue recognition, there are “generic” rules for the timing of revenue recognition (including specific rules for different kinds of revenue streams), as well as fact-based and industry-specific rules regarding presentation, e.g., the inclusion (or not) of reimbursed expenses in the revenue line and gross versus net treatment of distribution arrangements, chargebacks and rebates.
When evaluating ICFR, a risk-based approach allocates more effort to financial reporting areas requiring significant accounting estimates or assumptions. According to the SEC, these estimates or assumptions are significant when their nature is material “due to the levels of subjectivity and judgment necessary to account for highly uncertain matters or the susceptibility of such matters to change; and the impact of the estimates and assumptions on financial condition or operating performance is material.” Because of their subjective nature, the estimates inherent in the financial reporting process are some of the most easily manipulated (and more readily second-guessed) components of financial statements. Accordingly, the controls in this area are subject to increasing scrutiny by the external auditors, as well as by regulators.
With continued FASB momentum toward principles-based and fair-value accounting, financial reporting preparation likely will become even more judgmental in the future, as well as more susceptible to exploitation and override, with differing views possible among reasonable men and women as to the ranges of the value and likelihood of potential future outcomes. Consequently, it is imperative that management and the audit committee understand the extent to which key estimates affect the consistency and reliability of reported earnings, and where the company sits within the acceptable range of estimates. Whether management is very aggressive or ultraconservative, or somewhere in between these two extremes, should be an important discussion topic for audit committees, management and external auditors.
An FRRP identifies the processes for evaluating and updating estimates, provides insights as to the quality of the underlying data supporting those estimates, and summarizes the business drivers that could cause variability in that data. By tracing the lineage from estimate to supporting data to related business and economic activity, an FRRP allows management to better determine if their estimates and assumptions are being applied consistently over time or are improperly influenced for inappropriate reasons. The profile also can be used to evaluate the sensitivity of different estimates on the achievement of management incentive targets.
To illustrate, a new accounting pronouncement, FASB Interpretation No. 48 (FIN 48), requires different accounting and disclosures for “uncertain tax positions,” leading companies to assess, or reassess, how they have accounted for income tax benefits and liabilities in instances where the tax regulations are unclear, subject to interpretation, or at risk of audit. Under FIN 48, companies must use estimation methods, which may differ from the processes or evaluative criteria that they have been using for years. They also must disclose, in the footnotes, much more information than had been required previously. An FRRP would focus on the data requirements and other factors influencing these estimates.
Related party transactions
While related party transactions are common in business, it is important to understand that they are often the root of major financial scandals. When parties are not independent of each other, the traditional checks and balances do not function as effectively, if at all. Therefore, these types of transactions require special attention because they present greater risk. In particular, the risk is as much about what is, as it is about what is not, disclosed and reflected in the financial statements and footnotes.
An FRRP identifies the nature and effect of related party transactions, and evaluates the adequacy of their identification, tracking, accounting and disclosure in the financial statements. It also provides an objective view of potential trouble spots in accounting for, reporting of and disclosing such transactions for senior management and the audit committee to consider.
Business transaction and data variability
Companies need to stay on top of trends affecting accounting estimates and the implementation of accounting principles. In particular, companies need to focus on trends affecting the industries in which they operate and the prevailing winds of the marketplace. Specific business transactions – from sales and purchase agreements to acquisitions and divestitures – present unique challenges to companies as they strive to identify the applicable accounting and reporting conventions, and properly apply those conventions once identified.
An FRRP considers potential changes in the operating environment and possible management decisions on the horizon, as well as how the company is prepared to address these changes and the related impact on financial reports. Financial reports will only be as good as the data supporting them. Unreliable or inconsistent data flowing through even the best theoretical accounting principle framework will lead to errant financial reporting. To the extent that different systems, sources and alternative uses of data (such as reports prepared for “management reporting” versus those prepared for “financial reporting”) exist, an FRRP will help management and the audit committee assess whether or not that information is provided and evaluated appropriately to ensure that accounting standards are applied accurately and consistently.
The current accounting guidance is voluminous. Often, there are one or more permitted alternatives to the prescribed accounting treatment for a business transaction. In addition, there may be differing views on which alternatives to apply or how to apply them. The degree of judgment and subjectivity in applying an accounting principle also can provide a range of alternative financial reporting outcomes.
In situations where there are alternatives to selecting standards, a financial reporting risk profile highlights the alternatives that may apply. Similarly, where those alternatives could lead to a material impact on operating results, an FRRP will highlight those impacts and shed light on how the outcome of those deliberations and calculations could affect executive compensation, targeted performance, debt covenants and other key variables. The more senior management, the board and its committees know about what motivates decision-making, the better positioned they are to monitor the effectiveness of ICFR.
Measurement and monitoring
As the management maxim goes, “You can’t manage what you don’t measure.” As noted earlier, an FRRP provides management with needed insights about the potential “soft spots” within the organization’s financial reporting. For example, an effective profile identifies areas where:
- There may be “disconnects” between the activities of the company’s operating personnel and the finance function’s understanding of those activities and how they affect the financial statements.
- The documentation of both the rationale and approach to the accounting for a particular area is insufficient to support the external audit process and ensure repeatability over time in the event of changes in personnel, even though accounting rules are currently being applied appropriately.
As a business evolves, operating personnel may not understand clearly their role in financial reporting. In other words, they may not understand the impact of the information generated by their work on financial reports – especially as new revenue streams, joint ventures and the like impact the company. For instance, many companies have experienced issues around revenue recognition because of the language used by their sales force in sales contracts or related side agreements. Still others have had issues with accounting for joint ventures and the related party transactions resulting from those ventures. In other cases, accounting rules could change, requiring changes to the source or flow of information from operations to the finance function. The previously mentioned need for more data regarding uncertain tax positions is just one example. The need for a company’s human resources department to track statistics on exercises and forfeitures of equity awards to meet the ongoing requirements of new accounting and reporting rules for stock options is yet another example.
The insights provided by an FRRP support a more focused oversight and control framework that measures and monitors sensitive financial reporting areas, as the organization matures and the applicable accounting standards inevitably change. The profile can be used by management as a means of monitoring the applicability of existing standards, the potential impact of new standards, and the potential impact of impending transactions. Management also can use these insights to identify areas where the flow of data between business units and functions can be streamlined and improved, resulting in more cost-effective business processes, and increased controls automation and efficiency. Operational management then can focus on decision-making, and financial reporting management can focus on preparing external reports – both with the same information – and reduce the likelihood of material errors associated with costly manual data flows and controls.
The following are several steps for conducting an initial FRRP:
- Begin with the scoping documents driving your ICFR evaluation. These documents prioritize the financial statement captions, footnote support and relevant financial reporting assertions. Because the recently approved SEC guidance and PCAOB standard will have companies and their external auditors applying a top-down, risk-based approach when scoping and executing their Section 404 evaluations, the ICFR evaluation documentation provides valuable context for the FRRP. Not only does their use ensure management doesn’t have to “start from scratch,” a completed FRRP is a great way to kick-start a reassessment of the Section 404 scoping process because it points to the areas with the greatest inherent risk of material misstatement.
- Inventory your key financial elements and, for each, ask appropriate questions. For example, do we have a clear understanding of the critical issues and the accounting principles which apply? Should there be policy or process documentation addressing these issues? Does this documentation exist (i.e., is there a white paper or an issues summary)? If so, is the documentation sufficiently robust to address current needs? Is it flexible enough to accommodate future changes?
- With the “issues documentation” in hand, consider additional assessments. If there are any SEC comment letters, where have the questions been focused? If there are management letters from the external auditor, where have the findings been focused? Have underwriters and analysts raised any questions requiring attention? Are there any pipeline issues driving changes to the business model or accounting rules?
- Address any remaining gaps and unresolved questions. Do the required fact gathering and analysis close the gaps?
The FRRP is not another “one-off” assessment. Therefore, it should be updated periodically for change.
Financial reporting is not an exact science
Updated periodically, the FRRP strips away the “black box,” and makes transparent the drivers and magnitude of financial reporting risks for all to see. A robust FRRP creates awareness of the drivers of earnings variability, provides a sensitivity assessment of financial estimates and the underlying data, identifies financial reporting exposures and regulatory trends within the industry, proactively evaluates the reliability of estimation processes, and ensures consistency in the application of accounting standards – all of which lead to the strengthening of ICFR and improving the overall quality of financial reporting.
Key Questions to Ask
Key questions for board members:
- Are you confident that senior management is fully equipped – with internal and external resources and the appropriate tools – to monitor the financial reporting areas that are highly susceptible to changes in environmental factors, such as technological or economic developments?
- Has the audit committee endeavored to understand the most sensitive financial reporting risk areas? Is a financial reporting risk profile documented periodically in a manner to facilitate identification of the significant risk areas? Is the profile discussed with senior management and the external auditor to obtain their perspectives concerning significant accounting estimates, critical accounting policies and other matters?
Key questions for management:
- Has your organization experienced any of the following during the last 18 to 24 months, indicating that a financial reporting risk profile would likely yield benefits in the form of increased transparency and decreased complexity in financial reporting practices:
  - Sensitive areas presenting a risk of a possible restatement in previously issued financial reports?
  - Identification of any significant financial reporting misstatements and/or significant deficiencies or material weaknesses in ICFR?
  - Initiatives planned or underway to improve the cost-effectiveness and sustainability of ICFR?
  - Significant mergers or acquisitions?
  - New and/or impending regulations and/or technical GAAP standards relevant to your organization’s operations?
  - Significant shifts in key trends in your company’s predominant industry?
- Has your organization experienced recent changes in executive and/or financial leadership? Has it experienced recent changes in, or rotation of, its external auditor, or changes in the engagement partner of the same audit firm? If so, would a financial reporting risk profile facilitate the “fresh look” at financial reporting practices that often results from such changes?
The Bulletin (Volume 2, Issue 11)