On Aug. 25, 2023, Paul Munter, the Chief Accountant of the U.S. Securities and Exchange Commission (“SEC”), issued a Statement (the “Statement”) titled “The Importance of a Comprehensive Risk Assessment by Auditors and Management” in which he wrote:
“[W]e are troubled by instances in which management and auditors appear too narrowly focused on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls” (par. 1).
First, it may be well to consider what an auditor does. As set out in Steven Bragg, CPA’s “Auditor Definition” on his site Accounting Tools:
“An auditor is an individual who examines the accuracy of recorded business transactions. Auditors are needed in order to verify that processes are functioning as planned, and that the financial statements produced by an organization fairly reflect the operational and financial results” (par. 1).
Similarly, the SEC said the following in a June 24, 2002 Investor Publication:
“An auditor is an independent certified public accountant who examines the financial statements that a company’s management has prepared. …. [An] auditor examines the company’s financial statements and provides a written report that contains an opinion as to whether the financial statements are fairly stated and comply in all material respects with [Generally Accepted Accounting Principles] GAAP” (par. 2-3).
The SEC’s lengthy Regulation S-X outlines how financial information about a company should be recorded and reported. That guidance is built upon using GAAP, the set of principles promulgated by the Financial Accounting Standards Board and reinforced for auditors examining public company financials by standards adopted by the SEC’s accounting affiliate, the Public Company Accounting Oversight Board (“PCAOB”). The complex interaction and application of this guidance should not be undertaken without lengthy training and continuing education, as reflected in several of my previous blogs, including:
Now comes the SEC’s Chief Accountant, who states that he and the Staff of the Office of Chief Accountant (see footnote 1 of the Statement) are “troubled” that auditors have been “too narrowly focused,” and asserts:
“When business risks change, a robust, iterative risk assessment process and strong entity and process-level controls are essential to transparent and high-quality financial reporting” (par. 13).
In his Statement, he reminds auditors, as well as public company management, to:
avoid the potential bias towards evaluating problems as isolated incidents, in order to timely identify risks, including entity-level risks;
design processes and controls to identify those risks; and
also identify for management the resulting information that must be disclosed to investors.
In effect, the Statement directs auditors to double-check the risk assessments required to be made by public company management, as part of management’s disclosure obligations to investors, to see if management has missed or misstated something. To that end, auditors are to:
“remain alert” to changes in management’s strategies, and to the risks of the business;
consider the impact of management’s disclosures about changes in strategies and business risks; and
evaluate the level of consistency of management’s disclosures with the information the auditor learns in performing the audit.
The Statement stresses the auditor’s obligation to assess the adequacy of management’s system of internal controls used in creating financial report information. To this end, auditors are exhorted to avoid “confirmation bias,” which would tend to accept management’s explanations of anomalous results, rather than maintaining a requisite level of “professional skepticism.” Here a treatise on General Psychology is used as a basis for the Statement’s warning. Considering this risk, the Statement requires auditors to “include objective consideration of contradictory information.” This exercise is intended to avoid “defaulting to an assessment of narrowly-defined, process-level deficiencies...” Rather, “auditors’ aggregation analysis should consider the root cause of individual control deficiencies, to determine whether such deficiencies indicate a broader, more pervasive deficiency at the entity-level.” Further, the Chief Accountant urges auditors to consider the so-called “could factor,” or the “magnitude of potential misstatement,” which could lead to a cascade of more misstatements or non-disclosures.
A key to understanding this Statement and the reason for its issuance now may well lie in the repeated term “entity-level” and the insistence on “holism.” One might speculate that an auditor for a buggy whip manufacturer in the late 19th and early 20th century might ask management whether it thought that some disclosure about the growing industry of combustion engine vehicles warranted mention as an entity-level risk. Similarly, one might wonder what risk disclosures about the development of electric-powered vehicles might now warrant comment by an automobile manufacturer, including risks relating to the necessity of recharging stations throughout the land, the availability of certain components necessary for battery manufacture, and the capacity of the nation’s electrical power system both to generate the needed power and to distribute it. But none of those things are expressly required for audit comment under the detailed and complex audit principles and procedures noted above. Nor are auditors specifically trained to identify and elucidate such “risks.”
It may not be solely a coincidence that the PCAOB has recently proposed that auditors of public companies be required to “identify material legal and regulatory compliance risks in the clients’ businesses,” according to Fried Frank Shriver Harris & Jacobson, LLP. The blog notes that “[u]nder the proposal, auditors would be required to identify laws and regulations for which noncompliance would create a material risk” and then discusses whether non-compliance has occurred while “[t]he SEC seems to be pushing accountants to develop standards to climate issues and other ‘non-traditional financial information.’” The law firm continues to claim that “[a]uditors straining to perform their existing obligations should not be tasked with mastering whole new domains of expertise.”
Knowing that the House Financial Services Committee of the U.S. Congress has expressed opposition to the PCAOB proposal and that, as publicly reported, SEC climate disclosure proposals have been the subject of material and continuing criticism, might the SEC Chief Accountant in the Statement be attempting to reach a PCAOB-like result by issuing administrative “guidance,” without being subject to the procedural and substantive restraints of the Administrative Procedure Act with respect to official agency regulatory proposals?
On first reading, the Statement seems to be a modest exhortation to think “outside the box,” but on closer analysis the scope of territory “outside the box” is almost infinite. Thus, the Statement brings to mind the seminal work of the Anglican cleric, J.B. Phillips, whose book Your God is Too Small (1953) sought to find a way to encompass both believers and skeptics; a not erroneous description of responses to current climate change advocacy. The Statement, which is clearly intended to induce compliance by auditors of public companies, would, with its focus on second-guessing management and ensuring disclosure of matters of concern to investors, turn auditors into something similar to the Missi Dominici (envoys of the King) employed by Charlemagne in the 8th and early 9th centuries to rule his realm. As the Statement concludes:
“Auditors in their public gatekeeper role serve as an independent check on management’s performance of these critical functions and should transparently communicate with investors IN ACCORDANCE WITH PCAOB STANDARDS” (par. 13, emphasis added).
The Statement deserves scrutiny and careful evaluation and, perhaps, “professional skepticism,” before its “guidance” is accepted.
Assessment of risk is pertinent for companies and their shareholders to remain vigilant and open to their current and potential investors. Any attempt to omit any risks can easily be interpreted as a form of fraud or failure to communicate risks.