As some companies revamp their approach to evaluating and reporting on their internal controls over financial reporting given the new, relaxed compliance guidelines from regulators, experts say one area that might warrant a fresh look is how a company selects its significant accounts.


While selecting significant accounts is only one of several crucial decisions companies must make for their Sarbanes-Oxley compliance processes, the selection of accounts (and the disclosures that accompany them) is considered paramount, since it affects the overall scope of the company’s evaluation of internal controls. The scoping question “has been what’s driving companies up a wall with SOX,” says Larry Raff, of KPMG’s 404 Institute.

Under the old SOX Section 404 rules and the now-defunct Auditing Standard No. 2, companies documented and tested countless controls, usually at the prodding of auditors who set their demands exactingly high. Compliance costs soared, corporate executives denounced SOX, and the Securities and Exchange Commission and the Public Company Accounting Oversight Board finally amended SOX compliance rules and scrapped AS2 altogether.


Jim DeLoach, managing director at consulting firm Protiviti, points out that the decisions companies must make about selecting significant accounts “aren’t new.” But “the way those decisions are reached is different” under the new Section 404 guidance adopted by the SEC in May that became effective in June.

Companies aren’t required to follow the SEC guidance. However, the SEC clarified that an evaluation of internal controls that complies with its guidance would satisfy its requirements—a tool companies can use to push back against auditors, should they ask for more extensive efforts.

Previously, DeLoach says, management selected significant accounts and financial reporting elements based on whether they exceeded a materiality threshold, regardless of risk, and then applied qualitative factors to elements below that threshold to determine whether they should be included in scope. He describes that technique as “quantitative first, qualitative additive.”

Under the risk-based approach called for in the SEC’s new guidance, DeLoach says, management must now simultaneously consider materiality and susceptibility to a material misstatement. Or as Raff puts it, companies should “look at risk first, and coverage second.” Previously, most companies looked at risk “second, if at all,” he says.

SCOPE EXCERPT

Below is an excerpt of the SEC guidance released in June for Section 404 compliance, focusing on how to identify significant risks to financial reporting.

Management uses its knowledge and understanding of the business, and its organization, operations, and processes, to consider the sources and potential likelihood of misstatements in financial reporting elements. Internal and external risk factors that impact the business, including the nature and extent of any changes in those risks, may give rise to a risk of misstatement. Risks of misstatement may also arise from sources such as the initiation, authorization, processing and recording of transactions and other adjustments that are reflected in financial reporting elements. Management may find it useful to consider “what could go wrong” within a financial reporting element in order to identify the sources and the potential likelihood of misstatements and identify those that could result in a material misstatement of the financial statements.

The methods and procedures for identifying financial reporting risks will vary based on the characteristics of the company. These characteristics include, among others, the size, complexity, and organizational structure of the company and its processes and financial reporting environment, as well as the control framework used by management. For example, to identify financial reporting risks in a larger business or a complex business process, management’s methods and procedures may involve a variety of company personnel, including those with specialized knowledge. These individuals, collectively, may be necessary to have a sufficient understanding of GAAP, the underlying business transactions and the process activities, including the role of computer technology, that are required to initiate, authorize, record and process transactions. In contrast, in a small company that operates on a centralized basis with less complex business processes and with little change in the risks or processes, management’s daily involvement with the business may provide it with adequate knowledge to appropriately identify financial reporting risks.

Management’s evaluation of the risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity (for example, fraudulent financial reporting, misappropriation of assets and corruption), and whether any such exposure could result in a material misstatement of the financial statements. The extent of activities required for the evaluation of fraud risks is commensurate with the size and complexity of the company’s operations and financial reporting environment …

Management should evaluate whether it has controls placed in operation (that is, in use) that adequately address the company’s financial reporting risks. The determination of whether an individual control, or a combination of controls, adequately addresses a financial reporting risk involves judgments about whether the controls, if operating properly, can effectively prevent or detect misstatements that could result in material misstatements in the financial statements. If management determines that a deficiency in ICFR exists, it must be evaluated to determine whether a material weakness exists.

Source: Securities and Exchange Commission (June 2007)

Among the factors DeLoach says companies should consider in identifying their significant accounts and disclosures:

Size and composition of the account;

Susceptibility to misstatement due to error or fraud;

Transaction volume and complexity;

Nature of the account or disclosure;

Accounting and reporting complexities associated with the account or disclosure;

Exposure to losses in the account, as well as to significant contingent liabilities;

Existence of related party transactions affecting the account.

In particular, he says the SEC guidance stresses the need to consider the risk of improper management override of controls, which is what caused so many of the high-profile corporate scandals earlier this decade. “That’s where the emphasis needs to be,” says DeLoach.

The SEC guidance even specifies that management should “recognize that the risk of material misstatement due to fraud ordinarily exists in any organization … One type of fraud risk that has resulted in fraudulent financial reporting in companies of all sizes and types is the risk of improper override of internal controls in the financial reporting process.”

Raff notes another reason companies should re-evaluate their processes to make sure they’re focusing on risk first: It could mean fewer deficiencies and lower costs.

A recent study by KPMG’s 404 Institute found that, among those surveyed, leading companies—defined as those with the lowest compliance costs, no material weaknesses or significant deficiencies, and no or low deficiency rates—“focused more on risk in their scoping decisions than on dollar value,” Raff says.

“Companies that applied a risk-based, top down approach and didn’t use coverage as their primary driver ended up having better outcomes,” he says. “That bodes well” for Auditing Standard No. 5, which replaced AS2 as a more risk-oriented standard for auditing internal controls.

For example, Raff says, compared with their peers, leading companies focused more on factors such as susceptibility to fraud, transaction volume, complexity of accounting principles, and the use of judgments and estimates than they did on coverage.

“Risk assessment is the lynchpin of the compliance program,” he says. “Using risk as a filter allows companies to focus on what’s most important.” Raff contends that large companies that have now endured three years of Section 404 compliance have primarily cut their compliance costs “by scoping out controls year-over-year.”

To lower costs going forward, he says, companies may need to change their approach. “Companies won’t be able to continue lowering their costs if they keep their compliance programs the way they are,” he says. “Risk assessment is an area that can help companies drive better outcomes.”