ICFR Deficiency Rates Rising, Risk Management in Focus


Cause for concern? Maybe.

Case for action, definitely.

Inspections are finding “a troubling increase” in audit deficiency rates.

External auditors of public companies are being challenged to do a better job of scrutinizing financial statements.

The PCAOB and the Securities and Exchange Commission (SEC) are urging more focused action.

Insufficient audit evidence was obtained to support auditors’ opinions in 40% of inspected audits in 2022, the most recent year published. During the 2021 inspection cycle, the deficiency rate was 34%, up from 29% in its 2020 inspections.

  • The area with the highest deficiency rate for Internal Controls over Financial Reporting (ICFR) is the testing of management review controls.
  • The second highest deficiency rate was in the identification and selection of controls to test.
  • The third highest was the completeness and accuracy of information used in the operation of the control.

A timely warning.

At the same time, I was reflecting on the words of the venerable risk management commentator, Norman Marks.

“Reasonable assurance” and “professional judgement” in considering risks to enterprise objectives.

Norman describes the three times when this consideration needs to take place:

  1. In assessing management’s processes for identifying, evaluating, assessing, and then addressing individual and aggregate risk to enterprise objectives. Both the overall risk management program and the risks arising from business processes and functions, the external context or environment, information security and cyber, et al.
  2. In the development and maintenance of the continuously updated audit plan and the actual or potential sources of risk that should be included in the scope.
  3. In considering risks to enterprise objectives arising from a deficiency in internal controls (either in their design or operation) identified in an audit.  

The three are closely related but the last is the one that most closely affects the SEC and PCAOB concerns above.

Norman argues that “reasonable assurance” must be based on “professional judgment”.

Management and internal audit should focus on those areas where there is at least a reasonable possibility that a failure of internal control would result in an unacceptable risk to enterprise objectives.

Internal control deficiencies should be evaluated in the same way.

This may result in reducing the number of controls, whilst enhancing focus on the most significant risks.

Maybe time for some “controls rationalisation” based on the “Disk of Risk” . . .

You can read the article, by Soyoung Ho of Thomson Reuters, that sparked my interest here . . .

You can read Norman’s article here . . .

Thanks for reading . . . .