Reflecting on the SEC Statement from August

“We are troubled by instances in which management and auditors appear too narrowly focused on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.”

In an August statement by Paul Munter, Chief Accountant, the SEC came out, rather boldly, and declared that auditors and management need to be more focused on those “entity-level issues” that impact financial reporting. But what does that mean?

At Internal Audit Next, we believe that is the SEC saying that they expect Internal Audit teams, Boards, and Risk Management functions to be more focused on what matters when it comes to running public companies and that the lines of defense — all of us in the Audit/Compliance space — need to start asking the hard questions. Those big questions that should be regularly asked of management. You know, the ones that management doesn’t want GRC functions, especially Internal Audit, to ask. As we look ahead to 2024, we think greater emphasis — and scrutiny — will be placed on the role of Audit, Compliance, and Risk Management functions as well as management and, most importantly, corporate boards.

Don’t take our word for it; here is what the SEC said in its statement:

“This statement discusses management’s obligation to (1) take a holistic approach when assessing information about the business and avoid the potential bias toward evaluating problems as isolated incidents, in order to timely identify risks, including entity-level risks; (2) design processes and controls that are responsive to identified risks; and (3) effectively identify information that issuers are required to communicate to investors.”

The SEC goes on to point out that they see:

“auditors’ responsibilities as gatekeepers to hold management accountable in the public interest.”

What does that mean to you, the Audit professional and board member? Here is our take:

  1. Risk landscapes and profiles are changing more quickly than ever. The SEC points this out in the statement: “Changing economic conditions may have a significant and sudden impact on an issuer’s business, which could change risks or create new ones.”

  2. Risk assessment needs to move beyond the check-the-box exercise it has become in many companies, where the Enterprise Risk Management function sends out a survey, has a few meetings, produces a deck, and calls it a day.

  3. Internal Audit and Enterprise Risk Management (ERM) functions will be asked if they understand the business objectives and strategies, along with how they vector against the risk landscape/profile. This is something we at Internal Audit Next see as a weak spot in many companies.

  4. The SEC puts it best when they say, “Risk assessment forms the basis of the audit process.” More importantly, deep dives into risk within a company, what it means to the business on different time horizons, and what internal teams are doing about it are going to be critical. 

  5. Again, using the SEC’s words here: “A lack of professional skepticism, including objective consideration of contradictory information, in this critical process (Auditing) could result in an auditor not identifying or assessing risks appropriately.” We are calling this out because we interpret this to mean what we feel strongly about here at Internal Audit Next: Internal Audit needs to be seen as a healthy challenge function within the business. Period. Management needs to embrace that notion and welcome Internal Audit into every aspect of business operations.

  6. It is essential for corporate boards to be plugged into all aspects of the enterprise risk management process and be closely aligned with their Internal Audit teams to make sure that management is being challenged regularly. An uninformed board cannot ask the right questions of management.

The SEC beautifully sums up the statement with the words (while quoting Chair Gary Gensler):

“there’s a basic bargain in our capital markets: investors get to decide what risks they wish to take while [c]ompanies that are raising money from the public have an obligation to share information with investors on a regular basis. Timely and transparent reporting by management, and informative, accurate, and independent reports by auditors, are critical components of the system that help companies maintain their end of the bargain—their commitment to provide high quality financial information and information about the effectiveness of their ICFR to investors.”

Enough said. We believe 2024 is going to come with even greater emphasis on the role of compliance, governance, and assurance. So enjoy your New Year’s celebrations and then get to work!

Internal Audit Next Founding Team

Copyright 2023 - Internal Audit Next, All Rights Reserved
