September 1, 2018
Published: Journal of Accountancy
By Mark Beasley, CPA, Ph.D.
A strong or weak commitment to addressing enterprisewide risks may be an indicator of management’s focus on financial reporting risks.
Enterprisewide risk management systems have expanded greatly in recent years, primarily as a tool to help management and the board proactively deal with emerging risks. While the entity’s approach to managing many of the risks on the horizon for the organization encompasses all kinds of risks, management’s overall attitude toward, and investment in, managing risks of any type may provide the auditor with a rich perspective about management’s attitude toward risk taking and the organization’s overall risk culture. These elements ultimately may affect management’s level of investment in processes surrounding risk assessments related to financial reporting.
A lack of executive-level acceptance of the importance of managing enterprisewide risks may signal a lack of commitment to managing risks more narrowly related to financial reporting. Some auditors may believe that understanding management’s broader approach to managing enterprisewide risks may be interesting but not relevant to financial statement audits. For instance, risks such as competitor moves, disruptive innovation, shifts in customer demographics, talent concerns, or the impact of geopolitical events may seem outside the accounting processes and internal controls that encompass the financial reporting process.
That may be somewhat shortsighted. Weak management commitment to addressing risks in general may be an indicator of management’s focus on financial reporting risks as well. Thus, an organization’s enterprisewide approach to risk management may provide auditors with information that is valuable in the audit process.
Learning about a client’s enterprisewide approach to risk management, who is involved, the kinds of business risks identified and prioritized by management as part of that process, how management is overseeing the entity’s response to the top risk concerns, and the board’s oversight of management’s risk-taking actions can provide rich insights for the auditor’s consideration of the entity and its environment, including internal controls, that is required in every audit. This understanding may reveal insights about key business risks and contain insights about management’s risk assessment component of internal control that would be important to the auditor’s assessment of the risks of material misstatement when planning the audit of the financial statements.
The following sections describe considerations that might provide insights for auditors about the entity’s commitment to risk assessment effectiveness.
– Who Leads the Risk Management Process?
– What Is the Risk Identification Process?
– What Type of Risk Information Is Reported?
– How Effective Is Board Oversight of Risk Assessment?
– How Effectively Is Management Monitoring Risks?
– Aggregating Insights for an Auditor’s Assessment