SEC’s Chief Accountant, Paul Munter, recently offered insights on how companies should reimagine risk assessment. In his address, ‘The Importance of a Comprehensive Risk Assessment by Auditors and Management,’ he highlights a concerning trend where management and auditors often focus primarily on data and risks directly influencing financial reporting and overlook entity-level concerns.

According to Munter, a more encompassing risk assessment approach is needed – one that takes into account the broader aspects of a company’s operations. He specifically expresses concerns regarding the tendency among management and auditors to isolate challenges rather than understand them in the broader context of the organization’s overall financial reporting risk profile or potential vulnerabilities in Internal Controls over Financial Reporting (ICFR).

Munter gives examples of the types of scenarios that are sometimes wrongly treated as stand-alone incidents. These include:

• A cybersecurity breach in a system not part of the ICFR, 
• Repeated regulatory findings related to non-financial reporting classified as low risk, 
• Adjustments to financial statements referred to as ‘r’ restatement, 
• A breach of counterparty risk limits.

Munter emphasizes the need for management and auditors to avoid evaluating such incidents individually without proper consideration of contradictory evidence. This, he argues, leads to an incorrect conclusion that such matters do not reach the threshold for management disclosure or auditor communication requirements.

Munter further provides an in-depth discussion on three major topics:

1. Risk Assessment: Munter underlines the need for companies to ensure their risk assessment process is sufficiently robust to identify and manage new or changing business risks. This is not just for internal controls but also public disclosures. He further advises auditors to consider any public statements that may be contradictory to management’s assessment of the control environment when conducting their risk assessments.

2. Entity-Level Controls: Here, Munter accentuates the role management should play in ensuring that the company has robust processes and controls. He encourages them to look beyond just those controls tied to financial reporting and speaks of the ‘could factor.’ This refers to the possibility that control deficiencies could affect a wide range of the company’s accounts or transactions.

3. Reporting Obligations: Munter stresses the need for companies to maintain transparency regarding their ICFR evaluations and changes in controls, as mandated by the SEC. This includes discussing any major factors that could render investing in the company speculative or risky. He further highlights the auditors’ role in communicating risk matters to shareholders and potential investors.

While Munter’s remarks are mostly aimed at management and auditors, audit committees should not overlook the insights that he imparts. His emphatic viewpoint suggests that the SEC advocates a panoramic approach to risk assessment. This is a point that audit committees might find useful to discuss with management and auditors, examining its potential impact on their respective risk assessment procedures.