Enterprisewide risk management systems have expanded greatly in recent years, primarily as a tool to help management and the board proactively deal with emerging risks. Although the entity's approach to managing the risks on its horizon encompasses all kinds of risks, management's overall attitude toward, and investment in, managing risks of any type can give the auditor a rich perspective on management's appetite for risk taking and the organization's overall risk culture. Those elements ultimately may affect how much management invests in the processes surrounding risk assessments related to financial reporting.
Some auditors may believe that understanding management's broader approach to managing enterprisewide risks is interesting but not relevant to a financial statement audit. Risks such as competitor moves, disruptive innovation, shifts in customer demographics, talent concerns, or the impact of geopolitical events may seem to lie outside the accounting processes and internal controls that make up the financial reporting process.
That view may be somewhat shortsighted. A lack of executive-level acceptance of the importance of managing enterprisewide risks may signal a lack of commitment to managing the narrower set of risks related to financial reporting: weak management commitment to addressing risks in general may indicate a similarly weak focus on financial reporting risks. Thus, an organization's enterprisewide approach to risk management may provide auditors with information that is valuable in the audit process.
Learning about a client's enterprisewide approach to risk management (who is involved, the kinds of business risks management identifies and prioritizes, how management oversees the entity's response to its top risk concerns, and how the board oversees management's risk-taking actions) can provide rich insights for the understanding of the entity and its environment, including internal control, that the auditor is required to obtain in every audit. That understanding may reveal key business risks and offer insights into the risk assessment component of management's internal control, both of which are important to the auditor's assessment of the risks of material misstatement when planning the audit of the financial statements.
The following sections describe considerations that might provide insights for auditors about the entity's commitment to risk assessment effectiveness.
WHO LEADS THE RISK MANAGEMENT PROCESS?
Without someone or some group of individuals explicitly focused on designing and implementing a risk management process to be applied across the enterprise, an entity's approach to risk oversight is likely to be ad hoc and insufficient to effectively monitor the volume and complexity of risks. Thus, evaluating whether the organization has selected a leader of the risk management process may be one of the first considerations auditors want to make.
Some organizations have appointed individuals to serve as chief risk officers (CROs), or in positions with equivalent responsibilities, to facilitate the launch and coordination of the ongoing risk identification and reporting processes. Just under half of organizations in an AICPA/North Carolina State University survey indicate that they have designated an individual to serve as the CRO or equivalent, and that percentage increases to 63% for public companies (see the chart, "Organizations With CRO or Risk Committee").
[Chart: Organizations With CRO or Risk Committee]
Some organizations are also creating management-level risk committees that consist of a number of the entity's key business unit leaders who meet regularly to discuss ongoing risk issues. In fact, 59% of entities surveyed have a management-level risk committee, with that increasing to 83% for publicly traded companies.
Auditor inquiries of individuals in these leadership positions may provide insights as to the robustness of management's risk assessment processes and deeper understanding of some of the most important risks on the horizon for the entity. Inquiries of CROs or equivalents may provide important information about the design of the entity's risk management process and the level of executive commitment to that process.
Review of agenda materials and minutes from meetings of the management-level risk committee, and discussions with committee members, may provide rich perspectives that strengthen the auditor's understanding of the business and industry and of the risks most on the minds of executives. That perspective may enrich the information sources the auditor uses to assess the risks of material misstatement to the financial statements, in addition to providing input into the auditor's consideration of the entity's risk assessment component of internal control.
WHAT IS THE RISK IDENTIFICATION PROCESS?
The second principle related to the risk assessment component in COSO's Internal Control — Integrated Framework states that "[t]he organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed." That principle implies that there should be some kind of structured approach used to engage management in the identification and assessment of risks.
Understanding the process used by management to identify risks across the enterprise is critical to the auditor's evaluation of the above principle related to the risk assessment component. For some organizations, the risk identification process is well-defined, whereby key members of management are engaged annually in activities to help identify future risks. The AICPA/N.C. State research finds that about 75% of entities surveyed engage management at least annually in processes to update their inventories of key risk information.
Auditors may want to pay particular attention to organizations that lack a clear and structured approach to regularly engage management in considering risks. An ad hoc, unstructured, or nonexistent approach to risk identification may lead auditors to question whether there is a sufficient "tone at the top" regarding risk management.
Information about the techniques used to engage management in a risk identification process, who among management is involved in that process, and how frequently it occurs may offer important insights about the viability of management's risk assessment process.
WHAT TYPE OF RISK INFORMATION IS REPORTED?
The purpose of engaging management in risk identification tasks is to ultimately help the organization's leaders pinpoint the most significant risks likely to affect the achievement of objectives. Understanding the risks generated by that process helps auditors understand the nature and extent of risks most on the minds of management.
Management's identification of top risks will contain some that are not directly related to the risk of material misstatement in the financial statements. But evaluating top risks is likely to inform auditors about important internal and external factors that might affect the entity's business model or the success of its strategic plan. That information may, in turn, identify potential pressures on management that could ultimately increase the risk of material misstatement, including the risk of fraud.
Organizations generally report between five and 20 key risks annually to the board of directors. Usually, that information is presented to either the full board of directors or one of its committees, often the audit committee. A number of entities are creating standardized "risk profile" documents in the board's premeeting reading materials that provide an overall profile of each risk presented to the board. Those profiles often include an overview of the risk concern, its likelihood of occurrence and impact to the organization, how the organization is responding to each risk and the adequacy of each of management's responses to the risks, and metrics management is using to monitor each risk over time.
Information from management's risk assessment processes, including risk profiles or other risk reports, may be particularly useful as an input for the required "brainstorming" discussions among the engagement team about the risks of material misstatement, including fraud risks.
HOW EFFECTIVE IS BOARD OVERSIGHT OF RISK ASSESSMENT?
While the board of directors is ultimately responsible for the oversight of top risks, it often assigns responsibility for understanding and approving management's risk management process to a committee. For most entities, the audit committee assumes this responsibility. This is largely because 2004 NYSE Corporate Governance Rules mandate that the audit committee oversee the process of evaluating management's "risk assessment and risk management processes." Some entities, especially large banks and insurance companies, are creating board-level risk committees that assume this oversight role because of requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, P.L. 111-203.
Following the initial presentation of top risks, boards of directors often map each of those top risks to the agendas of future board or committee meetings to ensure that the board develops a sufficient understanding of the top risks and stays focused on them throughout the year. Auditors may benefit from understanding how the board allocates responsibility for overseeing management's risk management processes and how the responsible committees assess the effectiveness of those processes. Auditor review of committee meeting packets and minutes, together with discussion with committee chairs or other committee members, may be especially informative about the robustness of the entity's overall control environment and risk assessment processes, and may signal the effectiveness (or lack thereof) of the overall governance process.
HOW EFFECTIVELY IS MANAGEMENT MONITORING RISKS?
Some organizations are appointing different members of management across the enterprise to serve as "risk owners" for each of the top 10 to 20 risks presented to the board. Risk owners are responsible for conducting a thorough analysis of their assigned risk to understand its root-cause drivers and to assess the adequacy of the entity's response to prevent its occurrence or minimize its impact. Risk owners are often the ones responsible for updating senior management and the board about the current and expected state of their assigned risk. Understanding whether and how management has established accountability for managing key risks signals the robustness of its focus and attention to risk oversight. If no one is deemed responsible for a top risk, how effective is the response to that risk likely to be?
As entities strengthen their overall enterprisewide risk management processes, many are enhancing their dashboard reporting systems to include metrics that help management monitor shifts in emerging risk exposures. These metrics are generally referred to as key risk indicators (KRIs), and they may be based on internal or external factors associated with each emerging risk. For example, a retailer might track shifts in customer demographics, such as migration toward more urban living, to forecast where future new stores should be located.
The presence of KRIs on management dashboards may help auditors in planning analytical procedures, in addition to the insights KRIs may provide as part of the analytical procedures performed in the final stages of the audit. Because KRIs are often based on nonfinancial information, they may give the auditor additional opportunities to develop independent expectations about financial statement balances or trends over time.
AGGREGATING INSIGHTS FOR AN AUDITOR'S ASSESSMENT
The rapidly evolving risk landscape is placing a spotlight on the role of risk assessment as it relates to internal controls. While management's process for identifying and assessing risks is likely to go well beyond the risks of material misstatement in the financial statements, auditor consideration of a number of aspects of those processes may help an auditor assess risks to the audit (see a summary of those considerations in the sidebar, "Factors to Consider"). Not investing time to understand and evaluate a client's overall process for managing risks affecting the enterprise may lead not only to an insufficient understanding of the effectiveness of management and board risk oversight but also to the auditor overlooking key business risks that may affect financial reporting. Why take that risk?
Rather than treat the enterprisewide risk management system as something beyond the auditor's purview, financial statement auditors may want to consider how information from and about the risk management process might enhance their audit processes.
Factors to consider
Has the organization selected a dedicated leader to oversee the design and implementation of an enterprisewide risk management process?
- Where in the organization does this individual reside, and to whom does this position report in the organization? Does the person have access to the board of directors?
- What is the scope of this individual's risk management responsibilities?
- Is there a management-level risk committee? If so, who are its members, what are the committee's responsibilities, and how often does it meet? Does the committee maintain meeting minutes that can be reviewed?
- What kind of relationship, if any, does the risk leader and/or risk committee have with others involved in the risk management process? To what extent do they share information with others in charge of financial reporting?
- What insights do these leaders have about risks to the financial statements and disclosure?
What process does management use to identify risks?
- If different members of management were asked to describe their processes for identifying, assessing, and managing risks at the enterprise level, how consistent would their responses be?
- Are there identifiable, explicit actions and processes surrounding the organization's enterprisewide risk management, or is the approach mostly ad hoc and unstructured?
- What processes are used to engage management in an explicit risk identification task? How frequently does the organization engage management in that process? Who among the management team is involved?
- How does management conclude it has an effective system of internal control if there is no identifiable process used by management to identify, assess, and monitor its top risks?
What is the nature of risk information reported to top management and the board?
- What types of risks are generated by management's enterprisewide risk oversight process? What risks are being reported to senior management and the board of directors?
- How does management document and report details to the board of directors about top risk exposures facing the organization? How might that information be useful to the auditor's consideration of risks to financial reporting?
- To what extent might some of the entity's top risk exposures identified by management and discussed with the board impact financial statement reporting and disclosures?
How effective is the board's oversight of the risk assessment process?
- What is the board's role in risk oversight? Has the board acknowledged its responsibility for risk oversight in its charter? Could the board articulate management's process for overseeing enterprisewide risks?
- Has the board delegated risk oversight to one of its committees? If so, what specific tasks are delegated to the committee? Does the committee assume responsibility for reviewing and approving management's risk assessment process? Is the committee responsible for reviewing top risks coming out of the risk assessment process, or is that the responsibility of the full board?
- To what extent do the prereading packets for the board of directors include insights about top risks and management's responses to those risks?
How effective is management's information system for monitoring top risks?
- Has management allocated "ownership" of the management of certain risks to specific individuals who are part of the management team? What types of accountabilities are in place to ensure the organization is effectively responding to its most critical risk exposures?
- How do senior management and the board gain confidence that responses to top risks are implemented and effective? What role does internal audit have in evaluating the effectiveness of top risk responses?
- What types of metrics are included in management's information reporting to help them keep an eye on emerging risk trends? Does management have an effective system for recognizing shifts in risk conditions? How might those indicators provide useful insights to assist auditors in developing expectations when performing analytical procedures in the audit?
In summary, what external audit implications about the entity's risk assessment process can be derived from the aggregation of responses to these (and other) questions?
About the author
Mark S. Beasley, CPA, Ph.D., is the Deloitte Professor of Enterprise Risk Management and director of the ERM Initiative at North Carolina State University in Raleigh, N.C.
To comment on this article or to suggest an idea for another article, contact Neil Amato, a JofA senior editor, at Neil.Amato@aicpa-cima.com or 919-402-2187.