Why a Strong Risk Assessment Is Essential in Today’s Regulatory Climate

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its Internal Control – Integrated Framework in 2013 to help organizations design and implement effective internal control systems. Item 308 of SEC Regulation S-K requires management to identify and disclose the framework used to evaluate the effectiveness of internal control over financial reporting (ICFR).

COSO is by far the most widely used framework adopted by public companies and includes five essential components. A comprehensive risk assessment is one of the five components of the internal control framework. Included in this component are four principles: 

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.  
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.  
  3. The organization considers the potential for fraud in assessing risks to achieving objectives.  
  4. The organization identifies and assesses changes that could significantly impact the system of internal control. 

While the COSO framework establishes the foundation for effective risk assessment, perspectives on its application can differ significantly in practice. The following outlines Centri’s viewpoint alongside that of the SEC, emphasizing both the practical implementation challenges and the regulatory expectations associated with applying these principles effectively.

Centri perspectives: 

Despite COSO having issued specific guidance on the principles expected in a risk assessment for internal controls, there continue to be widely differing perspectives on what is sufficient to demonstrate compliance. In a typical ICFR evaluation program, the first step each year is to perform a risk assessment that considers both quantitative and qualitative factors. Anecdotally, we often see registrants, particularly those subject only to management's own assessment of controls under Section 404(a), do little, or sometimes nothing, to address this first step. An ICFR program without a risk assessment is like building a house without a supporting foundation. The lack of a solid risk assessment exposes the company to several potential risks: 

  1. The company will be unable to defend its ICFR evaluation to regulators or shareholders. 
  2. Current and future efforts will not be effectively aligned with the external auditors' approach. 
  3. The company will perform unnecessary ICFR documentation and testing if the program is not appropriately scaled to its industry, locations, size, and maturity. 
  4. The company will miss opportunities to streamline and improve processes, systems, and controls by focusing on the most significant risk areas. 

We believe that a strong SOX program should include an annual risk assessment addressing both the quantitative factors (account balances, fluctuations from a prior period, etc.) and the qualitative factors (accounting and reporting complexities, the subjectivity involved in determining balances, each account's susceptibility to error or fraud, and the volume, complexity, homogeneity, and centralization of transactions, etc.). A comprehensive risk assessment is crucial because it identifies vulnerabilities, prioritizes risks, enhances decision-making, and improves the resilience of the organization. 

SEC perspectives: 

The Chief Accountant at the Securities and Exchange Commission (SEC) issued a statement on August 25th, 2023, titled “The Importance of a Comprehensive Risk Assessment by Auditors and Management,” in which he described the importance of risk assessment processes, commenting “to be effective, risk assessment processes must comprehensively and continually consider issuers’ objectives, strategies, and related business risks; evaluate contradictory information; and deploy appropriate management resources to respond to those risks.”  

The statement concludes by quoting former SEC Chair Gary Gensler: “there’s a basic bargain in our capital markets: investors get to decide what risks they wish to take,” while “companies that are raising money from the public have an obligation to share information with investors on a regular basis.” The statement continues: “Timely and transparent reporting by management, and informative, accurate, and independent reports by auditors, are critical components of the system that help companies maintain their end of the bargain—their commitment to provide high-quality financial information and information about the effectiveness of their ICFR to investors. When business risks change, a robust, iterative risk assessment process and strong entity and process-level controls are essential to transparent and high-quality financial reporting.”

Centri perspectives: 

As one can infer from the comments above, the SEC has significant expectations regarding the rigor and importance of performing an appropriate and impactful risk assessment. In addition, the SEC stressed that the risk assessment should be “iterative,” continually considering the impact on controls of changes to the underlying business. 

One such example is Item 308(c) of Regulation S-K, together with the form of management’s certification under Section 302 of the Sarbanes-Oxley Act, which require disclosure of any change in internal control over financial reporting during the most recent fiscal quarter that has materially affected, or is reasonably likely to materially affect, ICFR. These requirements underscore the need for organizations to maintain a dynamic and responsive risk assessment process that evolves in step with their operational and regulatory environment.

How Centri Can Help 

Conducting a thorough risk assessment is not just a best practice; it’s a regulatory and operational necessity. We reinforce the importance of performing this assessment at least annually, and more frequently when business conditions change, to ensure your ICFR program remains effective, relevant, and defensible. A well-executed risk assessment lays the foundation for a scalable and efficient internal control environment that aligns with both COSO principles and SEC expectations.

Our Risk Advisory experts can support your organization by:

  • Performing a quick and efficient initial, or planning, risk assessment for a company from its public filings (Form 10-K, Forms 10-Q and 8-K) and relevant industry trends. This assessment starts with an initial assessment of materiality and then considers other significant factors. 
  • Updating this assessment periodically throughout the period for changes in people, processes, technology, or the business. 
  • Using the results of the risk assessment to identify significant accounts and significant classes of transactions within the relevant processes. 
  • Discussing the results of the risk assessment with the external auditors. 
  • Assisting with the preparation of Item 9A in Form 10-K and Item 4 in Form 10-Q and any related required disclosures in the financial statements. 

Gareth Montague-Smith

Managing Director | SOX and Internal Audit Practice Leader | CPA

Gareth is a Managing Director and the SOX and Internal Audit Practice Leader at Centri Business Consulting. He has more than 28 years of finance and accounting experience, providing financial, auditing, and internal audit services across multiple industries. View Gareth Montague-Smith's Full Bio

Kevin Zeina

Director | CPA, CGMA

Kevin is a Director at Centri Business Consulting within the Risk Advisory Practice. He has more than 14 years of experience in internal audit, SOX testing, and risk advisory services. View Kevin Zeina's Full Bio

About Centri Business Consulting, LLC

Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.

