Our friends at Deloitte have shared their insights on a "framework" for ensuring that organizations minimize the risk of exercising poor judgment where called for in accounting and financial reporting.
In their report, CFO Insights – Financial statements: Framing your judgment calls, they make a number of good points:
"In the United States in 2013, 290 accelerated filers (defined as companies with market capitalizations greater than $75 million, among other criteria) had to restate their financials, up approximately 3% from 2012. Common mistakes included those related to revenue recognition, accounting for income taxes, and measurements of complex financial instruments, all areas that involve a significant degree of judgment."
"While finance chiefs and their teams typically produce reams of analyses to support their financial statements, errors can still occur — often because of a lack of rigor around accounting judgments."
"…this may be a good time to revisit controls over your company's judgment calls."
At this point, Deloitte makes a mistake. They state that "while COSO directs companies to identify risks to financial reporting and implement controls to address risks of noncompliance, it does not explicitly address the need for specific controls over the processes involved in making accounting judgments."
This is technically true but in practice misleading.
The COSO Internal Control–Integrated Framework directs organizations to identify and assess risks (Risk Assessment component) to the achievement of their objectives (in this case, we are talking about the objective of filing financial statements with the regulators that are free from material error or omission). COSO then says you should identify controls (Control Activities component) to provide reasonable assurance that the risk is managed at acceptable levels. As Deloitte points out, a significant source of error is a failure in judgment.
Clearly, anybody diligently following COSO and a top-down risk-based approach (or Auditing Standard Number 5, or SEC Interpretive Guidance) would have identified financial reporting risks involving judgment — such as the interpretation of accounting and tax rules and regulations, reserves, and accruals.
Deloitte does well to discuss bias and rush to judgment as issues worth considering.
However, Deloitte does not, in my opinion, sufficiently emphasize the need to ensure that the appropriate people are either involved in making the judgments where there is financial reporting risk, or provide a detective control through their review activities that would identify in a timely manner any potentially material judgment errors. These people should be sufficiently trained and experienced (Control Environment component) so that the risk of poor judgment is minimal.
When it comes to review controls, I recommend a careful read of the PCAOB's Staff Alert of October 2013. It covers other points made by Deloitte, such as whether the individual performing the review has sufficient information (COSO Information and Communication component).
Errors from a failure in judgment are a real risk and I congratulate Deloitte for raising the red flag.
How well is this type of risk addressed in your internal control over financial reporting program?
I welcome your comments.