The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently published new guidance on how companies can promote “risk appetite” as part of decision-making. It’s especially relevant in today’s uncertain marketplace.

The COSO guidance, “Risk Appetite — Critical to Success: Using Risk Appetite to Thrive in a Changing Word,” explains that management must learn to anticipate and understand their risk when change happens. It defines risk appetite as, “The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.”

This definition is intentionally broad to apply across an organization. It may differ within various parts of your organization to remain relevant in changing business conditions. When establishing your appetite for risk, the goal is to enhance long-term growth and innovation.

“Risk appetite is a fundamental part of setting strategy and objectives, providing context as the organization pursues a given level of performance,” said COSO Chairman Paul Sobel. He stressed the importance of recognizing that the choice of strategies and objectives requires an understanding of the appetite for risk.

In volatile times — like during the COVID-19 pandemic or when facing regulatory uncertainty from a contentious upcoming election — a business may need to alter it to take advantage of growth opportunities as market conditions evolve.

COSO lists six things to remember when establishing your company’s appetite for risk:

Risk appetite applies through the development of strategy and objective-setting. It focuses on the overall goals of the business. Risk tolerance, on the other hand, applies to the execution of strategy and focuses on objectives and variation from plan.

To be effective, your company’s risk appetite should permeate its culture. To get the message out across the organization, management should consider creating an appetite statement that includes measurable benchmarks. For example, you might say, “ABC Co. isn’t comfortable accepting more than a 10% probability that it will incur losses of more than $200,000 in pursuit of emerging market opportunities.”

The choice of language and length of an appetite statement will vary by organization. Some statements require several sentences to balance brevity with clarity.

Taking risks is essential to growing your business. However, risks can’t go unchecked. Setting and understanding risk appetite is an important element of corporate governance, strategic planning, and decision-making. We can help you better understand and apply this concept, communicate it to stakeholders, and monitor progress. Contact us today for help.

Before you jump headfirst into the year-end financial reporting process, review the roles and responsibilities the audit committees play in providing investors and markets with high-quality, reliable financial information.

Under Securities and Exchange Commission (SEC) regulations, all public companies must have an independent audit committee or have the full board of directors act as the audit committee. Likewise, many not-for-profit entities and large private companies have assembled audit committees to oversee the financial reporting process and help reduce the risk of financial misstatement.

SEC leadership recently issued a joint statement. It highlights the following key areas of focus for audit committees.

Audit committees set the tone for the company’s financial reporting and the relationship with the independent auditor. The SEC statement encourages audit committees to proactively communicate with auditors and understand how they resolve issues.

This is a shared responsibility of the audit firm, the issuer and its audit committee. The SEC statement suggests that audit committees consider corporate changes or other events that could affect independence.

The audit committee is charged with helping management comply with existing GAAP. The SEC statement reminds audit committees to consider major new accounting standards that have been adopted in recent years, including the new revenue recognition, lease and credit loss rules.

Audit committees are responsible for overseeing ICFR. The SEC statement stresses the importance of following up on the remediation of any material weaknesses.

Audit committees must openly communicate with external auditors throughout the audit reporting process. The SEC statement recommends discussing such issues as accounting policies and practices, estimates and significant unusual transactions.

These metrics, when used appropriately in combination with GAAP measures, can provide decision-useful information to investors. The SEC statement suggests that audit committees learn how management uses these metrics to evaluate performance — and whether they’re consistently prepared and presented from period to period.

Discontinuation of the London Interbank Offered Rate (LIBOR) may present a material risk for companies with contracts that reference LIBOR. The SEC statement encourages audit committees to understand management’s plan to address the risks associated with reference rate reform.

These are material accounts or disclosures communicated to the audit committee that require the auditor to make a subjective decision or use complex judgment. Beginning in 2019, auditors are required to include CAMs for certain public companies in the auditor’s report. The SEC statement reminds audit committees to understand the nature of each CAM, including the auditor’s basis for determining it and how it will be described in the auditor’s report.

Collaboration between the audit committee and external auditors is critical, regardless of whether a company is publicly traded or privately held. Contact us with any questions you have regarding the financial reporting process.

Audit season is right around the corner for calendar-year entities. Here’s what your auditor is doing behind the scenes during the risk assessment process — and how you can help facilitate the planning process.

Every audit starts with assessing “audit risk.” This refers to the likelihood that the auditor will issue an adverse opinion when the financial statements are actually in accordance with U.S. Generally Accepted Accounting Principles (GAAP) or (more likely) an unqualified opinion when the opinion should be either modified or adverse.

Auditors can’t test every transaction, recalculate every estimate, or examine every external document. Instead, they tailor their audit procedures and assign audit personnel to keep audit risk as low as possible.

The auditor’s role is to attest to your company’s financial statements. Specifically, your audit firm assures that your financial statements are “fairly presented in all material respects, compliant with GAAP, and free from material misstatement.”

Unqualified (or clean) audit opinions require detailed substantive procedures, such as confirming accounts receivable balances with customers and conducting test counts of inventory in the company’s warehouse. Generally, the more rigorous the auditor’s substantive procedures, the lower the likelihood of the audit team failing to detect a material misstatement.

Auditors evaluate two types of risk:

Separate risk assessments are done at the financial statement level and then for each major account — such as cash, receivables, inventory, fixed assets, other assets, payables, accrued expenses, long-term debt, equity, and revenue and expenses. A high-risk account (say, inventory) might warrant more extensive audit procedures and be assigned to more experienced audit team members than one with lower risk (say, equity).

New risk assessments must be done yearly, even if the company has had the same auditor for many years. That’s because internal and external factors may change over time. For example, new government or accounting regulations may be implemented, and company personnel or accounting software may change, causing the company’s risk assessment to change. As a result, audit procedures may vary yearly or from one audit firm to the next.

The risk assessment process starts with an auditing checklist and, for existing audit clients, last year’s work papers. However, auditors must dig deeper to determine current risk levels. In addition to researching public sources of information, including your company’s website, your auditor may call you with a list of open-ended questions (inquiries) and request a walk-through to evaluate whether your internal controls are operating as designed. Timely responses can help auditors plan their procedures to minimize audit risk.

Audit fieldwork is only as effective as the risk assessment. Evidence obtained from further audit procedures may be ineffective if it’s not properly linked to the assessed risks. So, it’s important for you to help the audit team understand the risks your business is currently facing and the challenges you’ve experienced reporting financial performance, especially as companies implement updated accounting rules in the coming years.

Contact us to get help with your risk assessment process.

In July, the (PCAOB) published two guides to help clarify a new rule that requires auditors of public companies to disclose critical audit matters (CAMs) in their audit reports. The rule represents a major change to the brief pass-fail auditor reports that have been in place for decades. One PCAOB guide is intended for investors, the other for audit committees. Both provide answers to frequently asked questions about CAMs.

CAMs are the sole responsibility of the auditor, not the audit committee or the company’s management. The PCAOB defines CAMs as issues that:

Examples might include complex valuations of indefinite-lived intangible assets, uncertain tax positions and goodwill impairment.

Critical audit matters aren’t intended to reflect negatively on the company or indicate that the auditor found a misstatement or deficiencies in internal control over financial reporting. They don’t alter the auditor’s opinion on the financial statements.

Instead, CAMs provide information to stakeholders about issues that came up during the audit that required especially challenging, subjective or complex auditor judgment. Auditors also must describe how the CAMs were addressed in the audit and identify relevant financial statement accounts or disclosures that relate to the CAM.

CAMs vary depending on the nature and complexity of the audit. Auditors for companies within the same industry may report different CAMs. And auditors may encounter different CAMs for the same company from year to year.

For example, as a company is implementing a new accounting standard, the issue may be reported as a CAM, because it requires complex auditor judgment. This issue may not require the same level of auditor judgment the next year, or it might be a CAM for different reasons than in the year of implementation.

Disclosure of CAMs in audit reports will be required for audits of fiscal years ending on or after June 30, 2019, for large accelerated filers, and for fiscal years ending on or after December 15, 2020, for all other companies to which the requirement applies.

The new rule doesn’t apply to audits of emerging growth companies (EGCs), which are companies that have less than $1 billion in revenue and meet certain other requirements. This class of companies gets a host of regulatory breaks for five years after becoming public, under the Jumpstart Our Business Startups (JOBS) Act.

Critical audit matters may change from year to year, based on audit complexity, changing risk environments and new accounting standards. Each year, auditors determine and communicate CAMs in connection with the audit of the company’s financial statements for the current period.

A significant event — such as a cybersecurity breach, a hurricane or the COVID-19 pandemic — may cause the auditor to report new CAMs. Though such an event itself may not be a CAM, it may be a principal consideration in the auditor’s determination of whether a CAM exists. And such events may affect how CAMs were addressed in the audit.

For more information on critical audit matter reporting contact us.

Auditors must test the effectiveness of internal controls before signing off on your financial statements. But it’s impossible to analyze every transaction that’s posted to the general ledger, due to time and budget constraints. Instead, auditors select and analyze a representative sample of transactions to make assertions about the entire population. Here’s more on how sampling works — along with the pros and cons of using it during internal control testing.

Auditors may use statistical techniques to develop a sample of transactions to test. For example, an auditor might select enough transactions to represent a specific percentage of 1) the total transactions in an account, or 2) the company’s total assets or revenue. Alternatively, a sample of transactions may be pulled randomly using statistical sampling software.

Auditors also can use nonstatistical sampling techniques based on a dollar threshold or professional judgment. These techniques tend to be more effective when the CPA has many years of audit experience to ensure that the sample chosen is representative of the population of transactions.

Before analyzing a sample, your auditor has expectations about the number of “exceptions” (such as errors and omissions) that will appear in the sample. If the actual exceptions exceed the auditor’s expectation, he or she may need to perform additional procedures. For instance, your auditor might expand the sample and conduct more testing to assess the degree of noncompliance.

Ultimately, your auditor might conclude that your internal controls are ineffective. If so, he or she will perform more work to estimate the magnitude of the control failure.

Sampling helps keep audit costs down by streamlining the internal control testing process. It also reduces disruptions to business operations during audit fieldwork. When applied correctly, the results of sampling are theoretically as accurate as if the audit team had analyzed every transaction posted to the general ledger. But, in practice, sampling can sometimes cause problems during internal controls testing.

For example, sampling presumes that controls function consistently across the whole population of transactions. If an exception doesn’t appear in the sample — because the sample was too small or otherwise unrepresentative of the entire population — your audit team could reach the wrong conclusion about the effectiveness of your internal controls.

There’s also a risk that your internal audit team could rely too heavily on nonstatistical sampling. Relying more on judgment than statistical methods could result in errors, especially if an auditor lacks professional experience.

You can help maximize the benefits of sampling by providing the audit team with document requests in a timely manner and following up on your auditor’s management points at the end of each year’s audit. It’s frustrating to both auditors and business owners when internal control weaknesses recur year after year. Our auditors have extensive experience testing internal controls, and we’d be happy to answer any questions you have on testing and sampling techniques. Contact us to get started.

Whether you’re a business owner or an individual planning for the future, knowing the right questions to ask your accountant gives you a powerful advantage. Having a list of both current and future questions to discuss during your time together will help keep you efficient, prepared, and on track to meet your financial goals. Here is our list of Top 40 Questions to Ask your Accountant.

1. How does the legal structure of my business affect my taxes?

2. Am I on track for my growth goals?

3. What are the industry-specific tax regulations that I should know about?

4. What can I cut down for better cash flow?

5. Do you have any recommendations on collection policies for faster sales?

6. Should I consider seeking equity or debt financing?

7. Do I need an employee benefit plan audit?

8. Do you have referrals for lenders and investors?

9. Do I need a financial statement audit?

10. Do I qualify for R&D credits?

11. How can I avoid red flags or mishaps with my returns or audit?

12. What are my best choices for valuing inventory for tax purposes?

13. When do I need to start paying estimated taxes?

14. What accounting software do you recommend?

15. What is my breakeven point?

16. How can I be prepared for the upcoming tax season?

17. How long do I need to keep my business records?

18. What qualifies as a business deduction?

19. How is my business impacted by the 2017 Tax Reform Act?

20. Am I required to collect sales tax?

1. What information and/or records should I keep, what can I toss, and how long should I hold on to the retained documents?

2. How will the 2017 Tax Reform Act affect me?

3. Can I deduct my car for any of my business purposes?

4. What direct business expenses can I deduct and are there any limitations?

5. How much of my household bills and/or equipment is deductible as a business expense?

6. When should I set up my estate and trust?

7. Should I consider charitable donations as a transfer of wealth?

8. How many dependents can I claim?

9. Are there any deductions that I am not currently claiming that I should?

10. How often should I consult with you about my taxes?

11. Can you help me estimate my taxes for the upcoming year?

12. Should I increase my 401(k) contributions?

13. Should I change my tax withholding?

14. Do you have recommendations for a financial advisor?

15. Am I on track for my retirement goals?

16. What is the best way to pass my wealth to my children?

17. What can I do to protect my dependents from tax implications upon my death?

18. What sort of events in my life are important for you to know?

19. I own my business, what steps should I take to separate my business and personal expenses?

20. What can I do to maximize my deductions better?

Have questions for us? Contact us for help.

Here is a simplified comparison:

While the list above displays their differences, there are also similarities. The first similarity is that both plan their audit effort around the areas that pose the highest risk to the achievement of company objectives. The second similarity is that both types of audits assess internal controls to determine if they are in place and working to ensure the reliability of financial data. Internal audits, which have a heavier focus on controls, usually add coverage of controls that help ensure effectiveness and efficiency of operations, compliance with laws and regulation, and safeguarding of assets. A third similarity is that both types of audits are performed in accordance to certain professional standards — such as the Statement on Auditing Standards for external audits and the International Standards for the Professional Practice of Internal Auditing for internal audits.

With all their similarities and differences, both types of audit services can play an important role in creating an effective governance structure and can help contribute to the company’s success. If you have questions about the internal or external audit process, please contact us.