Underlying the SEC guidance is the idea that management's assessment of risk is central to its process for evaluating internal control. Within this context, there are two types of risk. Although they are related, it is important to distinguish between them as you plan your evaluation process.

  • Misstatement risk is the risk that the financial statements could be misstated, irrespective of the entity's internal controls. For example, consider a high-technology manufacturing company. The nature of its business means that the company is vulnerable to rapid advances in technology, which could make its products obsolete. This obsolescence must be reflected in the company's financial statements (in the way inventory is valued). Because of the materiality of inventory to its financial statements and due to the high degree of judgment in making an estimate of the value of high-tech inventory in a constantly changing business environment, you might consider misstatement risk related to inventory to be high.

  • Risk of control failure is the risk that a failure in the design or operation of a control could lead to a material misstatement of the financial statements.

    The risk of control failure is a function of misstatement risk and the likelihood of a control failure. If this combination of factors is high, then the risk of control failure increases. If this combination of factors is low, then the risk of control failure decreases.
