Editor: What are common mistakes companies make when going through the process of completing their Sarbanes-Oxley compliance efforts?
Schroeder: The biggest mistake might be treating this as something different than a solid business practice. A CIO of a mid-sized company told me this week, she thought a key reason their SOX program was successful was that they leveraged it to improve business practices. Another very significant problem has been that companies have frequently not taken a risk-based approach to the development of control activities.
Editor: What does it mean to deploy a risk-based approach to controls?
Smith: From a SOX perspective, a risk-based approach means identifying potential weaknesses that individually or in aggregate could impact the integrity of financial activities and reporting, and then aligning to these risks, controls that effectively mitigate the risk. Adopting a risk-based approach is challenging, because it requires a deep understanding of the business environment and the company's business process. So in that respect, no two companies are alike, and it requires a lot of judgment on the part of the auditor.
Schroeder: We have several clients that have found that the logical progression of a risk-based approach is to rationalize controls. Rationalization is about "right-sizing" controls. While this is important for SOX, it becomes even more important when you aggregate risk and control considerations across the business, to include GxP, HIPAA, FFEIC, or other compliance programs, and also operational risks and controls. The goal is to identify controls that may mitigate multiple risks and at the same time eliminate redundant controls. And also to improve business processes.
Editor: What types of benefits can companies realize from establishing a continuous risk-assessment approach?
Valaitis: Organizations are continually exposed to significant errors, frauds and inefficiencies that could lead to financial losses and increased levels of risk. These demands have put increased pressure on chief audit executives and their staffs to implement a continuous auditing strategy, and technology is an important element. Continuous risk-assessment is an effective way to demonstrate to rating agencies and government that compliance is not merely a "sometime thing," but that the organization has truly embedded a culture of controls. For example, Moody's and S&P have both recently added risk assessment and governance to their evaluation criteria.
Schroeder: We have had a number of clients endorse the concept of continuous risk assessment because they recognize that it is one key element of corporate governance. The underlying driver of continuous risk assessment is the rate of change in business; from inside and outside the organization. For example, anytime a company changes their processes, procedures, and information system they introduce risk to the organization. Without some form of continuous risk assessment process, the company can never be sure their controls are aligned to their current risk profile. So in this light, continuous risk assessment is a prerequisite for continuous change and improvement.
Smith: We have heard occasions where banks and insurance carriers ask for a company's risk-assessments so that they can understand the risks within an organization and evaluate the extent to which it has taken steps to mitigate them.
Editor: At a recent board meeting of a nonprofit that I attended, the outside accountants distinguished between "high risk" and "low risk" audits. How do you differentiate between the two and what does documentation have to do with it?
Schroeder The PCAOB, SEC, and AICPA agree that auditors need to do a better job of understanding risks and should take risks into account when they structure their audit plan. The terms you mentioned distinguish between audits where greater or lesser attention must be paid to risks - for example, if the company has an effective risk assessment program and continuously monitors risk, the burden on the auditors is less and the risk that the auditors will overlook an important compliance issue is less. This enables the auditor to do less work (and charge less) because the company can show that it has an effective risk control system in place.
Valaitis: A study published by the University of Wisconsin in April is revealing. It concluded that the cost of capital was significantly higher in the case of organizations that had internal control deficiencies. Another benefit of the continuous risk-based approach is that it reduces the potential for misstatements. Errors and omissions will occur in any organization. The question becomes how soon do you catch the errors. If you catch them before they become material, you can keep your reputation intact.
Smith: A risk-based approach to the auditing of internal controls is an immense help to the auditors as well. The external auditors can take a look at the risk assessment and determine where they should focus their attention.
Editor: What is Enterprise Risk Management (ERM) and how can companies gain value from it?
Valaitis: The COSO definition of ERM is that it is a process designed to identify potential events that may affect the entity so that it can manage risks in a manner consistent with its risk appetite and the achievement of its objectives. Ultimately, it is a way of hedging an organization-wide risk appetite. It is a new concept; very few firms have completed an ERM risk assessment. In short, ERM is looking at operational, financial, strategic, market place and every dimension of risk for an organization.
Schroeder: When you boil down the COSO ERM framework to its simplest terms , it is about taking a comprehensive approach to understanding risks across the enterprise, continually assessing that risk, aligning controls with risk in a cost effective manner and then monitoring the effectiveness of those controls. More than ever, risk is pervasive in today's business environment and companies are increasingly recognizing they need a comprehensive and organized model such as ERM for managing it.
Smith: Every organization does its own less formalized risk-assessment, regardless of size. CEOs, executive teams and boards have been doing it for years. ERM is different because it is a systematic and comprehensive process. It takes into consideration every aspect of the risk environment rather than being a knee-jerk reaction to a specific risk.
Editor: What is entailed in continuous auditing and continuous monitoring?
Schroeder: Continuous auditing and monitoring is a means of ensuring that the organization's objectives for deployment of controls is actually achieved. Implicitly this means the organization has deployed responsibility and accountability for controls to people that are in the best position to execute them. Continuous monitoring and auditing also means the organization has embedded the controls into processes and procedures. The most cost effective means of achieving this is often through workflow and controls embedded into business applications.
These concepts are changing the nature of audits; for example, what used to be a big annual event, is being smoothed out over the year. Eventually we expect strong continuous control environments to drive big efficiencies into SOX and financial audits.
Editor: Does this move the auditing process in-house with only a periodic review by the outside auditors?
Smith: We think that is what is happening, but only to a degree. The outside auditors are going to be more interested in how the internal monitoring is being done than in the detailed and costly process-testing that currently takes place.
The shift is to internal monitoring through a continuous process of self-assessment - not just within the structure of external or internal audits; it becomes ingrained in the culture as people check themselves and others.
Valaitis: Continuous auditing is consistent with the new COSO ERM framework that was released several years ago. Monitoring is one of the eight categories with continuous auditing fitting within that category.
Editor: Why would companies wish to employ continuous auditing?
Schroeder: For the following reasons: better control, improved cost effectiveness and better integration with the external audit functions. The external auditors should be able to place much more reliance on internally produced results while concentrating on testing controls which should result in a dramatic reduction in external audit fees.
Editor: How often do you prefer to meet with clients during the year to hear how they view the risk factors of their business and whether new controls should be instituted?
Smith: We recommend that an annual formal update of the risk assessment be performed and that a quarterly review be done in connection with required quarterly disclosures. When there are significant changes in the business, the risk assessment should be done more frequently to reflect any changes.
Editor: Do you also keep clients apprised of any industry developments, even those of a non-financial nature, which may affect their business?
Valaitis: Absolutely. We have strong core practice areas covering developments in the pharmaceutical, healthcare, manufacturing, insurance, and biotech industries. We advise audit committees or the executives about trends or recent events that may be grounds for them to revisit their risk assessments.
Editor: What changes have you seen in corporate America since the passage in 2002 of Sarbanes-Oxley in terms of greater sensitivity to risks, institution of controls consonant with those risks, the need to test controls and to provide proper documentation?
Valaitis: There have been tremendous changes. It has been an eye-opener for everyone in industry, whether they are senior executives or members of boards or audit committees. Changes in the composition and responsibilities of the audit committee and in corporate governance and financial disclosure have had a tremendous impact on business. Process owners have been made accountable for financial controls and business practices. This has created a whole new level of awareness. In addition to that, you see general counsel getting much more involved in financial or internal audit issues. You see the convergence between governance and compliance. Every director I have spoken to indicated that there is more accountability at the senior executive and board level than ever existed in the past. Tone at the top has become an important job requirement for senior executives at public companies in the post-Enron environment.
Published October 1, 2006.