
SOX and COSO ERM

Beyond SOX
Life beyond Sarbanes-Oxley
George Matyjewicz, PhD
Presented to New Jersey Chapter of the Institute of Internal Auditors
March 11, 2004

Let’s look at what we gained from the Sarbanes-Oxley (SOX) exercise. C-level officers learned the importance of establishing objectives, identifying the risks that will prevent them from meeting those objectives, and establishing controls that will mitigate those risks. Under SOX those objectives translated into disclosure control objectives and procedures for the financial statement assertions: Existence, Completeness, Valuation, Rights and Obligations, and Presentation and Disclosure.

SOX forced companies to develop a dynamic repository to store their internal controls, as opposed to the books that sat on a shelf and were dusted off whenever the external auditors visited. The CEO and CFO are required to certify that they have internal controls over financial reporting and whether or not there have been any significant changes from one quarter to the next. The quarterly evaluation process includes review and testing of the controls by appropriate personnel (at the appropriate levels of the enterprise) and sign-off that the controls are in place. Where there are deficiencies or weaknesses, action must be taken to remediate the risk of financial statement misstatement.

Of course, we all know why these C-levels undertook these exercises…

Get Out Of Jail Free!

The Act provides for severe penalties for false certifications. These include forfeiture of certain bonuses and profits realized from the sale of company stock, fines, and imprisonment.

What did we learn? In the early days of auditing, internal auditors used checklists when auditing an entity or process. While checklists may work in those environments, they really don’t work when analyzing risks. Now internal audit needs to understand the business and address the risks that will prevent management from meeting its objectives.

With the deadlines imposed by SOX, organizations rushed out to get solutions fast! So they often used checklists and focused on documenting internal controls. Which is OK, as long as they understand they will need to pay for it later.

Many companies believe that the SOX compliance is an expense.  Rather they should look at it as a much-needed exercise in efficiency.  It is the start of Enterprise Risk Management (ERM).  Actually, it’s: 

COMMON SENSE DOCUMENTED!


Déjà vu All Over Again.   Remember these headlines?

“Retirement funds lost!  Thousands of workers lose their pension funds!”

“Multiplying layers of entities and hidden movement of capital and goods causes collapse of...” 

“Shell corporations and bank confidentiality and secrecy havens discovered at...” 

“Executives’ investments and illegal actions...”

“Government levies a record fine on accounting firm”

U.S. scandals, right?

Wrong! Those were the hot topics in the news in the 1980s and 1990s, with the U.K. high-profile scandals and collapses of BCCI, Robert Maxwell, and Nick Leeson and Barings.

U.K. History. The scandals resulted in the Cadbury Report, which drew heavily on the work of the Treadway Commission in the USA. The report focused on internal controls, the need for effective audit committees, and a recommendation that the roles of chairman and chief executive should be separate. Subsequently, the Turnbull Report was produced, focusing on internal control and on how companies manage their risks, for example the risk of corporate fraud.

In 1997, a steering committee from prominent global companies met with a UK national partnership of accountants and business advisers to discuss solutions for risk management and for complying with Cadbury (and later Turnbull). The committee focused on specific issues:

- Preparing and updating annual and strategic assessments of risk
- Performing detailed evaluations of risks, considering management responses in the form of controls and assurances
- Recording risk events as they occur and feeding this into the evaluation
- Creating and tracking actions
- Creating questionnaires for business units on relevant controls, for confirmation and scoring

In July 2000, after 2 ½ years of discussion and development, the first risk management solution application was rolled out. Subsequently it was adapted to newer legislative initiatives like SOX.

Lessons Learned. Through its discussions and meetings, this steering committee learned that the requirements of a risk management solution included:

- Scalable. The solution needed to grow with the enterprise and not be restricted by technology issues.
- Database Design. It had to be designed around a readily available, commonly-used database structure.
- Best Practices. Since these organizations were global, they needed a best practices facility that could be shared among all users.
- Reporting Tools. These needed to be readily available, commonly-used tools, not proprietary ones with the resultant learning curve issues.
- Frameworks/Principles. The application needed to use the frameworks and principles in use then, with the expectation that future frameworks could be added by the users.
- Enterprise-wide Connectivity. Users needed to connect to the database from anywhere in the world.
- Work Collaboratively. Users needed to be able to share information anywhere in the world and to work together on projects without conflicts.
- Support. With global operations, it was critical for organizations to have 24/7 support.
- User Conferences. Since the input from the steering committee worked so well, the members recommended continuing that concept and meeting twice a year to continually update the solution.

What is Risk Management. Organizations need to establish objectives for the direction of the organization. Where do you want to be in five years, three years and this year? Once objectives have been identified, the next exercise is to identify the risks that will prevent management from achieving those objectives.

In addition to identifying risks, you also need to identify the impact the risk will have on the organization and the likelihood the risk will happen.  The combination of impact and likelihood is a ranking of risks, and it behooves the organization to address those risks with a high impact and high likelihood of happening. 

Now that the risks have been identified and ranked, what controls are needed to mitigate those risks?  How do we monitor those risks and controls and how do we communicate to the organization?

The strategy adopted to manage the risks varies according to the risk-taking preferences or risk appetite of the company. Risk management experts often summarize the options as treat, terminate, transfer or take (or tolerate): the 4 Ts. Treating a risk means taking direct action to reduce either its potential impact or its likelihood of occurrence. In many instances the treatment is internal control. One means of mitigating the customer acceptance risk might be via a marketing campaign – not something most people would think of immediately as a ‘control.’ To terminate a risk is to walk away from it. A company with a low risk appetite, faced with the risks of sourcing products from an unstable country, may decide simply to source products elsewhere. Risks may also be transferred to others, either by insurance or through contracts, often with outsourced service suppliers. Finally, there are some risks that go with the territory. You do what you can but, in the end, you have to accept, tolerate or take them.

Enter risk-based auditing.  As we have seen, a risk is a set of circumstances that hinder the achievement of objectives.  It is management’s responsibility to determine what risks exist, ensure that internal controls mitigate these to acceptable levels and assure the organization’s executive team that it is monitoring the system of internal control. 

Internal audit’s (IA) main function is to assist the organization to achieve its internal control and risk management objectives.  Internal auditing provides independent and objective assurance to an organization’s management, board and other stakeholders that its risks are being mitigated to an acceptable level, and reports where they are not.  

Managers own risks and it is their responsibility to control them. Internal auditing provides assurance to management that risks are controlled. Internal audit may be asked to provide advice, and more, on risk management, providing...

- It doesn’t compromise IA’s independence and objectivity.
- The resources required don’t hinder IA from achieving its main objective of assurance.
- Managers don’t come to regard IA as the risk owner. IA is providing assurance to them, not the other way round.

With risk-based auditing the organization identifies risks and looks at high impact risks, i.e., those risks that will prevent the organization from meeting its objectives.  Internal audit then analyzes the gap between the gross (inherent) risk and net (residual) risk and plans to audit those risks where controls are in place to mitigate the risks, and the resultant gap is high and/or impact is high.   

Internal audit needs a tool that permits the integration of management’s self-evaluation of risk with an effective audit management solution that enables internal audit to complete its mission, i.e., a tool that provides risk management-based auditing. This mission should go beyond SOX and embrace the full spectrum of ERM using the newly proposed COSO framework.
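To make the risk-based process above concrete (objectives, risks rated by impact and likelihood, controls, and the inherent-versus-residual gap that drives audit planning), here is a small risk register in Python. It is an added illustration, not part of the talk and not any vendor's product. The 1-to-5 rating scale, the "high" thresholds, the Risk class and function names, and the sample register entries are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed scale and thresholds: the talk speaks only of "impact", "likelihood"
# and "high", so these numbers are constructed for the example.
SCALE_MIN, SCALE_MAX = 1, 5
HIGH_IMPACT = 4        # impact rating at or above this counts as high
HIGH_GAP = 10          # inherent-minus-residual score at or above this counts as high
TREATMENTS = {"treat", "terminate", "transfer", "take"}   # the 4 Ts


def check_rating(value: int, label: str) -> int:
    """Reject ratings outside the agreed scale before they distort the ranking."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")
    return value


@dataclass
class Risk:
    name: str
    objective: str                      # the objective this risk would hinder
    impact: int                         # gross (inherent) rating, before controls
    likelihood: int
    treatment: str                      # one of the 4 Ts
    controls: list[str] = field(default_factory=list)
    residual_impact: int | None = None  # ratings after controls; default to inherent
    residual_likelihood: int | None = None

    def __post_init__(self) -> None:
        check_rating(self.impact, "impact")
        check_rating(self.likelihood, "likelihood")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {sorted(TREATMENTS)}")
        # With no control recorded, the net (residual) risk equals the gross risk.
        if self.residual_impact is None:
            self.residual_impact = self.impact
        if self.residual_likelihood is None:
            self.residual_likelihood = self.likelihood
        check_rating(self.residual_impact, "residual_impact")
        check_rating(self.residual_likelihood, "residual_likelihood")

    def inherent(self) -> int:
        """Gross risk: combination of impact and likelihood before controls."""
        return self.impact * self.likelihood

    def residual(self) -> int:
        """Net risk: the same combination after the recorded controls."""
        return self.residual_impact * self.residual_likelihood

    def gap(self) -> int:
        """How much the controls are relied on to bring gross risk down to net."""
        return self.inherent() - self.residual()


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Highest impact x likelihood first; ties broken by impact."""
    return sorted(risks, key=lambda r: (-r.inherent(), -r.impact))


def audit_plan(risks: list[Risk]) -> list[str]:
    """Risk-based audit selection: controls are in place AND (gap is high or impact is high)."""
    chosen = [r for r in risks
              if r.controls and (r.gap() >= HIGH_GAP or r.impact >= HIGH_IMPACT)]
    return [r.name for r in sorted(chosen, key=lambda r: (-r.gap(), -r.impact))]


def needs_controls(risks: list[Risk]) -> list[str]:
    """High-impact risks with no control recorded: these go back to the risk owner."""
    return [r.name for r in rank_risks(risks)
            if not r.controls and r.impact >= HIGH_IMPACT]


# Constructed sample register; entries are illustrative, not from the talk.
REGISTER = [
    Risk("Revenue recognized before delivery", "Existence", 5, 4, "treat",
         ["Match invoice to shipping document"], residual_likelihood=1),
    Risk("Sole supplier in unstable country", "Continuity of supply", 4, 3, "terminate"),
    Risk("Consolidation spreadsheet error", "Valuation", 3, 4, "treat",
         ["Reviewer sign-off on formulas"], residual_likelihood=2),
    Risk("Customer rejects new product line", "Revenue growth", 4, 2, "treat",
         ["Marketing campaign"], residual_likelihood=1),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.inherent():>3} gross {r.residual():>3} net  gap {r.gap():>3}  {r.name}")
    print("audit plan:", audit_plan(REGISTER))
    print("needs controls:", needs_controls(REGISTER))
```

The two output lists show the separation the talk draws: the audit plan covers risks where management relies on a control and the reliance (gap) or the stakes (impact) are high, while a high-impact risk with no control at all is not an audit item but an open action for the manager who owns it.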

###

About the author...
George Matyjewicz, PhD is Chief Global Strategist of GAP Enterprises, LLC and Managing Director of D’Arcangelo Software Services, a division of D’Arcangelo & Co., LLP, Certified Public Accountants and Consultants. His dissertation “Just In Time Payments And The New Global Currency For Conducting Business In A Global Economy” was compiled from 3+ decades experience in the business world. He was formerly Chief E-Commerce Officer for a global giftware company and President/General Manager of a global digital currency company with customers in 190 countries where he experienced risk management issues first hand. He was a Principal/Partner at a top 30 U.S. CPA/Consulting firm. He is a frequent speaker and regularly published as an expert on global business, finance, technology and implementation and writes and publishes E-Tailer’s Digest online and in print, which reaches 50,000 retailers worldwide.
 
