Saturday, August 23, 2008

Building on section 404: investments in Sarbanes-Oxley compliance can provide a solid foundation for enterprise risk management projects


Paul J. Sobel


SO YOU'VE COMPLETED YEAR-ONE COMPLIANCE with Section 404 of the U.S. Sarbanes-Oxley Act of 2002 and have begun wrapping up year two. Or perhaps you're not an accelerated filer, and you're still working on the year-one initiative. Either way, you've thought a lot about risk, documented numerous controls, and educated employees about risk management and control activities. Perhaps you're also familiar with The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) enterprise risk management (ERM) framework and have thought about repurposing your Section 404 control work for ERM. But does this process represent a small step or a giant leap?


[ILLUSTRATION OMITTED]


It's actually a little bit of both. In many ways, investments in Section 404 can be leveraged so that a few small steps will pave the way toward implementing certain aspects of COSO ERM. However, some giant leaps will also be needed to fully implement the ERM framework.


THE JOURNEY TO ERM


Investments in Section 404 compliance have resulted in greater control discipline and more pervasive control consciousness throughout the organization. Companies have evaluated risks to meeting their financial reporting objectives and established controls to help manage those risks. The growing attention to control issues and increased control-related activity provide organizations with a potential foundation for enterprise risk efforts.


ERM's scope, however, is much more expansive than the Section 404 requirements. To comply with Section 404, a company need only focus on internal controls over financial reporting, which represent just a portion of COSO ERM's overall reporting objectives. To fully implement ERM, companies need to consider all objectives covered in the framework, as well as additional activities embedded in each of the COSO ERM components.


Key differences exist between Section 404 requirements and the requirements necessary to implement ERM. Those differences can be summarized along the eight ERM components.


INTERNAL ENVIRONMENT According to the COSO ERM framework, an organization's internal environment reflects its ERM philosophy and the way its people view and address risk. The environment encompasses an organization's approach to establishing its risk appetite, integrity, and ethical values.


COSO ERM requires organizations to evaluate the control environment relative to the achievement of all business objectives, not just those related to financial reporting. Although this process may be similar to Section 404's entity-level review, some of the control environment criteria may result in different conclusions when viewed through the broader lens of ERM. For example, while Section 404 compliance requires a commitment to maintaining competent financial and accounting personnel, other business objectives may be owned by nonfinancial managers with lesser commitments to staff competence. Ultimately, the discrepancy could result in an inconsistent control environment for ERM.


To embark on an ERM implementation, companies must determine their risk management philosophy and risk appetite--a task usually performed by the board and senior management--and communicate it throughout the organization. This exercise provides the context for all of the subsequent components in ERM, as failure to articulate the philosophy and risk appetite may result in inconsistent or incomplete risk management activities throughout the organization. Section 404 does not feature this requirement.


Meeting COSO's internal environment conditions represents a small step for most Section 404-compliant companies. The groundwork established through entity-level control evaluations should provide a solid foundation for companies starting the ERM journey. Although many companies may need to expand portions of the evaluation to cover all business objectives, this process should not be particularly difficult. Other small steps required include drafting a risk management philosophy statement that reflects the views of management and the board, and working with the board to define risk appetite parameters relative to broad outcomes, both financial and nonfinancial.


OBJECTIVE SETTING COSO defines objective setting as follows: "Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite." ERM requires organizations to establish a broad range of business objectives. By contrast, Section 404's primary objective to comply with pertinent regulations from the U.S. Securities and Exchange Commission (SEC) constitutes a narrow focus. And while secondary objectives may exist for Section 404 projects, these are not nearly as extensive as the business objectives that companies must fully identify and articulate for ERM, such as growing market share and operating in a socially responsible manner. In addition, ERM-related business objectives must be consistent with the company's risk appetite, both financial and nonfinancial, whereas most companies in compliance with Section 404 have likely focused only on the financial element.


Risk tolerance decisions under Section 404 are generally limited to material weakness and significant deficiency levels, which tend to be quantitative and formulaic. COSO ERM requires companies to consider tolerance levels related to all possible outcomes, some of which may require qualitative judgments (e.g., reputation and customer service). Considering these differences, moving to ERM represents a giant leap for most companies. Although many firms have documented their strategic objectives, few have likely taken the time to formally identify all objectives entitywide that fall within COSO ERM's four designated categories--strategic, operations, reporting, and compliance. Completing this process involves a substantial effort, and it expands the scope of the strategic planning process considerably.


With Section 404 compliance as a starting point, key additional steps to ERM objective setting include:


* Identifying and categorizing all key business objectives according to the COSO ERM framework.


* Determining the risk appetite relative to each of the key business objectives, which involves relating the broad outcomes of each objective to the company's overall risk appetite.


* Establishing specific risk tolerance levels relative to each objective, which requires the company to articulate acceptable variability from the specified risk appetite for all possible outcomes.


* Creating a framework for depicting the relationships between business objectives and risk tolerance levels. A visual framework will make it easier to communicate tolerance levels throughout the company.


Although taking these steps may be a giant leap for most companies, their efforts at this stage will lay the foundation for success with subsequent ERM components.


EVENT IDENTIFICATION According to COSO ERM, management must identify events affecting an entity's ability to successfully achieve its objectives, distinguishing between risks and opportunities. The opportunities then need to be channeled back to management's objective-setting process. By contrast, the types of events that impact financial reporting are somewhat limited, and most companies do not conduct a formal event identification exercise under Section 404. Instead, they simply identify risks to the financial statement assertions and then proceed to the risk assessment phase.


Event identification represents a critical step in COSO ERM. Failure to identify possible risk events will likely result in an incomplete risk universe. Moreover, ERM focuses on risks to the achievement of all business objectives, not just the financial statement assertions. Building upon Section 404 efforts to achieve ERM event identification objectives, therefore, represents a giant leap for most organizations. ERM event identification also involves a greater cross-section of management than Section 404, as possible events include business scenarios of which financial management may not be aware.


Key additional steps to achieving ERM event identification objectives include examining each business objective with relevant managers via facilitated risk event (scenario) exercises, and evaluating event-scenario drivers to determine interdependencies and interrelationships. Moreover, when implementing ERM, similar events should be combined to develop an initial risk universe and determine how to track and update the listing of potential events and risks.


RISK ASSESSMENT COSO defines risk assessment as: "Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and residual basis." Risk assessments conducted under Section 404, however, are much simpler. The only impact levels important to Section 404 assessments relate to "material" (weakness), "significant" (deficiency), and "inconsequential" ratings; relevant likelihood levels include only "remote" and "more than remote" ratings. With ERM, however, organizations must consider a full range of impacts--including outcomes that are nonfinancial in nature--as well as a full range of likelihood levels. ERM also requires a much more granular assessment of risk than Section 404, and projects may include multiyear time horizons, compared to the one-year Section 404 assessments.


In light of these differences, risk assessment for ERM projects represents a giant leap when compared to Section 404. The universe of potential business risks is much more expansive than financial reporting risks. In addition, the organization's consideration of controls must be assessed to determine residual risk, which then should be compared against management's risk tolerance to identify areas of greatest focus and concern. These activities are more time consuming, at least the first time through, than Section 404 risk assessments. Some of the specific steps needed to bridge the risk assessment gap between Section 404 and ERM include:


* Conducting a comprehensive risk assessment and ensuring the assessment considers inherent, residual, and tolerable risk.


* Considering the interrelationships among risks to better understand how the occurrence of one risk may cause or impact the occurrence of other risks.


* Identifying risk owners for each risk to establish responsibility and accountability.


* Creating a company-specific risk model to help communicate risks throughout the organization.


Armed with a comprehensive, sufficiently assessed risk universe, the organization should be well-positioned to evaluate how best to manage its key business risks.


RISK RESPONSE COSO ERM indicates that management should identify risk response options and develop actions that align with the organization's risk tolerances and risk appetite. Responses include avoiding, accepting, reducing, or sharing risk.


Under Section 404, a company's options for responding to risks are more limited. The primary objective is to eliminate residual risk or reduce it to an inconsequential level. Although circumstances may exist where risk can be transferred (or shared), this option may create additional challenges, such as the need for a Statement on Auditing Standards No. 70 (SAS 70) report from the vendor with whom the risk is shared. Other situations may merit risk acceptance, such as when the cost of remediation exceeds the residual risk, but this response must be used sparingly to prevent the risks from becoming significant or material in aggregate.


All four response options may be viable under ERM, in addition to exploiting certain risks or opportunities, as a means of gaining competitive advantage. Companies can select the best risk response based on their overall risk appetite. And unlike Section 404, which requires risk reduction efforts and aggregation to be effective by year-end, ERM risk responses are not bound by the calendar year.


Despite the differences in this area, activities required within the risk response component represent a small step when moving from Section 404 to ERM. And while ERM offers more risk response options, companies will already have been exposed to decisions related to reducing, sharing, and accepting risks under Section 404. To better address typical ERM risk response decisions, management should determine the current responses to each key risk and reassess whether these continue to represent the best options. Management should also evaluate opportunities to aggregate risk responses and identify risk exploitation opportunities, or risk areas where the company has a competitive advantage and may be able to create value by taking on more risk.


CONTROL ACTIVITIES In its definition of control activities, COSO ERM states, "Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out." Control activities may include approvals, recalculations, supervision, monitoring, segregation of duties, and access restrictions. ERM requires evaluation of all controls necessary to assure the achievement of business objectives.


Under Section 404, companies need only evaluate key controls that address risks to the financial statement assertions. Moreover, the controls must operate effectively only at year-end, whereas ERM-related control activities may need to be effective throughout the year.


To some extent, Section 404 encourages a pass/fail mentality, where internal control quality is viewed as less important. It merely requires that controls provide reasonable assurance that the financial statements do not contain material misstatements. Under ERM, however, the quality of controls may impact the degree to which a company achieves its objectives, as well as its overall success as a business.


Still, control activity efforts require only a small step to advance from Section 404 to COSO ERM requirements. Section 404 has given companies extensive experience designing and executing control activities. And while the nature and timing of ERM control activities may be different, leveraging and building on Section 404 controls should not prove too difficult. Additional steps required to make the transition may include documenting the control activities designed to manage/mitigate each key business risk and incorporating Section 404 control activities into this analysis to ensure the company has a complete database of risks and controls. In addition, the company's risk management capabilities may need to be evaluated for each key risk, focusing on the maturity of key controls, not just whether they pass or fail.


INFORMATION AND COMMUNICATION, MONITORING According to COSO ERM, pertinent information needs to be identified, captured, and communicated in a way that enables personnel to perform their responsibilities. Effective communication must occur in a broader sense as well, COSO adds, with information flowing down, across, and up the organization. In its discussion of the framework's Monitoring component, COSO says, "The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both." In other words, sustainable ERM requires necessary information to be available to the right people at the right times, and risk management activities need to be monitored to ensure ongoing effectiveness.


Under COSO ERM, risk owners need to monitor both the occurrence of risk events (the past) and the emergence of risks (the future). Communications to the board must be sufficient to enable its members to exercise their governance responsibilities. The framework also specifies that communication should focus on the needs of the business, which may require information to be available to risk owners monthly, weekly, or even daily.


By contrast, Section 404 work focuses mainly on quarterly monitoring activities that help ensure control effectiveness and identify any material changes. Although this effort also requires effective communication and control environment monitoring, these activities are more limited and less frequent compared to ERM implementations.


When building on the foundation of Section 404 work, information and communication activities represent a small step to ERM. To successfully comply with Section 404, a company must implement effective communication techniques and ensure the necessary information flows up, down, and across the organization. While such communications may be more extensive and frequent under ERM, the work completed during Section 404 compliance--including communications with the board and audit committee--should provide an ample starting point.


Monitoring activities, however, may require a greater leap for most companies. Although many firms have established monitoring techniques for Section 404, effective ERM requires extensive continuous monitoring to track and address risk incidents that may cause immediate threats to business objectives. If a company has experienced an environmental incident, for example, management cannot wait until quarter-end to determine how to deal with it--the risk must be handled immediately. Without appropriate monitoring techniques, companies will likely find it more difficult to sustain ERM efforts.


In the areas of information and communication, and monitoring, companies will likely need to take the following steps when leveraging their Section 404 efforts:


* Determine the nature, extent, and timing of communications with the board regarding the effectiveness of risk management activities.


* Determine the nature, extent, and timing of communications between risk owners and senior management.


* Develop continuous monitoring techniques to help the company identify risk occurrences and react in a timely manner to minimize the impact of such occurrences.


* Define the role and responsibilities of internal auditing, focusing on obtaining an appropriate balance between assurance and risk consulting activities.


* Ensure integration of ERM with quarterly Sarbanes-Oxley activities.


Although companies can easily lose momentum when implementing ERM, success in these final stages will help ensure the initiative's long-term sustainability and success.


A DIFFICULT JOURNEY


While the road from Section 404 to ERM requires several giant leaps, the most difficult challenge does not lie within specific ERM processes. Instead, it involves obtaining the buy-in and companywide motivation necessary to initiate an ERM program. Companies subject to Sarbanes-Oxley have to comply with Section 404 requirements, but they must want to do ERM. The lack of a compliance requirement separates wishful thinkers from those committed to using ERM to establish competitive advantage and further value creation. For those companies falling within this second category, Section 404 can serve as an effective springboard. Let the journey begin.


To comment on this article, e-mail the author at psobel@theiia.org.

PAUL J. SOBEL, CIA, CPA

VICE PRESIDENT, INTERNAL AUDIT

MIRANT CORP.

ILLUSTRATION BY DOUG ROSS


RELATED ARTICLE: Linking Section 404 to COSO ERM


Several key Section 404 activities coincide with elements of COSO's Enterprise Risk Management-Integrated Framework. The ERM cube below illustrates how these activities are embedded in the framework's eight components. More specifically, the Sarbanes-Oxley activities link to COSO ERM as follows:


* Evaluate and test control environment. As part of the Section 404 evaluation of entity-level controls, a company must evaluate and test controls related to the control environment, as defined, for example, in COSO's Internal Control-Integrated Framework. Many companies have created questionnaires or checklists to help evaluate the effectiveness of entity-level controls. These controls also constitute a key part of COSO ERM's Internal Environment component.


* Comply with regulations; establish materiality and significance. The primary objective associated with Section 404 is compliance with pertinent SEC regulations. In addition, companies must determine levels of materiality and significance--their objectives typically include ensuring that no material weaknesses, and few if any significant deficiencies, exist at year-end. These objectives are embedded in the Objective Setting component of COSO ERM.


* Identify scope and risks to achieving assertions. Many of the company's accounts, processes, and locations can fall outside the scope of a Section 404 project, and each item's impact on the financial statements must be assessed. Moreover, the company's opinion on internal control effectiveness over financial reporting is based on whether each of the financial statement assertions has been achieved. Although a variety of risks might impact the achievement of those assertions, only the key risks--those that might individually or in aggregate prevent that achievement--must be evaluated. Determining Section 404 project scope and identifying key risks follow the same methodology found within COSO ERM's Risk Assessment component. When implementing the ERM framework, companies must focus their efforts by determining which business risks should be included in the project's scope.


[ILLUSTRATION OMITTED]


* Remedy or accept deficiency. Companies have two choices once they identify a financial reporting deficiency: Remedy the deficiency or live with the risk at year-end. This decision corresponds to considerations involved in the Risk Response component of COSO ERM, where companies have various options to examine when determining how to address risks.


* Evaluate controls. Evaluating control design and testing for control effectiveness are key Section 404 activities. Both of these processes are embedded in COSO ERM's Control Activities component. Accordingly, companies execute controls aimed at mitigating risk to an acceptable level.


* Compile results. An organization's opinion on the effectiveness of internal controls is made at the companywide (or SEC-registrant) level. However, many of the individual activities associated with developing that opinion may be carried out at the distributed-process or location level. To assess overall internal control effectiveness, a company must therefore receive information on the results of design evaluations and testing from various processes and locations, and assess those results at the registrant level. COSO ERM's Information and Communication component also includes this type of activity. To evaluate risk impact enterprisewide, companies must compile risk information from all areas of the company.


* Monitor quarterly. Section 302 of Sarbanes-Oxley requires companies to perform a quarterly assessment of disclosure controls. Because this process typically involves subcertification activities, many companies are combining their Section 404 control evaluations with the Section 302 compliance process. This form of interim evaluation is embedded in COSO ERM's Monitoring component, where key enterprise risk monitoring occurs on a periodic basis.


COPYRIGHT 2006 Institute of Internal Auditors, Inc.
COPYRIGHT 2006 Gale Group