Leveraging SOX Risk Assessment Practices for Better ERM
This article is part one of a three-part series written in partnership with MISTI, recognizing the 15th anniversary of the Sarbanes-Oxley Act.
When Sarbanes-Oxley compliance arrived in the 2000s, many companies were forced for the first time to assess financial reporting risks and develop stronger internal controls to manage them. Little surprise, then, that as companies went through the experience, some senior executives would ask whether that meant the company was “doing ERM.”
The short answer is no; SOX compliance only addresses financial reporting risks. Enterprise risk management is another level of complexity.
The more thoughtful answer, however, is closer to “not really”—but effective SOX compliance does give companies a leg up to get there.
Now, 15 years into the SOX compliance era, even more boards, CEOs, and risk managers want to leverage all that investment and spring into ERM. The time and money spent on analysis of business processes, streamlining controls, assessing risk, managing audits—what foundation does it lay to help corporations keep a stronger grip on other risks and compliance obligations, beyond SOX?
A solid one, in several ways.
First, remember that the Sarbanes-Oxley Act compelled the audit committee to take more responsibility for risk management. Sure, in the first few years of SOX compliance, those audit committees dwelled on the details of financial reporting risk and what should be in scope for a SOX audit. Arlene Nelson, a principal at Primary Process Controls in Houston, describes the “basic fire drill” of SOX compliance in the 2000s as “let’s get what we can, identify it, put some controls in there, and get the message out.”
For many companies, those growing pains have passed. New issues have crowded onto the audit committee’s plate—and the art of managing those issues bears strong resemblance to earlier SOX challenges around internal control over financial reporting. The risk assessment techniques honed under SOX can apply here, to improve an organization’s management of enterprise risks.
Map It Out
The key step for any SOX risk assessment is to understand the business process in question: to map it out, using flowcharts or narratives that break down a process into its component parts, and identify all the risks along the way. Risks for what? In a SOX risk assessment, risk for material misstatement of financial results. For enterprise risk management, the risks can be much more diverse. But the steps are the same, and even the tools can be the same.
Take the rise of cloud-based data storage providers as one example. Most business executives in the operating units do grasp that service providers can pose serious risks. They use service providers anyway. The question is how they find and use the providers, and what that means for risk.
If the answer is some version of “employee finds vendor via Google search, begins storing company data in cloud after $9.95 charge”—that speaks volumes about the risks the company has (data security and data privacy, to name only two), and the types of controls that the organization will need to add.
Or consider anti-bribery risks from the Foreign Corrupt Practices Act. Most of the enforcement risk comes from third parties acting on a company’s behalf in overseas markets. Therefore a risk assurance team examining FCPA risks will want to understand the company’s process to find third parties and bring them into its extended enterprise.
Finding the process owner, understanding the process, flagging risks to each step of the process: those are time-honored ways of unpacking a risk into its component parts.
Consider the Controls, Entity or Otherwise
After a risk is mapped out, a next logical step is to identify entity-level controls that address it, and lower-level controls at the transactional level to reduce the risk if the entity-level controls don’t work.
Let’s return to anti-bribery risks. Entity-level controls might include clear policies against using resellers or agents in emerging markets where any of the principals are “politically exposed persons.” It could require the use of an outside service that performs background checks on third-parties overseas. The company might even structure its operations to avoid using agents entirely in high-risk countries.
A sophisticated risk assessment, however, must consider what other controls can backstop that risk, should the entity-level exhortations against bribery fail. At the transactional level, such a control might be policy that all payments to third parties in emerging markets must be approved by a business unit president; or all payments to third parties in high-risk countries are held until the party certifies anti-bribery training.
Another example could come from supply chain management. Say the objective is “avoid sourcing any components made by slave labor or human trafficking.” Entity-level controls could include training procurement managers on how slave labor typically works in emerging markets, so they know what red flags to monitor; plus a suppliers Code of Conduct that requires them to certify their goods as slave-labor free. Transaction-level controls could include regular audits of critical suppliers, to ensure that none might cause business interruption if they turn out to use slave labor and are dropped from the supply chain suddenly.
Regardless of the specific enterprise risk, the steps to assess it are the same that exist for SOX: assess entity-level controls; see if their design fits the risk in question; consider what other controls at the transactional level can achieve the same objective, if the entity-level control is insufficient.
Tie in the Evidence
After assessing risks and identifying the entity-levels and transactional controls to address them, the other critical task for SOX compliance is to audit their effectiveness. That means determining what tests or audits to perform, when to perform them, and what evidence to collect and document.
For audit and internal control executives, this is a process challenge: how do I audit all this, to gain the assurance the organization needs about the risk? Which locations require independent testing, and which can make do with self-assessments and reporting? How do I take the results and report them to the proper business executives in the proper ways? The evidence required for each of those questions arises from the risks defined in earlier phases. For example, which locations require independent testing? The ones with the most reliance on foreign agents to resell the company’s products. Where can we rely on self-assessments? In places with senior executives who receive extensive training, who oversee processes with low regulatory enforcement concerns.
Those questions hold true of any risk management effort, well beyond SOX and financial reporting risks. Technology helps immensely; documenting evidence in a spreadsheet is just as tedious and error-prone for sustainability, anti-bribery, or supply chain availability, as it is for financial reporting.
Simplify
Most companies learned Sarbanes-Oxley compliance the hard way in the 2000s, through exhaustive, manual testing and documentation of financial controls. Then came the push to simplify internal controls down to fewer, more key controls; and simpler, more automated processes, both to reduce compliance burdens placed upon process owners and to accelerate the testing and documentation work done by auditors.
One prosaic example: certifications from business process owners that, yes, they have tested the controls assigned to them and that all controls work efficiently. Once upon a time, SOX compliance teams chased those certifications via email, collecting and documenting the replies in a spreadsheet. Some companies may still do that.
A more modern approach is to use web-based certifications, where each process owner has a unique URL he or she visits to submit a certification. That accelerates the process of gathering self-assessments: no more manual chasing process-owners missing certifications, no more double-checking that they didn’t alter the form of the assessment. In turn, the risk assurance team now has more time to analyze data from those self-assessments (How many admit deficient controls? How many don’t include appropriate evidence?) or even to analyze risks that emerge from the self-assessment process itself (Why does the Texas office always submit assessments exactly two weeks late?).
Remember the Humans
Those innovations in simplification, automation, reporting—they work irrespective of the risk in question. They are advances in tools and process. They can apply to all sorts of risk that an enterprise wants to assess and manage. Plenty of vendors offer technology and advice to help organizations tackle that end of risk management effectively.
The most difficult part of managing risks, financial or otherwise, is people. The biggest challenge for risk assurance executives is simply to have the right conversations with the right people, from the audit committee to the 1st Line of Defense business executives, to process owners further down the chain of command.
Audit committee members might understand industry risks, but not transactional risks. Process owners in one function (say, sales) might know how to circumvent internal controls in another (procurement, trying to block unauthorized vendors). People know when an objective doesn’t make sense, when entity-level policy doesn’t address their daily business concerns, and when transactional-level controls don’t work as designed.
Those truths became painfully apparent in the early years of SOX compliance. The best practices to manage them have improved immensely since SOX arrived in 15 years, and those practices can be applied to the wide range of enterprise risks that weigh on boards’ and CEOs’ minds today.
Which is good news, because the complex, interconnected risk environment for organizations today will only get even more complex from here.
Matt Kelly is the founder of Radical Compliance, which provides consulting and commentary on corporate compliance, audit, governance, and risk management. Kelly is also the former Editor and Publisher of Compliance Week.