
Not every management is throwing up its hands and assuming they will not see savings from AS5 this year. Alfa Corp. has installed a new ERM solution with which it will go to battle with any auditor who challenges Alfa’s ability to quantify and prioritize risk.
By Dave Lindorff, Treasury and Risk, February 2008
Connie Whitecotton, chief risk and compliance officer at Alfa Corp., slashed external audit hours by 60%, bringing total 404 compliance costs for Alfa way down. Her secret was to shift from simply achieving compliance on 404 to a 404 audit based on the enterprise risk management (ERM) program she was implementing. Enter LogicManager, with a platform that company CEO Steve Minsky says not only identifies risks, but also assesses whether each risk is material, evaluates which risks require action, determines how to mitigate risk and then monitors the process of mitigation.
“Now, we can prioritize risk factors,” says Whitecotton, “and then it becomes a matter of negotiating with auditors.” With management pointing the way to key material risks, all documented by LogicManager, the incentive is for the auditor to focus on those areas and keep costs down. Alfa’s system is working so well that Whitecotton managed to negotiate a fixed-fee contract with her auditors.
To achieve benefits, companies have to rejigger the way they assess risks, away from the checklist of controls in place and towards a prioritization of risks that matter. “Companies should be aggregating risks from the top down, but in practice they’re aggregating them from the bottom up, and are mitigating against risks that aren’t important,” says John Hagerty, vice president at AMR Research Inc.
The top-down approach is exactly what the Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) mandated when they replaced the documentation-oriented, compliance-based Auditing Standard 2 (AS2) with the more risk management-based AS5. The new rule, which took effect for larger companies with fiscal years that ended after Nov. 15, 2007, specifically calls for management-driven audits that reserve rigorous testing for higher-risk controls. Management, however, must be able to prove to auditors that risks are, or are not, material to move to this type of audit. “Unless management takes the bull by the horns and goes in and really assesses where the material risks are and takes the lead, companies are not going to see the advantage from AS5 for years,” Whitecotton insists.
There are processes that a company can implement to get that documentation, but many experts recommend finding risk assessment software to facilitate the effort and ensure the company’s ability to maintain real-time data to track current risk exposure. “It definitely makes sense to use ERM as a framework to simplify expenses and focus on specific risks, and we’re starting to see a lot of companies doing that,” says Keith Webster, managing director at Dun & Bradstreet’s Enterprise Risk and Compliance unit.
Go to www.treasuryandrisk.com for the full story.