The PCAOB Board's approval on May 23rd of the overhaul of the Sarbanes-Oxley legislation has profound significance for the credibility of Enterprise Risk Management as a discipline and for its charter for action within organizations. For nearly a decade, big compliance software and consulting firms have been profiting from a "Compliance First" approach. Rather than evaluating priorities, this approach treats all controls and mitigation activities as equally significant regardless of materiality. Fear, uncertainty and doubt are the tools of compliance that have held a gun to management's head in setting priorities and the agenda.
The new PCAOB rule recognizes the overly burdensome effect of this approach and opens the door to significantly reducing SOX 404 external and internal costs. The new regulation states in clear terms that this is to be achieved by making management, not consultants, responsible for determining which risks are material and for focusing resources accordingly.
Now that we are set free, the issue correctly shifts to the more important questions: how is materiality decided? How is a consistent standard developed and applied? What is the scope of a remediation effort? Most importantly, how does business value become part of the equation? Enterprise Risk Management is the decision support framework that brings objectivity and consistency to answering these questions and provides the "how to" for implementing this new guidance.
According to Harvey Pitt, former chairman of the SEC, "Financial statement risk management is but a subset of enterprise wide risk management. If management implements a comprehensive enterprise-wide risk management approach, the danger of material errors in financial statements will be vastly reduced." Enterprise Risk Management as a discipline offers a common methodology, governance and framework that cuts across business silos and prioritizes efforts. Typical savings in external audit fees are estimated to be in the 30-60% range.
Enterprise Risk Management provides several tiers for evaluating risks at increasingly granular levels, determining which risks are most significant and which mitigation activities have the most "bang for the buck" in terms of impact, likelihood and effectiveness. These levels of increasing granularity are entity, business unit, process, account and mitigation activity. Evaluations at each level filter out low-risk threats based on consistent and objective criteria.
The "top-down, risk-based" approach of Enterprise Risk Management empowers managers to use their expertise to address not only risks to financial reporting but also the strategic, security and business continuity aspects. For example, entity-wide control evaluations can be turned from a required "check box" activity into a real linkage with process-based, activity-level controls, helping management understand the connection between principles and action.
In the ERM approach, mitigating activity becomes a strategic activity in support of corporate objectives and brings an agility that is a competitive advantage for early adopters. In this way, the new guidance paves the way not only for reducing external audit fees, but also for right-sizing the resources applied to testing and documentation while bringing business value-added activities into scope at the same time.