Enterprise Risk Management

SOX: Friend or foe?

Corporations can gain a competitive advantage by moving from SOX compliance to ERM

By Michael J. Moody, MBA, ARM


Corporations can either choose to continue to provide perfunctory, internal SOX 404 compliance controls or they can take a more forward looking approach and move in a strategic direction by embedding ERM into the corporate culture.

The Sarbanes-Oxley Act of 2002 (SOX) has now been in place for a little more than two years. Congress passed SOX in response to an increasing number of corporate wrongdoing cases against officers and directors of some of Wall Street’s most visible companies. Without question, SOX is the most comprehensive white-collar criminal legislation ever passed in the United States. It was specifically designed to address a wide range of problems that had been occurring in corporate America. Among the most important aspects of the Act are requirements that deal with everything from altering financial statements to misleading auditors to intimidating whistle blowers—and everything in between. Corporate officers and directors soon found out that SOX would be a watershed event in the evolution of corporate governance.

Although interest in corporate governance started in the early 1960s when investors questioned how well corporate conglomerates were being managed, it had rarely attracted significant attention. But that all changed in 2002. First, the news of Wall Street darling Enron caused well-publicized investor outrage at the company and its auditors. This was followed closely by the misstatement of revenues from Global Crossing. But it was the $3.8 billion of accounting irregularities at telecom giant WorldCom that finally got Congress to act. President Bush signed the bill into law on July 30, 2002, and corporate America has not been the same since. As a result of the passage of the landmark legislation, corporate governance was placed on the front burner of all publicly owned corporations.

SOX 404

SOX is extremely broad in its scope, and touches on many of the aspects of a public company’s financial dealings. However, the one item that has stood out for many corporate executives is the Section 404 requirements. In essence, this portion of SOX states that the primary corporate officers (CEOs and CFOs) must comment on the company’s efforts regarding internal controls. As such, the annual financial report must affirm that it is the responsibility of management to establish and maintain an adequate internal control structure and procedures for proper recording of the financial condition of the organization. Further, it must also contain an assessment as to the effectiveness of these controls. Failure to comply with these provisions can result in harsh personal financial penalties as well as possible jail time. Prosecution of corporate officers from both Enron and WorldCom has proven the seriousness of this aspect of the Act.

Needless to say, corporate America has been spending massive amounts of time and money in an attempt to comply with the SOX regulations. For most financial executives, compliance with the massive scope of the Act required a blueprint; and many turned for guidance to the authoritative “Internal Control - Integrated Framework” produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). While this document has been in publication since 1991, it quickly became the de facto template for how companies should comply with the 404 requirements. This report has now been used by many organizations as the basis for their reporting under Section 404 of SOX, and many outside auditors and consultants frequently cite it as the definitive guide to 404 compliance.

A fork in the road

Most corporate financial executives have been burning the midnight oil over the past few years to bring their companies up to compliance with SOX, and for the most part they have been successful in doing so. While some corporations have had to restate their financials, most have received a clean bill of health. But now corporations are entering a critical time, because they need to turn their initial year’s project management efforts into an ongoing process management approach. This change can typically be accomplished in one of two ways: Corporations can either choose to continue to provide perfunctory, internal SOX 404 compliance controls or they can take a more forward-looking approach and move in a strategic direction by embedding enterprise risk management into the corporate culture.

On the surface, it may appear that it’s a major jump to go from SOX 404 compliance to an enterprise risk management (ERM) culture; however, it is not. In fact, the recently released “Enterprise Risk Management - Integrated Framework,” the groundbreaking ERM implementation publication, was also a COSO document. Further, both documents, the Internal Control Framework and the ERM Framework, have been written for COSO by PricewaterhouseCoopers and both share significant amounts of information and application. The ERM Framework is fully aligned with the Internal Control Framework.

To be sure, there are significant differences between the two concepts. First, it should be noted that SOX is an externally driven law that focuses on the many details of financial reporting and the demands of annual compliance. It requires the documentation and confirmation that many financial controls are implemented and functioning as required, and it also carries the risk of criminal punishment for officers and directors who fail to comply with the Act. On the other hand, ERM is internally driven and focuses on the big-picture risks a corporation faces. ERM is by design a “top of the wave” type program that assists an organization by identifying and managing its most significant exposures.

But both sets of frameworks also share many similarities. Most significant is that both focus their attention on a holistic view of the organization. Additionally, both are designed to spread risk management responsibility throughout the entire organization. And since the information that is gathered as a part of the SOX compliance is done on a company-wide basis, it can serve equally well as a starting point for the ERM program. As corporations begin to establish their strategies for another year of SOX compliance, they need to realize that those that remain committed to the compliance approach will gain little, if any, competitive advantage from all of their work and effort. It is only by moving to a higher level of management oversight through an ERM program, one that considers the entire organization’s risk portfolio, that they can gain any major competitive advantages.

Conclusion

There is little doubt that ERM is a good idea; however, it currently appears that compliance in general, and specifically SOX 404 compliance, is the driving force behind today’s renewed interest in corporate governance and transparency. As an example, more and more major consulting firms are beginning to group the functional responsibilities of governance, risk management and compliance into a single discipline. Organizations should look at this alignment and observe the similarity of the SOX requirements, as noted in the Internal Control Framework, to those in the ERM Framework. Together, these two concepts can create a “best-in-class” enterprise risk management program and provide the competitive advantages that corporations are looking for.
