Printed from BusinessInsurance.com

ERM creates a stable base for Sarbanes-Oxley compliance

Posted On: Aug. 10, 2008 12:00 AM CST

Sarbanes-Oxley isn't new. But judging by the way most CFOs still treat financial controls, you'd think the ink wasn't even dry on the Sarbanes-Oxley Act. CFOs have had years to adapt, but still face big risks of material financial misstatements.

A bottom-up, control-based approach usually results in excessive costs, massive inefficiencies, a false sense of security and a major distraction from business.

Companies must pioneer a true risk-based approach and sidestep the controls- and compliance-focused approach most use today. And they must do it quickly, with a comprehensive enterprise risk management system that ensures a repeatable, sustainable risk-based methodology and process. That system can reduce external audit hours by 30% to 60% while improving corporate decision making.

If the early-filers' history repeats itself, more than 11% of companies with financial reporting and compliance programs will be found to have material weaknesses. And about 86% of material weaknesses will be discovered not by management or consultants but by external auditors.

The consequences are real. Companies affected see a drop of more than 4% in stock price and a 150%-plus jump in ongoing external audit fees, and their CFOs face a 62% likelihood of being replaced.

As problems like these mount, CFOs are beginning to realize that an ERM-based SOX effort works much better than a controls-based SOX effort or an ad hoc approach to risk. The problem with the SOX compliance approach used by most organizations is that it focuses on controlling symptoms of material weakness rather than the root cause of problems. That results in the destruction of business value as a byproduct of compliance.

The chorus of calls for a consistent risk-based approach is growing.

The Public Company Accounting Oversight Board's Audit Standard 5 guidance prescribes a risk-based approach. But simply talking about risk is not enough. The financial reporting compliance process and systems most organizations use must be overhauled to be truly successful.

You need to do more than just adopt an ad hoc risk-based approach. The only way to realize all the benefits of a risk-based approach is with a formalized ERM governance framework.

Multiple but distinct levels of top-down risk assessments can best qualify and quantify the scope of activity.

For example, five levels address entitywide controls, significant accounts and disclosures, ranking of process risks, separate risk-based scoping of information technology general and application controls, and comprehensive assessment of risk by process owners.

Activities determined to have low significance in each of the successive five levels suggest where internal and external scope of work can be reduced, while providing systematic and objective documentation to justify decisions. Robust scoping leads to a more efficient and effective control environment.

Most companies have sophisticated general ledger accounting systems to manage the effects of risk. But most lack ERM systems to track risk's root causes and to connect these root causes to the effects in their financial systems.

The right technology infrastructure makes it easy to present results of robust analyses of five different levels, rolled up into one consolidated "bang for the buck" number. Sustaining these kinds of analyses simply would not be feasible using spreadsheets alone.

Chief financial and risk officers must choose a platform that integrates SOX alongside business activities, while managing the diverse set of risks under a single enterprisewide risk management umbrella. This enables management to compare SOX risks to other risks on the same scale, improving overall business.

Steven Minsky is chief executive officer and founder of LogicManager Inc., a Boston-based provider of enterprise risk management software for governance, risk and control.