Myth vs. reality: Sarbanes-Oxley and ERM; A recent IIA Research Foundation study finds that most companies are not leveraging compliance efforts to implement enterprise risk management

Internal Auditor, April, 2007 by James Roth

AS COMPANIES AROUND THE WORLD STRUGGLE TO COMPLY with the U.S. Sarbanes-Oxley Act of 2002 or one of the growing list of regulations modeled after the law, they want to make sure that the resources they're expending benefit the business. Many of these companies are talking about expanding Sarbanes-Oxley compliance into enterprise risk management (ERM). On the surface, this seems like a natural progression. After all, Sarbanes-Oxley deals with financial reporting risks and controls; ERM deals with all risks and controls.

A recent IIA Research Foundation study, Four Approaches to Enterprise Risk Management ... and Opportunities in Sarbanes-Oxley Compliance, draws some surprising conclusions about the current state of ERM. The expansion from Sarbanes-Oxley to ERM is not happening--at least not yet. But companies that have implemented ERM have proven that the transition does not have to be the resource-intensive, somewhat academic exercise it is often presented to be.

The research consisted of an online survey, focus group discussions, and in-depth case studies. It began with three assumptions:

* Companies that are complying with Sarbanes-Oxley Section 404 have developed risk assessment tools that can support an ERM program.

* Companies with ERM in place have been able to integrate compliance with Section 404 or similar regulations into their existing ERM process.

* Organizations that want to expand Section 404 compliance into ERM will get professional guidance from The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management-Integrated Framework.

The results of the research suggest that these assumptions, while not entirely wrong, were not exactly correct either. Sarbanes-Oxley compliance can be a stepping stone to ERM, but not in the way, or to the extent, anticipated. Instead, the findings indicate that there are myths and realities regarding Sarbanes-Oxley compliance and ERM. At the same time, the study reveals that companies are taking a variety of approaches to implementing ERM.

MYTHS AND REALITIES

The ERM study's assumptions were based on what researchers were hearing from seminar participants, professional colleagues, and consulting firms. Although there may be organizations whose experience fully supports these assumptions, the fact that the study could not identify any such organizations strongly suggests that, if they exist, they are the exception, not the rule.

MYTH NO. 1: THE SARBANES-OXLEY SECTION 404 COMPLIANCE PROCESS AND TOOLS CAN BE EXPANDED INTO ERM. This assumption seems logical. If an organization has implemented all five components of COSO's Internal Control-Integrated Framework--control environment, risk assessment, control activities, information and communication, and monitoring--toward financial reporting objectives, risks, and controls, it should be able to apply the same process and tools to the other ERM objectives. All that remains is to ensure that objectives are aligned and aggregate the results of the detailed analyses into a portfolio view of risk. In fact, the most important component--the control environment--is the same for all objectives, so it should already be fully in place. Also, the process used to aggregate Section 404 testing results into the overall assertion on internal control over financial reporting should be a sound basis for the ERM aggregation process.

The 359 responses to the online survey confirmed that this assumption is a widely held belief. Of respondents whose organizations are Sarbanes-Oxley compliant, 76 percent at least intend to expand their efforts into ERM, including 25 percent who say they are in the process of doing so and 8 percent who say they are well along or fully implemented.

REALITY: ORGANIZATIONS HAVE NOT YET LINKED SARBANES-OXLEY COMPLIANCE AND ERM. A closer look at the organizations that reported they were well along or had fully implemented ERM revealed that some were using entirely different processes for the two efforts. It was only in the third year of Sarbanes-Oxley compliance that they were looking at ways to integrate the two.

According to the research, the main reason organizations haven't linked Section 404 compliance with ERM is that compliance has not been risk-based for most companies during the first two years. Instead, their driving motivation has been satisfying their external auditors that the organization's process for evaluating financial reporting controls is sound. Early on, the audit firms were not in a position to give their clients guidance on what would satisfy them because they had not received any guidance from the U.S. Public Company Accounting Oversight Board (PCAOB). The situation did not improve when the PCAOB produced that guidance in Auditing Standard No. 2 (AS2), because AS2 focused so heavily on documenting and testing control procedures that it tended to discourage, rather than encourage, a risk-based approach. Also, external audit firms were concerned that PCAOB examiners would find their work deficient if they did not do enough testing, which drove up audit fees and resulted in their clients doing more testing.
