A Risk Based Approach to SOX

Created: 05 Oct 2012
The effectiveness of internal control systems is now an issue for public policy and formal law. Section 404 of the Sarbanes-Oxley law is aimed at helping companies prevent financial reporting mistakes and fraud. The rule requires companies to include in their annual reports:

  • A statement of management's responsibility for establishing and maintaining "adequate" controls over financial reporting
  • Management's assessment of the effectiveness of the company's internal controls
  • A statement identifying the framework used by management to evaluate the effectiveness
  • An auditor's report on management's evaluation of internal controls
  • Any material weaknesses identified in the internal controls review

While the rule only requires companies to disclose material weaknesses in their annual reports, many companies have begun alerting investors about deficiencies and potential problems. The rule is intended as a disclosure mechanism to alert investors about problems, but companies could face SEC action if they report serious deficiencies or if they fail to disclose serious shortcomings. "The internal control disclosure requirement has the potential to provide the greatest long-term benefit in financial reporting," said Alan Beller, SEC's director of corporation finance.

Good corporate governance will depend on the effective management of internal controls and on the availability, confidentiality, and integrity of information. Corporate reputation, brand preservation, and financial results all depend on the defense of business processes and on compliance. Current PCAOB guidelines call for companies to develop internal controls based on risk management considerations. Moreover, the costs of protections should be proportionate to the consequences they prevent or the other benefits they bring to the business.

The risk-based internal control system has become an increasingly significant regulatory object. Regulatory incentives exist to have ‘good’ internal controls in a wide variety of areas: solvency and capital adequacy, health care, safety, environment, business continuity, teaching, waste management and so on. Organizational internal control systems have been made public, codified, standardized and repackaged as a blueprint for extending the reach of risk management. To lack internal controls, or to have a defective internal control system, is to fail as a legitimate organization.

The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually and most companies rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states: "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting." IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation, but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness. Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

In today’s global market and regulatory environment, IT controls are essential to protect assets, customers, partners, and sensitive information; to demonstrate safe, efficient, and ethical behavior; and to preserve brand, reputation, and trust. A risk-based approach provides the foundation for better, more informed decisions in the face of uncertainty, which increases control and governance of the organization.