Risk and Control Approaches for Sarbanes-Oxley Compliance
Cooling Down the Hot Issues
JUNE 2007
After much criticism and debate over the best approach to regulating
business, the Public Company Accounting Oversight Board (PCAOB)
in December 2006 proposed a new audit standard for implementing
section 404 of the Sarbanes-Oxley Act (SOX). Concurrently, the SEC
introduced interpretive guidance for management’s assessment
of internal control. Both exposure drafts promise change through
a risk-based approach.
These changes seem like a good idea in theory, and the Institute of
Management Accountants (IMA) applauds the SEC and PCAOB for making
a move in the right direction. A closer look at the drafts, however,
reveals that they continue to be problematic. Businesses still
have no practical guidance on how to implement a risk-based framework.
Despite their best attempts, the SEC and PCAOB would, in effect,
perpetuate a regulatory regime with high cost and massive inefficiency
without significantly improving investor protection.
Reading through the hundreds of pages of the PCAOB and SEC proposals
brings three questions to mind:
- What are the characteristics of risk- and control-based approaches?
- Are they really fundamentally different?
- Are the new approaches really risk-based within the broader context?
To understand the different approaches the SEC and PCAOB are proposing (risk
versus control), it may be helpful to make a simple comparison
in a more familiar context. A risk-based approach to home fire
safety, for example, involves identifying all potential sources
of fire and learning as much as possible about the risks. This
involves identifying root causes of failure as a first step in
risk management. Extensive statistics are publicly available on
the root causes of fire in the home. No such statistics are readily
available on the root causes of SOX deficiencies. This is a significant
flaw in the control-based approach to SOX.
A control-based approach to fire safety would focus on mitigation measures, including
taking all imaginable precautions against any sort of fire, regardless
of its root cause. Extending this rationale, smoke detectors and
fire extinguishers would be placed in every room in the home,
and inspected regularly. Pure control-based approaches do not
address the root cause of the risk; rather, they consider the
risk of a control failing.
Which Approach Produces Better Results?
Risk- and control-based approaches seek to achieve the same goal, with
different approaches to implementation. Risk-based approaches
require rigor to ensure that all risks to achieving the end objective
are identified and analyzed; controls are then put in place to
mitigate or minimize the risk to an acceptable, “tolerable” level.
Control-based approaches, on the other hand, often overemphasize the control
(the smoke alarm in every room) versus starting with the risks
(presence of combustible materials or putting an extra alarm only
where there is higher risk of fire).
Balance, Not Bias, Between Approaches
The newly proposed audit standard and the proposed SEC interpretive
guidance seem to imply a rebalancing between risk and controls
(more of the former, less of the latter). In reality, both continue
to emphasize controls over risks, and both gather far more information
about controls than about risks. Neither the SEC nor the PCAOB proposal
is risk-based by any broader general standard, and both remain
too audit- and control-centric to be cost-effective. The root
causes of SOX deficiencies must first be clearly understood through
better risk assessment. To help cool down the burning SOX compliance
issues—just as to prevent a fire in one’s home—balance,
not bias, between risk (assessment) and controls (mitigation),
A. Sharman, ACMA, is president and CEO of the Institute
of Management Accountants (www.imanet.org),
headquartered in Montvale, N.J.
The CPA Journal is broadly recognized as an outstanding, technically refereed
publication aimed at public practitioners, management, educators,
and other accounting professionals. It is edited by CPAs for CPAs.
The New York State Society of CPAs.