Balancing Risk and Control Approaches for Sarbanes-Oxley Compliance
Cooling Down the Hot Issues

By Paul A. Sharman

JUNE 2007 - After much criticism and debate over the best approach to regulating business, the Public Company Accounting Oversight Board (PCAOB) in December 2006 proposed a new audit standard for implementing section 404 of the Sarbanes-Oxley Act (SOX). Concurrently, the SEC introduced interpretive guidance for management’s assessment of internal control. Both exposure drafts promise change through a risk-based approach.

These changes seem like a good idea in theory, and the Institute of Management Accountants (IMA) applauds the SEC and PCAOB for making a move in the right direction. A closer look at the drafts, however, reveals that they remain problematic. Businesses still have no practical guidance on how to implement a risk-based framework. Despite their best efforts, the SEC and PCAOB would, in effect, perpetuate a regulatory regime of high cost and massive inefficiency without significantly improving investor protection.

Reading through the hundreds of pages of the PCAOB and SEC proposals brings three questions to mind:

  • Exactly what are the characteristics of risk- and control-based approaches?
  • Are they really fundamentally different?
  • Are the new approaches really risk-based within the broader context?

In considering the different approaches the SEC and PCAOB are proposing (risk versus control), it may be helpful to make a simple comparison in a more familiar context. A risk-based approach to home fire safety, for example, involves identifying all potential sources of fire and learning as much as possible about the risks. Identifying root causes of failure is the first step in risk management. Extensive statistics are publicly available on the root causes of fire in the home. No comparable statistics are readily available on the root causes of SOX deficiencies, and that gap is a significant flaw in the current, control-based approach to SOX.

A control-based approach to fire safety would focus on mitigation measures, including taking all imaginable precautions against any sort of fire, regardless of its root cause. Extending this rationale, smoke detectors and fire extinguishers would be placed in every room in the home, and inspected regularly. Pure control-based approaches do not address the root cause of the risk; rather, they consider the risk of a control failing.

Which Produces Better Results?

Both risk- and control-based approaches seek to achieve the same goal, with different approaches to implementation. Risk-based approaches require rigor to ensure that all risks to achieving the end objective are identified and analyzed, then controls are put in place to mitigate or minimize the risk to an acceptable, “tolerable” level. Control-based approaches, on the other hand, often overemphasize the control (the smoke alarm in every room) versus starting with the risks (presence of combustible materials or putting an extra alarm only where there is higher risk of fire).

Balance, Not Bias, Between Approaches

Both the newly proposed audit standard and the proposed SEC interpretive guidance seem to imply a rebalancing between risk and controls (more of the former, less of the latter). In reality, both continue to emphasize controls over risks, and both gather far more information about controls than about risks. Neither the SEC's nor the PCAOB's proposal is risk-based by any broader general standard, and both remain too audit- and control-centric to be cost-effective. The root causes of SOX deficiencies must first be clearly understood through better risk assessment. To help cool down the burning SOX compliance issues, just as to prevent a fire in one's home, balance, not bias, between risk (assessment) and controls (mitigation) is needed.

Paul A. Sharman, ACMA, is president and CEO of the Institute of Management Accountants, headquartered in Montvale, N.J.