Balancing Risk and Control Approaches for Sarbanes-Oxley Compliance
Cooling Down the Hot Issues

By Paul A. Sharman

E-mail Story Print Story

These changes seem like a good idea in theory, and the Institute of Management Accountants (IMA) applauds the SEC and PCAOB for making a move in the right direction. A closer look at the drafts, however, reveals that they continue to be problematic. Businesses still have no practical guidance on how to implement a risk-based framework. Despite their best attempts, the SEC and PCAOB would, in effect, perpetuate a regulatory regime with high cost and massive inefficiency without significantly improving investor protection.
Reading through the hundreds of pages of the PCAOB and SEC proposal brings three questions to mind:

• Exactly what are the characteristics of risk- and control-based approaches?
• Are they really fundamentally different?
• Are the new approaches really risk-based within the broader context?

In considering the different approaches the SEC and PCAOB are proposing (risk versus control), it may be helpful to make a simple comparison in a more familiar context. A risk-based approach to home fire safety, for example, involves identifying all potential sources of fire and learning as much as possible about the risks. This involves identifying root causes of failure as a first step in risk management. Extensive statistics are publicly available on the root causes of fire in the home. No such statistics are readily available on the root causes of SOX deficiencies. This is a significant flaw in the control-based approach to SOX.

A control-based approach to fire safety would focus on mitigation measures, including taking all imaginable precautions against any sort of fire, regardless of its root cause. Extending this rationale, smoke detectors and fire extinguishers would be placed in every room in the home, and inspected regularly. Pure control-based approaches do not address the root cause of the risk; rather, they consider the risk of a control failing.

Which Produces Better Results?

Both risk- and control-based approaches seek to achieve the same goal, with different approaches to implementation. Risk-based approaches require rigor to ensure that all risks to achieving the end objective are identified and analyzed, then controls are put in place to mitigate or minimize the risk to an acceptable, “tolerable” level. Control-based approaches, on the other hand, often overemphasize the control (the smoke alarm in every room) versus starting with the risks (presence of combustible materials or putting an extra alarm only where there is higher risk of fire).

Balance, Not Bias, Between Approaches

Both the newly proposed audit standard and the proposed SEC interpretive guidance seem to imply a rebalancing between risk and controls (more of the former, less of the latter). In reality, both continue to emphasize controls over risks and both gather far more information about controls versus risks. Neither the SEC nor PCAOB proposals are risk-based by any broader general standard, and they remain too audit- and control-centric to be cost-effective. The root causes of SOX deficiencies must first be clearly understood through better risk assessment. To help cool down the burning SOX compliance issues—just as to prevent a fire in one’s home—balance, not bias, between risk (assessment) and controls (mitigation), is needed.

©2008 The New York State Society of CPAs. Legal Notices