Improve Risk Management
Pressure is increasing on businesses to improve risk management practices. This comes from a variety of sources, including regulators, credit rating agencies, and activist shareholders. Further, the subprime mortgage crisis which became apparent in 2007 has (arguably) exposed systemic risk management concerns.
The 2007 guidance from the SEC and PCAOB regarding SOX Section 404 established a comprehensive framework for conducting a “top-down” financial reporting risk assessment. For example, management is required to identify material misstatement risks and related controls, which then must be tested. (See the Case Study for details.)
Techniques used in top-down risk assessment are applicable to other risk categories. Under the COSO Enterprise Risk Management (ERM) framework, risks fall into strategic, operational, legal/regulatory, and financial reporting categories. SOX compliance implies substantial coverage of financial reporting risks. The SOX compliance process also provides a framework that relates processes, risks, and controls, and the network of managers involved, which can be used to help establish an ERM program.
Many companies also use SOX-compliance database software, which may also be useful for retaining risk information to support an ERM program and as an internal audit workflow tool. For example, as internal audits are completed, the amount of risk and control information expands in such a database, across all risk types.
In response to increased expectations around risk, many audit committees have expanded their scope to include overall risk management. With SOX efforts addressing financial reporting risks, they can focus more attention on strategic and operational risks. Some issuers have also created board risk committees to address non-financial reporting matters.
Improve Financial Processes
The significant cost of the ICFR assessment required under SOX Section 404 represents a “tax” on inefficiency, providing additional incentives for process improvement. Redundant systems, processes, or locations generally require some type of incremental assessment, increasing the scope and cost of compliance. The Financial Executives International (FEI) survey of SOX 404 compliance costs in 2007 indicated that, for companies with average revenue of $4.7 billion, the costs in decentralized companies averaged $1.9 million, 46% higher than the $1.3 million in centralized companies. The difference is likely to be a fraction of the savings available from addressing the underlying process inefficiency.
In addition, manual control procedures involve substantially higher testing costs. For example, a manual control that operates daily may require a sample size of 30 to be evaluated by an expert. However, the same control if automated requires a sample size of just one and does not have to be evaluated each year if certain criteria are met. Leading companies track the number of manual versus automated controls and seek automation opportunities. Reducing the number of manual journal entries is another means of improving the reliability of financial statements and reducing closing-cycle time, while reducing both compliance and personnel costs.
Section 404 is one of the more contentious elements of SOX, due to the significant cost of compliance. According to a survey by FEI that included issuers with an average revenue of $4.7 billion, compliance costs were $1.7 million during 2007, or 0.36% of revenue. The total cost includes internal and external labor and auditor attestation fees.
Compliance costs have continued to decline since 2004, when Section 404 became applicable for most issuers. The 2007 SEC and PCAOB guidance has provided management with additional flexibility in addressing risk and determining the timing, nature, and extent of testing procedures, further reducing costs.