A risk-based approach to testing and managing your internal controls over financial reporting sounds great, but first you need to assess just what your financial reporting risks are.

To that end, Bill Stepaniuk never goes into a meeting empty handed. Or, as he likes to put it: “I’m a paper-half-full type of person.”

Stepaniuk, head of internal audit for the Calgary, Alberta-based PrimeWest Energy Trust, says he always sits down with management prepared with a list of questions; then he fires away. “It’s kind of like, ‘Here’s what I’m seeing or see the possibility of happening. What do you see?’”

That sort of thorough risk assessment is a central pillar of guidance released earlier this year by the Securities and Exchange Commission and the Public Company Accounting Oversight Board to help companies and their external auditors manage Section 404 of the Sarbanes-Oxley Act. As the new audit season begins and people start to use that guidance, many will zero in on fraud risk, the “things that can really burn as,” Stepaniuk says.


For PrimeWest, that means examining risk in vital areas such as finance and operations, as well as legal, reputation, and regulatory risks. Stepaniuk uses a three-tiered assessment, starting at the top with C-level executives and audit committee members spelling out their desired corporate risk exposure. Then comes a fraud risk assessment survey Stepaniuk gives to business process owners, who in most cases either oversee or execute key controls at the transaction level and are able determine the likelihood and severity of risks. Finally, the business process owners submit their own assessment of what concerns them—things that management might have overlooked.

Kenton Hoover, of Symantec Global Services, says surveys are an excellent idea, if done well. “The mechanism for deployment is less important than providing adequate time for following up with respondents,” he says. “The surveys will generate more questions than answers for your team.” Companies should also provide some point-of-contact for respondents to ask questions they might have about the survey.

Stepaniuk crams all his findings into a risk matrix that serves as the basis for an audit plan used for actual internal audit testing. “These assessments are important in the sense that we really want to go beyond the mere existence of the controls and make sure we have controls that are effective,” he says.

Leaner, Meaner Controls

Well-developed fraud risk assessments are important because they let internal audit departments focus on a select number of predetermined, high-risk areas to audit. That frees them from the “all SOX, all the time” lives they have been living for the last few years, to spend time on other projects.

Indeed, a recent report from risk consulting firm Protiviti found that nearly one-fourth of internal auditing departments have achieved a “rebalancing” of internal audit frameworks. Specifically, Protiviti said, internal audit departments are changing in three ways: 45 percent of companies are reducing the total number of internal controls; 37 percent are paring down their key controls; and 34 percent are pushing their external auditors to rely more heavily on the work of their internal auditors.


Ken Newman, vice president of security for American Savings Bank, a subsidiary of Hawaiian Electric Industries, says this type of “leaner, meaner,” controls framework helps him handle his company’s complex corporate structure. Rather than map his internal controls to a thicket of independent frameworks (COSO, CoBIT, ISO, and others), he starts by looking at how SOX, banking industry rules, and other regulations overlap.

“We look at these two areas—regulations and compliance framework—and then as a result of a joint effort with finance, risk management, and security departments, we then go out and talk to process owners,” Newman says. “This is good because across the organization you can define risk, and then internal audit can come in and everything and everybody gets covered.”

“These assessments are important in the sense that we really want to go beyond the mere existence of the controls and make sure we have controls that are effective.”

— Bill Stepaniuk

Director of internal audit

PrimeWest Energy

Even private companies are getting in on the act, since they are often swept into other companies’ SOX compliance efforts anyway. Regulus Group, a provider of outsourced business process services for other companies, completed its own SAS 70 audit to demonstrate to customers that its internal controls are reliable. The controls defined and tested in the audit are folded into both risk assessments and control matrices at the public companies Regulus serves. Christian Phillips, chief security officer at Regulus, estimates that the company is pulled into nearly 80 audits per year.

The Risks of Risk Assessments

As corporations continue to bring more internal auditing tasks in-house, the fraud divisions of several large external auditors are stepping up their sales pitches to companies—particularly those who want to take a more granular approach to fraud risk assessments.

“We’re definitely seeing now more than ever that companies want to focus on geography, business unit, and industry specific fraud risks,” says Bill Stewart, a partner and fraud specialist at Ernst & Young. “Companies need to use targeted surveys of employees and understand the full spectrum of risk and take extra care when you’re asking companies to in effect police themselves.”

Stewart notes that the new SEC guidance calls for companies to perform fraud risk analyses, but argues that independence is still vital since managers might not understand fraud risks at the process level. Likewise, business process controls often can be overridden by management.

The SEC concedes as much in its guidance, saying internal control over financial reporting “cannot provide absolute assurance due to inherent limitations.” Further, the SEC believes internal controls work is subject to lapses in judgment and “breakdowns” resulting from human failures.


“Tone at the top, and top-down, risk-based surveys sound great, but we need to remember that Enron had one of the best compliance codes of conduct,” cautions Glenn Pomerantz of BDO Consulting. “You have to do more than just check the box, especially with fraud risk.”

Stepaniuk of PrimeWest energy also has his reservations, saying even risk assessments carry an inherent risk: Process owners and managers see the assessment and then know what is, and is not, being monitored.

“The one downside to this approach is that you’re opening sort of a Pandora’s Box where you may be planting seeds in people’s minds and giving away your game plan,” he says. “But it has to be done even though everything you do has a risk to it.”