
Complying With Internal Controls To Manage Enterprise-Wide Risks Effectively

Farrell John | April 24, 2003

The overhaul in corporate accountability sparked by the Sarbanes-Oxley Act of 2002 marks the most dramatic and far-reaching reform affecting financial reporting in almost 70 years. When it comes to complying with the new rules on certifications and the issuance of management's report on internal controls, Section 404 can be seen as an opportunity to broaden the compliance process to an enterprise-wide risk management perspective.

This developing trend of analyzing and monitoring the full spectrum of business risks, including the risks assessed in an internal controls review, can enable the company to achieve its strategic aims and help increase shareholder and stakeholder value.

Complying with the requirements of Section 404 need not be an impediment to, nor must it drain resources from, enterprise risk management. Rather, it may create an opportunity to address all facets of risk across the enterprise — financial, legal, operational — through a control self-assessment that distributes responsibility for the evaluation among those who are directly involved in the controls process.

Long Term Approach

Internal controls are owned not by an organization's financial officers, but by those within the business who manage day-to-day operations and rely upon the controls for accomplishing their tasks.

These control-process owners are well-equipped to carry out the self-assessment of identifying and analyzing relevant risks to help the business reach its financial goals. The Sarbanes-Oxley regulations have reinvigorated the value of such risk-based self-assessments.

Rather than view the new requirements strictly from a deadline-beating compliance perspective, organizations should take a more long-term approach, treating the internal-controls assessment process, essentially a sustainable risk management process, as an investment in the future.

If a company looks ahead one year, how can it quantify success beyond compliance? For multinational companies, a worldwide controls standard would be one benchmark of success. Formulating a "language" common to an organization's business anywhere in the world enables the company to make best use of its control portfolio — which key controls to retain and which ones the company can do without because they add no value to the organization or are redundant.

Transformation Through 404

Companies can use the Section 404 assertion rules as a means of assisting in an enterprise-wide transformation of business processes. The rigorous internal-controls assessment may yield several efficiencies:

  • Better use of automated system-based controls;
  • Better assessment of process risk and mitigation of risk;
  • Standardization of key controls throughout the organization;
  • The opportunity to drive the responsibility for controls assessment down to the process owners.

The compliance process can be used as a mechanism to screen out unnecessary tasks and to determine what is good practice within each business process, such as:

  • The ability to compare controls in place between different business units or between a company's operations in different countries;
  • Reducing the risk of error by adopting a more systems-based controls method rather than performing the process manually;
  • The ability to internally benchmark processes through the use of key performance indicators, which measure and monitor the effectiveness of a program across a range of risks and over time;
  • The ability to obtain feedback on a global basis, which enhances reporting capabilities.

Automated vs. Manual

In analyzing their control portfolio, companies may find more value, and cost efficiency, in moving toward an automated, systems-based controls approach, rather than a manual controls review.

The internal controls assessment, which is performed through the technique of self-assessment, can solicit information from control owners about the status of key controls based on the nature and vulnerability of those controls: that is, based on whether a given control is automated or manual, rather than on a fixed testing schedule such as a weekly or other regular interval. The assessment also should be completed by the operations person inside the process, who knows first-hand whether the control is vulnerable, and not by the CFO or another financial officer.

While the controls self-assessment, or risk assessment, is best handled by the operations person with hands-on experience in their respective processes, the overall risks facing the company remain a corporate-governance focal point for boards and management. Corporate leadership should ask the following questions regarding risk:

  • What kinds of analyses are being done to uncover the risks facing an organization?
  • What is being done to evaluate those risks and determine the best way to leverage or mitigate them?

Other Measures

In response to the mandates and reform recommendations, CEOs and CFOs may also consider several other measures to enhance corporate accountability. These steps include:

  • Assessing the impact of changes in the business that may have an effect on internal controls, for example, acquisitions or divestitures, and new accounting or SEC rules.
  • Obtaining formal internal management representation letters, on a quarterly basis, from internal accounting personnel for domestic and foreign subsidiaries.
  • Holding monthly or quarterly conference calls with accounting staff (including worldwide operations) to educate staff on new accounting pronouncements and other items to facilitate the closing process.
  • Initiating a formal regular meeting with key process owners or segment leaders, including sales, purchasing, human resources and legal, to discuss activities that may influence accounting and disclosure.
  • Assessing self-knowledge and knowledge of others in the organization.
  • Ensuring that a uniform process exists that must be followed by other members of the organization providing internal certification.
  • Requiring internal audit to focus on testing the system of internal controls, not just the operating processes.

Section 404 of the Sarbanes-Oxley Act has trained a spotlight on a company's assessment of internal controls over financial reporting. Since the assessments an organization performs ultimately are manifested in the corporate financial statement, companies would be well advised to adopt a holistic risk-management approach to the compliance process.

Companies that perform their internal controls assessment in the context of an enterprise-wide risk management program are well positioned to ensure the integrity of their financial statements and maintain investor confidence in the economic viability of their enterprise.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.