Sarbanes-Oxley turned eight this summer, and time has proved to be a friend to the once controversial legislation.
In fact, an annual Sarbanes-Oxley compliance survey released by Protiviti in June indicated that 70 percent of the 400 executive respondents in year four or beyond of their SOX-compliance programs agreed that improving their internal control environment was highly beneficial to their operations.
This remarkable increase in approval of the regulations from those who must comply–compared with 39 percent positive responses from executives in their first year of SOX compliance–demonstrates that strong internal controls have a profound effect on entire companies.
SOX compliance, according to the survey, has triggered benefits that include increased efficiency and effectiveness of processes and operations, greater understanding of control design, and operating effectiveness.
The survey said the finding is largely attributable to a significant decline in compliance costs as companies gain experience in applying Section 404 of the legislation. This also accounts for the lower approval rating in the early years of implementation.
Nonetheless, the jury is pretty much in: SOX compliance makes fraud, malfeasance and plain old dumb mistakes less likely in both public and private companies.
In fact, it has triggered more benefits than these. Our consulting work in the area of enterprise risk management has revealed how effective and efficient internal financial controls can be the basis and the energy behind broader and more comprehensive risk management strategies–for organizations ranging from Fortune 500 companies to midsize businesses and nonprofit organizations.
As an example, a public high-tech storage company conducted its first enterprise risk assessment and found that significant revenue "leakage" was occurring in specific geographic regions.
Revenue growth in these regions was a key strategy for this company, and yet there was not a coordinated approach at the company to review financial and business controls as well as business risks across key functions.
The company took a closer look at its business processes in these areas and found that it needed to strengthen its controls around contract management, the pricing of its deals, and the review and approval of specific types of deals.
As a result, key risks were contained, controls were optimized and the company's revenues in the target regions steadily increased. A side benefit of the exercise was that the company's accounting and legal teams were able to spend less time reviewing "non-standard" deals and devote more time to other important tasks and processes.
This example demonstrates how a closer examination of financial controls creates a risk-oriented mindset in management that feeds into other aspects of a business–in this case, contracts and pricing.
It is our experience that the SOX exercise can have an important impact in the C-suite: Chief financial officers pay close attention to financial reporting and positioning. Literally everything that happens at a company nowadays ends up expressed in the financial statements.
When executives become aware of the risk management benefits of strong internal controls, they begin to think more broadly and strategically about the comprehensive risk profile of their entire company.
Using SOX-compliant internal controls as a foundation, here are a few ideas about what CFOs, risk managers and consultants can do to leverage the risk-consciousness that is generated by the SOX exercise for the rest of the organization:
o Know your risk appetite.
This is part judgment call, part science.
The science is metrics combined with a thorough understanding of all the risks your business faces.
The judgment is based upon taking into consideration the industry in which you operate, market forces and the style of top management.
Once risk appetite is acknowledged, however, it can be communicated to the entire organization and all stakeholders and applied uniformly throughout the enterprise.
o Determine your risk profile.
This involves understanding the full spectrum of risks that your company encounters and takes.
The exercise takes into consideration the risks inherent in everything from the economy to your competitive position, your business category and your actual business processes.
In our current poor economy, financial risks are a special focus. Regulators such as the Securities and Exchange Commission are on high alert in times like these for irregularities in financial reports, accounting methods, stock trading, big-ticket transactions and executive compensation, making both compliance risk and the risk of criminal prosecution higher than normal.
o Start with financial compliance.
Because financial risks are so important, and because of the regulatory duties and fiduciary obligations they entail, the development of strong internal financial controls is a great place to launch what could become a full ERM program. It also prepares your company for many other things, such as a potential IPO.
o Audit your governance.
Screen your board candidates. Be sure you have the right mix of talent and clout.
Determine, with the help of your accountants and attorneys, the optimum size of the board for your company and be sure to include intellectual, as well as industry, diversity. Be sure your audit committee, in particular, has strong leadership and knowledge.
o Acknowledge that risk management is good business and produces value.
In today's more sophisticated understanding of risk, it is not just about being risk averse but about being risk savvy. Risk management is actually an important aspect of the entrepreneurial process.
By understanding thoroughly the risks you are taking in any realm of business–be it a transaction, a function or a process–the opportunities will not only pop out at you, but you will clearly understand the level of risk to which you are exposing your company.
o Make ERM dynamic.
Change is continuous, so you have to be able to continuously evaluate the risks of key changes that occur within your organization and the business environment and how those changes affect key processes of your company.
Processes are integrated and connected. Therefore your program should be flexible and dynamic or "living." That means it should be sensitive to change and capable of making those adjustments and their ripple through an organization visible to decision-makers.
Have metrics that enable executives to see, preferably in real time, how changes affect risks and to what extent those risks need to be mitigated. There are effective new dashboards and online applications that can support this process.
More than ever, investors demand performance improvement and effective risk management from their portfolio companies.
Implementing a strong internal control culture often becomes the basis for improvements in people, processes and technology that support better overall performance. This provides a solid foundation for a practical and balanced approach to risk management that also helps an enterprise steer clear of trouble.
The case for good internal controls is strong. SOX compliance for financial controls can drive a risk culture that identifies the full spectrum of risks that are rationally worth taking–and mitigates the impact of negative challenges that businesses face.
Scot Glover, CPA, is a partner in the consulting group of Armanino McKenna LLP (www.amllp.com) based in California. His practice focuses on governance, risk and compliance. He may be reached at scot.glover@amllp.com.