A Clean SOX 404 Audit Doesn't Mean All is Well
By Ernie Sampias
November 3, 2011 (SmartPros) A clean SOX 404 audit opinion doesn't mean all is well with your company. Audits are great at looking backwards but what about assessing risks?
Just as it can be amusing to hear campaigning politicians promise to wag the economic dog by its tail with their “jobs plans,” it’s equally difficult to regulate good management practices.
Yet those in power – Congress, the SEC, and various self-governing standards bodies – are bound to continue to attempt to make good management practices the rule rather than the exception. To wit: After Enron faked out Wall and Main streets while auditor Arthur Anderson blithely stood by, Congress passed the Sarbanes Oxley legislation in 2002. The close-the-barn-door-after-the-horse-got-out legislation brought along with it, among other rules, the SOX 404 audit of a public company’s internal controls.
Section 404 of Sarbanes-Oxley requires the CEO and CFO to certify that they have tested their internal controls and found them effective. External auditors had to continue their financial statement audits, but they also had to attest on the effectiveness of the company’s internal controls. The whole SOX legislation was about improving the integrity of financial statements after massive frauds of Enron, WorldCom and Qwest. Financial statements, by their nature, are records of historical events.
Then, in 2008, came the financial meltdown, which still hangs over our economy today. Large investment banks and insurance companies bought huge bundles of poorly underwritten home mortgages. This crisis wasn’t caused by unreliable financial statements, but by the banks and other institutional investors being unable to analyze their risks.
Besides the economic fallout, there were regulatory changes as well. The 2008 crash gave us Dodd-Frank legislation, which is essentially Congress telling banks that they need to be better managers of risk, because who wants another fallout of the financial system? Dodd-Frank raised capital requirements and contains requirements for financial holding companies with more than $10 billion in assets, including creating specialized risk committees. For example, I’m a shareholder of Citigroup Inc.; in their 2010 annual report, there are 50 pages devoted to fostering a culture of “intelligent risk-taking.”
So that’s the world we live in today, a financial world that tried to take steps to improve things after the disasters already occurred. Does that mean today’s public companies, with their SOX 404 audits and financial controls, are better capitalized, better managed and make more attractive investments than before? Unfortunately not.
The previously described overhauls of the financial reporting system are essentially backwards-looking. What companies need is a better handle on their greatest risks. This includes better identification of risk, a way to rank the most serious risks and improved forecasting of the impacts of these “value killers.”
A clean SOX 404 audit carries only limited assurance that some level of financial reporting controls is in place and was effective at year end. It doesn’t mean that the company didn’t make execution, planning or strategic mistakes, or that its management won’t continue to make them. That translates to a lot of work that has yet to be done to ensure a company’s best chance of success.
The vast majority of companies does not analyze and rank risk. For example, British Petroleum assessed catastrophic events that might occur and concluded that because of the safety measures in place, the likelihood of a catastrophe was negligible and did not carry a material economic impact. However, the Gulf of Mexico spill’s impact on the company was $40 billion.
Here’s another example: I serve on the board of a company that overestimated the amount of inventory it needed and had to write some of it off. The company had a nice clean SOX audit from a Big 4 accounting firm, but unfortunately that had no impact on our inventory issue other than it being properly accounted for.
Another company that I serve as a director for has to contend with commodity prices as key components of their business. The company hedges against swings in prices for these commodities but recently hedged in the wrong direction, resulting in a materially negative impact to the bottom line. We’ve learned that by identifying and weighting the biggest risk, the company needs to improve its forecasting efforts. Therefore, we implemented risk controls as to the limits of its hedge positions.
Apple did the best it could to address its “key man” risk by appointing Tim Cook the COO a couple years ago. Now Steve Jobs is irreplaceable. Nonetheless, the company didn’t miss a beat in delivering the IPhone 4S when Tim Cook took over as CEO.
On a positive note, the New York Stock Exchange advises its members that their boards’ audit committees be required to demonstrate annually that they’ve evaluated the company’s risks. Also, the SEC enhanced its proxy statement disclosure rules in 2010, setting the implicit assumption that the board plays some role in risk assessment and should tell the public about it.
Identifying responsibility for risk management is all over the map. A recent study showed that risk management responsibility was inconclusive. Some companies thought it should be the whole board; others, the audit committee and still others, management.
One thing is clear: Enterprise risk management is an emerging field that is not to be confused with a financial audit or clean SOX 404 opinion. It takes a systematic, holistic, disciplined process to identify the largest risks your company faces and their potential impact, as well as to devise strategies to avoid major risk.
As the events of the recent past have demonstrated, all companies face risk and uncertainty. Forward- thinking and progressive management teams and their boards of directors are implementing enterprise risk management processes to consistently deliver value in an uncertain and risky world.
About the author
Share this article: >2011 SmartPros Ltd. All rights reserved. Source: heincpa.com