IN THIS ISSUE
Q&A With Dave Harmon
Enterprise risk management and Sarbanes-Oxley seem most applicable to for-profit organizations and don't seem to fit the culture of nonprofit organizations. Isn't it unrealistic for nonprofits to adopt these practices? Isn't it just "window dressing"?
DAVE HARMON, CIA, CCSA, CPA, CISA
DIRECTOR OF FINANCIAL MANAGEMENT PROGRAMS
UNIVERSITY OF CALIFORNIA
Although your questions are somewhat insightful regarding organizational culture and window dressing, I must emphatically answer "no" and "no." The Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management — Integrated Framework and the U.S. Sarbanes-Oxley Act of 2002 can, and should, play a major, successful role in both for-profit and nonprofit organizations.
ARE ERM AND SARBANES-OXLEY MOST APPLICABLE TO FOR-PROFIT ORGANIZATIONS?
Enterprise Risk Management (ERM) and Sarbanes-Oxley are different animals, neither of which I accept as the exclusive domain of for-profit organizations. ERM is a control model with universal application, regardless of an organization's type. I'm more than a little surprised when organizations still refer to adopting ERM — ERM isn't an orphan that requires adoption; it's the law of the land. ERM, in its basic form, has had its mandate for more than 10 years and, although ERM finally is getting some respect, it still isn't being implemented fully.
Sarbanes-Oxley, on the other hand, is legislation pertaining to publicly traded companies. Although the use of Sarbanes-Oxley in nonprofits is a legitimate question, the essence of Sarbanes-Oxley does have universal appeal: management accountability and sound financial management. Since when do these principles not apply to nonprofits? The United Nations and its oil-for-food fraud is a perfect example. Nonprofits may have the right to ignore Sarbanes-Oxley, but that doesn't mean they should. Potter Stewart, former U.S. Supreme Court justice, said it best: "There's a big difference between what you have a right to do and what is right to do."
In fact, many nonprofits have embraced relevant portions of Sarbanes-Oxley as best practices. The requirements for auditor independence (i.e., the structure of audit committees and relationships with external auditors) make good sense and are inexpensive to satisfy. Similarly, selected parts of corporate responsibility requirements are relevant, such as establishing a code of conduct and using management certifications. Personally, I would not want to put myself in a position where I had to justify why these steps weren't implemented. Full compliance with the documentation and assessment of internal controls may not be applicable, but neither is the situation where there is no formal documentation of internal controls.
DO ERM AND SARBANES-OXLEY FIT THE CULTURE OF NONPROFIT ORGANIZATIONS?
Possibly not. However, ERM and Sarbanes-Oxley don't fit the cultures of for-profit organizations either. All practitioners acknowledge that adapting ERM to an organization's existing culture is a key to success. I believe the ultimate goal of ERM is to change an organization's culture. Everything else logically flows from that. If organizations had the right culture, it wouldn't be necessary to spend all this time on internal control models. The very fact that ERM does not fit the culture of nonprofits makes the case for its implementation.
Regarding Sarbanes-Oxley, I agree that it doesn't fit the nonprofits' culture. It is a mandate for public companies and was never intended to fit with any culture; it was intended for compliance. Achieving Sarbanes-Oxley compliance will change an organization's culture for the better.
IS IT UNREALISTIC FOR NONPROFITS TO ADOPT THESE PRACTICES?
To this question, I counter by asking whether it is unrealistic for nonprofits not to adopt these practices. By now, you should have a pretty clear sense of my position that nonprofits need good internal controls the same way for-profits do. In fact, the argument could be made that the need is greater. For-profits have the built-in discipline of the marketplace competition to answer to, which helps to "weed out" the worst of the worst for-profit companies, while nonprofits rely on the good stewardship of management. Without a discipline like ERM and relevant portions of Sarbanes-Oxley, stewardship — when it does exist — may tend to lose its effectiveness over time. Organizations like the United Nations, which are created with the noblest of intentions, but have a unique monopoly, are a perfect example. Over time, the concept of good stewardship takes a back seat to bureaucracy and employee entitlements.
IS IT JUST WINDOW DRESSING?
Although implementations of ERM and Sarbanes-Oxley can be window dressing, they shouldn't be. I think with any new change process, there are elements of both form (i.e., window dressing) and substance (i.e., effective change). Early on, substance frequently takes a back seat to form. But, ultimately, if the process has integrity (i.e., the proper sponsorship), substance overcomes form as the prevailing effect.
One easy way to avoid the frustration of a transforming change is to believe the process doesn't apply to you or that the proposed change lacks substance. What tends to get overlooked is the cost of not changing. The assumption that continuing to proceed in an aimless manner, alleging that what has worked in the past will continue to work in the future, only delays — but does not avoid — the consequences.
David Harmon, CIA, CCSA, CPA, CISA, is director of financial management programs at the University of California, Los Angeles and instructs several IIA courses on CSA. Harmon helped to develop a CSA program in his former position at Fannie Mae and contributed to the questions in The IIA's CCSA exam.