IN THIS ISSUE
Enhancing the Bottom Line: Moving From Risk to Compliance
Learn how a risk-based approach to compliance can contribute to better business performance in any organization by saving time and money.
DR. LUC BRANDTS
To comply with Section 404 of Sarbanes-Oxley, publicly listed companies must identify their key controls and demonstrate that those controls are properly designed and operating effectively. Simply put, the failure of even one key control could lead to a misstatement, or a restatement, of the company's financial statements.
Testing a key control, including collecting the supporting electronic evidence, takes several hours per control at most companies; an average cost of US $500 per tested control is a commonly reported estimate from the Big Four accounting firms. Reducing the number of key controls that must be tested therefore means less testing and less spending.
In addition, monitoring key controls becomes more complicated when Section 404 of Sarbanes-Oxley is not the only regulation a control relates to. Publicly traded companies often must comply with multiple regulations (e.g., privacy, product liability, employee safety and health, environmental regulations, anti-money laundering) whose related controls frequently overlap. Typically, different departments assess these with their business colleagues in a highly inefficient and ineffective manner, sending out numerous testing sheets, questionnaires, surveys, and assessments on topics like business continuity, business principles and ethics, information technology (IT) security, and regulatory issues including Sarbanes-Oxley. The value of integrating these frameworks into one common risk framework is enormous. The goal should be to assess once and use many times across all regulations. A control that relates to Sarbanes-Oxley as well as to the U.S. Patriot Act and Basel II is then documented and tested once. In the traditional silo approach, the same control would have been documented three times in three different systems and tested separately. Leading companies have already demonstrated the benefit of integrated frameworks.
Besides the convergence of controls, other measures, such as implementing automated controls, can reduce compliance costs. Testing a manual key control requires more effort than testing an automated one, chiefly because auditors require larger sample sizes for manual controls. An automated control also performs more reliably than a manual control, provided the related IT processes (change management and access management in particular) are properly managed; an auditor can rely on an automated control only to the extent that those IT general controls are effective. Automated controls are therefore more economical, given the streamlined testing and improved performance. Despite these benefits, a survey of BWise clients shows that somewhere between 50 and 80 percent of all current controls are manual, with a larger share of automated key controls found in highly automated industries like financial services and technology.
Increasing the number of automated controls can be beneficial as long as the investment in the automation does not surpass the benefit of less testing and higher reliability. The key to optimizing costs is the standardization of related processes, which is driven by the implementation of a risk-based approach across the organization.
Although some companies have made important first strides by documenting their controls using a risk-based approach, many have not yet taken real advantage of it. Figures 1 and 2 present a methodology for actually implementing such an approach. Figure 1 is an example of a simplified risk framework in which controls mitigate certain risks in a particular process. Figure 2 represents a more elaborate risk framework in which relations are built between significant accounts, control objectives, processes, risks, and controls within entities and divisions. In reality, the risk framework will be more complex still and will also include IT systems and entity-level controls.
Even if a company's existing documentation is not structured like the frameworks shown, adding the missing information will likely be relatively simple; for example, risks or control objectives can be added to the company's existing model. It is important that risks are identified at a sufficiently high level and not merely as the negation of a control. To truly implement a risk-based approach, risks need to be identified as business risks. For example, a risk stated as "segregation of duties is not implemented" adds little to a control identified as "segregation of duties." The risk should preferably be formulated as a business risk, or at least as a risk that applies to a business process, such as the risk that one employee can both create a vendor and approve payments to it. The same applies to the relationship between a risk and a control objective: a control objective is not the opposite of a risk. A control objective is something an organization wants to achieve, whereas a risk is something that threatens that objective.
In addition, if the existing compliance documentation lacks the business risk component, risk templates are available that allow companies to quickly enrich their existing documentation and proceed from there.
The risk-based approach can be implemented in various ways. Risk-based scenario analysis is probably the most elaborate and sophisticated methodology, but it requires a mature sense of risk within the company and a significant amount of high-quality data, so only the most seasoned companies can adopt it. Mature governance, risk, and compliance platforms offer this capability, giving most companies a growth path toward it.
Compliance and enterprise risk management software is, however, available that allows a business to run a risk assessment on the information it already has. Loading the existing compliance documentation into a sufficiently comprehensive risk-based compliance solution allows a risk assessment to be run without additional investment. Prior investments in compliance documentation, often running into millions of dollars, can then pay dividends.
Business managers are often asked to assess the impact and likelihood of risks that could occur. There are various types of risk assessment and several ways to conduct one, ranging from high-level enterprise risks to low-level process risks, and from assessing inherent risk to assessing residual risk, or both.
This initial risk assessment will also immediately show whether the identified business risks make business sense. Business managers should be able to provide answers regarding the potential impact and likelihood as well as:
Several types of risk assessments are used around the world. Following are a few of the more common examples, including their application and benefits for the implementation of a risk-based approach.
Inherent Risk Assessment (Gross Risks)
The inherent risk assessment analyzes the impact and likelihood (or frequency and severity) of identified risks as if no controls were in place. In practice this is often challenging for non-experts, because it is hard to imagine the controls not being there. If the inherent risks are known, however, they are a strong indicator of where to put in the effort. The inherent risk assessment also states what is at stake if a control fails (i.e., the control is not effective). Therefore, if a risk's inherent impact or severity exceeds a certain threshold (i.e., the materiality level), the controls mitigating that risk should be in scope. In other words, the inherent risk assessment is a good tool for implementing a risk-based approach to compliance, but it may require risk training for the people conducting the assessment.
Residual Risk Assessment (Net Risks)
The residual risk assessment analyzes the risk with the controls in place, including the anticipated effectiveness of the related controls. This is not a control test as required for Sarbanes-Oxley, but rather a limited assessment of the relevance of that control. These assessments are easier to conduct and, not surprisingly, are the ones most commonly used, because staff are asked to assess the actual situation they know rather than a hypothetical one they can only envision, as in an inherent risk assessment. From a residual risk assessment, experts may conclude which risks are most vital and, therefore, which controls are relevant. This analysis is less thorough than the inherent risk assessment; the most value is derived when risks are assessed at both the inherent and the residual level, since the difference between the two shows how much risk reduction is attributed to the controls.
Scenario Analysis With Expected and Extreme Value
An assessment type often applied at the enterprise level is scenario analysis, in which expected values for impact and likelihood are requested together with extreme values, such as a worst and a best case. These values can be used to determine which risks are truly relevant, which opportunities should be explored, and which controls should play a vital role.
Quantitative Versus Qualitative Risk Assessments
An important question in every risk assessment discussion is whether answers should be quantitative or qualitative. Quantitative answers are preferable, provided they are correct, but in reality it is often extremely hard to give a well-founded quantitative answer. Therefore, many organizations conduct qualitative assessments and translate the results into more quantitative terms in a validation round based on the input of many individuals.
Although there are many ways to implement a risk-based approach to compliance, the first step toward significantly reducing the number of controls and compliance costs in any company is choosing the risk assessment that is most appropriate. For all variants of using risk assessments to implement a risk-based approach to compliance, it is vital to consider the following points:
And above all else, make sure that, besides the appropriate governance, risk, and compliance (GRC) platform, the appropriate methodology is used.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.