CSA Sentinel - The Institute Of Internal Auditors  

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS
Second Quarter 2007 • Vol. 11 • No. 2

Enhancing the Bottom Line: Moving From Risk to Compliance

Learn how a risk-based approach to compliance can contribute to better business performance in any organization by saving time and money.

DR. LUC BRANDTS
CHIEF TECHNOLOGY OFFICER
BWISE

The latest publications (Dec. 2006 and Apr. 2007) by the Public Company Accounting Oversight Board and the U.S. Securities and Exchange Commission on implementing a risk-based approach to compliance are receiving a lot of attention in the audit world. This is understandable because implementing a risk-based approach is an important driver in reducing audit and compliance costs. In addition, this type of approach ties business performance back into compliance as companies are now asked to focus even more on risks and controls. But can existing compliance investments be leveraged successfully to implement this risk-based approach?

According to a recent KPMG study published in The Netherlands, Return on Compliance: Utopia or Reality, the answer is yes. The study shows that there is a positive relationship between clean Sarbanes-Oxley filings (i.e., filings without significant deficiencies or material weaknesses) and the development of a company's market capitalization. The research showed a 28-percent rise in market capitalization for clean publicly-listed companies compared to the average of 18 percent for typical publicly-listed companies. This example illustrates that investments in proper compliance with Sarbanes-Oxley clearly do pay off, but this isn't the only benefit. Having a risk-based approach to compliance can also significantly improve the bottom line by enhancing related business performance. The risk-based approach can also help a company identify the really important controls — those that would seriously impact the company's financial performance if they failed. That is what Sarbanes-Oxley was all about — protecting companies and their shareholders from serious downfall.

THE VALUE OF KEY CONTROLS

Tips for Managing the Lifecycle of Risks

  • Decide on the objectives to be achieved.
  • Determine what could prevent that objective from being achieved. What could go wrong? What are the risks?
  • Identify inherent risk and opportunity values.
  • Find out what the company wants to do with these risks. What's the risk response?
  • Identify the controls in place for these risks.
  • Determine the residual risks.
  • Decide on what conditions the company will accept these risks.
  • Monitor objectives, risks, controls, and actual losses in a consistent manner.

To comply with Section 404 of Sarbanes-Oxley, publicly listed companies must identify their key controls and demonstrate both their design effectiveness and their operating effectiveness. Simply put, the failure of even one of those key controls could potentially lead to a misstatement or restatement of that company's financial statements.

Testing a key control, including collecting the electronic evidence, takes several hours per control at most companies; the Big Four accounting firms report an average estimate of US $500 per tested control. Reducing the number of key controls to be tested means less testing, which results in less spending.

In addition, if Section 404 of Sarbanes-Oxley is not the only compliance regulation a control is related to, the monitoring of key controls becomes even more complicated. In some instances, publicly traded companies must comply with multiple regulations (e.g., privacy, product liability, employee safety and health, environmental regulations, anti-money laundering) that often overlap related controls. Typically, different departments conduct assessments with their business colleagues in a highly inefficient and ineffective manner by sending out numerous testing sheets, questionnaires, surveys, and assessments on topics like business continuity, business principles and ethics, information technology (IT) security, and regulatory issues including Sarbanes-Oxley. The value of integrating these frameworks into one common risk framework is enormous. The goal should be to assess once and use many times for all different regulations. A control that relates to Sarbanes-Oxley, as well as to the U.S. Patriot Act and Basel II, will now only be documented and tested once. In the traditional silo approach, the control would have been documented three times in three different systems and tested separately. Front-running companies have already demonstrated the obvious benefit from integrated frameworks.

Besides the convergence of controls, other measures — like implementing automated controls — can be taken to reduce compliance costs. Testing a manual key control requires more effort than testing an automated control. One primary reason is that auditors require larger sample sizes for a manual control. An automated control performs better than a manual control, provided the related IT processes are properly managed. Automated controls are also more economical given the streamlined approach and resulting improved performance. However, despite these benefits, a survey of BWise's clients shows that somewhere between 50 and 80 percent of all current controls are manual, with a larger percentage of automated key controls found in highly automated industries like financial services and technology companies.

Increasing the number of automated controls can be beneficial as long as the investment in the automation does not surpass the benefit of less testing and higher reliability. The key to optimizing costs is the standardization of related processes, which is driven by the implementation of a risk-based approach across the organization.

Figure 1: Simplified risk framework

HOW TO IMPLEMENT A RISK-BASED APPROACH

Although some companies have made important first strides by documenting their controls using a risk-based approach, many have not yet taken real advantage of this approach. In figures 1 and 2, a methodology is presented on how to actually implement such an approach. Figure 1 is an example of a simplified risk framework where controls are mitigating certain risks in a particular process. Figure 2 represents an elaborate risk framework where the relations are built between significant accounts, control objectives, processes, risks, and controls within entities and divisions. In reality, however, the risk framework will be even more complex and will include IT systems and entity-level controls.

Even if a company's existing documentation is not constructed like the frameworks shown, it will likely be relatively simple to add the missing information. For example, risks or control objectives are added to the company’s existing model. It is important that the risks are identified at a sufficiently high level and not as a negative formulation of the control. In order to truly implement a risk-based approach, risks need to be identified as business risks. For example, a risk identified as "segregation of duties is not implemented" adds hardly any value over a control identified as "segregation of duties." The risk should preferably be formulated as a business risk, or at least as a risk that is applicable to business processes. The same can be said about the relationship between a risk and a control objective. A control objective is not the opposite of a risk. A control objective is something an organization wants to achieve, whereas a risk is something threatening that objective.

Figure 2: Elaborate risk framework

For some companies, documentation is focused on identifying the controls and not much more. In those cases, risks are either not documented or are documented at such a granular level that they have little true business value. Similar observations apply to objectives, which are also often defined at too granular a level. In order to implement a risk-based approach, having them defined at a business level is beneficial, if not a prerequisite.

In addition, if the existing compliance documentation lacks the business risk component, risk templates are available that allow companies to quickly enrich their existing documentation and proceed from there.

THE RISK-BASED APPROACH USING RISK ASSESSMENTS

The risk-based approach can be implemented in various ways. Risk-based scenario analysis is probably the most elaborate and sophisticated methodology, but this approach requires a mature sense of risk in the company. Only the most seasoned companies can adopt this approach because it requires a significant amount of high-quality data. Mature governance, risk, and compliance platforms offer this capability to most companies as a potential growth model.

However, compliance and enterprise risk management software is available that allows businesses to run a risk assessment based on the information a company already has. Loading the existing compliance documentation into a sufficiently comprehensive risk-based compliance solution will allow running a risk assessment without any additional investments. Prior investments — often running into millions of dollars in compliance documentation — can now pay dividends.

Business managers often are asked to assess the impact and likelihood of risks that could occur. Although there are various types of risk assessments, there are even more ways to conduct one, ranging from high-level enterprise risks to low-level process risks, and from assessing inherent risk to assessing residual risk, or both.

This initial risk assessment also will immediately show whether the identified business risks make business sense. Business managers should be able to answer questions about the potential impact and likelihood, and should also be able to:

  • Understand and assess the risk at a business level by envisioning the risk occurring.
  • Perform the risk assessment within a reasonable amount of time, which requires the risks to be defined at the appropriate level.

TYPES OF RISK ASSESSMENTS AND THEIR USES

Several types of risk assessments are used around the world. Following are a few of the more common examples, including their application and benefits for the implementation of a risk-based approach.

Inherent Risk Assessment (Gross Risks)
The inherent risk assessment analyzes the impact and likelihood — or frequency and severity — of risks identified as if there were no controls. In practice, this is often a challenging task for non-experts because it is hard to imagine the controls not in place. However, if the inherent risks are known, they are a strong indicator of where to put in the effort. The inherent risk assessment also states what the specific risk is — in case the control fails (i.e., the control is not effective). Therefore, if the inherent risk impact or severity is higher than a certain threshold (i.e., the materiality level), the underlying controls should be in scope. In other words, the inherent risk assessment is a good tool to use to implement a risk-based approach to compliance but might require risk training for the people conducting the risk assessment.

Residual Risk Assessment (Net Risks)
The residual risk assessment analyzes the risk with the controls in place, including the anticipated effectiveness of the related controls. This is not a control test as is required for Sarbanes-Oxley, but rather a limited assessment of the relevance of that control. These types of assessments are easier to conduct, and not surprisingly, are the ones most commonly used. This is because staff is asked to assess the exact situation they know, as opposed to a virtual situation they can only envision, as is the case in an inherent risk assessment. From a residual risk assessment, experts may conclude which risks are most vital, and therefore, which controls are relevant. This analysis is less thorough than the inherent risk assessment and the most value can be derived if risks are assessed at both an inherent and residual risk level as this combines all relevant information.

Scenario Analysis With Expected and Extreme Value
An assessment type often applied at the enterprise level is a scenario analysis in which expected values for impact and likelihood are requested together with extreme values, such as a worst case and a best case. These values can be used to determine which risks are truly relevant, which opportunities should be explored, and which controls should play a vital role.

Quantitative Versus Qualitative Risk Assessments
An important part of every risk assessment discussion is the question of whether quantitative or qualitative answers should be given. Quantitative answers are obviously preferable, provided they are correct. The reality is that it is often extremely hard to give a well-argued quantitative answer. Therefore, many organizations conduct qualitative assessments and translate the results back into more quantitative answers in a validation round based on the input of many individuals.

IN THE END

Although there are many ways to implement a risk-based approach for compliance, the first step toward significantly reducing the number of controls and compliance costs in any company is choosing the risk assessment that is most appropriate. For all variants of using risk assessments to implement a risk-based approach to compliance, it is vital to consider the following points:

  • Agree with the external auditor on the methodology, the quantification, the rationale behind decisions taken, and the risks taken into account.
  • Use available best practice templates.
  • Leverage technology that will allow the re-use of existing compliance documentation to implement a risk-based approach to compliance without having to invest a second time in large risk documentation efforts.

And above all else, make sure that, besides the appropriate governance, risk, and compliance (GRC) solution platform, the appropriate methodology is used.


Dr. Luc Brandts is chief technology officer of BWise, a provider of GRC solution platforms. Brandts has 18 years of technology and business management experience across numerous industries including financial services, government, manufacturing, health care, and telecommunications. He has been involved in projects implementing GRC technology to cover Sarbanes-Oxley, Basel II, ISO, IT governance, and other regulations.