By taking a one-size-fits-all approach to their testing, accountants apparently ignored the risk profiles specific to individual companies. “As a result, some auditors appeared to have expended more effort than was necessary in lower-risk areas,” the board stated, noting that “in some cases, a higher-risk area should have received more attention than it did.”
Now, the PCAOB is telling auditors to customize their internal-control attestations. As they pick up more experience in such audits, the board expects them “to focus on the particular risks” of each client’s control system.
Some think that the board should be even more specific and spell out “where the real pain points of cost and errors are,” in Daleo’s words. For example, the PCAOB has stated that external auditors may rely on the work of internal auditors and others rather than retracing previous steps. Instead, Daleo maintains that the board should say that auditors must rely on the work of others. By taking discretion out of auditors’ hands, the board would also relieve them of the temptation to test everything.
For some finance chiefs, a risk-based approach means more than just the ability to set priorities; it also helps determine marching orders for a company’s enterprise risk management program. Pitney Bowes, the Stamford, Connecticut-based mail and document-management company, is in the opening stages of an ERM effort that finance chief Bruce Nolop would like to see used as a model for Sarbox compliance.
Rather than focusing on maintaining a set number of mandated procedures, the ERM approach has forced Pitney Bowes executives to regard the company’s risks from “a macro, shareholder-advantage perspective,” Nolop says. Working closely with the audit committee and the entire board of directors, managers began the process by asking employees from many different departments a question: What risks could have a material impact on the company?
The CFO finds it interesting that the biggest risks didn’t end up being financial ones. The most-often-cited threats include impairment of the company’s brand image and breaches of customers’ privacy. Nolop says that executives were already made aware of financial risks through the company’s routine business activities; for example, during efforts to obtain financing for customers, they learned a great deal about the effects of interest-rate fluctuations. Hedging and other mitigation techniques are already in place at the company for such exposures, he says.
In comparison to a “procedural” approach to regulatory compliance, which tends to treat risks as stemming from isolated business units, the ERM approach looks at the ripple effect throughout the entire company and beyond, according to Nolop. Concerning supply-chain risk, for instance, executives first consider what they would do if the company ran out of certain parts, then address how they’d respond if the parts suppliers ran out themselves.
Ironically, ERM can be a less efficient process than simple Sarbox compliance. For Sarbanes-Oxley — as CFOs know all too well — regulators and auditors have provided pages and pages of implementation guidance. On the other hand, says Nolop, an enterprisewide approach to risk “means you flounder a little bit to come up with the best processes and procedures. But in the end,” he adds, “you are able to go where the analysis takes you, and you come up with better understanding.”