What SOX 404 Doesn’t Do
This article was originally published in Accounting Today on Dec 28, 2011
Audits are great at looking back, but what about assessing risks?
It’s difficult to regulate good management practices, yet those in power – Congress, the Securities and Exchange Commission, and various self-governing standards bodies – will keep trying to make good management practices the rule rather than the exception.
To wit: After Enron faked out Wall and Main Streets, while auditor Andersen blithely stood by, Congress passed the Sarbanes-Oxley Act in 2002. The close-the-barn-door-after-the-horse-got-out legislation brought along with it, among other rules, the SOX 404 audit of a public company’s internal controls.
Section 404 of Sarbanes-Oxley requires management – in practice the chief executive and the chief financial officer, who sign off on the report – to assess the company’s internal controls over financial reporting and state whether they are effective. External auditors continue their financial statement audits, but they must also attest to the effectiveness of the company’s internal controls. The whole SOX legislation was about improving the integrity of financial statements after massive fraud at Enron, WorldCom and Qwest. Financial statements, by their nature, are records of historical events.
Then, in 2008, came the financial meltdown, which still hangs over our economy today. Large investment banks and insurance companies bought huge bundles of poorly underwritten home mortgages. This crisis wasn’t caused by unreliable financial statements, but by the banks and other institutional investors being unable to analyze their risks.
Besides the economic fallout, there were regulatory changes as well. The 2008 crash gave us the Dodd-Frank legislation, which is essentially Congress telling banks that they need to be better managers of risk, because who wants another fallout of the financial system? Dodd-Frank raised capital requirements and contains requirements for financial holding companies with more than $10 billion in assets, including creating specialized risk committees. For example, I’m a shareholder of Citigroup. In its 2010 annual report, there are 50 pages devoted to fostering a culture of “intelligent risk-taking.”
Not Necessarily Better
So that’s the world we live in today, a financial world that tried to take steps to improve things after the disasters already occurred. Does that mean today’s public companies, with their SOX 404 audits and financial controls, are better capitalized, better managed, and make more attractive investments than they did before? Unfortunately not.
The previously described overhauls of the financial reporting system are essentially backward-looking. What companies need is a better handle on their greatest risks. This includes better identification of risk, a way to rank the most serious risks and improved forecasting of the impacts of these “value killers.”
A clean SOX 404 audit carries only limited assurance that some level of financial reporting controls is in place and was effective at year-end. It doesn’t mean that the company didn’t make execution, planning or strategic mistakes, or that its management won’t continue to make them. That leaves a lot of work still to be done if a company is to have its best chance of success.
The vast majority of companies do not analyze and rank risk. For example, British Petroleum assessed the catastrophic events that might occur and concluded that, given the safety measures in place, a catastrophe was so unlikely that it did not carry a material economic impact. The oil spill in the Gulf of Mexico then cost the company $40 billion.
Here’s another example: I serve on the board of a company that overestimated the amount of inventory it needed and had to write some of it off. The company had a nice clean SOX audit from a Big Four accounting firm, but, unfortunately, that had no influence on our inventory issue other than it being properly accounted for.
Another company for which I am a director has to contend with commodity prices as key components of its business. The company hedges against swings in prices for these commodities but recently hedged in the wrong direction, resulting in a materially negative impact on the bottom line. By identifying and weighing its biggest risk, we learned that the company needs to improve its forecasting efforts. Therefore, we implemented risk controls setting limits on its hedge positions.
Apple did the best it could to address its “key man” risk by appointing Tim Cook chief operating officer a couple of years ago – and the company didn’t miss a beat in delivering the iPhone 4S after Tim Cook took over as chief executive.
As a board member, even though you may feel comfortable that your financial reporting and controls can be relied upon, that doesn’t mean your strategic and business risks are being handled appropriately. Dodd-Frank introduced some measure of risk management for banks, but there is little to guide the rest of corporate America.
On a positive note, the New York Stock Exchange requires the audit committees of its listed companies’ boards to demonstrate annually that they have evaluated the company’s risks. Also, the SEC enhanced its proxy statement disclosure rules in 2010 on the implicit assumption that the board plays some role in risk assessment and should tell the public about it.
One thing is clear: enterprise risk management is an emerging field that is not to be confused with a financial audit or clean SOX 404 opinion. It takes a systematic, holistic, disciplined process to identify the largest risks and their potential impact, as well as to devise strategies to avoid major risk.
All companies face risk and uncertainty: Forward-thinking, progressive management teams and their boards are implementing enterprise risk management processes to consistently deliver value in an uncertain and risky world.