Four top audit executives at large companies shared their thoughts Wednesday afternoon at Compliance Week 2007 on how their organizations embraced a more risk-based approach to auditing their internal controls for financial reporting.

Foremost on their minds: effective risk assessments, strong processes to certify risks and controls, and how to reduce the menial testing of controls that might not be truly relevant to the accuracy of financial statements.

Regulators have promoted the idea of a risk-based approach to audits of internal controls for two years, and recent new guidance from the Securities and Exchange Commission and the Public Company Accounting Oversight Board will give companies new ammunition to do precisely that. Still, said Colleen Cunningham, former president of Financial Executives International and moderator for the panel discussion, “Doing so, and convincing your auditors to do so, is harder than it sounds. There’s a lot of confusion out there.”

All of the speakers stressed the need to involve business unit managers in assessing the company’s risks. Mark Stauffer, senior vice president for auditing at the $81 billion Cardinal Health, said he always considered Cardinal’s Sarbanes-Oxley compliance team—which he heads—only a project management group. “We made a decision to very much engage management to find the risks,” he said. “They get much better educated about what the risks are, really, and what the controls are, really.”

Michael Zanoni, director of financial compliance at Boeing, phrased his company’s approach as aligning compliance responsibilities with specific business functions: “We really wanted to emphasize process ownership in functional areas.” Ideally, Zanoni said, having business unit executives participate in SOX compliance will help to determine what documentation is necessary for compliance.

Sub-certification Processes

Tracy DeMuth, manager for SOX compliance at Sun Microsystems, said her company’s business unit managers often were unclear on what an “inherent risk” to their business processes was. Her office then developed sample questions business unit executives could ask themselves (“How susceptible is the process to manipulation?”) that helped the executives support their risk assessments and their certifications that proper controls were in place. Sun’s divisional CFOs then certify those sub-certifications, and the company CEO and CFO use the divisional CFOs’ work to issue the final certifications in Sun’s financial statements.

At Cardinal, Stauffer said, the company historically had its managers sub-certify financial results, not internal controls over financial reporting. After SOX was passed, the company broadened that policy to include internal controls and also put managers through a six-hour training session to help them understand their SOX responsibilities. For Cardinal’s key processes, Stauffer said, the company requires sub-certification all the way down to the manager level.

Working With External Auditors

The panel speakers admitted that cooperation with their external auditors can be elusive, although all considered it a high priority for implementing a risk-based approach successfully. DeMuth said Sun’s external auditors are “overly cautious” about talking with the company, only saying what they do not like rather than what they would like to see.

Stauffer’s suggestion: “We tried to hear how they described things … and we tried to talk in that language” so auditors would understand what Cardinal was trying to do, even if they disagreed with the company.

That communication with auditors can be especially challenging when the company decides it does want to accept some specific risk in its controls. Ken Young, vice president of internal audit at the retailer Circuit City, said his company has created a “risk acceptance document” so business unit managers can explain what the risk is and why they believe internal controls to oversee it are unnecessary.

Zanoni agreed that accepting a risk is a perfectly fine alternative to internal control—if that risk is assessed and documented wisely. “It’s not just that someone says ‘Yes, this is appropriate,’” he said. “It’s that it goes through a dialogue.”