Commentary: Balancing risk and control approaches for Sarbanes-Oxley

After much criticism and debate over the best approach to regulating business, in December the Public Company Accounting Oversight Board proposed a new audit standard for Sarbanes-Oxley Section 404 implementation. Concurrently, the Securities and Exchange Commission introduced interpretive guidance for management's assessment of internal control. Both exposure drafts, which solicited feedback through February, promise change through a risk-based approach.

The changes seem like a good idea in theory, and the Institute of Management Accountants applauds the SEC and the PCAOB for making a move in the right direction. A closer look at the drafts, however, shows that they remain problematic: businesses still have no practical guidance on how to implement a risk-based framework. Despite their best attempts, the SEC and the PCAOB would, in effect, be perpetuating a regulatory regime with high cost and massive inefficiency, without significantly improving investor protection.

Reading through hundreds of the PCAOB and SEC proposal pages, three questions come to mind:

* Exactly what are the characteristics of risk- and control-based approaches?

* Are they really fundamentally different?

* Are the new approaches proposed by the PCAOB and the SEC really risk-based by standards inherent in this global body of knowledge?

In considering the different approaches that the SEC and the PCAOB are proposing (risk versus control), it may be helpful to make a simple comparison in a more familiar context. A risk-based approach to home fire safety, for example, involves identifying all potential sources of fire, assessing each of them, and learning as much as possible about the risks. Identifying root causes of failure is thus the first step in risk management. Extensive statistics are publicly available on the root causes of fire in the home. No such statistics are readily available on the root causes of SOX deficiencies. That is a flaw in the risk-based approach to SOX.

Meanwhile, a control-based approach to fire safety focuses on mitigation measures, which would include taking all imaginable precautions against any sort of fire, regardless of its root cause. From this rationale, smoke detectors and fire extinguishers would be placed in every room in the home, with an extensive plan for inspecting them regularly. Pure control-based approaches do not address the root cause of the risk; rather, they consider the risk of a control failing.

WHICH PRODUCES BETTER RESULTS?

Both risk- and control-based approaches seek to achieve the same goal with different approaches to implementation. Risk-based approaches require rigor to ensure that all risks to achieving the end objective are identified and analyzed, and then controls are put in place to mitigate or minimize the risk to an acceptable level of "tolerance." Control-based approaches, on the other hand, often over-emphasize the control (the smoke alarm in every room) versus starting with the risks (the presence of combustible materials or putting an extra alarm only where there is a higher risk of fire).

BALANCE, NOT BIAS

Both the new proposed audit standard and the proposed SEC interpretive guidance seem to imply a re-balancing between risk and controls (i.e., more of the former, less of the latter). In reality, both continue to emphasize controls over risks, and both gather far more information about controls versus risks. Neither the SEC nor the PCAOB proposals are risk-based by any global standard, and they remain too audit- and control-centric to be cost-effective. The root causes of Sarbanes-Oxley deficiencies must first be clearly understood through better risk assessment.

To help cool down the burning Sarbanes-Oxley compliance issues, as well as to prevent a fire in your home, balance, not bias, between risk (assessment) and controls (mitigation) is needed.

Paul A. Sharman, ACMA, is the president and chief executive of the Institute of Management Accountants in Montvale, N.J.
