Risk Assessment Is a Necessity

Sarbanes-Oxley was the U.S. government’s response to a decade of financial statement frauds that shook the financial community.

SOX was designed to prevent financial statement fraud in public companies. However, SOX forced management and their auditors to focus on the accuracy of financial statements and the appropriateness and effectiveness of controls affecting the presentation of the financial statements.

The creation of SOX provided a false sense of security to stakeholders and management because it was a reactive approach to old problems that did not focus on how to proactively prevent future problems. For example, during the subprime debacle, the management of lending institutions focused more on completing the testing of controls around financial reporting than on the risks associated with whom they were lending to and how such loans were being originated.

Management needs to make more careful reviews of their organization to avoid loss. The financial crisis of the past two years should alter management’s thinking and make risk management a top priority in business.

Organizations cannot afford to be reactive; rather, more emphasis needs to be put on projecting which risks can affect an organization and how management plans to mitigate losses and respond to risks as they occur. Management as well as the board of directors must carefully consider which risks affect their organization by understanding the internal and external factors surrounding their business. The focus must be on both external and internal risks to properly assess all the areas that may be impacted. Outside consultants can assist management in understanding such factors.

The first step to prevent your company from susceptibility to loss is an effective risk management program. The risk management program is not nearly as expensive as SOX compliance. If performed correctly, a risk management program will prevent an organization from being affected by business risks or, at the very least, allow management to become aware of the possible risks that may affect them and implement the appropriate controls and procedures to mitigate loss.

The risk management process should consider a wide range of risks that could affect an organization. Using an outside consultant gives management an independent resource whose views and experiences, as well as streamlined processes, aid them in the risk management process.

The following are a few of the many common risks affecting businesses today:

·    Inadequate and incomplete financial information;
·    Customers not being properly billed, with billing and purchasing susceptible to kickback arrangements or incomplete data used in billing;
·    Improper review of credit limits;
·    Inadequate computer security and data backup;
·    Ineffective or nonexistent internal audit function;
·    Susceptibility to override of internal controls;
·    Inefficient revenue and collection processes;
·    Inadequate assessment of market conditions;
·    Inadequate integration of systems and system changes;
·    Ineffective employee payroll and expense controls;
·    Inadequate cash management; and,
·    Regulatory compliance.

Identifying the various business risks affecting an organization is a preventative tool and is only the first step. It is important for management to rank which risks have the highest likelihood of affecting their organization. Because of the complexity of dealing with a plethora of business risks and the many questions surrounding them, it is helpful for management to retain the right consultants, who can assist not only in the risk management process but also in implementing processes that will enable their organization to avoid risk and respond effectively to various risks or issues that may arise. To mitigate further loss, it is important that the processes are implemented by professionals who know the various questions that may arise in response to a business risk.

By taking these steps, a company can not only mitigate future risk but also effectively manage the costs associated with the various risks facing its business today. If management can identify risk and implement a proactive approach, then the business can ultimately become more profitable and efficient.

Josh Shilts, CPA, CFE, and Laurie Holtz, CPA, are senior advisors in the forensic accounting practice of MarcumRachlin.
