<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/platform.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar/21791921?origin\x3dhttp://grcprofessor.blogspot.com', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>

Tuesday, February 24, 2009

The Next Generation of Risk Management

I've been silent on the blogosphere for quite a few months. In a number of lunch conversations and discussions with the graduate accounting students taking my GRC course at the University of Houston, I've been asked to compare and contrast Enterprise Risk Management and Governance, Risk, and Compliance. On more than one occassion, I am asked what is the difference between ERM and GRC.

First, let me say that Enterprise Risk Management is not Governance, Risk & Compliance; ERM <> GRC. ERM is a management process while GRC is a management system.

Secondly, ERM is a significant management process within a GRC management system. Risk management frameworks like COSO ERM do much to organize objectives, risks, responses, and monitoring activity, a framework does not execute the processes nor discern when the efforts require a resource allocation change. People embody the capabilities to evaluate the subtle nuances but can become overwhelmed, fatigued, even complacent about consistent approach and rigorous attention. Generally speaking, technology has a place in enablng a robust GRC system. Note, I did not say technology enables a robust ERM process. It can; however, I believe that is suboptimal. In fact, there are many seemingly periferal activities and systems that need "Governance" to aggregate, correlate, forecast, predict, report discrete "Risk" issues (key risk indicators which are the inverse of key performance indicators) that are in "Compliance" with mandatory boundaries (laws, regulations) or voluntary boundaries (policies, procedures). While technology is not a panacea (no Easy button), it certainly can enable the evolution and architecture of a GRC management system.

The following is a UHY International circular that addresses some of these issues.
http://www.uhy.com/media/PDFs/UHY%20International%20Business%20Issue%2018.pdf

Thursday, May 18, 2006

News flash: No Sarbanes-Oxley exemptions for smaller companies

As expected, the Securities and Exchange Commission has put out an announcement that smaller companies will not be exempted from the Section 404 rule designed to strengthen financial controls.What it will do instead is provide companies with better guidance...

After a long period of review and numerous discussions with interested parties, the SEC has decided that small company filers will not be exempt from SOX 404 compliance.

Read more

Friday, February 24, 2006

SEC's Moves On SOX: The Big Guns Come Out

Moves by a Securities And Exchange Commission advisory panel to exempt 80 per cent of companies from having their internal controls certified have come under fire from former SEC heavies, Paul Volcker and Arthur Levitt.In a letter they co-wrote...

It's refreshing to see that the people that held such high stations with influential companies and commissions continue to maintain their vigilance to protect the average investor. Men like Volcker, Levitt, Biggs, and Bogle, continue to echo the spirit of why the Sarbanes-Oxley was enacted in the first place. Without doubt, the cost of SOX compliance can be steep, but there is a lot of "institutional learning" about internal controls that has transpired over the past three years. Those efforts have flattened the learning curve for those who follow.

Read more

Thursday, February 23, 2006

Unified Compliance Summit

I'm on the scene of IT Compliance Institute's Unified Compliance Summit in Las Vegas. Overall, it is an impressive gathering of industry IT, audit, and compliance professionals sharing stories, better practices, and practical guidance. The instructors are practitioners, so the content has been relatively fresh.

Aside from the instructional tracks, I've been especially intrigued with ITCi's Unified Compliance Project. The project is an ambitious attempt to assess myriad compliance requirements various industries face to support a strategic approach to IT compliance. Tools produced by the project help crystallize the overwhelming need to gain an understanding of the overlapping requirements. Check it out.

The project inspires a broader vision of compliance management that non-IT managers may wish to collaborate. In my opinion, IT will be more successful with a unified compliance program if they can engage business units to invest the time to think similarly.

Tuesday, February 14, 2006

The End of SOX?

Is SOX legislation on the ropes? If you read the arguments of The Free Enterprise Fund you might think so. The FEF contends the Sarbanes-Oxley Act of 2002 is unconstitutional because of the manner in which the PCAOB has been empowered. Without knowing about the FEF's stand, I would say many public company managers would argue that the cost of the Act exceeds the benefits being reason enough to repeal the Act. On the other hand, citizens watching and reading excerpts from the Enron trial of Ken Lay and Jeff Skilling, may be thinking of due process and "justice". Accountants and Auditors, barreling through another 10K season, may be just wishing to catch their breath and stop second-guessing their professional judgment.

For over three years, public companies and public accounting firms have grappled with the vague passages of the Act and the wide degree of interpretation that have followed. Along the trail, there has been material weaknesses reported, numerous restatements, fraudulent practices rooted out, executive resignations, and shareholder lawsuits. Also along the trail you'll find process remediation, greater internal controls awareness, independent directors, and better transparency.

The scales are heavy on both sides of the equation. My observation is that the Act is slowly attaining the lofty goals of reassuring investor confidence in the U.S capital markets. The balance of cost and benefit will continue to be borne by all sides for a few more years.

A recent study of 404 costs by CRA International commissioned by the Big Four indicated that the cost of 404 would decrease markedly in year two largely due to reduction in control documentation efforts and a gradual flattening of the learning curve. Skepticism about costs continues for many large accelerated filers and may be shared by their respective auditors. I'd chalk this ambivalence up to the top-down, risk-based approach and reliance on others work that were major themes at the SEC roundtable in April of 2005.

While the implementation of section 404 has been clouded by overboard documentation and duplication of testing, I am optimistic that the balance sought by the many affected is taking a foothold. The consequences of not taking adequate time and effort to review ICOFR has a toll and will exact varying forms of discomfort to those constituents that ignore the principles of better corporate governance. If the spirit of the Act is not maintained, it would be akin to regressing to an unstructured, chaotic time where shareholders rely more on faith than good management. Invariably, production would marginalize back office processes and relegate financial reporting as a necessary evil. If the shoe drops for those companies that choose to trust without verifying, who will pay for the lapse of oversight?