“Enterprise risk management is an overall umbrella term,” says Ken Haffey, the partner in charge of Management Advisory Services at Skoda, Minotti & Co. “ERM goes into the areas of internal control reviews, quality assurance reviews and SAS 70 audits, just to name a few.”
ERM, Haffey notes, is relevant for companies in all industries and of all sizes. During an ERM review, a company’s areas of greatest material risk are targeted, and the focus is on maximizing efficiency and minimizing costs, both immediately and over time.
“The accounting firm, using professionals from a wide range of disciplines and backgrounds, sets up a system to provide reliable financial statement data and to enhance communication between the company’s functional areas,” says Haffey.
Smart Business talked to him about how ERM audits can help companies large and small.
Why have enterprise risk management programs become so popular so fast?
The federal government’s Sarbanes-Oxley Act (SOX) of 2002 has created all sorts of additional different attestation and reporting requirements. One of the reasons is that the customers of major corporations are demanding SOX compliance. Customers are saying, ‘We want a piece of paper that says you’re processing our information correctly.’
So businesses that had been resisting certain levels of risk management are finding that the world is changing.
Plus, a company’s position is strengthened when they’re selling their business. They can separate themselves from their competitors who may not be SOX compliant.
Because of those recent changes in law and philosophy, selling ERM services is not as tough as before.
What are the different types of ERM services?
First, SOX consulting. Accounting systems and procedures are reviewed and, if they are not SOX-compliant, they are made SOX-compliant.
An SAS 70 audit engagement is a risk assessment opinion from an independent service auditor, and it assures that a company is not eliminating or double-processing some accounting functions.
Also included in ERM are quality assurance reviews, which are more targeted to a specific functional or operational area than SAS 70 audits.
Finally, supplementary services and systems are examined, including processes and procedures that include better and stronger internal control policies.
When is an ERM review most needed?
Many organizations, in early stages of their life cycle, work and focus completely on revenue generation as they should. They never really establish a proper accounting and finance culture. Rather, accounting and finance are done on the cheap, because the company needs to pay salaries first.
By virtue of working through an ERM project, we can help companies identify areas where the right people should be put in place to perform the proper functions to make sure the right things happen.
Also, if a company is preparing itself to be acquired by a larger company that’s under SOX rules, they’re much better off to upgrade their systems and become SOX compliant. We’ve seen larger organizations back out of purchasing certain smaller organizations that are not close to being SOX compliant.
Is an ERM review costly?
I haven’t met one person who says anything other than, ‘Yes, but it was worth it because we shored up things that we knew we needed to shore up.’
Some say, ‘Yes, it’s a pain and yes, it’s costly, but it’s been beneficial.’
One of our clients did a cost/benefit analysis on the SOX project that we completed for them, and they were able to identify multiple instances where they had been missing revenue opportunities with some of their customers. Management was able to justify to the audit committee the cost of the SOX review. The client spent hundred of thousands of dollars, but it was all worthwhile, and it strengthened the organization.
As a business owner, you might be tempted to think that the accounting firm is reaching into your pocket one more time for one of these types of projects, but as an accounting professional, I would recommend it.
What are other benefits of an ERM review?
It creates peace of mind at the highest levels of management who now are required by law to sign off on the financial statements, making them personally responsible and for corporate audit committees. After an ERM, upper levels of management certainly have a comfort level that they didn’t have before.
KEN HAFFEY is the partner in charge of Management Advisory Services at Skoda, Minotti & Co. Reach him at mailto:firstname.lastname@example.org or (440) 449-6800.