The Sarbanes-Oxley Act of 2002 (SOX) was enacted on the heels of a number of accounting scandals and acts of corporate malfeasance to provide a variety of regulations for publicly traded companies. In addition, these external factors have driven an increased interest by regulators in Enterprise Risk Management (ERM) to effectively identify, assess and manage risk. Because both of these are risk-based initiatives and part of good corporate governance, we often get questions on exactly how they differ.
SOX vs. ERM
SOX was passed by Congress in 2002 to protect investors from fraudulent financial statements. The legislation is intended to strengthen corporate oversight and improve internal control over financial reporting (ICFR) to ensure appropriate disclosures and accuracy of financial reporting for shareholders. Compliance with SOX is mandatory for publicly traded companies, and violations of the rules can lead to penalties such as fines and imprisonment.
ERM, on the other hand, is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within the entity’s risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” You’re probably thinking, “Yes, I can look up definitions too. What exactly does that mean in the real world?”
ERM is identifying and managing the broad range of business risks that could prevent you from achieving your business objectives, while SOX is focused on internal controls over external financial reporting for publicly traded companies to provide shareholders peace of mind that your financial statements are complete and accurate.
ERM can help you identify risks and mitigating actions that may ensure your business meets its goals and objectives and to effectively deal with uncertainty. Many corporate collapses may have been foreseen and possibly averted through the use of ERM, whereas the cause of a collapse may have nothing to do with the accuracy of the financial statements.
We mention COSO with regard to both SOX and ERM. COSO is neither SOX nor ERM. COSO is a framework developed to assist management in implementing SOX or ERM. COSO’s basic thought process is to have good governance practices in place, define your objectives, identify the important risks, while actively controlling and monitoring these risks. COSO is both a framework and a process.
Comparing SOX to ERM using the COSO Framework
To give you a better idea of how the COSO framework would be related to SOX and ERM, let’s look at a model comparison below and talk about the visual differences. It is important to remember that as stated above, the basic COSO thought process is the same when applied to either SOX or ERM but the information presented in publications associated with each topic differs as discussed below. The SOX model below represents the portion of the COSO framework as it relates to ICFR.
External financial reporting is only a portion of a publicly traded company’s financial reporting objectives and financial reporting objectives are one section of the company’s overall objective set. On the left, above, you can see there is no “objective setting” layer as called for in the ERM model. The reason is that the external financial reporting objectives are already defined by the SEC as follows:
- To provide reasonable assurance regarding the reliability of financial reporting
- To design and maintain an effective system of internal controls over financial reporting
- To prevent or detect in a timely manner fraud that could materially affect the financial statements.
The task for SOX is to identify the risks that your company needs to control and monitor to ensure these objectives are met.
On the other hand, ERM requires a much broader application of the COSO framework. It looks at all the company’s objectives (strategic, operational, compliance and financial reporting). The financial reporting objectives in ERM include both internal and external financial reporting objectives. ERM is a comprehensive look at the company’s governance, objectives, risks, controls and monitoring systems. SOX is a sub set of ERM for a publicly traded company.
Additionally, with respect to SOX, there is not a strategic objective component since SOX is not a matter of business strategy but an element of complying with the law. In contrast, ERM includes a focus on the risks around a company’s strategy.
In ERM, the COSO framework has a layer for the identification of internal and external events effecting the achievement of the company’s objectives. Although the SOX model does not call out a separate event identification layer, it is necessary as part of your risk assessment process to identify and consider the internal and external events that could have an effect on external financial reporting.
In ERM, a company identifies and assesses a broad range of internal and external risks. In the risk response layer of the framework, there is a discussion of the four ways to respond to a risk. A company can avoid, accept, reduce or share a risk. While these four options are discussed in the ERM framework, the discussion for SOX is generally only about controlling the risks associated with external financial reporting.
SOX and ERM Working Together
In summary, both SOX and ERM are ongoing risk management initiatives. SOX is a subset of the financial reporting objectives for publicly traded companies. The SEC requires a public company to choose and follow an accepted internal control framework in the evaluation of its external financial reporting controls. COSO is an accepted framework and is followed by most publicly traded companies for the evaluation of ICFR. COSO is also one of the most accepted frameworks used for ERM programs.
Bill Dawson, CPA is a Principal and the service line leader for AC Lordi’s Risk & Compliance practice. He has a diverse background in accounting and reporting, tax, audit and business consulting with public and privately held domestic and multinational corporations. He served as VP of Internal Audit, and later as the VP of Corporate Income Tax for a $2+ billion specialty apparel retailer. He also has 18+ years of Big 4 experience with PricewaterhouseCoopers, including as an Audit Partner managing a portfolio of public and privately held consumer product, chemical manufacturing, aerospace and retail clients. Bill can be reached at firstname.lastname@example.org or 610-738-0100.