Financial Daily from THE HINDU group of publications
Thursday, Jun 24, 2004


Opinion - Accountancy


Healthy lack of risk appetite

Mohan R. Lavi

Mohan R. Lavi on a new benchmark on internal control and risk management

THE Committee of Sponsoring Organisations (COSO), formed under the aegis of the Treadway Commission, has issued its draft Enterprise Risk Management Framework (ERMF). The final form should not be very much different from the draft.

The ERMF assumes importance since it is the benchmark recommended by the Sarbanes Oxley Act (SOX) for internal control and risk management.

The draft spells out the importance of the internal environment for risk management and recognises eight components of risk management — objective setting, event identification, risk assessment, risk response, control activities, information and communication and monitoring.

The framework details the roles and responsibilities of various units in devising an appropriate risk management framework.

Financial officers

The framework talks about the finance officers whose activities cut across all operating and business units.

They are involved in developing entity-wide budgets and plans, and they track and analyse performance from an operating, compliance and reporting perspective.

The financial officer plays an important part in preventing and detecting fraudulent reporting. The framework concludes that the chief financial officer should come to the table as an equal partner with the other functional heads. The management should not attempt to cripple his focus.

Internal auditors

The framework recognises that the Institute of Internal Auditors specifies that the scope of internal auditing should encompass risk management and control systems, which include evaluating the reliability of reporting, reviewing the effectiveness and efficiency of operations, safeguarding assets and ensuring compliance with laws, regulations and contracts.

The framework is quick to clarify that internal audit does not have primary responsibility for establishing or maintaining enterprise risk management. Internal auditors should assist both management and the audit committee by monitoring, examining, evaluating, reporting on and recommending improvements to the adequacy and effectiveness of management's risk management processes.

Since the scope of the internal auditors' function is generally free-for-all, they should be objective with regard to the activities they audit. This objectivity should be reflected by their position and authority within the entity. They can be said to be objective when not placed in a position of subordinating their judgement on audit matters. Protection for this lies in appropriate internal auditor staff assignments which should avoid potential and actual conflicts of interest and bias.

The framework recommends that staff assignments should be rotated periodically and internal auditors should not assume operating responsibilities.

Similarly, they should not be assigned to audit activities with which they were recently involved in prior operating assignments.

External auditors

External auditors provide management and the board of directors with a unique, independent and objective view that can contribute to an entity's achievement of its external financial reporting objectives. By expressing an opinion on the fairness of the financial statements in conformity with the generally accepted accounting principles, the external auditor raises the level of assurance.

The framework dismisses the views that an auditor who gives a report as pure as snow has concluded that internal control is tamper-proof or that he has conducted a thorough review of risks and controls to identify all or most significant weaknesses.

Putting the issue in perspective, the framework says that a financial statement audit helps recognise that while an entity can have ineffective risk management and ineffective internal control related to financial reporting, an auditor may still be able to issue an opinion that the financial statements are fairly presented. This is because he focuses his attention purely on the financial statements.

The auditor should gain sufficient knowledge of the internal control systems prevalent to plan the audit. During the course of their duties, the external auditor provides useful inputs to management to carry out their risk management related responsibilities by communicating audit findings, analytical information and recommendations for use.

With an eye on the requirements of SOX, the framework concludes that where law and regulation require an auditor to evaluate a company's assertions related to internal control over financial reporting, the scope for examination in those areas will be extensive. (Audit of Internal Control over Financial Reporting issued by the Public Company Accounting Oversight Board.)

Are we better?

Apart from a few cosmetic changes, the framework culls out a lot from the earlier 1994 version. Since this has been on the statute for a decade, it would be interesting to lead a discussion on risk management frameworks and their effectiveness in detecting frauds and material misstatements both in India and abroad.

A single trader brought down BCCI like a pack of cards. Management, internal and external auditors turned a blind eye towards the off-balance-sheet skulduggery that was happening at Enron. WorldCom collapsed because it preferred to treat revenue expenses as capital. A forged bank certificate opened the Pandora's box at Parmalat, which is now in receivership.

If we shift the focus to home turf, we find that Harshad Mehta, CRB Capital and Ketan Parekh focussed their greed on the stock market. Public sector banks in India have had to pay penalties and compensations for misdeeds committed abroad but have been able to come out with hardly a scratch. So, is our risk appetite better?

It needs no mention that abroad, whatever happens, happens big-time. So we have the near-monopoly of a Microsoft, the universal presence of a GE and international banks in every big city. When the likes of these transgress the rules and are caught, the brunt is too big to bear.

That is the reason why Dynegy was not permitted to take over Enron for a paltry sum. In India, it appears we are a bit more conservative in our risk appetite. We cannot compare an Infosys to a Microsoft but still the former is able to pay a few million dollars for a lawsuit without as much as batting an eyelid.

An error in the accounting treatment of a medical unit of a software company in India resulted in a restatement but was handled with aplomb.

It seems that although we are conservative and small by global standards, our risk appetite appears healthier. The COSO framework should probably conclude that, like in life, everything has limits. Crossing them is an invitation to the road to disaster.

(The author is a Hyderabad-based chartered accountant.)


Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line