Sarbanes-Oxley Act and FDICIA 36
An Enterprise Risk Assessment (ERA) is a streamlined and cost-effective risk management tool. At the other end of the spectrum, in terms of complexity and granularity, are the Sarbanes-Oxley Act (“SOX”) Section 404 requirements that public filers must meet and the FDICIA 36 requirements for larger institutions (full reporting starting at $1 billion in assets), as they relate to controls over financial reporting risk. We have considerable experience with such reporting, in both the documentation and the testing phases.
Most SOX institutions adopt a COSO-type approach, which is also what is recommended for meeting FDICIA 36 requirements. Documenting the internal controls to be tested first requires a risk assessment of the institution – an exercise similar to an ERA, but more detailed. SOX and FDICIA both require analyzing specific risks at a disaggregated level, then identifying the controls (key controls, as well as back-up or compensating controls) over each risk. Rigorous documentation and validation requirements apply.
Over time, smaller, non-public institutions can expect rising demands to head down this path – even without a formal SOX or FDICIA reporting requirement. It will become a differentiator of well-managed, leading-edge players. And it will give management and the Board more comfort that the institution has positioned itself to minimize both the likelihood of any given loss event and the amount that would be lost.