Study Says SOX Not Pushing ERM Adoption

New York — The need to comply with Section 404 of the Sarbanes-Oxley Act (SOX) is only having a minimal effect on enterprise risk management (ERM), new research has found.

A study by New York-based Advisen Ltd. reveals that while some companies have thoroughly integrated the risk management function into Section 404 compliance, most have not.

In fact, only 45% of the respondents to the survey said that their company has, or plans to have, a formalized ERM program. What’s more, less than a quarter of those who answered in the affirmative said that compliance with SOX motivated the implementation of the ERM program. The results seemingly belie the promise that the risk management process provides a ready-made framework for compiling information and monitoring compliance.

“In addition to the possibility that traditional risk management responsibilities may be interpreted to fall within the monitoring and reporting requirements of Section 404, risk management departments also may be called upon to take part in planning, implementing and administering a Section 404 compliance program,” the survey notes.

Despite this perceived overlap, the study records that only half the respondents felt that their risk management department was adequately involved in Section 404 compliance activities.

Source: Advisen Ltd.
