Sarbanes-Oxley Act and FDICIA 36
An ERA is a streamlined and cost-effective risk management tool. At the other end of the spectrum, in terms of complexity and granularity, are the Sarbanes-Oxley Act (“SOX”) requirements that public filers must meet and the FDICIA 36 requirements for larger institutions (starting at $500 million in assets, with additional requirements at $1 billion), as regards controls over financial reporting risk. We have considerable experience with such reporting, in both the documentation and the testing phases.
Most SOX institutions adopt a COSO-type approach, which is also what the FDIC recommends for meeting FDICIA 36 requirements. Documenting the internal controls to be tested first requires a risk assessment of the institution, a similar but more detailed exercise than the one described above for an ERA. SOX and FDICIA both require analyzing specific risks at a disaggregated level, then identifying the controls (key controls, plus back-up or compensating controls) over each risk. Rigorous documentation and validation requirements apply.
Over time, smaller, non-public institutions can expect growing pressure to head down this path. It will become a differentiator of well-managed, leading-edge players. And it will give management and the Board more comfort that the institution has positioned itself to minimize both the likelihood of any given loss event and the amount that would be lost.