Connie Whitecotton, chief risk and compliance officer at $815 million Alfa Corp., remembers well the first year she took responsibility for the company’s Sarbanes-Oxley 404 audit. It was 2005, and the exercise ended up costing $1.3 million in audit fees–more than three times the auditor’s initial $400,000 estimate, and almost double what the job had cost in 2004. “I was outraged!” she recalls. Only a year later, however, she got the same job done for $825,000, and this year, she expects auditing hours to be slashed by 60%, bringing total 404 compliance costs for Alfa way down. Her secret was to shift from simply achieving compliance on 404 to a 404 audit based on the enterprise risk management (ERM) program she was implementing. In 2006, Whitecotton read an early draft of Auditing Standard 5 (AS5)–the corporate SOX-relief package from federal regulators–and she realized that the key to fending off pesky auditors was to have a buttoned-up approach to quantifying and prioritizing risks. “How can I argue to an auditor which risks are material unless I have something to back up the statements?” she says.
Enter LogicManager, with a platform that company CEO Steve Minsky says not only identifies risks, but also assesses whether each risk is material, evaluates which risks require action, determines how to mitigate risk and then monitors the process of mitigation. Ironically, Whitecotton was already using LogicManager for her ERM work, but she had thought that to automate her 404 work, she would have to look in the compliance space for a tool. “I knew I was going to have to eat some crow,” she laughs. “I had just sold my CFO and COO on the fact that I would need one system for my ERM and another for my SOX and here I was bringing in a whole new system to do both. It was worth it. How could I not roll my SOX into this?”