Connie Whitecotton, chief risk and compliance officer at $815 million Alfa Corp., remembers well the first year she took responsibility for the company's Sarbanes-Oxley 404 audit. It was 2005, and the exercise ended up costing $1.3 million in audit fees–more than three times the auditor's initial $400,000 estimate, and almost double what the job had cost in 2004. "I was outraged!" she recalls. Only a year later, however, she got the same job done for $825,000, and this year, she expects auditing hours to be slashed by 60%, bringing total 404 compliance costs for Alfa way down. Her secret was to shift from simply achieving compliance on 404 to a 404 audit based on the enterprise risk management (ERM) program she was implementing. In 2006, Whitecotton read an early draft of Auditing Standard 5 (AS5)–the corporate SOX-relief package from federal regulators–and she realized that the key to fending off pesky auditors was to have a buttoned-up approach to quantifying and prioritizing risks. "How can I argue to an auditor which risks are material unless I have something to back up the statements?" she says.
Enter LogicManager, with a platform that company CEO Steve Minsky says not only identifies risks, but also assesses whether each risk is material, evaluates which risks require action, determines how to mitigate risk and then monitors the process of mitigation. Ironically, Whitecotton was already using LogicManager for her ERM work, but she had thought that to automate her 404 work, she would have to look in the compliance space for a tool. "I knew I was going to have to eat some crow," she laughs. "I had just sold my CFO and COO on the fact that I would need one system for my ERM and another for my SOX and here I was bringing in a whole new system to do both. It was worth it. How could I not roll my SOX into this?"
"Now, we can prioritize risk factors," says Whitecotton, "and then it becomes a matter of negotiating with auditors." With management pointing the way to key material risks–all documented by LogicManager–the incentive is for the auditor to focus on those areas and keep costs down. Alfa's system is working so well that Whitecotton managed to negotiate a fixed-fee contract with her auditors.
Unfortunately, it may not be so smooth for every finance executive approaching his or her next audit with AS5 in hand, and some finance executives are already throwing in the towel on this year's audit. According to a not yet released study by Deloitte & Touche LLC, 63% of 175 audit, finance and compliance executives surveyed expect to reap savings of less than 15% from AS5. "You get the sense that many managers are figuring that they've made their investments in SOX compliance, and now they're resistant to change," says Tom Connors, the partner who heads up Deloitte's SOX and governance, risk and compliance (GRC) initiative. "But there is an opportunity for companies to improve their internal self-assessment. In many companies, SOX compliance has been handled by a separate group of people, working on their own. Now, because of AS5, companies can integrate that compliance function into their regular internal reporting practice, which holds the potential for improving overall efficiency and performance."
First, companies have to rejigger the way they assess risks–away from the checklist of controls in place and towards a prioritization of risks that matter. "Companies should be aggregating risks from the top down, but in practice they're aggregating them from the bottom up, and are mitigating against risks that aren't important," says John Hagerty, vice president at AMR Research Inc.
The top-down approach is exactly what the Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) mandated when they replaced the documentation-oriented, compliance-based Auditing Standard 2 (AS2) with the more risk management-based AS5. The new rule, which took effect for larger companies with fiscal years that ended after Nov. 15, 2007, specifically calls for management-driven audits that reserve rigorous testing for higher-risk controls. Management, however, must be able to prove to auditors that risks are, or are not, material to move to this type of audit. "Unless management takes the bull by the horns and goes in and really assesses where the material risks are and takes the lead, companies are not going to see the advantage from AS5 for years," Whitecotton insists.
None of this is news to Arnie Hanish, chief accounting officer at Eli Lilly & Co. and a former member of the PCAOB's advisory group. "At Eli Lilly, we tackled 404 compliance from the outset with a risk assessment approach," he says. "That meant instead of looking at all the ways you could have a financial misstatement, we looked at only those where if something went wrong you could have a material misstatement." As a result, he says, Eli Lilly's post-404 audit costs rose by just 20%, where other companies were seeing theirs jump by 50% to 100%. The exercise also made Lilly more efficient and effective: Hanish reports that Eli Lilly was able to simplify and reduce the total number of "key processes" across the far-flung firm by as much as 25%. "AS5 has given companies a green light to do what we were doing, as well as to give auditors a degree of comfort with management's determination about which financial risks are material," Hanish concludes.
Something short of ERM can still allow managements to take advantage of AS5. Scott Mitchell, CEO of the Open Compliance & Ethics Group, an association representing risk and compliance officers that develops standards and guidance for governance, risk management and compliance, outlines three things managements need to focus on: "First, make sure the people you're working with–for example, your own internal audit shop–are competent, and that you can demonstrate that competency to your outside auditor. Second, be able to explain and justify the process you went through to reach your conclusions about which controls are material. For example, if you're trying to audit the ethical culture of the company, just talking to the five top executives won't cut it. You need to survey your employees in key departments. And finally, you need documentation for all your decisions about where the material risks are."
There are processes that a company can implement to get that documentation, but many experts recommend finding risk assessment software to facilitate the effort and ensure the company's ability to maintain real-time data to track current risk exposure. Yet, according to GRC consultant Anne Marchetti, a surprising number of companies balk at making a software purchase. "They'll say they don't think it's worth the cost, but to really take advantage of the changes in AS5, you need to be able to quantify and prioritize your risk and to convince the outside auditor of your approach." Any auditor, she argues, is going to "ask how you conducted your risk assessment and for the evidence to support your determination as to which controls they need to focus on."
Marchetti says that companies that are still resisting automating their financial risk assessment process may be making the same mistake individuals make in deciding whether to buy income tax software. "They are asking whether it's cost effective for the initial year," she says, "but they should be thinking longer term because once you set up your system, it makes everything easier year after year."
Costs can vary, she says. "Risk management software could cost you anywhere from $25,000 to $250,000, depending on the size of the company and the complexity of the operation, but regardless, it's not that expensive." And the payoff can be enormous, because "you're not just saving on auditors' fees. You're also saving on internal costs. There can be several layers of internal reports involved in the 404 compliance process, and if you don't have an automated system for that, it's an enormous amount of manpower."
Whether a company opts for an ERM approach, or just assesses where the material risks and key financial controls are for the 404 audit, in the end it comes down to a dialogue between management and the auditor. "It's simple enough," says David Hardesty, author of "Practical Guide to Corporate Governance and Accounting" and a consultant with Thomson Tax and Accounting. "If you've done a plausible risk assessment job and are able to document what you're saying, there's not much for the auditor to say. They may not even test some of your controls."
As an indication of how that new dialogue can work, Alfa Corp.'s Whitecotton says, "It's really a paradigm shift. In the past, before AS5, the auditor would say, 'That's a really risky investment, and we need to audit it,' and we couldn't argue. Now I can say, 'Yeah, but it's just $20 million in a $1-billion company, so it's just a hiccup. Why worry about it?' And they'll leave it alone."
Of course, not all auditors can be counted on to march willingly into this Promised Land, since it definitely should cut billables. "Auditors love SOX and Section 404. They staffed up to handle the job, and the auditing of internal controls over financial reporting has represented 70% of their auditing bills," observes Jerry Hutter, CEO of CFO Strategies and former auditor. In their defense, they are "the ones left standing in court if there's a material financial misstatement down the road."
AS5 is also still new, and there has not been much time for executives or auditors to get up to speed. "We had PricewaterhouseCoopers tell us it would take them two years just to teach their auditors how to handle AS5," says Alfa's Whitecotton. Her answer was to switch to another auditor.
"It definitely makes sense to use ERM as a framework to simplify expenses and focus on specific risks, and we're starting to see a lot of companies doing that," says Keith Webster, managing director at Dun & Bradstreet's Enterprise Risk and Compliance unit. "But my gut instinct is that every new regulation takes time to mature, and this one is going to be no different. That would mean the real benefit of AS5 could be years off." CFO Strategies' Hutter agrees. "The PCAOB won't be auditing the CPA firms' work under AS5 for another year, and that is the first time we'll really get all the issues figured out. Until then a lot will remain up in the air."
© 2025 ALM Global, LLC, All Rights Reserved.