Friday, May 20, 2005

PCAOB policy statement -- a condemnation of auditing practices

Okay, so my new best friend is the Public Company Accounting Oversight Board.

This week they issued a new policy statement that set my heart aflame.

According to the document, auditors should

exercise judgment to tailor their audit plans to the risks facing individual audit clients, instead of using standardized "checklists" that may not reflect an allocation of audit work weighted toward high-risk areas (and weighted against unnecessary audit focus in low-risk areas)

Expanding upon this concept, the SEC noted in their staff statement that when a proprietary framework like COBIT is used

Because Section 404 is not a one-size-fits-all approach to assessing controls, it is not possible for us to provide a list of the exact general IT controls that should be included in an assessment for Section 404 purposes. However, the staff does not believe it necessary for purposes of Section 404 for management to assess all general IT controls, and especially not those that primarily pertain to the efficiency or effectiveness of the operations of the organization but are not relevant to financial reporting.

It's easy to see how we've devolved into a template, fill-in-the-box approach. SOX auditors are hired by the truckload, and the only way for an auditing firm to be confident in the results is to apply uniform standards across audits, and leave little to auditor judgment. However, the PCAOB unequivocally condemns this approach:

In our inspections, we will look for audits that suffer from poor planning and risk assessment, such as by using standardized checklists without appropriately tailoring the procedures to the circumstances or focusing the audit on areas that are unlikely to lead to the discovery of material weaknesses in internal control at the expense of adequately auditing high-risk areas. When we detect such shortcomings, we will demand improvements.

Rather, auditors need to

use a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting, and use the risk assessment required by the standard to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement

However, the one failing in this document is a complete lack of guidance on what a top-down risk assessment should look like. Even COSO's ERM framework is too conceptual to be easily integrated into a corporate risk strategy, let alone into auditing guidelines.

Although I'm thrilled that the PCAOB is raising issues with processes that are more about signatures and documentation than about actually identifying and mitigating material weaknesses, they are committing a grave disservice by not pointing auditing firms to a viable alternative. Veiled threats are always fun:

By focusing on the conduct of a high-quality audit as described above, we believe our inspections will promote efficiency without the need for us to get involved in auditors' billing practices.

but without additional guidance on how to develop a risk-based approach, auditing firms will file away the policy statement and continue with business as usual, waiting for some other firm to figure out how best to address the problem the PCAOB has posed.

It's funny: the longer I'm in this field, the more I feel that auditing firms could learn by studying what we've learned in the field of computer security when it comes to risk analysis. If we want to secure our financial statements, we need to ask, "secure from what?" and "for how long?" There will ALWAYS be trusted parties and opportunities for fraud. Just as computer professionals need to be constantly aware of new threats, auditors need a mindset change if they are to be truly effective in uncovering fraud and abuse. Audits should be addressed in terms of threat models and enterprise risk evaluations, or corruption will continue unabated, and corporations will begin asking why they're spending ever-increasing funds on useless, time-consuming exercises.

Wednesday, May 11, 2005

IIA Cost/Benefit Analysis

Nice cost/benefit analysis of what SOX 404 compliance actually brings to an organization. I find it particularly stunning that there still appears to be controversy over who should own IT controls.
The process owners are not “control experts,” but they are an integral part of the control system. Process owners also have an obligation to ensure that the processes under their control are efficient — and rightly, or wrongly, they often believe that “controls” create unnecessary work and slow down the underlying processes, or at a minimum add unnecessary overhead. Controllers (and auditors) are generally the control experts within the organization. However, they usually do not have the authority to mandate controls, and more important, they are not part of the system that ensures that employees are motivated to comply with control requirements or follow control procedures. That is management’s job.
......

What is surprising is the percentage of companies planning to have internal audit responsible for maintaining controls documentation (23%) or for overall ownership of the evaluation process (28%) — areas generally viewed as the clear responsibility of management: the controller, a compliance manager, and/or the business process owners.
If controls are not built into the organization's DNA, we can count on a corrupted control environment. If I as a manager don't know my controls like the back of my hand, I'm not going to recognize when the project of the week is putting them in jeopardy, or when my documentation needs to be modified.

Another point of the analysis was the uncertainty companies faced throughout 2004. Shoot, there's uncertainty now! The fact that auditing firms continue to look at SOX as a binary process -- an application is in scope or out of scope -- with all process controls of equal weight, makes no sense to an organization trying to take a holistic view of risk mitigation on financial reporting.

The one flaw I saw in this document was that benefits were not quantified, whereas everyone knows what the costs are. If my benefits consist of a better control environment, WHY DO I CARE? Auditors and SOX control experts should spend more time communicating the inherent benefits of our activities, and keeping our eye on the bigger picture of making the company stronger through better availability, security, integrity, and on and on....

Thursday, May 05, 2005

It's good to be needed

It's finally becoming brutally apparent that we can't hide behind the nebulous ethics of "business decisions." Just as security isn't just the job of one poor ostracized soul in the IT department, the ethical decisions of a company don't only reside in the corner office. All that's being legislated is the lowest possible baseline of ethical behavior. If we are going to accept payment from a company for our brainpower, and we're not reporting and acting upon what we see, then we've failed our end of the bargain. Using the justification of "it's a gray area" is completely unacceptable -- what companies need to avoid is the mere appearance of impropriety. It's important for tone at the top, if nothing else. Employees need to see zero tolerance from above, to ensure the company isn't directly implicated when an employee commits fraud on his own.