About a month ago I mentioned a CIO who told me that her Sarbanes-Oxley IT auditor wouldn’t tell her which controls were necessary and which weren’t, and as a result she ended up putting in place more controls than she needed to. Over the last couple of months I’ve talked to a lot of CIOs who have had similar experiences. The reason seems to be a misunderstanding between auditors and the Public Company Accounting Oversight Board (PCAOB), the group established to oversee and give guidance to the auditors. Without getting bogged down in the minutiae of auditing protocols, the problem seems to be that many auditors interpreted one of the PCAOB’s guidelines – Auditing Standard No. 2 – to mean that telling a client a particular control wasn’t really necessary to pass the IT audit would itself amount to a control violation. In April the SEC said that this was never its intention, but didn’t actually amend its previous guideline or release a new one.

The good news for CIOs and public companies everywhere is that the clarification came yesterday (PCAOB Issues Guidance on Audits of Internal Control) and it directly addresses this complaint:

“In particular, the staff questions and answers seek to correct the misimpression that certain provisions of Auditing Standard No. 2 need to be applied in a rigid manner that discourages auditors from exercising the judgment necessary to conduct an internal control audit in a manner that is both effective and cost-efficient. The Policy Statement expresses the Board’s view that, to properly plan and perform an effective audit under Auditing Standard No. 2, auditors should…engage in direct and timely communication with audit clients when those clients seek auditors’ views on accounting or internal control issues before those clients make their own decisions on such issues, implement internal control processes under consideration, or finalize financial reports.”

You can read the full 14-page clarification here if you are so inclined.
In the meantime, this statement means that CIOs who have yet to go through their Sarbanes-Oxley IT audit should be able to engage in a more direct back and forth with their auditors. The statement also says that the PCAOB is disappointed that auditors have tended to use one-size-fits-all checklists during the audits, as opposed to lists based on a company’s specific risk profile. So if your auditor seems to be basing the audit on a general checklist, print out the aforementioned clarification and hand it to him.