About a month ago I mentioned a CIO who told me that her Sarbanes-Oxley IT auditor wouldn’t tell her which controls were necessary and which weren’t, and as a result she ended up putting in place more controls than she needed to. Over the last couple of months I’ve talked to a lot of CIOs who have had similar experiences. The reason seems to be a misunderstanding between auditors and the Public Company Accounting Oversight Board (PCAOB), the group established to oversee and give guidance to the auditors. Without getting bogged down in the minutiae of auditing protocols, the problem seems to be that many auditors interpreted one of the PCAOB’s guidelines – Auditing Standard No. 2 – to mean that telling a client a particular control wasn’t really necessary to pass the IT audit would itself amount to a control violation. In April the SEC said that this was never its intention, but didn’t actually amend its previous guideline or release a new one.

The good news for CIOs and public companies everywhere is that the clarification came yesterday (PCAOB Issues Guidance on Audits of Internal Control) and it directly addresses this complaint:

“In particular, the staff questions and answers seek to correct the misimpression that certain provisions of Auditing Standard No. 2 need to be applied in a rigid manner that discourages auditors from exercising the judgment necessary to conduct an internal control audit in a manner that is both effective and cost-efficient. The Policy Statement expresses the Board’s view that, to properly plan and perform an effective audit under Auditing Standard No. 2, auditors should...engage in direct and timely communication with audit clients when those clients seek auditors’ views on accounting or internal control issues before those clients make their own decisions on such issues, implement internal control processes under consideration, or finalize financial reports.”

You can read the full 14-page clarification here if you are so inclined. In the meantime, this statement means that CIOs who have yet to go through their Sarbanes-Oxley IT audit should be able to engage in a more direct back and forth with their auditors. The statement also says that the PCAOB is disappointed that auditors have tended to use one-size-fits-all checklists during the audits as opposed to lists based on a company’s specific risk profile. So if your auditor seems to be basing the audit on a general checklist, print out the aforementioned clarification and hand it to him.