About a month ago I mentioned a CIO who told me that her Sarbanes-Oxley IT auditor wouldn’t tell her which controls were necessary and which weren’t, and as a result she ended up putting in place more controls than she needed to. Over the last couple of months I’ve talked to a lot of CIOs who have had similar experiences. The reason seems to be a misunderstanding between auditors and the Public Company Accounting Oversight Board (PCAOB), the group established to oversee and give guidance to the auditors. Without getting bogged down in the minutiae of auditing protocols, the problem seems to be that many auditors interpreted one of the PCAOB’s guidelines – Auditing Standard No. 2 – to mean that telling a client a particular control wasn’t really necessary to pass the IT audit would itself amount to a control violation. In April the SEC said that this was never its intention, but didn’t actually amend its previous guideline or release a new one.
The good news for CIOs and public companies everywhere is that the clarification came yesterday (PCAOB Issues Guidance on Audits of Internal Control) and it directly addresses this complaint:
“In particular, the staff questions and answers seek to correct the misimpression that certain provisions of Auditing Standard No. 2 need to be applied in a rigid manner that discourages auditors from exercising the judgment necessary to conduct an internal control audit in a manner that is both effective and cost-efficient. The Policy Statement expresses the Board’s view that, to properly plan and perform an effective audit under Auditing Standard No. 2, auditors should…engage in direct and timely communication with audit clients when those clients seek auditors’ views on accounting or internal control issues before those clients make their own decisions on such issues, implement internal control processes under consideration, or finalize financial reports.”
You can read the full 14-page clarification here if you are so inclined.
In the meantime, this statement means that CIOs who have yet to go through their Sarbanes-Oxley IT audit should be able to engage in a more direct back-and-forth with their auditors. The statement also says that the PCAOB is disappointed that auditors have tended to use one-size-fits-all checklists during audits rather than lists based on a company’s specific risk profile. So if your auditor seems to be basing the audit on a general checklist, print out the aforementioned clarification and hand it to him.