Wounded by its failure to blow the whistle on accounting shenanigans at companies like Enron and WorldCom in 2001 and 2002, the auditing industry now stands to reap a windfall from the very problem it helped create.The remedy the government devised to prevent future malfeasance in corporate accounting, the Sarbanes-Oxley Act of 2002, will raise the cost of corporate audits an expected 25 percent to 130 percent depending on the size, complexity and degree of decentralization of the company being audited. And the Big Four accounting firms (Deloitte & Touche, KPMG, PricewaterhouseCoopers and Ernst & Young) will garner even greater profits (estimates are all over the map, but they dwarf the auditing fees) from consulting on how to do Sarbox compliance. The catch phrase for this burgeoning line of work is “enterprise risk management.” (Translation: Sarbanes-Oxley is only the beginning of your governance problems.)
But your auditor can’t build the controls for you. In an effort to end the conflicts of interest that brought down Arthur Andersen when it both consulted with and audited Enron, the Securities and Exchange Commission has scratched a faint line in the sand between auditing and consulting. “Basically, you’re not supposed to audit your own work,” says Jim DeLoach, managing director at Protiviti, a company that consults on compliance.
But since every major company wants a Big Four stamp of approval on its Sarbox controls to help ensure a clean audit, if a Big Four firm isn’t auditing you, it will probably be consulting with you, thereby virtually doubling the amount of business to be had.
Confusion could double too. The firm your company is paying to do the auditing may not approve of the way another firm designed the controls. To avoid that, auditors are allowed to advise their clients during the design process on whether theconsultants are on the right track. But that doesn’t guarantee that the auditors and consultants will agree in the end. “You could have disagreement over what should be included in scope under the law and what shouldn’t,” says Lynn Edelson, U.S. leader for systems and process assurance at PricewaterhouseCoopers.
The SEC, however, isn’t going to wait while the various parties sort it out. Everybody needs a Sarbox-compliant audit by the middle of 2005 or CEOs and CFOs could be looking at jail time. “The definition between an A and an F grade isn’t clear yet,” says a source who asked not to be identified. “We won’t know until we have some cases in the court system.” Either way, the auditors and consultants will have their meters running.
Auditors say that Sarbanes-Oxley simply legislates that they do what they used to do as a matter of course: honest, thorough audits. Sometime during the go-go ’90s, audits became a commodity, with companies shopping the (then) Big Five for the cheapest price. The auditors obliged, turning what used to be a thorough test of a company’s financial controls into something less. “It was the relatively lax regulation climate that put so much [downward] pressure on audit fees,” says John Parkinson, a former consultant and chief technologist for the North American region of consulting company Capgemini. “No question, companies paid as little as possible to get a 10-K. The accounting firms went along because they had no choice. They’re rubbing their hands in glee now because they are doing the job they should have been doing.”
And getting paid double for it.