What to Do About Sarbox Auditing?

Lora Bentley

"Those who can't do, audit," the old joke goes. And, says The Seattle Post-Intelligencer's Andrea James, they "make gobs of money."


A report from AMR Research indicates that Sarbanes-Oxley compliance spending will reach $32 billion next year -- the majority of which is allocated to outside consultants. AMR vice president John Hagerty notes, "If there's a clear winner here, it's the auditors themselves."


And though one might think that competition between firms for big Sarbox audit contracts would be fierce, Sarbanes-Oxley prevents audit firms from performing internal compliance consulting for the companies they audit. As such, those companies often hire one firm for consulting and another to do the audit.


In essence, the two audit firms share clients. And audit consultant Christopher Fox warns that such client sharing smacks of conflict of interest, according to the Post-Intelligencer:

You've got to ask the question: Should they even be doing that? Is there a conflict of interest?... The problem is, if you're not careful, both sides get in bed with each other. The same people deliver the same teams from engagement to engagement. After a while you get to know each other.

Moreover, when the two firms disagree -- on the interpretation of Sarbanes-Oxley section 404, for instance -- they bill the clients for the time spent resolving their differences. But because they are so concerned about their reputations, the story says, they very seldom air those disputes in public. So the clients pay a lot of money, and the industry practices that raise eyebrows continue.


As equity analyst Brett Horn puts it in the Post-Intelligencer piece:

It's sort of ironic that it's the accounting firms -- they dropped the ball -- and they end up being the primary beneficiaries of this... The real question is, "Does Sarbanes really materially help to stop those situations?"

The lack of an answer to Horn's question suggests that Sarbox does not.


So on one hand, we could have consultants and auditors from the same firm who are unwilling to step on each other's toes. This, of course, would render the audit worthless, which is why Sarbox prohibits it. On the other, we have teams from different firms who may have worked together so often that they, too, are unwilling to step on each other's toes.


Interestingly, though, I haven't seen any stories or interviews that suggest a better solution given the lack of diversity in the industry. Even though it could raise questions, the latter option is the lesser of two evils, and it goes further toward preventing the abuses that Sarbox was intended to stop.

Jul 25, 2007 7:27 AM Andrea James says:
Hi there! Great synopsis of the story. Your conclusion seems to be dead on: There's no easy solution. Cheers, Andrea James, Business Reporter
Aug 2, 2007 1:50 AM Joe says:
This is what I have seen in the IT auditing industry. Public accounting firms are afraid of losing business. So when the customer complains about having to write policies and procedures, implement basic security, documenting, etc..., the internal auditors get with the external auditors to see what workarounds they can do to please the customer. They then lower their standards and the customers soon realize the more they complain, the more they don't have to do what they should be doing. This is fine with the public accounting companies, the more issues they have the more money they make. Another big problem is public accounting companies trying to make hybrid financial/IT auditors out of financial auditors. These hybrid auditors have an extremely poor knowledge of IT and their IT audits barely scratch the surface of what an IT department should be doing. They are also easily fooled by the IT staff. The wool is pulled over their eyes very easily. This is even the case in the big 4. Another problem that I see is companies not holding public accounting firms accountable for overcharging and incompetence. Maybe if they fire one company the next will be exactly alike or maybe even worse, who knows.
Aug 2, 2007 2:26 AM Carla Ross says:
I don't think the accountants dropped the ball, I think the business executives dropped the ball. I agree it's just like lawyers, accountants protect each other and the profession, the problem with the accountants/auditors is they are rule makers/advisors not enforcers and they can not force someone (business executives) to act honorably, however, congress can and did by requiring a lot of busy work that has nothing to do with stopping crime. I say blame your congressman (and the SEC) who was trying to save face (SOX) because they missed the whole mess in the first place. Carla R. Ross
Aug 2, 2007 2:37 AM Richard says:
As an auditor myself, I am more than willing to admit that I'm one of the winners from SOX enactment. My skills and experience are in demand, and my compensation reflects that. But to infer anything from this (other than that market demands still work) is unwarranted and unfair. I am unaware of any collusion amongst audit firms sharing a client, although I will admit that the possibility has always been there. I am, however, aware of numerous studies that show that audit fees are reduced by retaining an audit firm over several years. Audit fees are also reduced, as Joe noted, from collaboration (not collusion) between internal and external audit. The goal is to determine the most cost effective controls that will help the public invest without fear of financial misstatements. And SOX seems to be doing just that. We all know that passing a law doesn't mean that everyone will obey it, so part of the audit work -- internal and external -- is to actively look for fraud. Auditors are finding it, and culprits are being fired or prosecuted.
Aug 3, 2007 6:53 AM Michael says:
It really seems to me that compliance results in a lot of lost resources and is counterproductive. It's a pain and while I am sure there must be a better way I don't really know what that would be.
Aug 3, 2007 12:06 PM Jyothi Khantamaneni says:
This is a great story and brings out some very interesting ways in which independence can be curtailed in a professional firm. Having said that, I agree with Richard that the conclusion that there is a collusion appears unfair. The possibility of fraud exists with or without SOX, and I believe that PCAOB rules are attempting to curtail loss of independence. This sure beats the earlier norms where one firm was allowed to render several services to their clients. As a due diligence consultant, I come across several companies that are required to implement SOX and have noticed that their levels of independence and the quality of financial reporting are way higher in the post SOX era - as a result of having two independent professional firms rendering services.
Aug 6, 2007 9:43 AM Paul says:
As an auditor and compliance consultant with over 25 years of internal and external, financial and IT audit experience, I appreciate the comments made by Carla, Richard and Jyothi. What I see is not necessarily the wholesale failure of a profession, but rather the failure of a specific firm (Andersen) and the failure, in general, of the leadership of American companies (including the big accounting firms) to use only "ethical business practices". However, please consider this: they are not the only "guilty parties". The US public has, for decades, wanted less regulation and has proved that through its selection of congressmen and Senators. Successive Republican administrations slashed the budgets of the regulatory agencies (remember the Savings and Loan crisis?) and naturally, oversight of "troubled" or "complex" industries was less effective. Add to that the "CEO Worship" mentality in which the US press glorifies CEOs as celebrities. Blame also the shareholders who allow CEOs to earn exorbitant salaries based upon short term profit targets or equity prices. Mix all this together and it was only a matter of time before the Enron-WorldCom-Adelphia-Tyco scandals would arise. I have watched, with dismay, the steady erosion of IT controls from the early 90s through 2001. Management did not seem to care about data security or integrity. So it is with a certain feeling of Schadenfreude that I now watch companies install the controls over their financial accounting systems that they neglected to implement nearly a decade below. Just as Winston Churchill stated, "democracy is the worst system of governance except all those other systems which have been tried from time to time." I would have to say that SOX is the worst system of corporate governance except for all the other systems we have tried before. Most independent observers will readily support the statement: "Internal controls have improved under SOX." The primary issue has been the costs, not the goal.
With the new AS5, compliance costs should go down. But SOX will never stop a corrupt C** executive from defrauding the public or his (or her) company. It will only make it more difficult to do so and will only make it hurt more when the fraud is discovered.
Aug 8, 2007 2:13 AM Om Ahuja says:
The problem with SOX is unlike ISO 27001, there are no suggestions on what necessary steps or compliances are mandatory for implementation and the necessary model to monitor & measure them. Hence it's very difficult for any company to independently evaluate itself to arrive at a specific measurement which is comparable across the board. This area of ambiguity is exploited to the fullest by the Big Public accounting firms as mentioned in the article (Hand in glove relationships). Any smart auditor or consultant who argues with their grievances is set aside because the CFO only cares to have a good report at any cost.
