"Those who can't do, audit," the old joke goes. And, says The Seattle Post-Intelligencer's Andrea James, they "make gobs of money."
A report from AMR Research indicates that Sarbanes-Oxley compliance spending will reach $32 billion next year -- the majority of which is allocated to outside consultants. AMR vice president John Hagerty notes, "If there's a clear winner here, it's the auditors themselves."
And though one might think that competition between firms for big Sarbox audit contracts would be fierce, Sarbanes-Oxley prevents audit firms from performing internal compliance consulting for the companies they audit. As such, those companies often hire one firm for consulting and and another to do the audit.
In essence, the two audit firms share clients. And audit consultant Christopher Fox warns that such client sharing smacks of conflict of interest, according to the Post-Intelligencer:
You've got to ask the question: Should they even be doing that? Is there a conflict of interest?... The problem is, if you're not careful, both sides get in bed with each other. The same people deliver the same teams from engagement to engagement. After a while you get to know each other.
Moreover, when the two firms disagree -- on the interpretation of Sarbanes-Oxley section 404, for instance -- they bill the clients for the time spent resolving their differences. But because they are so concerned about their reputations, the story says, they very seldom air those disputes in public. So the clients pay a lot of money, and the industry practices that raise eyebrows continue.
As equity analyst Brett Horn puts it in the Post-Intelligencer piece:
It's sort of ironic that it's the accounting firms -- they dropped the ball -- and they end up being the primary beneficiaries of this... The real question is, "Does Sarbanes really materially help to stop those situations?"
The lack of an answer to Horn's question suggests that Sarbox does not.
So on one hand, we could have consultants and auditors from the same firm who are unwilling to step on each others' toes. This, of course, would render the audit worthless, which is why Sarbox prohibits it. On the other, we have teams from different firms who may have worked together so often that they, too, are unwilling to step on each others' toes.
Interestingly, though, I haven't seen any stories or interviews that suggest a better solution given the lack of diversity in the industry. Even though it could raise questions, the latter option is the lesser of two evils, and it goes further toward preventing the abuses that Sarbox was intended to stop.