Who Will Audit the Auditors?

When your accounting firm sets up software to help monitor your internal controls, are you implementing solutions -- or risk?
Craig SchneiderJuly 14, 2003

The hottest software for corporate managers these days might be too hot to handle.

Just ask Scott A. Taub, the deputy chief accountant for the Securities and Exchange Commission. He recently issued a caveat emptor for software marketed by accounting firms to help clients track and evaluate internal controls under Section 404 of the Sarbanes-Oxley Act.

Such applications, he said during a recent meeting, may breach auditor independence rules if accounting firms are helping to set up the control systems they later evaluate. Noted Taub, “Companies and their auditors need to be mindful of those requirements.”

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Several of the Big Four accounting firms, as well as technology companies and consultants, have designed or are designing software intended to help finance managers comply with Section 404 or the Act as a whole. Those managers are being bombarded with choices, but at least they can be thankful that the ultimate responsibility of judging auditor independence falls squarely on the audit committee.

It appears that the SEC has good reason to issue a reminder about where the domain of external auditors ends and where that of management begins. “We have heard concerns about the extent of work that auditors might be asked or might want to do,” stated Taub, regarding “assisting management in documenting controls and in developing tests of those controls so that management can make its assertion [about their effectiveness].”

Bruce Rosen, partner in charge of assurance services at Eisner LLP, raises similar concerns. He believes that some of his peers in the accounting industry are “living dangerously” by offering services above and beyond software.

“It’s very clear that company auditors at best can provide some low-level assistance — a staff person to do some of the documentation — but that’s probably the extent of it,” says Rosen. “And I know several of the firms are taking a different approach, meaning they’re willing to do the whole project.”

Gary Barton, senior audit manager at J.C. Penney, counters that major accounting firms are setting strict boundaries. “Right now I’m not seeing where there could be a conflict,” says Barton. The retailer — pending the approval of its audit committee — has decided to use software from its external auditor, KPMG, to help it comply with Section 404. Among the guidelines, notes Barton: KPMG can’t be involved in documentation or in the first testing that internal audit will do.

KPMG’s comfort with its proprietary software during tests of J.C. Penney’s internal controls, adds Barton, reassured managers when they chose KPMG over other vendors. “Hopefully they’re familiar with their own software and understand it,” he says.

John Hagerty, vice president of research at AMR Research, agrees that external auditors and clients are stepping carefully around independence issues. “The auditors are all very cautious on what they can and cannot do, and it is one of the first things they talk about” when the subject turns to separation of duties, says Hagerty. “The line between audit client and consulting client is very well drawn.”

According to a recent AMR study, over 61 percent of companies are enlisting help from an external auditor/risk management consultant — namely the Big Four — to define, analyze, and improve best practices for managing internal controls.

“Conflicts don’t seem to be a problem area today,” adds Hagerty. “But the mood of the buyer [the client] is one of caution as well. So if they think it even smells remotely like conflict, they’re putting the brakes on.”

AMR estimates that Fortune 1000 companies will spend up to $2.5 billion this year on work related to Sarbanes-Oxley compliance. But a few critics say that for some businesses, upgrading technology may not be worth the expense. “Most of the software packages are overkill” for middle-market companies, says Rosen, who notes that their primary benefit is as a tool for gathering documents. “When you cut though it all,” he says, “it’s not a magic elixir that you buy the software, push a button, and the work is done for you. You still need to go through and make the same assessments.”

Anthony Sirica, BDO Seidman’s national director of risk consulting and advisory services and a former audit partner, agrees: “It’s nuts-and-bolts internal controls work that companies and accounting firms used to do 10 to 15 years ago.” Nonetheless, BDO Seidman has aligned itself with several companies offering software that helps with Section 404, so the accounting firm can provide its clients with a menu of choices.

Such alliances are becoming quite common. PeopleSoft has partnered with risk consulting and internal audit firm Protiviti. (and, reportedly, Ernst & Young). Oracle’s Internal Controls Manager is a collaboration with the risk assurance practice at PricewaterhouseCoopers. SAP says it is currently working with accounting and auditing professionals to extend its current offering and to design more tools. Documentum, which offers content management and collaboration software, has partnered with BearingPoint, formerly KPMG Consulting. Others companies with offerings in the offing include Steelpoint Technologies, FileNet, and OpenText.

Some accounting firms, it has been suggested, are advocating this software not so their clients can better comply with Sarbanes-Oxley, but only so the firms themselves can use the software to assist in their attestation. In that case, says Taub, “there should not be anything — so long as it is limited to that — that would be a problem.”

Eisner LLP’s Rosen nonetheless suggests that companies sidestep the independence issue altogether. “Given what the SEC says in its release, if I was an audit committee member, there isn’t a prayer that I’d use my own audit firm to do it,” says Rosen. “How many times do you need to be hit in the head to realize it hurts? At some point you just get knocked out.”