Independence of the External Auditors 100



  • Currently our external auditors (the actual team performing the year-end financial audit), not the consulting side of the same company is ‘assisting’ management in the control design phase of our SOX project. During this phase, the external auditors will be meeting with management to review the control matrixes. They will also be identifying gaps (gap analysis) and reviewing the remediation plans (not ‘approving’). I’ve read PCAOB #2 and feel that this is a violation of the independence rule because I feel that the auditors are acting ‘as employees of the company’ by performing the gap analysis and ‘reviewing’ the remediation plans.
    Also, the external auditors are providing us with their flowcharts as a starting point for our management to document their processes. I feel that this is ‘auditing its own work’ because they will be coming back at the end of the year to review their own documentation, in essence, but with edits�.
    Does anyone agree with me that this is a violation or do you think it’s ok? I’d appreciate any feedback.



  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • Our external auditors will not share with us any process / control documentation that they have previously prepared. That is based on a directive from their home office. They fear that this could be an independence issue.
    I do believe that you should be in communication with them throughout the course of this project so that you have no surprises at the end of the year. I do see a possible issue if you are relying on your external auditors to ‘approve’ what you are doing as this may indicate a lack of management competency. Remember, management is totally responsible for the documentation and assessment of controls and must make all design decisions (although, management can bring in outside experts to help documenta and test, just not your external auditor).
    I share your concerns.



  • I agree that it somewhat sounds suspicious. On Top of that it’s not an elegant thing to do either. I see the risk mainly at your external auditors side. They’re risking the mandat.
    But as long as they ‘only’ reviewing what you did and giving comments or pointing out defeciencies. You and they’re fine.
    What they definetly should not do is defining some of the processes or controls. Doing documentation in terms of being a ‘pencil’ is ok.
    A final comment: There should be some approval of your audit committe. That should have been given before the external auditor has started his work.



  • Hi
    External Auditors do not want to endorse or influence your audit work, flows, processes,findings, test plans, or recommendations.
    With Auditor independence in mind, first hand I learnt from 2 of Big-4 that they have clear manadate not to endorse, approve any of internal audit work.
    However thru walway converations, smoking clubs, we do exchange information and there has to be an ‘INFORMAl’ way of getting their nod to Narratives ( To ensure that you inluded key controls), Test Plans ( To ensure that you have included key controls in testing, have included adequate Sampling).
    Madhav Vedula
    Sr.Audit Consultant
    267-972-4692



  • I think this is a touchy subject that can be very subjective. One thing is VERY clear though, your external auditors SHOULD have a separate engagement letter or contract for the work they are performing in regards to the Sarbox consulting. This engagement letter/contract SHOULD have been improved by your audit committee. Lacking audit committee approval, I’d consider this a serious issue.
    There’s a very good Q and A issued by PCAOB from June that specifically addresses independence.



  • I totally agree with that one.



  • I think they are stepping WAY over the line in providing you with their documentation on which to base your own . I would suspect that could get them censured by the PCAOB.
    As far as giving you the wink-nudge on your own remediation plans, they’d be foolish to put it on paper…someone else mentioned hallway conversations and smoking clubs–that’s where I get my nods from our externals as well. They won’t even email an answer to anything that vaguely smells like them approving something we’re doing.
    Out of curiosity, is your external firm big 4 or not? No need to provide a specific name, but I have had chats with all the big 4, especially our externals, and can’t imagine any of them doing that.
    Ben



  • Going back to the original question I am wont to be a contrarian here.
    During this phase, the external auditors will be meeting with management to review the control matrixes. They will also be identifying gaps (gap analysis) and reviewing the remediation plans (not ‘approving’).
    I do not see too much wrong with this, the auditors need to do this to discharge their own duties and should share with you any deficiencies (or gaps) that they find.
    They will only have stepped over the line if they give you some sort of positive assurance i.e. ‘these are fine except for’ or ‘correct the following and it will be OK’
    On the first charge I find your auditor NOT GUILTY 😉
    Also, the external auditors are providing us with their flowcharts as a starting point for our management to document their processes. I feel that this is ’ auditing its own work ’ because they will be coming back at the end of the year to review their own documentation, in essence, but ?with edits?.
    Does anyone agree with me that this is a violation or do you think it’s ok? I’d appreciate any feedback
    Again one could argue that this is still OK. The flowchart is not the totality of your process documentation (or should not be) it is merely a simplified pictorial representation of the key steps.
    Also, it should have been shared with you, whether done pre-SOX or not, anyway for validation (i.e. ‘Have we captured this properly?’). What audiotrs should not share with you is their risk assessment and their determination of key controls. They should not provide you with any other working papers either e.g. results of testing key controls.
    Again I think this is a probable NOT GUILTY.


Log in to reply