Feeling Cheated



  • We have just successfully passed our first audit of IT General Computer Controls for SOX 404. I had the responsibility of compliance project manager for my company’s European locations (Italy, France, UK and Netherlands). This was a real challenge considering the culture differences in each country, but nonetheless, thanks to sheer hard graft on the part of all concerned, we managed to develop and implement all the necessary policies, procedures and controls.
    We engaged an IT audit company to perform our internal testing and then our actual SOX IT audit was performed by external auditors (one of the big 4). Sorry to drone on but I need to give you some background and to emphasise the amount of effort we put in because quite frankly I am really disappointed in the degree of testing that was carried out in both the internal and external testing.
    The audit consultants performing the internal testing had glowing CVs with references to back them up, yet their knowledge of IT was low, their knowledge of SOX was low, and consequently their testing was inadequate. All they had to do was follow the test scripts that we had created for them, and they had some difficulty doing this, which meant initially the testing was not consistent across all locations. It was with some difficulty and a considerable amount of effort on our part that we eventually got the depth of testing we required.
    Then came the actual audit from our external auditors. At each location we were sent very, very junior auditors with very little IT knowledge, and in most cases none at all. The testing for the most part consisted of reviewing the results/evidence of the internal tests. We could have told/shown the auditors almost anything and they would have had to accept it because they were so inexperienced.
    OK, we passed the audit, and we now think we are in good shape so our internal testing next year (in theory) will be based around what we have in place now. But what if next year we are sent experienced auditors who do have IT knowledge and they determine that in fact the controls we have in place are less than adequate…are you getting my point?
    Luckily for our company, myself and a colleague, having recently completed an audit course specifically aimed at SOX compliance testing, will be performing the internal testing, thus ensuring we cover all angles to ensure no deficiencies exist.
    Anyway, top and bottom of it is, I feel very disappointed that the audit companies are getting training for their junior auditors at our expense and in return, although we have the SOX compliance stamp of approval, I have not got the peace of mind I expected.
    Has anyone else experienced this??



  • I can understand your disappointment. Some of my clients last year felt it was anticlimactic, especially given all the hard work and the expense of it. There have been many articles written about how nobody knew what they were doing in year 1 of SOX, including the external auditing firms. There is probably still some of that occurring today.
    … The audit consultants performing the internal testing had glowing CVs with references to back them up, yet their knowledge of IT was low, their knowledge of SOX was low, and consequently their testing was inadequate. All they had to do was follow the test scripts that we had created for them, and they had some difficulty doing this, which meant initially the testing was not consistent across all locations. It was with some difficulty and a considerable amount of effort on our part that we eventually got the depth of testing we required. …
    I know several companies this year under pressure to cut costs for SOX compliance. Internal Audit Management has reduced the number of key controls they are testing and has had detailed test scripts written, which are almost idiot-proof. They have hired junior folks to conduct the testing on purpose. They feel that it is cheaper. Some of the management folks in internal audit are against hiring better qualified and experienced people to conduct testing because these folks are more expensive and they tend to analyze things (probably ask the right questions) too much for what is required for SOX (this is management’s perception, not mine). Management felt that if you have a good test script then a junior person should be able to obtain the evidence, evaluate whether the control is operating effectively, and write up the results.
    At the end of the day, I don’t have a lot of confidence in this approach because some serious issues could have been overlooked. I’ve found in testing that a lot of these things are interrelated. You may get a passing grade on one script; however, later on while testing some other scripts you discover some hidden things that pop up that could lead to a deficiency on the script that previously received a passing grade.
    Lack of IT knowledge makes it difficult to communicate with IT folks and ask the right questions.
    Knowledge of a client’s IT environment is also important to doing a thorough job testing the IT general computing controls. Otherwise you will just follow the test script exactly and not find things. I have returned to a client that I did testing for last year. I know more about their environment this time around and have found a lot more things that their policies and procedures are not covering. Some are little things they didn’t know about and others are deficiencies (some are the same ones as last year). Folks are sharing more info this time around because they are comfortable with my knowledge of their environment. We can get the issues on the table early and they can decide how they can be addressed. Sometimes they even ask for help to remediate.
    Be grateful you passed the audit.
    Please continue with your diligence and rigor because some day more experienced external auditors will show up. When they do show up you will be ready.



  • What course did you take?
    My experience was very similar to yours, and yes, I have the same fear that you have for the second year if we get more experienced auditors. I’m the SOX PM for my company, and I’m also concerned that Management may not realise what is truly required and what we still need to do after the sad effort that the externals put into the IT side of the audit.



  • … Be grateful you passed the audit. … Please continue with your diligence and rigor because some day more experienced external auditors will show up. When they do show up you will be ready.
    Excellent advice. If you passed the audit from a general perspective but still have more fine tuning ahead, the following will help:

    1. Be in a continuous improvement mode for SOX compliancy.
    2. Make sure your management and senior management recognize the need for further fine tuning, or you could fail depending on the level of evaluations conducted and the knowledge base of the auditors.


  • We are currently undergoing our 2nd year SOX audit, and your concerns are somewhat justified. We have different people this year, and they seem to be a bit more versed in IT and are going more in depth and delving into new areas this year that they never questioned last year. They have found one deficiency so far but will classify it as remediated (and we may argue with them about it because there is another control that should compensate for it). Other than that, nothing critical has arisen, but yes, be ready for a more informed approach on your 2nd time around.



  • … We are currently undergoing our 2nd year SOX audit, and your concerns are somewhat justified. We have different people this year, and they seem to be a bit more versed in IT and are going more in depth and delving into new areas this year that they never questioned last year. They have found one deficiency so far but will classify it as remediated (and we may argue with them about it because there is another control that should compensate for it). Other than that, nothing critical has arisen, but yes, be ready for a more informed approach on your 2nd time around. …
    And expect this not only for IT processes.
    Auditors were on a huge learning curve for SOX and had huge resource issues on top. Some of their work was superficial in Year 1; it will be more insightful in Year 2.



  • I can speak on this from experience. We passed our 1st year audit with no major issues. However the second year was much different. It really does depend on your external auditors and what their backgrounds are. I agree with the others that you have to stay on top of everything and keep in a continual process improvement mode. Otherwise it will catch up with you.
    We have tightened up our controls once again and are in preparation mode for Sarbanes 06.
    Best of luck to you.
    Ellen



  • Ellen shares a good point on this, as companies passing in their 1st year could be under more scrutiny this year and beyond.
    I’m thinking that last year might have been more of a learning experience for both companies and auditors to come up to speed.
    Both sides have been learning about and adjusting to SOX 404 and other requirements.
    Thus, I’m speculating that the audit compliancy checklists and evaluations are more thorough than last year – even if you use the same audit firm.



  • Please note that auditors were expected to be lenient in the first year due to the infancy of stringent AS2.

