report on findings from Walkthrough 1669

  • We have recently received our first walkthrough report from KPMG on one of our SOX processes.
    During the process, there were a number of areas which were misinterpreted by KPMG, and upon clarification they appeared to be happy with the approach taken.
    They also discussed the prior year Management Letter with us, and we clarified where the associated risk was minimal, or where the issue had since been remediated.
    The problem is that, on receipt of their deficiencies and issues log, they appear to have ignored ALL of the clarifications that were provided to them and documented their misinterpretations as issues.
    In addition, where a transaction has not occurred during the year, they have documented this as an issue, because they were unable to walk through the process for such a transaction (which would normally be insignificant and rare for us anyway). They also threw in all issues identified in the 2005 Management Letter, even where the items had been remediated.
    My understanding of the process was that if it is year 1 for SOX, issues noted on the prior year Financial Statement Management Letter were not applicable. I was also of the impression that where clarification of a misinterpretation was supplied to them (especially if supporting documentation is available), such items would be reported in their internal work papers, but that they should not be reported to the client in written report format as a control deficiency or issue…
    Am I wrong to have assumed this? I am really annoyed with our KPMG audit manager for having verbally accepted items and then reported otherwise to my Director.

  • It seems to me that you need to have a further discussion with your KPMG audit manager to understand why they reported as deficiencies items that you stated were corrected or where you feel that they misinterpreted something.
    Areas where there were issues in the prior year will be carried in their internal reports as issues until they have the opportunity to retest them. They should have attempted to retest all of these areas this year in order to clear what they could from their list.
    We had similar issues with our auditors last year in having several insignificant items on their list of deficiencies. These stayed on the list as we did not have sufficient time during the YE close to discuss and clear some of the issues. Our testing and our auditor’s testing is scheduled to be completed much earlier this year so that we can have those conversations prior to a final report.

  • Thanks Kymike.
    I would have thought that last year's Management Letter points would be reviewed as part of the financial statement audit, as we are an FPI and this, therefore, is our first year of compliance.
    In a previous life, I was an external auditor for SOX myself, so I find their tactics surprising.
    Will definitely arrange to sit down and make our case with them.

  • Hi - YES … I can relate to this, as I've worked with external audit firms as well as internal auditors throughout my 30-year IT career.
    "Am I wrong to have assumed this?"
    No. However, there are always 'lessons learned' 🙂 The key tactic next time is to formally document your meeting, to your manager and the lead auditor, with all of your responses to the issues. Secondly, assume every audit point will be presented to management 'as is', even if you have the best explanations possible.
    "I am really annoyed with our KPMG audit manager for having verbally accepted items and then reported otherwise to my Director."
    In some respects this may appear as though the auditor is unethical, but I've learned otherwise: it's more the 'nature of the beast' 😉
    Over the years, I learned that external auditors are paid to render a service. I've had the exact same scenarios, where I thought we had good IT controls in place as we discussed findings with the auditors. Even though they somewhat agreed, they still presented the findings to management (without explanations of current controls).
    I'm suspecting some of the reasons many auditors share 'less relevant' findings or even fully 'solved issues' might be in the points below:

    1. They accept your explanation fully and may agree somewhat with the way you are controlling the audit exposure. However, they still may believe the control is better solved otherwise.
    2. Most auditors I’ve worked with will leave out any mitigating controls, workarounds, or best practices you may have related to the audit point. Indeed, their job is to find weaknesses in controls, but as a constructive comment, it would be beneficial to share ‘the rest of the story’.
    3. In providing a service, I’ve seen some auditors who are out to ‘score points’ and are eager to look under every rock, nook, or cranny for something that could be better controlled. In most cases an audit firm will not want to go away empty handed without anything to present to Senior Management, as it might look like they didn’t do their job. That’s their job role, plus it’s human nature for folks to want to do a good job. I have a lot of respect for audit professionals and there are a wide range of styles and personalities like any other profession.

    Finally, I’d recommend writing your own formal response (email is fine) to your Director in response to all audit points. I would briefly document point-by-point how the current controls operate. You might include that they were discussed with the external audit team, but I’d probably not copy the auditors directly. Also, I’ve always done this in a professional and even courteous manner as it’s a sharing of your perspective of controls.
    The Director is then empowered to assess both sides fairly. If needed, current controls can be enhanced. If it's felt that the external auditors didn't present their findings as accurately as they should have, then they can be counselled from a services rendered context 🙂
