CPA SOX Audit Report changed by Internal Auditor 3023



  • Question: Is it a common or accepted practice for a CPA firm to have it’s field reports and findings amended by the client?
    During a SOX audit review with KPMG it was discovered that the KPMG field report was amended two months later to include an unsubstantiated control issue provided by the client’s internal SOX auditor.
    Question: Is it a common or accepted practice for a CPA firm to have it’s field reports and findings amended or changed by the client? The reader of the report would have no idea that the findings originated from different sources. The Audit Report makes no reference that it was amended to include hear say findings from the client’s internal SOX auditor. The Audit report clearly identifies that the findings were developed from field work between specific dates and identifies only the KPMG field auditors who conducted the audit. The end report has additional unsubstantiated findings from the client’s internal auditor.
    Is there any industry standard for SOX audit regulations that requires that the CPA firm’s report be exclusive? independent? and not include here say information from other sources?



  • In our work with KPMG, it is their practice to include in their report any SOX deficiency findings noted by our internal testers (peers, internal audit, etc.). Having said that, it would be wise on the part of KPMG to discuss with the client any internal findings reported to them in order to validate the findings as well as to alert the client that there are control gaps that needs to be remediated.


Log in to reply