SOx and ERPs – Where Are The IT Auditors?
Given all the issues we’re seeing with botched Deloitte ERP implementations that result in Sarbanes-Oxley issues, at LAUSD, Levis, and others, I have to ask, “Where are the IT auditors?”
To PwC’s credit, they seem to have brought the hammer down on their audit client Levi Strauss at least after their shipping was held up a week and their results this past quarter compared to last quarter dropped 98%. Better late than never….If it was really the fault of the SAP implementation that their profits suffered.
But it looks like, in any event, there are issues with this implementation and they are big.
It should finally be time for corporations and their auditors, internal and external, to be able to focus more on IT and the role of ERPs in ensuring the integrity of financial reporting controls as required by SOx. Most large, modern companies are, after all, run by ERPs, or at least a number of automated systems both new and legacy, connected by band aids, string, duct tape, manual processes, lots of uncontrolled spreadsheets and fingers crossed whenever anything significantly changes.
Instead, because of the pressure on the Big 4 to reduce audit fees and SOx related fees, in particular via Auditing Standard 5, the Big 4 is laying off auditors, and IT auditors in particular. Firms are feeling pressure from their clients to charge less, which may or may not translate into less work immediately. But fees on external audits are going down. Don’t take my word for it. Compliance Week says so. However, Compliance Week would like to believe, as Chris Cox smiles down on us all, that it’s because of Auditing Standard 5.
Sarbanes-Oxley testing is both a component of the external audit and a service sold by the Big 4 separately either under internal audit co-sourcing agreements or as a separate Sarbanes-Oxley internal assistance program. One interesting variation that developed as the pressure started to build on Sarbanes-Oxley projects two years ago is the performance fee. Sometimes the Big 4 has promised cost-saving process improvements form SOx work, meant to offset the resentment that high fees for SOx assistance engendered. As part of a consulting engagement, a Big 4 firm promises process improvements from SOX documentation and testing activities of a certain dollar amount or if not found, a discounted fee equivalent to the promised savings.
The hard part is setting up the metrics and measuring the savings sufficient to satisfy the client so they won’t deduct the money anyway from their invoice before paying. But when done well, it’s a great thing. I won’t go into now the conflict presented by a supposedly competent and objective, independent, internal Sarbanes-Oxley tester (co-sourced from the non-auditor Big 4 firm) being pressured by their managers and partners to redesign a process that they are testing as management’s proxy and then retesting and approving the same process that they have redesigned. All so that their firm does not have to discount fees to the client… That’s a post for another day or something for the PCAOB to look into.
Nevertheless, even well documented savings will still result in clients taking the implied discount anyway. Once you say you can lower your fees, clients will never pay more for the same thing.
In addition to grudgingly accepting haircuts from their clients, when fees for external audits and outside consulting on Sarbanes Oxley go down, where are they getting cut?
On the IT side.
It’s unfortunate, since as we have seen, companies have not stopped having problems with IT controls. In fact, in banks and trading companies, weaknesses with IT controls are an epidemic. When it comes to implementing ERPs like SAP, poor controls over the use of these applications will have a financial impact, as Levis and SocGen showed us.
Why aren’t the Big 4 pushing the IT audit component more?
Well, during all of this Sarbanes-Oxley bonanza, they have never had enough IT audit staff and now they have less. So they can’t do the work as well as they’d like even if they should.
And then there are the internal firm political issues.
The Big 4 client partner in charge of either a big company financial audit or a Sarbanes-Oxley assistance engagement most often comes from the financial side. The Big 4 partners responsible for the Risk Advisory or IT audit and security component of external audits or SOx support engagements are leading specialist practices, still most often most closely aligned with the audit practice, and act as supplements to the larger financial piece. The IT Audit partners get revenue credit for as many people as they have on someone else’s engagement but the financial audit partners are calling the shots. The IT external audit engagement would never be sold separately. IT audit co-sourcing or SOx assistance for solely IT audit is engaged separately only on special occasions.
Now that companies are putting pressure on their auditors to reduce fees, client relationship partners on the financial side of the house are cutting staff on the audit engagements in the areas that hurt them the least, IT audit. The total fee to the client can be reduced, but the revenue and margin to a financial partner in charge of the engagement can stay the same or maybe even increase if he cuts some of those pain in the ass, expensive IT audit and security folks from the engagement.
It’s called leverage, baby.
Which is a shame. The biggest “bang for the buck” or “bang-up avoidance” that can come from good Sarbanes-Oxley work is improved IT controls. When a company and their auditors do focus on IT controls, as is being done in one of the most notorious recent bankrupt companies that also happens to be an SAP customer, you can get great results. Companies can reap process improvement cost savings that can pay dividends for a long time down the road by implementing SAP and other ERPs as intended, with all the controls configurations thoroughly addressed. In addition, tight automated controls means less testing of manual documents at Sarbanes-Oxley and internal audit time, even under the worst circumstances.
Here’s two examples:
Testing three way match – When ERPs like SAP are configured properly for automated three way match, not only do companies see staff reallocations and reductions in previously manually intensive functions like Accounts Payable, but they also see expedited testing at SOx time. Testers do not have to pull a sample of receiving, invoice, and PO documents and make sure payment rules were followed and exceptions approved. They only have to test configuration and, if the automated controls can be depended on, are able to bypass time and money intensive document sampling.
Testing approval workflows for journal vouchers – If a company has special approvals needed for journal entries hitting certain accounts or when they exceed a certain dollar amount, manual testing includes identifying those entries via transaction reports, finding a sample, and testing paper copies of journal vouchers for handwritten approvals against an approval hierarchy chart. When configurations for proper approval workflows are established in ERPs like SAP and tested as effective, this time and money consuming detail testing can be bypassed.
Moral of the story – If a company can depend on their automated ERP controls, they will save a lot of money and headache, with or without SOx.
Francine,
As usual, you seem to hit the nail right on the head. The quality IT “auditors” have so much more to offer than just audit assistance. They can offer implementation assistance, and other process improvement help, as you mentioned in your article. What blows me away, again as you mentioned, are the IT Audit partners who seem to totally miss these opportunities. I think the problem is that they are so intertwined into the “audit” mentality, that they either don’t understand, or don’t know how to sell, “consulting” services. I understand that both EY and KPMG are attempting to build “advisory” practices catering to CIO needs, however both are still very early on in their developments. As for Deloitte and PWC, I guess time will tell what happens to their IT Auditors…
@Anonymous Thanks for reminding me to make the point even more emphatically.
IT audit and security professionals have a role at all points on the timeline for a major systems implementation:
1)Pre-implementation project plan and budget review to make sure controls priorities are established upfront and controls are given the appropriate amount of time and money.
2)In flight project reviews – Checkpoint reviews to make sure projects are running on time, on budget and issues and changes have been documented. This review, in particular, can make sure that controls are not shortchanged if time and budget gets squeezed due to other problems.
3)Pre-go-live controls review – Make sure everything that needs to get done has been done before go-live.
4)Post-implementation controls reviews – Make sure, in more detail, that what needed to get done before go live was done, and any remaining tasks are on a list and prioritized for next phases. In addition, any issues or problems are also on a list and there is an appropriate plan and process to continue to resolve them, even after the integrator goes home.
5)Runaway project reviews – Assessing where a project has gone off course, documenting gaps in expected results and actual results, and establishing the revised project plan, prioritized, to get gaps filled, in particular with regard to controls
McKenna Partners is able and willing to assist in any or all of these types of projects, in particular if they have a cross-border impact (Hello Levis!).
Advertisement over.
Your position on the internal fight for revenue as a reason for reduced IT Audit hours is spot on. That in addition to AS5 are resulting in significant reduction in total hours for the IT Audit group (SPA) in PwC. Just in the last few weeks, changes to the SPA practice have been announced. Those individuals in SPA with significant experience in ERP, IA, or general IT consulting, were moved from SPA to Advisory. 60 or so Partners, Senior Managers and Managers moved. This appears to be a move to align SPA more closely with the Accountants while better developing the consulting mindset of others in Advisory. Over the years, SPA has gotten more and more aligned with the financial audit. Eventually the line between Auditor and IT Auditor will get blurred even more.
-IJustWorkHere
@I JUst Work Here Thanks for the update on PwC SPA. Unfortunately, since PwC Advisory is choking, the switch probably won’t do anyone much good. That practice needs more than just an influx of former IT Auditors and partners who’ve never learned (or seen form anyone in senior management currently at PwC Advisory) how to be real consultants.
Good post. I work in the compliance space for Oracle Apps and see the same thing. Beyond reducing scope, I also see that IT auditors still are not at a level of expertise in the individual apps to properly assess risks and/or help companies design proper controls. You can request a white paper I have written recently on sub-material fraud risk at http://www.oubpb.com.
Unfortunately, companies are all too reliant on the Big 4 for IT controls and miss some of the greatest areas of risks. Another white paper that may be of interest would be the one called “Accessing the Oracle Apps Database w/o a Database login.” This paper addresses the risks of SQL forms, one of the greatest under-discovered security risks in Oracle Apps.
My two cents…
@Jeffrey T. hare Thanks so much for your comment and the resources. Get in touch off line. I want to learn more and I love to know CPA, CISA, CIAs that are working for the GRC vendors. How refreshing!