Tuesday, December 06, 2005

New PCAOB Report on SOX 404 and Internal Controls Reporting Issues: That's the way to do it. You get yer gitar on the MTV. Company controls first, then individual controls. Oh.

From Compliance Week:

The PCAOB report itself is here: http://www.pcaobus.org/Rules/Docket_014/2005-11-30_Release_2005-023.pdf

"According to a new report by the Public Company Accounting Oversight Board, audits performed in the post-Sarbanes-Oxley world "were often not as effective or efficient" as the Board intended. As a result, the PCAOB has reiterated the guidance it released back in May, stating auditors should plan internal control audits with a more top-down, risk-based approach."

Some quotes from the PCAOB report:

"The Board expects that auditors will tailor their procedures to focus on the particular risks facing audit client's systems of internal control as they gain more experience in auditing internal control."

Whoa, Jim. Does this mean that auditors are only now learning what auditing internal controls means?

"Some auditors performed inefficient, sometimes ineffective, walkthroughs of major classes of transactions because they used different transactions to test each control separately rather than walking a single transaction through the entire process."

Whew. Does this mean auditing of data throughout its life-cycle? Checking to see that something hasn't been altered or changed along the way to its being audited?

"In addition, some auditors did not ask sufficiently probing questions of the company's personnel to gain a complete understanding of the transaction process."

My, my. It's not enough to ask whether ye olde blue light blinketh, that everything is mucho authentico, and to ascertain, yea and verily, that the wizard in charge of information management and security understands the queries being asked of him/her?

"Making such inquiries assists the auditor in identifying any points at which a necessary control is missing or inadequate."

Hmmm. Lessee. If the IT person doesn't understand the policy behind compliance and transparency, how can s/he be expected to "assist" in describing the elephant to the auditor? Perhaps this is the central reason for the "top down" approach. At least those at the top of the transactional pyramid are expected to have a clue about the interdependence of policy, process and compliance.

"In the future, the Board expects auditors, in most cases, to simplify their walkthroughs by following a single transaction"

Which, to me, means: do not listen to cries of "pay no attention to the man behind the curtain." That is, Mr/Ms Auditor, do not allow yourself to be sidetracked and diverted from your investigation of a single transactional process by sideshows thrown up to deflect attention. Not easy, I surmise.

The rest of the release is also quite informative.