SOx and ERPs – Where Are The IT Auditors?
By Francine • Jul 29th, 2008 • Category: Pure Content, The Big 4 And Consulting
To PwC’s credit, they seem to have brought the hammer down on their audit client Levi Strauss, at least after Levi’s shipping was held up for a week and its results for this past quarter dropped 98% compared to the quarter before. Better late than never, if it really was the fault of the SAP implementation that profits suffered.
In any event, it looks like there are issues with this implementation, and they are big.
It should finally be time for corporations and their auditors, internal and external, to focus more on IT and on the role of ERPs in ensuring the integrity of the financial reporting controls that SOx requires. Most large, modern companies are, after all, run by ERPs, or at least by a number of automated systems, new and legacy, connected by band-aids, string, duct tape, manual processes, lots of uncontrolled spreadsheets, and fingers crossed whenever anything significant changes.
Instead, because of the pressure on the Big 4 to reduce audit fees, and SOx-related fees in particular, pressure channeled through Auditing Standard 5, the Big 4 are laying off auditors, and IT auditors in particular. Firms are feeling pressure from their clients to charge less, which may or may not translate into less work immediately. But fees on external audits are going down. Don’t take my word for it; Compliance Week says so. Compliance Week, however, would like to believe, as Chris Cox smiles down on us all, that the drop is because of Auditing Standard 5.
Sarbanes-Oxley testing is both a component of the external audit and a service the Big 4 sell separately, either under internal audit co-sourcing agreements or as a stand-alone Sarbanes-Oxley assistance program. One interesting variation that developed as the pressure on Sarbanes-Oxley projects started to build two years ago is the performance fee. Sometimes the Big 4 have promised cost-saving process improvements from SOx work, meant to offset the resentment that high fees for SOx assistance engendered. As part of a consulting engagement, a Big 4 firm promises process improvements worth a certain dollar amount from the SOx documentation and testing activities; if the savings are not found, the client gets a discounted fee equivalent to the promised savings.
The hard part is setting up the metrics and measuring the savings well enough to satisfy the client, so they don’t deduct the money from the invoice anyway before paying. When done well, it’s a great thing. I won’t go into now the conflict presented by a supposedly competent, objective and independent internal Sarbanes-Oxley tester (co-sourced from the non-auditor Big 4 firm) being pressured by their managers and partners to redesign a process they are testing as management’s proxy, and then to retest and approve the same process they redesigned, all so that their firm does not have to discount its fees to the client. That’s a post for another day, or something for the PCAOB to look into.
Nevertheless, even well-documented savings will still result in clients taking the implied discount. Once you say you can lower your fees, clients will never pay more for the same thing.
So when the firms grudgingly accept haircuts from their clients and fees for external audits and outside Sarbanes-Oxley consulting go down, where do the cuts land?
On the IT side.
It’s unfortunate, since, as we have seen, companies have not stopped having problems with IT controls. In fact, in banks and trading companies, weaknesses in IT controls are an epidemic. When it comes to implementing ERPs like SAP, poor controls over the use of these applications have a financial impact, as Levi’s and SocGen showed us.
Why aren’t the Big 4 pushing the IT audit component more?
Well, during the whole Sarbanes-Oxley bonanza they never had enough IT audit staff, and now they have less. So they can’t do the work as well as they’d like, even where they should.
And then there are the internal firm political issues.
The Big 4 client partner in charge of a big-company financial audit or a Sarbanes-Oxley assistance engagement most often comes from the financial side. The Big 4 partners responsible for the Risk Advisory or IT audit and security component of external audits or SOx support engagements lead specialist practices, still most often closely aligned with the audit practice, that act as supplements to the larger financial piece. The IT audit partners get revenue credit for as many people as they have on someone else’s engagement, but the financial audit partners are calling the shots. The IT portion of an external audit would never be sold separately. IT audit co-sourcing, or SOx assistance solely for IT audit, is engaged separately only on special occasions.
Now that companies are pressuring their auditors to reduce fees, client relationship partners on the financial side of the house are cutting staff on audit engagements in the area that hurts them least: IT audit. The total fee to the client can be reduced, but the revenue and margin to the financial partner in charge of the engagement can stay the same, or maybe even increase, if he cuts some of those pain-in-the-ass, expensive IT audit and security folks from the engagement.
It’s called leverage, baby.
Which is a shame. The biggest “bang for the buck”, or “bang-up avoidance”, that can come from good Sarbanes-Oxley work is improved IT controls. When a company and its auditors do focus on IT controls, as is being done in one of the most notorious recent bankrupt companies, which also happens to be an SAP customer, you can get great results. Companies can reap process improvement cost savings that pay dividends for a long time down the road by implementing SAP and other ERPs as intended, with all the control configurations thoroughly addressed. In addition, tight automated controls mean less testing of manual documents at Sarbanes-Oxley and internal audit time, even under the worst circumstances.
Here are two examples:
Testing three-way match – When ERPs like SAP are configured properly for an automated three-way match of purchase order, goods receipt and invoice, companies see not only staff reallocations and reductions in previously manually intensive functions like Accounts Payable, but also expedited testing at SOx time. Testers do not have to pull a sample of receiving, invoice and PO documents and make sure payment rules were followed and exceptions approved. They only have to test the configuration and, if the automated controls can be relied on, are able to bypass time- and money-intensive document sampling.
Testing approval workflows for journal vouchers – If a company requires special approvals for journal entries hitting certain accounts or exceeding a certain dollar amount, manual testing means identifying those entries via transaction reports, pulling a sample, and checking paper copies of journal vouchers for handwritten approvals against an approval hierarchy chart. When the approval workflows are properly configured in ERPs like SAP and tested as effective, this time- and money-consuming detail testing can be bypassed.
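To make concrete what “test the configuration rather than sample the documents” means for both controls above, here is an added example in Python. It is not from the original post and is not SAP code: it encodes a hypothetical tolerance configuration and approval policy, tests that configuration against policy ceilings, and re-runs the three-way match and the journal-entry approval check over constructed sample records. Every setting, account number, approver name and record in it is made up for illustration.

```python
"""Added example: test three-way-match and journal-entry approval controls by checking
configuration and re-running the control logic, rather than sampling paper documents.
All settings, account numbers and records are constructed for illustration, not SAP's."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional

# Hypothetical ERP tolerance settings, and the policy ceilings they are tested against.
MATCH_CONFIG = {"price_tolerance_pct": Decimal("2"),   # invoice unit price may exceed PO price by 2%
                "qty_tolerance_pct": Decimal("0")}     # invoiced qty may not exceed received qty
CONFIG_POLICY = {"max_price_tolerance_pct": Decimal("5"), "max_qty_tolerance_pct": Decimal("0")}
# Hypothetical journal-entry approval policy and per-approver limits.
APPROVAL_POLICY = {"sensitive_accounts": {"9999-SUSPENSE", "3000-RESERVES"},
                   "amount_threshold": Decimal("50000")}
APPROVAL_LIMITS = {"controller-a": Decimal("1000000"), "manager-b": Decimal("100000")}


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    qty: Decimal
    unit_price: Decimal


@dataclass(frozen=True)
class Invoice:
    inv_id: str
    po_id: str
    qty: Decimal
    amount: Decimal


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    account: str
    amount: Decimal
    preparer: str
    approver: Optional[str]  # None when nobody approved the entry


def check_match_config(cfg: Dict[str, Decimal], policy: Dict[str, Decimal]) -> List[str]:
    """Configuration test: the live tolerances must be no looser than policy allows."""
    findings = []
    if cfg["price_tolerance_pct"] > policy["max_price_tolerance_pct"]:
        findings.append("price tolerance looser than policy")
    if cfg["qty_tolerance_pct"] > policy["max_qty_tolerance_pct"]:
        findings.append("quantity tolerance looser than policy")
    return findings


def three_way_match(po: PurchaseOrder, received_qty: Dict[str, Decimal], inv: Invoice,
                    cfg: Dict[str, Decimal] = MATCH_CONFIG) -> List[str]:
    """Return the exceptions blocking payment; an empty list means the invoice clears."""
    if inv.po_id != po.po_id:
        return ["invoice references a different purchase order"]
    if inv.qty <= 0:
        return ["non-positive invoiced quantity"]
    exceptions = []
    received = received_qty.get(po.po_id, Decimal("0"))
    if inv.qty > po.qty:
        exceptions.append(f"invoiced qty {inv.qty} exceeds ordered qty {po.qty}")
    if inv.qty > received * (1 + cfg["qty_tolerance_pct"] / 100):
        exceptions.append(f"invoiced qty {inv.qty} exceeds received qty {received}")
    unit_price = inv.amount / inv.qty
    if unit_price > po.unit_price * (1 + cfg["price_tolerance_pct"] / 100):
        exceptions.append(f"unit price {unit_price} exceeds PO price {po.unit_price} plus tolerance")
    return exceptions


def check_journal_entry(je: JournalEntry, policy=APPROVAL_POLICY, limits=APPROVAL_LIMITS) -> List[str]:
    """Workflow test: sensitive-account or over-threshold entries need a valid, separate approver."""
    if je.account not in policy["sensitive_accounts"] and je.amount <= policy["amount_threshold"]:
        return []  # routine entry, no special approval required
    if je.approver is None:
        return ["missing required approval"]
    exceptions = []
    if je.approver == je.preparer:
        exceptions.append("preparer approved own entry")
    if limits.get(je.approver, Decimal("0")) < je.amount:
        exceptions.append(f"approver {je.approver} exceeds approval limit")
    return exceptions


def run_control_tests() -> Dict[str, object]:
    """Run both controls over constructed sample records and return the exceptions found."""
    po = PurchaseOrder("PO-1", Decimal("100"), Decimal("10.00"))
    received_qty = {"PO-1": Decimal("100")}  # goods receipt posted against the PO
    invoices = [Invoice("INV-1", "PO-1", Decimal("100"), Decimal("1015.00")),   # within 2% tolerance
                Invoice("INV-2", "PO-1", Decimal("100"), Decimal("1100.00")),   # 10% over PO price
                Invoice("INV-3", "PO-1", Decimal("120"), Decimal("1200.00"))]   # more than ordered/received
    entries = [JournalEntry("JE-1", "6100-RENT", Decimal("1000"), "clerk-c", None),            # routine
               JournalEntry("JE-2", "9999-SUSPENSE", Decimal("500"), "clerk-c", "manager-b"),  # approved
               JournalEntry("JE-3", "6100-RENT", Decimal("75000"), "clerk-c", None),           # unapproved
               JournalEntry("JE-4", "6100-RENT", Decimal("250000"), "manager-b", "manager-b")]  # self-approved
    return {"config": check_match_config(MATCH_CONFIG, CONFIG_POLICY),
            "invoices": {inv.inv_id: three_way_match(po, received_qty, inv) for inv in invoices},
            "journal_entries": {je.je_id: check_journal_entry(je) for je in entries}}
```

Calling run_control_tests() returns the exceptions each control raised: the configuration passes its policy check, INV-1 and the two properly handled journal entries clear, and INV-2, INV-3, JE-3 and JE-4 are flagged. That is the point of the two paragraphs above: once the tester has verified the tolerance settings and the approval routing, the sampled-document review collapses to reading the exception list.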
Moral of the story – If a company can depend on its automated ERP controls, it will save a lot of money and headache, with or without SOx.