April 12, 2005
The clear majority of our time and our auditors time is spent on detailed control activities. The tone at the top and entity level controls are the ones that will really prevent intentionally misstated financial statements and the rules result in some time being spent on these, but not the majority. The control activities seem to help more in preventing unintentional financial statement misstatement or immaterial fraud by employees by asset misappropriation.
Excessive testing, retesting and auditor testing are clearly a waste of resources. Either allow the external auditor to place more reliance on our internal audit work, or vice versa, currently it is very duplicative. Meanwhile, the external auditors get rich without adding any value or taking on more risk. Allow for sampling of critical controls as we do not need 100 per cent testing
The definitions of significant deficiency, more than a remote likely and more than inconsequential are too vague and leave too much to the individual interpretation of the audit managers and partners. This independent interpretation by the audit firms leads to an unrealistic threshold in identifying a deficiency as significant or in identifying a significant deficiency as a material weakness. As a result too much focus has been put on items that are not material to the companys financial statements. Costs to the company would be reduced with a more clearly defined classification of deficiencies that minimizes the amount of interpretation being left to the individual manager/partner.
The companies control structure should be built around company specific risks versus general industry risks. The audit firms reliance on a benchmark of industry specific risks versus a thorough risk assessment conducted by the company has lead to companies being over controlled. As a result many of the controls hinder operational efficiency, while adding no additional assurance against material misstatement. The audit firms should focus more on the companies upfront risk assessment to better understand the controls structure put in place to identify company specific risks.
It appears that the Big 4 are the interpreters of the Auditing Standards. Not only is the interpretation left to the Audit firms but also within the firms themselves there is much interpretation left to the individual engagement partners. These interpretations cause the firms to exert more effort and correspondingly increase their fees. More of the interpretation should be coming from the PCAOB versus the Audit Firms.
There should be more focus on fraud specific risks and controls by the audit firms. As a result investor confidence should improve as auditors and companies would be more highly educated on how to prevent and detect fraud while, at the same time the regulatory cost for companies would go down as less time would be spent on controls that are not preventing material misstatement risk.
The major Information Technology providers need to step up and help address the major gaps that systems have related to internal controls. If we are to control our costs we need to automate as much as possible and there is a distinct lack of products and technology available in the market.