March 3, 2005
My experience with 404 has been as an internal auditor and a management process owner.
Some mechanism has to be created to ensure that external auditors read and implement the standard as it is worded. The auditors are currently taking a very narrow view of the standard and developing firmwide risk profiles that are not defended by the standard. In addition, auditors are using databases of controls to tell management what should/should not be in place. This is dangerous to the intent of the standard and a very costly approach.
The standard simply requires management to identify significant accounts and disclosures, relevent assertions to those accounts and disclosures and controls that mitigate those assertions called key/significant controls. Within this process, management has the ability to rank the significance of the controls to test or not to test.
What I have seen from external auditors who work for 2 different national firms is a general lack of understanding related to the standard and implementation. This results in excessive hours/fees and undue duress placed upon management to perform activities not deemed to be significant. However, auditors are forcing these controls on mangagement with this concept of design flaws.
This is very judgemental and should have more definition around it. For example, how many controls do you need to make the valuation assertion around derivatives? I am not sure that having 20 controls is designed any better than having 5 key controls.
In addition, auditors now are interpreting financial accounting standards more strictly. This is a big risk for the company management. Management has no choice but to follow the auditors interpretation that in the end may or may not be correct.
How does this affect the required certifications?