I read the news today…
It wasn’t quite as mysterious as an old Beatles song, but it certainly jolted my day…
The Wall Street Journal reports that an ex-partner at KPMG has been convicted of trying to “corrupt the PCAOB’s inspections process”. He was fraudulently finding out which audits the oversight body was going to review, so they could “cheat the system.”
Why does this matter? Let me put this into perspective – it was a busy day for those who watch audit firms: https://qz.com/1705744/big-four-accounting-firms-are-bungling-a-third-of-us-audits
Yes, you read that correctly. The same governing body, the PCAOB, analyzed the audits done by the big 4 firms and assessed that 31% of them were “bungled”. However, since 2003, only 18 of these “bungled” cases have led to action against the firms by the PCAOB, for a total of $6.5m in fines. The comparable British watchdog (the FRC) issued fines to auditors of $40m just last year. As a person born in Britain living in the US, I am not going to comment on whether the audit firms are worse in Britain, or the enforcers work harder, or whether it is just a crazier country. With the state of Brexit right now, there is an easy answer to that question.
I am not going to enter into a “knock the auditors” debate. I know many excellent professionals who work for the big 4 and I work with many auditors every week; most are diligent and very competent.
But I do want to explore what these two news articles mean for users of ERP systems worldwide.
The role of the external auditor is a very important one in the modern business world. The PCAOB was put in place after the collapse of WorldCom and Enron in 2003. As can happen, the legislation that was created was a bit overblown and not prescriptive enough. SOX, as it became known, was a large piece of legislation, but it worked. It bolstered confidence in the financial reporting of publicly traded businesses in the US. And the “big 5” became “the big 4”, with Arthur Andersen paying the price for the “bungled” audits that led up to this crisis.
In the current political climate, there are many calls for this type of “red tape” to be removed. But SOX was enacted for a reason: to stop people from falsely manipulating the financial status of the business, and thus defrauding stockholders. Take this legislation away and I can 100% guarantee you that these frauds will return, eventually. There is a case for reducing some of the provisions in the legislation, but take care what you wish for. Fraud is everywhere, if you allow it.
The role of external auditors today is a critical one, and the security audit is something we need to embrace. But surely, rather than compliance and audit costs rising endlessly, efficiency MUST increase over a period of time.
The security audit usually takes place alongside the financial audit, but both types of audit have one significant issue: a lack of automation. This is true on both the corporate side and the auditor side. There are now tools that enable even small companies to automate the core issues, but people simply don’t use them.
The security auditor preaches Internal Controls, and these are crucial to a well-functioning business; they are the means to stop internal processes from going awry. Internal Controls make everything go smoothly, whether it is provisioning access to the ERP system, risk assessment, or basic governance. Many eyes glaze over when I mention these things, but they are crucial to business success. But you need to automate them!
The other issue that drives me crazy is how difficult companies find it to implement Segregation of Duties (SoD) controls. SoD is the main means of preventing fraud on a company’s systems, which should be very important to all CIOs since there is a 1 in 2 chance of internal fraud on your systems this year. SoD is critical, but you need to automate it to make it work.
I am not proposing that we should feel sorry for the beleaguered audit firms. They need to learn the lessons that they preach: they need to automate audits. This is how you decrease costs (on both sides). And strangely enough, this is how you increase quality.
The day in the life of the person who manages the ERP system is a complex one. It’s a pain when the auditors ask for information that you can’t easily extract. But they’re asking for a good reason. They want to help make sure the system is safe – what you need to do is automate these processes.
Find out how to audit an Oracle ERP system with an hour’s effort or come and see us on booth 534 at Oracle OpenWorld this week.