April 28, 2006
In my professional opinion, external audit firms are interpreting PCAOB and SEC (Statement No. 2, staff QA) over-zealously. This is driven by the fact that there is no incentive from a risk or economic perspective to do otherwise. Indeed the risk is in the other direction, since they fear litigation only from "not doing too much" and not from "over doing it." I will provide two examples of interpretations that highlight my point:
1) The auditor must assess management's Assessment. An SEC QA explicitly states that management's identified controls can and even should be different from the auditor's. It goes on to say that the auditor should not test to see if management's testing was at least as extensive as the auditor's. I have witnessed CPA firms who simply reject that QA, and call it "firm policy" to thoroughly test and assess management's assessment, specifically by measuring its extent (and what specific controls are tested) against that of their own audit.
2) Certain portions of Statement No. 2 are abused and used as an excuse for the auditor to have a "free pass" to audit and test whatever controls they want to. These portions include references to Safeguarding of assets, as well as multiple instances of the phrase "... effect the firm's financial statements." Safeguarding of assets is being twisted to include operational risks. For example, the auditor will test to see how well the company collects its receivables, or if sales discounts are excessive- even when the situation would in no way cause a misstatement in the financial statements. Quite literally, the auditor is drawing a difference in the terms "effect the financial statements" and "misstate the financial statements." Pretty much everything, including use of the company coffee machine will "effect" the financial statement. It is the intention of the governing bodies to have auditors assess controls that would mitigate risks that could misstate the financial statements.
Please understand that Partners of major audit firms (Big 4) will not concede to my last sentence. They insist that their audit should not be focused on more than just misstatement, thus letting them wander into operational and compliance risk, which costs the company, shareholders and society.