January 22, 2007
-proposed rule 33-8762 -
I am the lead on the IT SOx team at my company (in Canada) and have concerns around the fact that the proposal appears to expect that Management will reduce the amount of work (testing) completed to ensure internal controls are working effectively and to increase the external auditors' scope of work to be sufficient to comment on our control framework (design and operational effectiveness) and thereby facilitate our attestation process.
My experiences, both as an external auditor and now as part of the internal control structure of my company, lead me to believe that this will not result in a better control system but may result in us turning back the clock. The staffing issues that the external / public audit firms have been experiencing have resulted in them stretching their staff over multiple clients over the same small windows of time. The external audit team normally consists of one person with some experience and a couple of juniors that are being trained. For control work? With a very small team and multiple systems and infrastructures to evaluate - is it really considered feasible that the external audit team will:
1) have the knowledge and experience over the large, diverse audit areas, and the breadth and depth of knowledge to cover multiple platforms?
2) have the time and budget to truly dig into the systems, versus perform the regular General Controls review?
3) retain the audit staff on a year-to-year basis so that the client-specific knowledge and SOx-related experience will not be lost? Or will the audit be continuously staffed with auditors that are green?
4) have the time to fully investigate potential issues to ensure that they are true issues prior to reporting them?
The question is: will we really be getting extra bang for our bucks?
Which would our investors truly prefer:
SOx testing being completed by external public accountants who utilise junior staff to complete testing, OR
SOx testing being completed by accredited and experienced internal staff, with a depth of company knowledge and experience to bring to the work being completed?
True, the work that has been completed to date within our organization has been time-consuming, sometimes painful, with a lot of learnings and streamlining, but as a Chartered Accountant, I can confidently state that the IT areas that we audited internally are well documented and well controlled. Not only that, SOx is no longer really an "annual" event but is now a control process that is becoming embedded within our organization's operations. Isn't that what we were trying to achieve? Not just attestation?