The hottest software for corporate managers these days might be too hot to handle.
Just ask Scott A. Taub, the deputy chief accountant for the Securities and Exchange Commission. He recently issued a caveat emptor for software marketed by accounting firms to help clients track and evaluate internal controls under Section 404 of the Sarbanes-Oxley Act.
Such applications, he said during a recent meeting, may breach auditor independence rules if accounting firms are helping to set up the control systems they later evaluate. Noted Taub, “Companies and their auditors need to be mindful of those requirements.”
Several of the Big Four accounting firms, as well as technology companies and consultants, have designed or are designing software intended to help finance managers comply with Section 404 or the Act as a whole. Those managers are being bombarded with choices, but at least they can be thankful that the ultimate responsibility for judging auditor independence falls squarely on the audit committee.
It appears that the SEC has good reason to issue a reminder about where the domain of external auditors ends and where that of management begins. “We have heard concerns about the extent of work that auditors might be asked or might want to do,” stated Taub, regarding “assisting management in documenting controls and in developing tests of those controls so that management can make its assertion [about their effectiveness].”
Bruce Rosen, partner in charge of assurance services at Eisner LLP, raises similar concerns. He believes that some of his peers in the accounting industry are “living dangerously” by offering services above and beyond software.
“It’s very clear that company auditors at best can provide some low-level assistance — a staff person to do some of the documentation — but that’s probably the extent of it,” says Rosen. “And I know several of the firms are taking a different approach, meaning they’re willing to do the whole project.”
Gary Barton, senior audit manager at J.C. Penney, counters that major accounting firms are setting strict boundaries. “Right now I’m not seeing where there could be a conflict,” says Barton. The retailer — pending the approval of its audit committee — has decided to use software from its external auditor, KPMG, to help it comply with Section 404. Among the guidelines, notes Barton: KPMG can’t be involved in documentation or in the first testing that internal audit will do.
KPMG’s comfort with its proprietary software during tests of J.C. Penney’s internal controls, adds Barton, reassured managers when they chose KPMG over other vendors. “Hopefully they’re familiar with their own software and understand it,” he says.
John Hagerty, vice president of research at AMR Research, agrees that external auditors and clients are stepping carefully around independence issues. “The auditors are all very cautious on what they can and cannot do, and it is one of the first things they talk about” when the subject turns to separation of duties, says Hagerty. “The line between audit client and consulting client is very well drawn.”