
Posts Tagged ‘IT Audit’

Auditing Career: Dealing with Mentally Unstable Managers


The subject of “mental stability” is a minefield that has kept Psychologists and Psychiatrists busy since Sigmund Freud first proposed to make the study of human behavior into a hard science. Today, the meaning of mental stability is still not well defined in the social sciences, so it is extremely difficult for those of us outside of those fields to discuss it, define it or pass judgment on it. However, like pornography, a lack of mental stability in people, especially in the workplace, is something most of us recognize when we see it. As auditors, many of us have had to deal with mentally unstable people at different times and at different levels of the corporate world, including those at executive levels tasked with making significant decisions for their organizations. The effects of mental illness often cause serious negative impacts on the departments and the people the sick individuals interact with. But, because mental illness is still a taboo subject in corporate America, these people remain in their high level posts “undiscovered” for years. As auditors we often hear about managers who constantly change their minds or have difficulties making up their minds for the simplest of things, or directors who have sleeping disorders and call their staffs at 3:00 AM to criticize their peers or to brainstorm strategies without end. Or, the abusive vice-president who obtains pleasure from humiliating her staff in public, insults minorities with “indirect” comments and makes disgusting facial contortions when talking to junior employees. And, one I personally remember… the supervisor who reprimands his team for following the very procedures and policies he instituted a few months earlier. When the person with these types of instabilities is your boss, you have a problem.

I’ve written this article as a result of a discussion I recently held with a Psychologist who specializes in Organizational Psychology, and she pointed out, to my amazement, that in corporate America it is better to be an alcoholic or drug addict than to have a mental disorder. In 2010, most personnel departments address employee and executive level addictions with a variety of solutions such as 12 step programs, psychotherapy, etc., but mental illness, because of the difficulty in “proving it,” carries legal issues that scare the average personnel manager, and so it is awkwardly “ignored.” This process of ignoring the destructive behaviors of mentally unstable managers or executives often includes an “unofficial” gag around direct discussions on the behaviors of the individual; instead, “politically correct” comments like “you have to be extremely patient to work with Mike,” or “Helen is a little eccentric,” or “Herbert is impulsive and a little abrasive” are heard. At the end of the day folks like Mike, Helen and Herbert terrorize their staffs, ignore business controls, make a mockery of policies and procedures and create an atmosphere of tension that often damages a respectful and cooperative work environment. Worse than that, these individuals almost always chase away good talent and bring about unnecessary risk exposures to the entire company. All of these things have indirect impacts on the work of auditors. I am going to use the “How many controls are enough” example below, to bring the point home.

One of the most common questions asked of auditors is “how many controls do we really need?” The question is often a legitimate one, but it can also hide a myriad of other issues that have little to do with risk management, compliance and audit. Variations of the too many or too few question sometimes come from low level staffers looking to “reduce unnecessary work,” but at other times you hear it from business managers, before Risk Assessment work begins, explaining that “given the fact that we know what our weaknesses are, and we have good controls already, why should we bother evaluating controls and looking for new ones?” At other times you hear the classic given by overzealous project managers, “we only have 10 minutes to discuss each control, so let’s get this over with quickly.” Then there is the direct comment: “This is all a waste of time and I don’t give a %$#@ about you, controls or the audit department.” Most of these excuses or arguments are not presented by mentally unstable people, but some are. When used by mentally unstable people, watch out because all hell breaks loose, and you find yourself in a swamp full of snakes.

Dealing with these challenges is an art most auditors need to perfect. How indeed should these questions be answered, especially to people who do not understand the basics of controls, compliance and risks we auditors carry in our heads? How can all these complex legalistic requirements be translated for people who do not care to understand them, or have no intellectual ability or lack the attention span to “get it” within the short periods of time allotted to the process? These are our normal challenges with “normal” people. The challenges when dealing with mentally unstable managers may be insurmountable. Clearly conveying the message in a professional manner doesn’t cut it. Preparing nice PowerPoint presentations doesn’t cut it. Speaking in a low tone when they are screaming and insulting you doesn’t cut it. What my Psychologist friend pointed out is that these folks are sick, and not misbehaving or involved in temporary tantrums. As untreated sick people, they often cannot control what they are doing. If you do not accept this fact, you will hit your head against the wall trying to interact with them in ways that work for normal folks, but do not for the mentally unstable. You must also understand that these events are not your fault since most mental disorders start early in a person’s life, way before you had the unfortunate luck of stepping in the person’s path.

My Psychologist friend jokingly suggested that auditors receive training on how to interact with people suffering with Attention Deficit Disorders, bipolar disorders and in group dynamics in the corporate environment. A company’s culture is a very complex organism. Even the smallest places have complicated political and social layers (silos) that have nothing to do with the official roles and functions performed by individuals and shown in organizational charts. Decisions in organizations, anyone who is observant will confirm, are not always made based on logic, business reasoning, policies, controls, and/or the need to comply with external regulations. They are often made based on fear, anger, sexual attraction, insecurity, jealousy, greed, hate, prejudices and confusion. Because of these things, it is easy for mentally unstable people to “hide” in the open. In many organizations these behaviors are sheltered because those at the top benefit from that sort of culture. For example, a manager who regularly works 8:00 AM to 9:00 PM (without asking for extra compensation), keeps to himself, does not take well to change, drives his staff like cattle, but surpasses his quotas, may be highly “appreciated” by his superiors. In these types of organizations calls to perform, comply with and produce results based on COSO, CobiT, AS-5, PCAOB, SOX, ITIL, etc. are ignored, stonewalled, analyzed to death or “adjusted” to the point of non-recognition. So, answering the “why do we need these controls?” question can be tricky if you happen to be in the wrong organization or before an unstable manager. Reaching an “understanding” on the need for a dozen or less controls can drag on for twelve to eighteen months, or more, easily. Usually, the conclusion of these torturous wasteful exercises is reached via discussions or negotiations that have little to do with the compliance, legal or operational issues originally brought to the table.

Most accountants, auditors, lawyers and IT folks I know have no training on dealing with folks with mental health problems in the workplace. I do not know of anyone who can say they would know how to deal with either mentally unstable managers (those whom they report to) or mental instability in those they audit. Our capitalist system proposes that business people function in a balanced manner because the marketplace acts as an invisible counter-weight to bad or irrational decisions and bad behaviors. By some miracle the “marketplace” is self-policing, self-healing and a good arbitrator of even mental health. The marketplace is supposed to distribute higher profits to those who play by this rule. This neat picture of social and economic behaviors, however, is flawed. It assumes that all human beings are primarily motivated and controlled by money. Because of this simplistic view, even the smallest of our corporate organizations can be inhabited by well dressed and impressive looking people with serious mental illnesses. Given the epidemic levels of untreated Attention Deficit Disorders, Personality disorders and bipolar disorders in our society, why is it taboo to conclude that these are also at epidemic levels in corporate America? During the hiring process, when most mental disorders can be identified, most organizations do not ask if the candidate has had a history of mental illness, and current law does not obligate the candidate to disclose the information.

So, what do you do when you determine, based on the “pornography” (when you see it you know it) test, that your boss is mentally unstable? The answer given by my Psychologist friend is simple and direct. The answer is to look for another job as soon as possible, especially if you determine that the organization turns a blind eye to the problem. Many mental disorders are not curable, even though they are treatable if the person obtains long term consistent help, medications and therapy. Given the manner in which our society works, and our corporations are structured, working under a mentally unstable person is a no-win situation. Any organization that maintains a person of authority while ignoring his/her signs of mental illness is not a healthy organization and may have other serious problems hidden just under the surface. The responsibility of an auditor is to deal with reality in a transparent manner, trying to report risks that may impact stockholder value, assisting management with controls and solutions for better performance and detecting potential fraudulent acts. When those who manage the audit function, compliance or risk management are mentally unstable, the integrity and reliability of those functions can be in question.

What do you do when you determine, based on the “pornography” (when you see it you know it) test, that someone you are auditing is mentally unstable? The answer depends on whether the mental instability is known in the organization or not. If it’s known, but there is an “unofficial” gag situation, where the personnel department and other managers ignore it, you have a challenge at hand. As an auditor, you have discovered a risk to the organization; you probably also have evidence that the person may be ignoring policies and procedures, is abusive to staff and may have even tampered with audit samples. However, he has held the job for 15 years and each year he gets his bonus and good reviews. His boss of 15 years, a man related to the CFO and a major shareholder, said the guy is “colorful” but “OK.” To help you make the decision, here are a few queries you should answer:

  • What is the likelihood that you are the only auditor during the last 15 years to find these irregularities?
  • Why would the inner circle consider this unstable person “OK” and take the risks associated with his illness?
  • What do other auditors know about the situation, and what do they say?
  • What is the company “culture” like, regarding others who ignore and break company policies and procedures?
  • Is HR aware and concerned about the problems with the manager and his staff?
  • Are there previous audit reports citing the manager, his department or any compliance issues linked to him?
  • Are there others in the company with similar conditions?
  • Has your superior expressed concern over how you may report the findings, without giving you adequate reasons for the concerns?
  • Have the issues, risks and failures discovered by the auditor been in effect for a long time, in a way that knowledge of them has been an “open secret” requiring that multiple individuals “play along” in order not to make waves?
  • Has there been an insinuation, gossip or small talk to the effect that the auditors should not pursue issues with the individual in question because of his “connections” in the company?

These ten questions should give you a sense of where things are regarding the mentally unstable individual, his social connections in the company, the corporate, legal and business culture that nourished him for 15 years, and how you may best proceed. If the answers to these questions lead you to believe that the organization has been aware of the problem, you may be better off working elsewhere. If multi-billion dollar organizations are reluctant to address these issues and resolve them, you need to carefully think about how you can maintain your professionalism and ethics as an auditor, and that may only be achieved by going elsewhere. When the organization is ready to address the issues at hand, or when it is forced to by the legal system, you can read about it in the newspapers. But, an inquisitive person may ask, “in this situation, don’t you have an obligation to report this information to your superiors?” The answer is “Yes.” But, if they already know about it and want you to keep your mouth shut, what can you do? If you stay in the job, you are in essence taking part in a conspiracy and cover-up little different than those that occur during a financial fraud, and if it blows up, you will have, as the auditor, to answer some hard questions as to what you knew and when you knew it. Most interesting will be how you answer the “why did you not report it” question.

If your queries, on the other hand, lead you to conclude that you have a new finding, and the mentally unstable person’s condition is unknown to others in audit, HR and/or legal, you should, in consultation with the Chief Audit Officer or audit Director, find a strategy to address the issue and report it according to said strategy. If the company has a policy for addressing mental health issues, you should consult it and incorporate its guidelines in your approach and documentation. This process will likely not be smooth and easy. Imagine if your findings lead to a psychiatric determination that the CFO has bipolar disorder. Can this finding become a “material weakness” from a SOX perspective? It can be argued that the symptoms of bipolar disorder in the CFO can negatively impact financial reporting! How would you write this up in the 10-K and what would constitute an acceptable “remediation?” Can the board call for the removal of the CFO because of this? When do the lawyers step in?

To be fair to all, not all organizations deal with mental illness problems in a bad manner. Many organizations have invested money and time, and have trained their HR and legal departments in ways to address this serious challenge. But, to do so everyone has to admit to the problem, and an entire new set of corporate policies and guidelines needs to be adopted on how to fairly address mental illness in the workplace. As auditors, you will likely see more and more of these situations as the problem in the general population gains media attention and more people are diagnosed with these disorders. It is also important to note that those who suffer from mental disorders, although sometimes disruptive, conflict-prone or unpredictable in the work environment, should not be stigmatized or abused because of their illnesses. The mentally unstable deserve professional treatment for their sake and for the sake of those around them. Without it, they pose risks that will not go away by simply ignoring them.

As always, I will welcome reader comments on the subject, especially if they are based on real life work experiences.    Thanks for reading!


Enterprise Security: Cheating on Your IT Security Audits


I recently read a good article regarding IT Security Audits which I thought many readers would be interested in. Cheating on IT Audits by IT staffs is not unheard of to most of us in the auditing business. However, it is a taboo subject that rarely gets any media attention and that few ever discuss in public. Whenever we Auditors perform an audit, all the information provided to us is accurate, never doctored, performed within the time frame or scope of the audit and properly authorized by management (if you believe this you may be on drugs). Cheating on audits, on purpose or out of ignorance, is common, and this is one of the reasons we have to verify the authenticity and relevancy of the samples and evidence provided to us before we can accept them.

The article points out that 20% of the 151 IT Security professionals recently polled at a major InfoSecurity conference admitted to cheating on IT Security Audits of firewalls. Although this sounds like a high figure and I have never investigated this in any formal way, I will venture to say that in the “field” the number is probably higher than 20%. Here is an excerpt from the eWeek Security Watch article, which you can read in its entirety by clicking the link at the bottom of the post:

“An audit isn’t worth much if the people doing it are cutting corners. Unfortunately, a survey by the folks at Tufin Technologies suggests many IT pros may be doing exactly that.

The survey, which was conducted at the InfoSecurity Europe 2009 Conference in April, took opinions from 151 IT security pros. The aim was to determine companies’ approach to firewall auditing and management.

What Tufin turned up was that 20 percent of the respondents admitted they or a colleague had cheated on an audit to get it passed. The company did not ask specifically how they cheated, citing time constraints. But if applied generally, it could be there are many networks operating a false sense of their own security posture.

Going deeper, 9 percent of the respondents admitted that they never bother to check and audit their firewalls at all….”

To continue reading this interesting story, please click the link below:

What do you think? Am I stretching it here by thinking that the real figure may be higher than 20%? Leave a comment (anonymously if you like).


A Painful Lack of Security Jobs


I just read this excellent article from SCO Security and Risks magazine online, regarding the state of the job market for top level IT Security professionals, and I decided to share it with you because my sense is that we have been experiencing a similar situation in the IT Audit field.

The economic downturn has forced many companies to cut corners, and get rid of many folks at senior management levels (including many CISOs and IT Audit Directors), creating serious hardships for a layer of individuals who are, by all standards, the most qualified, best certified and experienced in the industry. These individuals are failing to find work not because they are poorly qualified, but because companies no longer want to, or cannot, pay them for having reached these high levels of expertise and professionalism. The typical company in today’s environment is looking to hire a lower level (lower paid) “Analyst” with mid-level technical skills over a well-seasoned IT Security professional. From my discussions with peers in IT Audit, the same is happening with folks holding multiple certifications, CISA-CFE-CISSP or CISA-CBCP-ARP, which would have been insane or close to impossible just two years ago. This sort of thing is happening all over the country, as the article points out, and will have long term negative impacts on both companies and the individuals experiencing these hardships. Below is an excerpt from the SCO Security and Risks magazine article, which you can read in its entirety by clicking the link at the bottom of the post:

“An IT security pro’s personal tale of a long and bloody job hunt and what it says about the industry’s current state of affairs.

We can blame it all on this dastardly economy, but even in good periods, qualified individuals find it difficult to land a job as an executive.

Just recently, I applied for a job as a director of information security. The position reported directly to the company’s hiring manager (CIO). It was widely advertised at the company so many of my friends and colleagues knew who the hiring manager was. I had already contacted the CIO directly — and had subsequently been introduced to him and recommended by other CIOs who knew him well, so the hiring manager immediately e-mailed me to say to contact the HR director for an initial phone interview and to call him later that same day.

Both interviews went extremely well, with conversations lasting well over an hour. We covered their challenges that I could address and gravitated to small talk on our past experiences. We clicked and had long, enjoyable conversations. The CIO said he would bring me in for a face-to-face meeting the following week once he had a chance to interview other candidates.

Deep down I was overly cautious, having been burned in the past, as I explained to another candidate who had applied. I said, “It would appear to you I’m a natural shoo-in or on the CIO’s short list by knowing so many people and from the work I do. But it is getting to the point that it no longer matters who and what you know, not even if you’re a close friend of the hiring manager.”

Being well-known in the industry and the local IT community, I knew who these other candidates were, and we shared much information. It is a small world.

In the weeks that passed, I sent the CIO two follow-up e-mails, I also e-mailed the HR director in California. All three were met with silence. I also left the CIO two voice mail messages — one on his office line, the other on his personal cell phone — and neither was returned. After three weeks, I received a phone call from the HR director telling me the CIO was unsure about the position. He was contemplating diminishing the role to a lesser grade and I was, of course, overqualified, and so were the other candidates…..”

To continue reading this interesting story, please click the link below:

What do you think? Are you a high level person experiencing something similar in today’s economy? Please share by leaving a “Comment.”


Auditing Career: How to Focus on High Value Skills


Recently, I received an email from a young auditor, asking that I advise him on how to focus his resources in a way that will yield the most valuable skills for the future, especially in a future where IT Audit and Financial Audit are meshing. Below is the email, with his name changed to protect his privacy:

“Hello Joel,

I have a question for you. I have a business background having done Chartered Accountancy and then also did CISA. I also worked in the Enterprise Risk Services in Deloitte. The field of IT Audit requires an understanding of the business processes as well as the technical knowledge of ERP, OS and other applications. Since one cannot be an expert in both (business & technical), how can one achieve a balance between the two and know which skills will be most valuable in the future.

Regards,

Mr. H. Dalad Wasi”

This is, in my opinion, one of the most important questions auditors should be asking themselves today. Gone are the days when auditors could rely on a static set of skills and practices to succeed in their careers. And, gone are the days when most auditors, internal and external, had the good fortune of having job security to the point where they could, over a period of many years, fine tune company specific “routines” that allowed them to remain in their company’s insular (and sometimes provincial) cultures, where bad habits and bad practices went unnoticed and unchecked for decades. As a result of Globalization and market realities, survival for most auditors now depends on their ability to re-educate themselves quickly and on gaining a strong foundation in the internationally accepted frameworks promoted by organizations like IIA, ISACA, ISO, IRCA and the AICPA. After gaining the basic certifications issued by these organizations, my focus would be as follows:

1) Prepare to change the focus of your career several times over the next 5 or 10 years, in order to adjust to rapid changes in the economy and as technology forces change society in general. What I’m saying here is that 10 years ago there was no Sarbanes-Oxley, IT Auditors were still focused on AS-400’s and EDI networks, and the Internet was still not well defined as a viable e-commerce platform. Most auditors 10 years ago still worked in a manual environment, and those using spreadsheets were considered highly advanced. Imagine an auditor today not “accepting” work on Sarbanes-Oxley, or not having upgraded his technical skills beyond the AS-400. They would be out of work. In a nutshell, to stay employable the auditor must be able to dynamically accept and understand the tools, processes, political realities, economics, new practices and limitations adopted by the general society, the auditing field and specifically the business world, as they progress through time. Some folks call this “having an open mind to change.”

2) Accept that the meaning of “Auditor” is in flux, and in the process of being redefined. It is my opinion that today the best auditors are those who unofficially wear about 4 hats at the same time. The first hat is the traditional hat worn by the typical CIA or CISA, which is focused on control frameworks and controls testing. Then the risk management hat, which is for auditors a “light version” of the work done by the PRM or ARM folks; dealing with formal risk assessments, reporting and analyzing impacts at the operational and IT levels. Then there is the compliance hat, which auditors cannot avoid since they are the ones testing the controls that either pass or fail compliance. So, they often have to perform some sort of unofficial duties helping the compliance officers, or when there is no compliance officer, leading the compliance / remediation efforts in some fashion. The fourth hat worn by most auditors is the Governance hat. In the past, this hat was a small one, but now it’s gaining in size. Both corporate and IT governance have experienced fast changes since Sarbanes-Oxley was passed, stockholders became more demanding (in the last 10 years) and internationally accepted frameworks have been accepted as legal and operational practices. The need for governance advisers by boards and the “C” levels has allowed many auditors to fulfill this role given their traditional work with rules and regulations, policies and procedures. Next to corporate lawyers, auditors are the best positioned to work in the governance area. In my opinion, auditors who master these four areas are currently in high demand and will be so for a long time.

3) The IT challenge. My opinion is that IT Auditors need to get their CIA certifications and financial auditors need to get their CISA’s. This will take time for most people, but it’s not undoable, especially for intelligent folks that are good at test taking. Most auditors, by natural selection, are good at taking tests! Why do I feel this way? Remember we are talking about things that will make you most valuable for the future, and with the US economy shrinking, outsourcing, foreign competition and shorter employment cycles for most professionals, those who have the most diversity of skills and qualifications are better off than those who do not. If you look at the CIA material, a good two sections parallel the CISA material. Study and get it done, period.

4) If you are a new CISA, I recommend that you focus your energies on two or three IT domains (IT Security, DR, SDLC) which you will make your “forte” for the next two to three years. Included in there should be strong knowledge of an ERP system like Oracle. Also, make sure you learn and become comfortable with CobiT 4.1. If you are a new CIA, I recommend that you focus your energies on learning the IFRS and position yourself as an expert in that area. Also, learn the COSO framework and get a good grip on risk assessments and the ACL analytics package.

The email from H. Dalad Wasi also asks how one can maintain a balance between IT and Financial auditing (since he is balancing the two). He is right in that few people can be masters of both. My answer is that one tends to gravitate toward that which gives you the most satisfaction and where you find the greatest recognition and compensation from a social, financial, political and family perspective. If you are a nerd dressed up as an auditor, this will influence how you make this decision. But, if you’re an auditor forcing yourself to understand TCP/IP and router tables, this will also influence your decision. When I say that auditors should be both IT and financial auditors, I do not call for supermen or superwomen who are complete experts in each domain. Strong expertise in one domain and working knowledge in the other is sufficient to give you the competitive advantage needed.

This was intended to be a short reply, but it grew into something bigger. I also suspect I’ve missed some key issues, but for now this is my advice and I hope it was helpful to H. Dalad Wasi and others reading it.

If readers have ideas or suggestions for Mr. Wasi, please feel free to leave them here in the “Comments” so we can all contribute.


The Effect of SOX Section 404

Street Photography, Centro, Madrid, España
Image by publikaccion.es via Flickr

Another excellent article from Harvard Law School. Below is an excerpt. There is no doubt that SOX has increased the cost of doing business and the article explains this in great detail.

“Posted by Jim Naughton, co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Monday September 21, 2009 at 9:24 am

(Editor’s note: This post comes to us from Peter Iliev of Pennsylvania State University.)

In my paper, The Effect of SOX Section 404: Costs, Earnings Quality and Stock Prices, which was recently accepted for publication in the Journal of Finance, I investigate the costs, the benefits, and the overall value impact of SOX Section 404. This provision requires that managers report on the effectiveness of the controls that monitor the internal financial reporting systems, and an outside auditor attests to the management’s assessment of company controls.

Section 404 and its practical application have been under intense attack from business groups and lawmakers who generally view compliance as overly burdensome. Despite calls for a small company exemption, the SEC only gave a five month extension to small companies’ compliance. This exemption provides an ideal quasi-experiment for this study. Specifically, I use a regression discontinuity design that compares the companies that were just above the rule cutoff and had to file the report to companies that were just below the cutoff and did not have to file the report. This is a good quasi-natural experiment because the exact cutoff is not related to firm fundamentals. In addition, one must consider whether firms actively manipulated their public float to escape compliance. This paper uses the public float rule in 2002 to predict (instrument) the actual compliance in 2004. Firms with a public float over $75 million in 2002 had to comply with Section 404 in 2004. However, in 2002 firms had no information about the way Section 404 would be implemented. Therefore, companies did not know that this threshold would be used to define 2004 compliance and were less likely to actively avoid having a public float above $75 million.

The big advantage of the regression discontinuity design is that it can isolate the effects of SOX Section 404 compliance from the effects of the changing business climate (and any contemporaneous event) that would have affected all firms. The disadvantage of this approach is that it can look at small firms only. It is possible that the effect of Section 404 compliance is different for larger firms and hence the results do not generalize to, for example, Fortune 500 type firms. However, small firms are interesting in themselves. First, there are, of course, more small firms than large firms. Second, the big complaint about Section 404 (and SOX compliance in general) has been that small firms pay disproportionately high costs because of the fixed cost nature of compliance. Third, small firms are likely to suffer more from asymmetric information and low reporting quality, and they could benefit most from the new regulation.

I investigate the audit fees as a direct measure of the costs of Section 404, the changes in reporting behavior proxied by firm accruals, and the stock returns around SOX-related announcements as a measure of the net benefits of compliance. I find that the attestation of the management's report (MR) by outside auditors imposed significant costs for small firms. Filing an MR in 2004 increased audit fees by 98%, or $697,890. With a median firm market size of $110.9 million in 2004 and negative average earnings, this is not a small amount……”

Continue reading by clicking the link below:

The three guys in the photo above are dealing with serious issues while strolling home from work in Madrid’s financial district.   The guy on the right is saying:  Look Pepe, when I get home my wife will have Chorizos in garlic sauce and olive bread with a nice red wine waiting for me, and I will be as happy as a Merino sheep.   The guy in the center is saying:  Chorizos….. what a cheap bastard you are, eating Chorizos as a main meal!   And, the guy on the left doesn’t care about any of this stuff and is instead wondering if his mistress is sleeping with other men.   The life of these financial executives is truly stressful!

Auditor Liability and Client Acceptance Decisions

Excellent article from Harvard Law School on the possible impacts on the market if the current auditor liability schemes were changed. It will likely have significant impacts on the way external auditors and the Big Four do business. Below is an excerpt:

“The audit profession has long argued that excessively burdensome legal liability imposed on auditors hinders capital formation by increasing the likelihood that audit firms will reject potential clients, particularly high risk firms, leaving such firms with limited access to capital markets. However, in equilibrium, a change in the legal environment will also have an impact on the audit fee, as the entrepreneur can compensate the auditor for the increased risk since it allows him to raise capital from investors at lower cost. Thus, the equilibrium implications of increased auditor liability on client rejection rates are not as obvious as implied by the audit profession's arguments.”

Continue reading by clicking the link below:
