Burke Files, in the latest of his series of regular columns, examines the common misconception that auditors and CPAs are a seal of approval on the financial state of a business and its compliance.
I am frustrated with two forms of overreach by the accounting profession. One is that the public and many professionals view auditors and CPAs as some sort of Good Housekeeping seal of approval on the financial state of a business, and assume that the business is somehow more compliant as a result. The second is the accounting profession's creep into areas where it does not belong, in particular any work on SAS 70, now known as SOC 1, 2 and 3, reports.
Audited financial statements are not guarantees against fraud.
The audit opinion is intended to provide reasonable assurance that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to enhance the degree of confidence of intended users in the financial statements.
Does it say "guarantee"? No, it does not. Does it say the auditors checked each and every expenditure to ensure it is both accurate and non-fraudulent? No, it does not. The audit addresses the financial reporting framework, and tests of the reporting framework are applied. If the numbers being fed into the system are gamed, and gamed well, as we have seen time and time again, the audit will not catch the phony numbers, and this is OK. The courts have rarely held accounting firms liable for losses that occurred from these all too familiar management frauds. Accounting firms have been held liable when their errors are blatant or when they are complicit in a conspiracy of chicanery. Audited financials are not a guarantee against fraud, and the public and the professionals ought to get that through their (and our) heads and adjust our expectations and practices.
In case you forgot that audited financial statements are not a guarantee against fraud, let these cases remind you of the value of audited financial statements: Xerox and KPMG 1997-2000, WorldCom/MCI, Tyco International, Phar-Mor, Lernout & Hauspie, HealthSouth, the Clearstream affair, Bristol-Myers Squibb, Bre-X and Parmalat.
CPAs have zero tradecraft in security
While the SOC 1 (Service Organization Control) report is mainly concerned with examining controls over financial reporting, the SOC 2 and SOC 3 reports focus more on the pre-defined, standardized benchmarks for controls related to security, processing integrity, confidentiality, or privacy of the data center's system and information. SOC 2 examines the details of data center testing and operational effectiveness. (The old form was a SAS 70 audit.)
The SSAE 16 audit was established to verify data center operational and security excellence.
I get it: the accounting profession wants to make the world a better place and sees a need for these types of audits and assurances. However, based upon the appalling data breaches at companies that possessed SAS 70, SSAE 16 and SOC 2 and 3 audit report assurances, the profession does not yet have a handle on either security or the security of data processing centers. I have no problem with CPAs not being licensed security professionals or experts on data centers. I do have a problem with them declaring themselves experts and issuing opinions, and thus assurances, on security.
The security of a data center is a very big thing and involves many tests and questions that only a data security expert will possess the tradecraft to properly ask and to seek solid answers to. For example, a data center was located in a building on a property adjacent to a refinery. When the refinery blew up, so did the data center. This event was nowhere on the SAS 70 list of issues. And while it was a very secure data center when standing, when blown up it did not function, and the data center's business continuity plans were insufficient to the task.
These types of audits and assurances are matters for the talents of accredited, credentialed security professionals, such as a CPP (Certified Protection Professional) conferred by the American Society for Industrial Security (ASIS), a CISSP (Certified Information Systems Security Professional) or an SSCP (Systems Security Certified Practitioner) conferred by the International Information Systems Security Certification Consortium ((ISC)²). These are professionals saturated in the deeds and knowledge of their profession.
In case you forgot, let these cases remind you of the value of SAS 70, SOC 2 and 3 and SSAE 16 audits: Accendo, Global Payments, Affinity Health Plan, Discover Card, AvMed, Inc., Emory Healthcare and Health Net, Inc.
The security of data at firms providing core functions to public companies is a real need that must be addressed by real professionals providing authoritative audits and assurances. The APPROPRIATE credentialed professionals are not CPAs. CPAs do themselves a disfavour when they pretend to know security for buildings, computer systems and/or data centers. People actually rely on and make choices based upon these audits performed by CPAs, when the CPA profession clearly cannot deliver a credible end product. Their mere familiarity with the issues and a desire to do good is demonstrably insufficient. Thus, it appears to me to be nothing but an exercise in credential creep by the accounting profession to bill more hours, which in the end will generate more litigation, litigation that the accounting firms will lose, and rightly so.
In the end, we still must do our homework ourselves. While it is necessary to rely on the insights and knowledge of experts, audits do not address fraud, and CPAs have no credentials in physical security, computer networks or data centers.
Just because one has a Doctorate in Economics does not mean that one should apply for privileges at a hospital.
L. Burke Files has been involved in finance since 1982 and in international finance since 1986. He has also served as the Director of Corporate Finance for an investment banking company; President of a business and venture capital consulting firm; and a commodities specialist trading gold, silver, and foreign currencies 24 hours a day. In the past, Mr. Files has served as a member of the Governor's Board on Solid Waste Management; as an advisor to the Governor's Board on Economic Planning and Development; and as a former Commissioner of the City of Tempe Transportation Commission. Mr. Files has also received a Commission and a Medal of Merit from the President of the United States. He has written extensively and been quoted in many publications. He is a frequently quoted source for articles regarding financial investigation and due diligence. Among the publications in which he has been quoted are: Chief Executive Officer, The American Southwest Quarterly, Offshore Journal, Cayman Today, Aegis e-Journal, John Cooke Fraud Report, El Cosario, European Business, NPR Market Watch, Bloomberg, USA Today and Associated Press. In addition to numerous published articles, Mr. Files is the author of several books, including Due Diligence for the Financial Professional and Money and Budgets.