Do either of these scenarios sound familiar?

  • You hired a Big Four audit firm to assist with fixing some internal control deficiencies. It cost an absurd amount of money and they provided you with narratives and process flows that were never implemented. Your team is left without a plan and the resources to roll it out. This results in a significant deficiency or material weakness around internal controls.
  • Your company recently went public and spent a lot of time and money hiring an audit firm to assist with 404 compliance. After three months, your controller asks for an update. The audit firm has created some inaccurate policy/process narratives and hasn’t started a risk assessment or built controls documentation. Your audit committee isn’t happy.

Both of these scenarios are true stories. In each case, we have helped our client determine the root causes of deficiencies and implement the appropriate process solutions.

Those who come from the Big Four or another audit firm are familiar with the following audit process:

  1. Risk assessment and walk through: Identify and categorize risks (mostly using PCAOB guidance and previous audit results). Walk through the process and identify any other risks.
  2. Testing Plan: Identify sample sizes, timing, and test scripts.
  3. Test: Test the trial balance and internal controls.
  4. Results: Review with four levels of management and then offer an opinion.

This tried and true testing process allows the audit team to catch any significant errors or fraud. Auditors are trained to work long hours, know what’s needed, and find significant deficiencies. However, they should not recommend changes or corrections, as this could create a serious conflict of interest. If they do, they would be met with the wrath of the PCAOB (the auditors’ auditor) and the Department of Justice!

This process is ingrained in the minds of external auditors, and problems can arise if they join the industry or an advisory group. Many can break this mindset as they take on positions in industry. Yet for those who never leave audit, the find-the-problem mentality doesn’t morph into fix-the-problem.

Taking it even further, many audit and consulting firms employ the SALY method: Same As Last Year. This is a practice where the firm just repurposes deliverables from previous years or clients. This leads to deliverables that aren’t tailored to your needs or processes.

The Audit Mindset

Audit firms impact in the following ways when assisting clients with their internal controls framework:

  • Audit firms will work with Internal Audit and Internal Controls to identify risks and control deficiencies
  • Audit firms struggle with recommendations and don’t tend to possess the knowledge to make processes more efficient
  • Audit firms don’t have change management experience and struggle with process owner and end user communications
  • Audit firms employ the SALY method—no personalized touch

Don’t hire an audit firm with the expectation they will change/improve business processes.

Auditors have an ingrained methodology that works great for analyzing risk, but they miss out on a crucial piece of recommending and implementing changes. Even though more and more audit firms are getting involved in controls rollout, there’s still a huge gap in their process and change management experience.

The Trenegy Mindset

Trenegy performs the critical tasks of remediating controls weaknesses with process solutions.

Trenegy is a management consulting firm that understands your business processes, systems, compliance requirements, and the proper way to roll out change while improving efficiencies.

Start typing and press Enter to search

Get a free copy of Trenegy's 2019 "State of The ERP"

Controls framework