Comments: Audits III: we don't know enough even to know what we don't know

Here is an exercise, useful in understanding auditing. You will need a sheet of paper, and a trash can with a metal or hard plastic bottom. Now, close your eyes and crumple the paper into a ball-- feel the paper crumple and listen to the sound... Now, open your eyes, and toss it into the trash. CRUMPLE.... PLONK. That's the sound of the audit manager discarding the audit findings of junior auditors.

Perhaps you will understand what's happening faster than most junior auditors do. The purpose of financial statements is not disclosure. It is to maintain the greatest possible secrecy and autonomy of movement by principals in the firm.

Posted by SecretSquirrel at March 1, 2009 01:59 PM

I think that people forget the simple idea of "you get what you pay for". You and I do not pay for the audit the principles of the organisation eing audited do.

Now I'm not saying that auditors are "on the take" but there must be considerable presure from the seniors in an audit firm to keep a "good name" on the books. Such presure would be difficult for a junior in an audit organisation to resist.

However I read a news story that even when a group of auditors are apointed by Congress they still find little of worth. This is based on the team tasked with Fredie Mac and Fannie May organisations.

It begs the question as to why a 100 or so "indipendent" auditors missed the shananigins of the principles of the two organisations...

I think it would not be unreasonable to sugest that audit as a process carried out in the way it currently is, is mainly a waste of time and resources .

Which gives rise to the question "how do we get greater oversight without disclosing information that would cause a "competative disadvantage" for those under going the process.

Posted by Clive Robinson at March 7, 2009 11:58 PM

Actually I have to agree with that last comment. I have been a professional IT regulatory auditor for the better part of the last decade working both the corporate sector (SOX/HIPAA/PCI DSS/ISO 27002) and government (FISMA/DITSCAP/DIACAP/NIST SP 800-57/NERC CIP). While not auditor frameworks per se, you definitely audit against them given business regulatory and government legal requirements.

The basic problem of auditing is you are a paid investigatory whistleblower. As an internal corporate auditor (which I will also define as external auditors hired by the company being audited) you are always hamstrung by business needs. If you truly audit and present your findings in a unfavorable way your external auditing firm will lose business (costing you your job after it becomes a pattern). If you present them internally you will lose your job for airing dirty laundry; while you will rarely be outright fired you will get railroaded.

In the government sector it's even worse. Agency heads (SES's, Flag grade military officers, directors) have overall unquestioned authority and are highly politically in nature. Audits are often conducted 4 or 5 levels removed and running the results up the food chain is a quick way to get reassigned and/or kill your career permanently as bureaucrats have a long memory. It also doesn't help that everybody between you and the head has a valid professional career growth opportunity by stopping you to protect the head (who will write them favorable reviews). Once you hit the agency head level they have zero motivation to act given most issues, even if illegal, are reflective upon their duties hence they would have to acknowledge fault which isn't going to happen. Given that the GOA and various IG's have insufficient authority to act (or political will as there is little to gain in prosecuting your boss because even if they loss their job you won't get it, their lackey will), the only thing heads have to fear are congressional investigations and we all know how rare that is.

I long ago decided the only way to make audit work is to give them the authority to fire and relieve individuals on the spot without retribution (to include C levels and heads) but equally acknowledge this is unrealistic (prone for unethical abuse) as audit doesn't drive business or the government. Given this will always be an unresolvable issue means audit will always fail except when being used offensively by the folk paying the auditor and/or defensively to satisfy liability needs by shifting it onto the auditor. You still needs audits as it keeps the sheeple in line but it will never detect (or at least report as I am sure Madoff's auditors were well aware of what was going on) Madoff's, Enron's, and Coast Guard Deepwaters until it is too late.

I have hundreds of real worlds examples of illicit behavior but as an auditor, just like with whistleblowers, unless you are willing to lose your job, future employment prospectives, and your family over something that ultimate will have no impact (even if a congressional hearing happened, when was the last time you seen a agency head go to jail for violating federal law .. they simply get early retired) you will always been ineffective so you just deal with it, do the best you can, and if this bothers you, find a new career.

Posted by Peter at April 6, 2009 03:39 PM

And this is where we come to the party that up until now hasn’t received its fair share of scrutiny: PricewaterhouseCoopers, which as MF Global’s auditor was supposed to be the first-response regulator.

A week after I wrote in my BankThink column that the relationship between PwC and MF Global was too cozy for my taste, the regulators are catching up. Late Thursday, Bloomberg reported that regulators had subpoenaed PwC for “information on the segregation of assets belonging to clients.”

The CFTC’s action against PwC probably came as a result of a shocking CME Group announcement late Wednesday: "It now appears that the firm [MF Global] made … transfers of customer segregated funds in a manner that may have been designed to avoid detection." These transfers, CME Group said, appeared to have taken place after its audit team showed up last week at MF Global to take a look and found everything to be in order.

CME Group couldn’t have been hoodwinked like that if PwC had been doing its job all along. You can't circumvent controls unless there are none or there are holes. It was PwC’s job to review controls and the adequacy of policies and procedures to support them.

Since MF Global is a broker-dealer and a Futures Commission Merchant, PwC’s job went well beyond a standard audit. The auditor for a firm like this must annually review the procedures for safeguarding customer and firm assets in accordance with the Commodity Exchange Act. The annual audit must include a review of a firm’s practices and procedures for computing the amounts that, by law, have to be set aside in clients’ accounts each day. MF Global also had to send regulators an annual supplemental report from PwC. This report would describe any material inadequacies existing since the date of the previous audit and any corrective action taken or proposed.

Posted by Auditor PwC Should Have Been on Top of MF Global at September 25, 2016 03:42 AM
Post a comment

Remember personal info?

Hit Preview to see your comment.
MT::App::Comments=HASH(0x5640c2395cb0) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/ line 125.