Another Elephant in the Room: “Institutional Bias” in the External Audit Community

Last week I wrote a blog talking about how the System Implementation industry is biased against a “Complete and Secure” implementation.  This week I’d like to address another elephant in the room – institutional bias in the External Audit community.

We are living in 2020, and Sarbanes-Oxley was passed in 2002. We are 18 years into the implementation of the requirements mandated by Congress, yet there are still significant gaps in the procedures External Auditors use to audit their clients.

My perspective is that many External Audit partners are afraid of raising new risks with their clients, both for fear of losing those clients and because they don't want to have to explain to the PCAOB why the risk wasn't addressed in prior years' audits.

I will give two examples to support my position.  The first example is common to all ERP systems.  Around 2006, the PCAOB introduced the requirement to perform lookback analysis when a user has privileged access.  Our experience is that nearly all organizations have users with privileged access yet very few organizations have implemented lookback procedures.
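As an added illustration of what a lookback procedure actually does (this is not code from the post or from ERP Risk Advisors), the Python below reconciles a list of privileged-access grants against an application audit trail and returns the activity a reviewer must inspect. The record layouts and every sample value are constructed assumptions; a real review would pull the grant history and audit trail from the ERP system itself.

```python
"""Lookback review of privileged-user activity.

Added illustration (not the blog author's code or ERP Risk Advisors'
tooling): given a log of privileged-access grants and an application
audit trail, list the records a reviewer must inspect. All sample data
below is constructed, and the record layouts are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: who held privileged access, and when (assumed layout).
# Fields: user, responsibility, granted, revoked (None = never revoked).
PRIV_GRANTS = [
    ("jsmith", "System Administrator", "2020-03-02T09:00", "2020-03-02T17:30"),
    ("mlee", "Payables Manager", "2020-03-01T08:00", None),
]

# Constructed sample audit trail (assumed layout: timestamp, user, object, action).
AUDIT_TRAIL = [
    ("2020-03-02T10:15", "jsmith", "AP_SUPPLIERS", "UPDATE bank_account"),
    ("2020-03-02T18:05", "jsmith", "AP_INVOICES", "INSERT"),
    ("2020-03-03T11:00", "mlee", "AP_INVOICES", "APPROVE"),
    ("2020-03-03T11:05", "rgreen", "AP_INVOICES", "APPROVE"),
]


@dataclass(frozen=True)
class Finding:
    user: str
    responsibility: str
    timestamp: str
    obj: str
    action: str
    open_ended: bool  # True when the grant was never revoked


def _ts(s):
    return datetime.fromisoformat(s)


def lookback(grants, trail, as_of):
    """Return every audit record performed while the actor held a privileged grant.

    Records outside the grant window are excluded. A grant with no revocation
    date is treated as active through `as_of` and flagged open_ended so the
    reviewer can question why elevated access still persists.
    """
    findings = []
    for user, resp, start, end in grants:
        window_end = _ts(end) if end else _ts(as_of)
        for ts, actor, obj, action in trail:
            if actor == user and _ts(start) <= _ts(ts) <= window_end:
                findings.append(Finding(user, resp, ts, obj, action, end is None))
    return sorted(findings, key=lambda f: f.timestamp)


def summarize(findings):
    """Count records per user: the figure the reviewer signs off against."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in lookback(PRIV_GRANTS, AUDIT_TRAIL, "2020-03-31T23:59"):
        flag = " [grant never revoked]" if f.open_ended else ""
        print(f"{f.timestamp} {f.user:8} {f.responsibility:22} {f.obj:12} {f.action}{flag}")
```

On the constructed data, jsmith's supplier bank-account change inside the grant window is surfaced while the invoice insert after revocation is not, and mlee's approval is surfaced with the open-ended flag because the grant was never revoked. The point of the exercise is that the output is a finite list somebody has to read and sign off on, which is the control the post says is rarely in place.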

Another example is specific to Oracle E-Business Suite, the second most commonly used ERP system.  Oracle E-Business Suite has over 70 application security objects that can enter and execute SQL statements, run OS scripts, or perform SQL injection.  This is a significant fraud risk that could be material.  I first did a webinar in 2008 on this topic and blogged about it a couple of years ago.  Here is the blog: https://www.erpra.net/privileged-user-controls-sql-injection/.

These two issues are examples of risks that should be a part of the external audit scope, yet we’ve never seen the SQL injection object risk included in the scope of an external audit and have rarely seen lookback procedures required where privileged access has been identified.

Jeff Hare
jhare@erpra.net

Jeff Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors. His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience. Jeff has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience. Jeff is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA). Please follow us on LinkedIn and Youtube.
