07 Apr Another Elephant in the Room: “Institutional Bias” in the External Audit Community
Last week I wrote a blog post about how the system implementation industry is biased against a "complete and secure" implementation. This week I'd like to address another elephant in the room: institutional bias in the external audit community.
It is 2020, and Sarbanes-Oxley was passed in 2002, so we are 18 years into implementing the requirements Congress mandated. There are still significant gaps in the procedures external auditors use to audit their clients.
My perspective is that many external audit partners are reluctant to bring new risks to their clients, both for fear of losing the client and because they do not want to explain to the PCAOB why the risk was not addressed in prior years' audits.
I will give two examples to support my position. The first applies to all ERP systems. Around 2006, the PCAOB introduced the requirement to perform lookback analysis when a user has privileged access: because preventive controls cannot be relied on for a user who can bypass them, the auditor must look back at what that user actually did with the access during the period. Our experience is that nearly all organizations have users with privileged access, yet very few have implemented lookback procedures.
The second example is specific to Oracle E-Business Suite, the second most commonly used ERP system. Oracle E-Business Suite has over 70 application security objects through which a user can enter and execute SQL statements, run OS scripts, or otherwise inject SQL into the database. Strictly speaking this is arbitrary SQL execution by an authorized user rather than injection through an untrusted input, but the fraud exposure is the same: the user writes directly to the database and bypasses every application-level control. This is a significant fraud risk that could be material. I first did a webinar on this topic in 2008 and blogged about it a couple of years ago. Here is the blog: https://www.erpra.net/privileged-user-controls-sql-injection/.
Both of these risks should be part of the external audit scope, yet we have never seen the SQL execution object risk included in the scope of an external audit, and we have rarely seen lookback procedures required where privileged access has been identified.
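To make the two points concrete, here is an added example of what a lookback procedure actually does with an audit trail. It is illustrative code written for this post, not Oracle's code and not a tool from the blog linked above; the role names, table names and audit records are constructed, and the "SQL" source tag stands in for whatever marker your audit mechanism uses for changes that did not come through an application form. The point it shows: lookback enumerates every change a privileged user made in the period, and a change that came in through direct SQL is the one the application's own controls never saw, so it gets the highest review priority.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Roles treated as privileged for lookback purposes (constructed list, not an EBS seeded list).
PRIVILEGED_ROLES = {"System Administrator", "Application Developer"}

# Tables whose changes matter to financial reporting (constructed list; names are illustrative).
SENSITIVE_TABLES = {"ap_supplier_bank_accounts", "gl_je_lines", "fnd_user_resp_groups"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    table: str
    record: str
    column: str
    old: str
    new: str
    source: str  # application form the change came through, or "SQL" for direct database access


# Constructed user-to-role assignments.
USER_ROLES = {
    "JSMITH": {"System Administrator", "Payables Manager"},
    "ALEE": {"Payables Clerk"},
    "DBA01": {"Application Developer"},
}

# Constructed audit trail, the kind of data a trigger-based or database-level audit produces.
AUDIT_LOG = [
    AuditEvent(datetime(2020, 2, 20), "JSMITH", "fnd_profile_option_values", "SITE/ICX_SESSION_TIMEOUT",
               "value", "30", "60", "Profile form"),
    AuditEvent(datetime(2020, 3, 2), "JSMITH", "ap_supplier_bank_accounts", "SUPP-1042",
               "iban", "GB29NWBK60161331926819", "GB94BARC10201530093459", "Supplier Bank Account form"),
    AuditEvent(datetime(2020, 3, 5), "ALEE", "ap_invoices", "INV-7781",
               "amount", "1200.00", "1250.00", "Invoice Workbench"),
    AuditEvent(datetime(2020, 3, 9), "DBA01", "gl_je_lines", "JE-5510/3",
               "entered_dr", "0.00", "50000.00", "SQL"),
    AuditEvent(datetime(2020, 3, 12), "JSMITH", "fnd_user_resp_groups", "ALEE",
               "responsibility", "", "Payables Manager", "Users form"),
    AuditEvent(datetime(2020, 3, 15), "DBA01", "fnd_lookup_values", "YES_NO/Y",
               "description", "Yes", "Yes ", "Lookups form"),
]


def privileged_users(user_roles, privileged_roles=PRIVILEGED_ROLES):
    """Users holding at least one privileged role: the population lookback must cover."""
    return {u for u, roles in user_roles.items() if roles & privileged_roles}


def rate(event, sensitive_tables=SENSITIVE_TABLES):
    """Review priority for one event. Direct SQL outranks everything else: it bypassed
    the application's own controls, so nothing but lookback can catch it."""
    if event.source == "SQL":
        return "direct-sql"
    if event.table in sensitive_tables:
        return "sensitive"
    return "routine"


def lookback(audit_log, user_roles, period_start, period_end):
    """Every change made by a privileged user in the period, with a review priority.
    Returns {user: [(event, rating), ...]} in time order. Privileged users with no
    activity are still listed, so the reviewer attests that the absence was checked."""
    population = privileged_users(user_roles)
    report = {u: [] for u in sorted(population)}
    for ev in sorted(audit_log, key=lambda e: e.ts):
        if ev.user in population and period_start <= ev.ts <= period_end:
            report[ev.user].append((ev, rate(ev)))
    return report


def summarize(report):
    """Counts per review priority across the whole report."""
    return Counter(rating for items in report.values() for _, rating in items)


def march_2020_report():
    """Lookback over the constructed log for the constructed review period (March 2020)."""
    return lookback(AUDIT_LOG, USER_ROLES, datetime(2020, 3, 1), datetime(2020, 3, 31))


if __name__ == "__main__":
    rep = march_2020_report()
    for user, items in rep.items():
        print(f"{user}: {len(items)} change(s) to review")
        for ev, rating in items:
            print(f"  {ev.ts:%Y-%m-%d} [{rating:10}] {ev.table}.{ev.column} {ev.record}: "
                  f"{ev.old!r} -> {ev.new!r} via {ev.source}")
    print(dict(summarize(rep)))
```

Run against the constructed data, the report excludes ALEE (not privileged) and JSMITH's February change (outside the period), lists JSMITH's supplier bank account edit and the grant of Payables Manager to ALEE as sensitive, and puts DBA01's 50,000 journal line entered through direct SQL at the top of the pile. That last item is exactly the category of activity the SQL execution objects discussed above make possible, and it is invisible to any control that only looks at what the application forms allowed.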