Although not specifically reflecting EHS auditing professionals, the PCAOB conducted a study to review how well third party auditors did in complying with Auditing Standard No. 5 during 2008, the standard’s first full year of effectiveness. Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (“Auditing Standard No. 5”), was promulgated in response to the Sarbanes-Oxley legislation and is intended to address the practice of independent financial/accounting auditing professionals.
One of the main areas of PCOAB’s review of AS5 was how well auditors focused their efforts on the most important audit components, based on their identification/understanding of the risks posed. CFO Magazine said about the study that the PCAOB found
cases in which auditors didn’t identify variability in risk levels at a company’s different locations. Also, some audits did not consider how deficient controls could affect their risk evaluations.
Financial auditing has been highly regulated and scrutinized for many years – certainly much more so in the past 5 years. Yet even in light of that, financial auditors appear to need support and guidance in applying the concept of “risk” and the failure of risk controls.
The results of this study provoke thought for EHS auditors – how well versed are we on the concept of “risk” and the failure of risk controls?