The Financial Times reports that big four audit firms license audit work into their own audit client’s environments maybe a potential breach of UK industry best practice .
The article is based on research by software license consultancy Cerno.
Audit firms KPMG, EY, Deloitte and PWC are performing high value software audit work for their own statutory audit clients.
My view is that the big four audit firms could also be accused of having too many fingers in too many pies, performing statutory audits, performing software audits for software publishers, providing audit defence services, providing SAM managed services, managing strategic alliances with SAM tools, the list goes on.
Their flimsy and somewhat unprofessional response is to claim that “chinese walls” exist between different types of work. Yet it is common for customers to be audited for several different software publishers using the same audit firm.
To explain the research further, we’ll hear from Robin Fry from Cerno:
“The big audit firms are risking conflicts of interest by taking on mandates from the major software vendors – Microsoft, SAP, IBM – to search out evidence for legal claims against their own clients. The software license reviews which create the ‘Effective License Position’ inevitably result in claims for under-licensing.
However, many of these software license reviews are contaminated by conflicts from the auditor: a survey of public bodies carried out by Cerno discloses that KPMG and EY have, in the past, worked for Microsoft and SAP in establishing the evidence for under-licensing claims against bodies for which they are also the statutory auditors.
This raises issues as to independence, objectivity, conflict and regulatory breaches. There is a risk that PricewaterhouseCoopers and Deloitte are similarly conflicted and the Financial Reporting Council has been asked to investigate. The matter has also been raised with the Competitions and Markets Authority which launched its investigation into the audit sector last month.
As ITAM’s/CCL’s own research has exposed, the claims often result in highly confrontational disputes which, although rarely litigated, are overlaid with the possibility of litigation for contract breach or infringement of copyright. The prospect of the auditor acting, effectively, for both parties is an obvious and unacceptable conflict where the ensuing vendor claims are often subject to interpretation and uncomfortable negotiation.
Cerno has made 10 recommendations for audit firms to avoid these significant conflicts of interest. However, much evidence is missing and Cerno and ITAM are today launching their ‘No Conflict’ campaign.
If CIOs or organisations have been subject to a software audit with the vendor using any of KPMG, EY (Ernst & Young), Deloitte or PWC (PricewaterhouseCoopers) then they should check whether the relevant firm was also their statutory auditor .
Whilst the Financial Reporting council investigates this further, we are calling for evidence of any software audit where the auditor has also been the statutory auditor for the corporate or public body.
We need to collate this evidence so please send any information as to software audits, where the software vendor’s review partner was/is also acting as statutory auditor to the target customer, in confidence to email@example.com
THE REPORT ‘Sleeping with the Enemy’ is at www.cerno-ps.com.
Kudos to Cerno for shining light on this practice, sunlight is the best disinfectant.
About Martin Thompson
Martin is also author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management.
On a voluntary basis Martin a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
Learn more about him here and connect with him on Twitter or LinkedIn.