Conflict of Interest is the Root of Cheap Risk Assurance

One of the first things I learned when I crossed over to the auditing world from being an IT professional was that I needed to maintain my independence in fact and appearance.  As I audited my clients, I was to be objective, and always remember who I am really working for - the organization's stakeholders.  When process owners and management would challenge my findings, and pressure me to suppress them, I was comforted in knowing that I was ultimately working for the benefit of stakeholders who are interested in me doing my best as an auditor even if it upsets management in the process.  

I was, however, tempted many times to cut corners and not do a thorough job because I would get paid either way.  When I did a thorough job and uncovered weaknesses in an organization's processes, I was rewarded with grief from management.  When everything checked out and there were no issues, management was happy.  So my daily challenge was to fight the urge to do a mediocre job and give management a pass.  I knew that if I compromised my independence, I would not be representing the stakeholders' interest, but management's interest.  I would have compromised my independence for a paycheck because when it comes to outcomes of audits, there is a conflict of interest between management and stakeholders.

Last week I was shocked to learn that there are CPA firms providing Type 2 SOC reports for under $10,000.  I discussed this with several of my CPA firm partners and learned that SAS 70 reports (the predecessor of SOC reports) sometimes went for around $5,000.  That is what prompted my fake press release about $1,999 SSAE 16 reports from Ruse, Feaster, Coopers.  If CPA firms can do it for $5,000, then why not $1,999?  Why not throw in a free iPad 3 to the first 100 clients that sign up?  I had a record number of visits to my blog as a result, by the way.

So what are the circumstances that enable a sub-$10,000 SOC report to exist?  How can one CPA firm charge so much less than another one?  Here's my verdict as a non-authoritative bystander:

  1. When management gets to choose the CPA firm they use to obtain their SOC report, they are naturally motivated to use the lowest cost provider that will provide them an unqualified opinion.
  2. In a tough and competitive market, CPA firms are motivated to provide management a cost sufficient to obtain the SOC engagement, and still fulfill the minimum requirements set by the AICPA to pass their peer reviews.
  3. For whatever reason, stakeholders are not paying close enough attention to see if the CPA firms providing this cheap risk assurance did a thorough job of auditing management to mitigate their risk.  

It is my analysis that in running after greater market share, CPA firms providing cheap risk assurance have neglected stakeholders, and have cut corners, giving in to the temptations I described earlier.  Management is happy, and stakeholders are none the wiser.  This has created the current climate in the risk assurance market that promotes a race to the bottom to see who can provide the cheapest risk assurance.


  1. Many times, management wants CPAs & auditors just to demonstrate that things are checked. This short-sighted vision is served many times by the CPAs, who want to make sure they continue to get the work.

  2. Danny, thank you for the independent validation of what I have experienced. I think the problem is more widespread than anyone thinks.

