Sometimes, auditors are responsible for a serious risk continuing.
At Business Objects, I attended an audit committee (I was the VP, Internal Audit) when the two EY partners reported that their testing of internal controls had identified a serious weakness. They believed it was a “significant deficiency”, less severe than a material weakness that would have required assessing the system of internal control over financial reporting as ineffective. But it was sufficiently serious that it had to be disclosed to the audit committee.
Their report was met with silence from the board members, the CFO, and the Corporate Controller. I looked at the last two and we shared a look of surprise.
After getting a nodded “ok” from the audit committee chair, I turned to the two partners.
This is how the conversation went.
“Thank you for letting us know. Am I correct? Is the main risk here one of fraud?”
The partners hesitated.
“Yes, I believe that it is correct.”
“When did your team identify the control weakness?”
“A little over two months ago.”
“When did you inform management? I didn’t know and I don’t think either the CFO or Corporate Controller was aware of this until now.”
“I instructed the audit manager to tell local management about it yesterday.”
“It took you more than two months to…