Hacker News

My wife works in finance. The above explanation is completely untrue. Companies aren't scared of auditors. The auditors are scared of their clients. Only under extreme situations will an auditor turn around and fire a client. Usually they will find ways to work with them. So things like changing processes, especially for SOX, are non-issues.

There are thousands of public companies in the US, and they all have to endure SOX. It's a pain in the ass but it's not something to be feared. There are plenty of regulations that many companies need to go through that are less onerous than SOX.



The parent never said that companies are scared of auditors, merely that companies have developed processes that auditors have signed off on, and they become scared (I guess a better term might be "resistant") to change those processes because it's time and effort (aka money) to get those new processes approved (which might require some back and forth and iteration). This is absolutely true, and I don't find anything in the parent's post that's inconsistent with that.

From what I've heard from people at my company who deal with auditors, there's no fear or antagonistic relationship; both sides want a positive outcome (which shouldn't be surprising at all). But the cost of the audits and the cost to develop compliant process is real, and I wouldn't blame a private company for eschewing public markets to avoid having to deal with that, especially if they have enough access to private capital.


A more realistic framing would be to say that the auditors having accepted something gives a middle manager an excuse to not have to do something when you ask.

But here’s the thing; any company over a certain size is going to have internal compliance. Because that’s just good business; you want to know if money is walking out the back door.

Parent companies are still going to audit their subordinates; they don’t want the risk. Banks audit private companies before giving them loans. Investment bankers and private equity do the same. These auditors publish standards. So good internal controls processes will still be necessary, just for different reasons. If you want access to funding and resources, you had better be compliant.


>> both sides want a positive outcome (which shouldn't be surprising at all)

Well, it is surprising to me. In my country, when there is some audit by a government agency, be it the tax office or stock market regulators, the usual approach is that auditors won't rest until they find something against the company, some reason to fine it.

I think that auditors simply consider their time wasted if they come back to their office empty-handed (i.e. without fining the audited company).

There are many cases where the tax office made a company go bankrupt by first charging it with some crime, then blocking its accounts, then fining it. After a few years of lawsuits the company wins, the court finds them innocent and orders a refund of all the fines, but by the time this happens it is already too late: the company is long bankrupt.

So I think you are lucky to live in a country where auditors are this friendly :)


I think the parent is talking about periodic internal audits, i.e. conducted routinely, but you are referring to forensic audits, which are conducted occasionally when there is suspicion of wrongdoing (e.g. manipulated tax returns, inflated contracts etc).


> You literally can ask, why in the world do we do crazy procedures X/Y/Z? Because the auditors accepted it and we are too scared to change it.

I interpret it as the parent saying that they're afraid of making changes because they're afraid that the auditors won't sign off on it. "Scared" is a funny word to use when they could have called it a "pain in the ass", etc.


Fear of pain, hassle, loss, or discomfort is still fear. "Scared" is a perfectly acceptable word to use when someone decides not to do something they should do because they don't want to take a risk.


>There are plenty of regulations that many companies need to go through that are less onerous than SOX.

For example?


The simple act of complying with GAAP is much more onerous than SOX. Any finance person worth their salt can navigate SOX easily. Only inexperienced finance people have problems with SOX, but then again, similar things can be said about inexperienced programmers as well.


I'm afraid this illustrates how poorly informed you are - you clearly are not an accountant with significant experience (just saying). This goes doubly so of your wife - if this is her level of understanding that is very worrisome - the idea that she is licensed with this attitude is scary - it's what you don't know that can bite you.

Some facts for those that may read the above and get the wrong idea. EVERY major big four firm and their clients and all other major players have had great difficulty in this area. It's super painful because the question is not - are the numbers right - which pretty much everyone in accounting would understand putting efforts towards, but a very meta (and wide) question on systems getting to the numbers (which turns out to be subjective).

What's crazy is I can step back from this type of thing and without even going into a company spot lots of issues likely illustrating poor control or even worthy of enforcement action (actual enforcement) from the outside. Seriously, go to a consumer complaint website - if you see a ton of the same complaint it's worth a look.

This is why CFPB was such a powerful idea. Yes - they overreached slightly but 90%+ great work - and very focused on bad actors which was wonderful to everyone trying to do the right thing. Absolutely should have kept going with that idea.

Just a flavor... pay close attention to words like all and every which open up each item to huge scope - the auditor here picked a random month to test a system and actually went in person to a meeting where reconciliations were performed. Now repeat this 100x for each client. Every firm out there doing audits has had issues like this (many).

These are the MOST experienced people - so I laugh when I hear that "only inexperienced people" have problems.

KPMG:

A.1. Issuer A

In this audit, the Firm failed to obtain sufficient appropriate audit evidence to support its opinions on the financial statements and on the effectiveness of ICFR.

The Firm identified this manual control and certain other manual review and reconciliation controls as compensating controls, but failed to sufficiently test these controls. Specifically —

o To test the review and approval of changes to the financially significant applications, the Firm tested a sample of changes to determine whether they had been appropriately approved. The Firm's testing was not sufficient as ... its sample was limited to changes made in only one month (the third month before year end) and the Firm failed to consider whether this month was representative of changes made throughout the year.

o To test the manual review and reconciliation controls, the Firm obtained certain monthly operating review reports and reconciliations and attended certain monthly management meetings where the reports and reconciliations were discussed. The Firm's testing was not sufficient, as (a) it did not test controls over the completeness and accuracy of the data in the reports, and (b) it failed to test whether these controls identified all of the relevant issues for investigation and, if so, whether such issues were appropriately investigated and resolved.



