WEBVTT

00:00:06.300 --> 00:00:09.000
Leah is the new audit engagement partner for Estatewood,

00:00:09.000 --> 00:00:13.470
a private audit client. Christian, a managing director

00:00:13.470 --> 00:00:16.890
in advisory previously provided permissible gap analysis

00:00:16.890 --> 00:00:20.520
services to Estatewood, aimed to kickstart a desired upgrade

00:00:20.520 --> 00:00:24.150
of their Enterprise Resource Planning system. In response to

00:00:24.150 --> 00:00:27.750
KPMG’s high-level observations and recommendations,

00:00:27.750 --> 00:00:30.810
Estatewood requested assistance to address deficiencies

00:00:30.810 --> 00:00:33.480
noted in their current financial information system.

00:00:33.480 --> 00:00:37.320
Christian, excited to win more work with the client, reached

00:00:37.320 --> 00:00:39.540
out to Leah about possible service options.

00:00:39.540 --> 00:00:42.690
Christian: In speaking with Estatewood, I think we’re in

00:00:42.690 --> 00:00:44.970
a good position to provide design and implementation

00:00:44.970 --> 00:00:47.700
services to address those deficiencies in their financial

00:00:47.700 --> 00:00:50.100
information system that we spoke about.

00:00:50.100 --> 00:00:53.280
Leah: Hmmm… Because that system will be subject to our audit,

00:00:53.280 --> 00:00:56.940
those services would be impermissible. We can still support

00:00:56.940 --> 00:00:58.230
them though in finding a solution.

00:00:58.230 --> 00:00:59.860
Christian: How so?

00:00:59.860 --> 00:01:02.040
Leah: Well, your team can review some commercial off-the-shelf,

00:01:02.040 --> 00:01:05.670
“COTS” options and provide the pros and cons of each.

00:01:05.670 --> 00:01:08.280
Estatewood can then decide if one of the options would work for them.

00:01:08.280 --> 00:01:10.790
Christian: Don’t you think that scope is a little too high

00:01:10.790 --> 00:01:11.930
level for their needs?

00:01:11.930 --> 00:01:14.900
Leah: Once Estatewood chooses a commercial off-the-shelf

00:01:14.900 --> 00:01:18.110
software, we can configure and install it to fit their needs.

00:01:18.110 --> 00:01:21.860
Christian: Okay, I think that’s a viable solution. We’ll

00:01:21.860 --> 00:01:24.910
need to customize it a bit to fully address deficiencies.

00:01:24.910 --> 00:01:27.930
Leah: We can only configure the software; customizing would

00:01:27.930 --> 00:01:28.960
not be permissible.

00:01:28.960 --> 00:01:30.830
Christian: Most of the configuration should be pretty

00:01:30.830 --> 00:01:33.920
standard, so it’s not a big deal if we slightly customize

00:01:33.920 --> 00:01:36.950
the software in this case. Leah determines that to make an

00:01:36.950 --> 00:01:39.830
informed decision around the permissibility of the proposed

00:01:39.830 --> 00:01:43.250
services, she needs to collect information and connect with

00:01:43.250 --> 00:01:47.090
the Independence Group. After receiving their guidance, she

00:01:47.090 --> 00:01:50.180
decides to reframe the discussion with Christian to focus

00:01:50.180 --> 00:01:53.240
the scope of the engagement on what is permissible and in

00:01:53.240 --> 00:01:56.240
the best interest of both Estatewood and KPMG.

00:01:56.240 --> 00:01:59.390
Leah: With the right safeguards in place, there’s a lot we

00:01:59.390 --> 00:02:02.420
can do for private audit clients like Estatewood. But we

00:02:02.420 --> 00:02:05.450
need to be mindful of where the guardrails are. The

00:02:05.450 --> 00:02:08.300
difference between configuration and customization of a

00:02:08.300 --> 00:02:11.780
commercial off-the-shelf solution defines whether or not

00:02:11.780 --> 00:02:13.550
this work would be permissible.

00:02:13.550 --> 00:02:14.360
Christian: How so?

00:02:14.360 --> 00:02:17.750
Leah: Customizing the COTS software, which would entail

00:02:17.750 --> 00:02:20.900
writing any code that isn’t already incorporated into the

00:02:20.900 --> 00:02:24.380
financial system or is outside its original functionality

00:02:24.380 --> 00:02:27.290
would result in providing impermissible design and

00:02:27.290 --> 00:02:30.770
implementation services of a financial information system.

00:02:30.770 --> 00:02:31.760
Christian: That makes sense.

00:02:31.760 --> 00:02:35.360
Leah: I’m glad because customization, even if it was only

00:02:35.360 --> 00:02:39.380
minimal, would result in an independence violation. If that

00:02:39.380 --> 00:02:42.590
occurred, Those Charged With Governance might lose trust in

00:02:42.590 --> 00:02:46.460
KPMG’s ability to maintain our independence and we could

00:02:46.460 --> 00:02:50.330
lose not only future advisory work but our audit work.

00:02:50.330 --> 00:02:53.450
Estatewood could be required to find an alternative audit

00:02:53.450 --> 00:02:54.170
service provider.

00:02:54.170 --> 00:02:57.870
Christian: So, I guess a little bit of customization would

00:02:57.870 --> 00:03:02.040
be a big deal! I’m just concerned that Estatewood’s needs

00:03:02.040 --> 00:03:04.770
may be too specific for this type of rigid solution.

00:03:04.770 --> 00:03:08.040
Leah: Well, in discussing this with Independence, they

00:03:08.040 --> 00:03:11.340
illustrated many different ways a system can be configured

00:03:11.340 --> 00:03:12.270
to benefit the client.

00:03:12.270 --> 00:03:15.510
Christian: You make a good point. I guess I was so focused

00:03:15.510 --> 00:03:19.170
on the design aspect of the proposed service that I didn’t

00:03:19.170 --> 00:03:21.870
think of all of the configuration capabilities already baked

00:03:21.870 --> 00:03:22.740
into the software.

00:03:23.740 --> 00:03:25.980
Leah: That’s great to hear. If you’re in line with this

00:03:25.980 --> 00:03:28.890
solution, I would be okay with you submitting this proposal

00:03:28.890 --> 00:03:32.310
to Estatewood. Just be aware that as you move through the

00:03:32.310 --> 00:03:35.670
engagement, you must always act based on the configuration

00:03:35.670 --> 00:03:38.310
decisions of Estatewood management and not our

00:03:38.310 --> 00:03:41.670
determinations. They must make all the management decisions,

00:03:41.670 --> 00:03:42.840
reviews, and approvals.

00:03:42.840 --> 00:03:45.750
Christian: Understood. So they will have to assume all

00:03:45.750 --> 00:03:47.370
management responsibilities, correct?

00:03:47.370 --> 00:03:50.430
Leah: Yes, they’ll also need to designate an individual to

00:03:50.430 --> 00:03:53.940
oversee the service, evaluate the adequacy of the service

00:03:53.940 --> 00:03:57.420
results and accept responsibility for the results.

00:03:57.420 --> 00:03:59.730
Christian: Okay, so that’s how we safeguard against the

00:03:59.730 --> 00:04:01.350
threat of performing a management function?

00:04:01.350 --> 00:04:04.707
Leah: Well, those are general requirements. To safeguard

00:04:04.707 --> 00:04:08.201
against that threat, your team should maintain documentation,

00:04:08.201 --> 00:04:11.524
such as meeting minutes and emails, to illustrate that you

00:04:11.524 --> 00:04:15.018
implemented configuration in response to decisions made by

00:04:15.018 --> 00:04:18.340
Estatewood, and adhered to the general requirements. I can

00:04:18.340 --> 00:04:21.662
also review deliverables before the team provides them to

00:04:21.662 --> 00:04:22.350
the client.

00:04:22.350 --> 00:04:24.893
Christian: That makes sense. We can do that. I’ll also

00:04:24.893 --> 00:04:27.480
schedule status updates with you throughout the engagement.

00:04:27.480 --> 00:04:30.411
Leah: Great! We’ll need to loop in Estatewood management

00:04:30.411 --> 00:04:33.495
and Those Charged With Governance to be sure they understand

00:04:33.495 --> 00:04:36.528
the independence considerations. After that, if you document

00:04:36.528 --> 00:04:39.308
the possible threats and safeguards within your

00:04:39.308 --> 00:04:42.341
Sentinel request and we have monthly touchpoints, I feel

00:04:42.341 --> 00:04:44.970
good about proceeding with the work for Estatewood.

00:04:44.970 --> 00:05:01.376