June 04, 2009

Auditor(s) to be held to account? - CardSystems and Savvis

Duane points to a Wired report that Savvis has been sued (also /., 1, 2). Savvis was the Auditor of the ill-fated payments operator CardSystems that was breached heavily, lost huge amounts of privacy data, and went bankrupt.

This is significant. The audit business has invaded the IT field, now dominating the quality aspects with a stamp of approval over security and governance of all forms. I'm in one myself (at least today, not sure about tomorrow). The way it works is that we check the systems according to some metrics like criteria, management's disclosures, and other things that are called variously best practices (worst case) or common sense (better) or core competences (best case). Then we write up an opinion. Then others attempt to use that opinion in some sense or other:

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor’s report.

In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

The problem arises when something goes wrong -- see last week's post on the inverted pyramid. Is the auditor responsible for failure, and how much? The issue is murky, and here are two extremes:

One view has it that the auditor's opinion is relied upon by others and that this is a fiduciary responsibility before the courts, deriving from the history and tradition of financial audits. These latter hold a privileged place in the legal system; others can rely on audits over financial statements, and they can sue the auditor if there were issues. This then applies to systems audits.

A completely contrary view is that the auditor provides a useful service for whoever asks for it, and writes a limited opinion to that person. Others rely at their peril. The opinion is written in internal language, with limitations of liability, over a snapshot of time, and would not be a sound basis for reliance. The tests are closely guarded secrets, the interpretations are interesting but not revealed, and there is absolutely no indication in the process that it is oriented to the needs of the public. That is, an audit is worth practically nothing to any outsider (and insiders don't need it because they can see what's there themselves).

My view is explored in the "Audit" series of essays (1, 2, 3). However the ultimate call may come before the judge, and whichever way it goes, I suggest it is bad news for the audit business.

“We’re at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it,” says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School who specializes in information security issues. “For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits.”

If the court rules that the auditor can be sued, and did wrong ... then the results will ripple through the field. Auditors will reach further into their bag of tricks to cover their backs, which will make audits more difficult to rely upon. This can be seen as an economic result, because the court's adverse ruling will likely break the firm that did the audit. No other audit firm will like that scenario of a random bankruptcy event, and we even have the data point to show it: walk the line from Arthur Andersen to Sarbanes-Oxley to the global financial crisis.

In contrast, if the court rules that the Audit cannot be relied upon, then it is game over. Once a court rules that the process is not to be relied upon, then relying parties don't need it. The audit business collapses. Maybe we need to change jobs before the exodus...

Posted by iang at June 4, 2009 07:13 AM

I think you needed to read a few of the comments on /., specifically that audits are snapshots in time. One of the examples given was someone auditing an elevator that subsequently fails because they failed to notice/care that the main cable was frayed. This would be a clear case of negligence. If, on the other hand, the auditor was shown a working fail-safe brake/mechanism that was removed after the audit, the auditor isn't liable because everything was sound at the time of the audit.

The trick here will be the bank proving that the auditor was aware of a problem but failed to note it in the audit, or something to that effect. The bank will have to prove negligence by the auditor, which goes beyond "there was a failure": it had to be a known issue, and the auditor did nothing about it to the extent their job permitted.

Posted by: Duane (slashdot) at June 4, 2009 07:47 AM

@Duane - It's so difficult to tell in print - was your suggestion that we go to Slashdot for insight real or full of sarcasm?

Posted by: Alex at June 4, 2009 09:28 AM

Hi Ian,

I still have to meet the company which actually relies on an auditor's (or accountant's, for that matter) judgement on the company's health, whether that health concerns the financial state of the company or the integrity of the information system security. The only purpose of the auditor's "clean bill of health" is to demonstrate due diligence to an outsider.

But now I've "met" them. Thank you for this valuable piece of information.

Posted by: Twan at June 6, 2009 07:35 AM

If one were to read the contract between the auditor and the client and reference it to the industry standards for such an institution, one could in theory trace the avoidance of liability the auditing industry has devised for its protection. These sublime uses of language and subtle turnings of phrase have real implications that, when backed by a body of law, predict the outcome, which will be a settlement that neither denies nor affirms the liability of the auditing firm in the debacle.

It is clear that the client-contractor relationship brings risk, but if one looked at the Errors and Omission Insurance premiums versus the settlement amounts one could easily see a path to profitability for the Insurance Underwriter and the Auditing firms.

It is clear after years of debacles the cosmetic appearance of transparency coupled with a fraudulent heavily-lobbied body of law renders a flawed and deceptive representation of the companies' actual condition, processing regime, and security. These flaws are part of the system itself, not something provided for in the rule of law and as such present a dilemma with no solution.

At one time consumer reviews could have saved this flawed regime, but they have gravitated into the realm of satisfaction standards rather than efficacy. The only hope is to reorganize to an independent body of oversight, one that is common within the intra-banking world, whereby they judge each other as either safe or unsafe to deal with. The Credit Default Swap market exposed the previously unstated soft under-belly of risk, so another type of market must be presented: a Security Risk Premium Market, whereby a financial response (i.e. higher premiums) will be the risk/reward to a company with a flawed process, regardless of what the auditors have to say.

The genesis might be a faux market with notional prices that are applied directly to specific industry participants. The result will be scandalous if an institution is identified and then later faces hacked charges. If the market participants are anonymous, then the actual hacker community might participate, which would bring an informed body to the table and present a more robust environment from which to learn.

As it stands now the monetary settlement will mask the actual shortfall in the auditing regime and the internal controls with no lessons learned and no knowledge passed on to avoid the same debacle.

Posted by: Jimbo at June 6, 2009 08:41 AM

Right on Jimbo!

Unless there is opportunity for someone to make money consistently by finding Security Risks (and I don't mean by fraudulently exploiting them :-) such occurrences will continue...

Posted by: AC2 at June 10, 2009 03:12 AM