Duane points to a Wired report that Savvis has been sued (also /., 1, 2). Savvis was the Auditor of the ill-fated payments operator CardSystems that was breached heavily, lost huge amounts of privacy data, and went bankrupt.
This is significant. The audit business has invaded the IT field, now dominating the quality aspects with a stamp of approval over security and governance of all forms. I'm in one myself (at least today, not sure about tomorrow). The way it works is that we check the systems according to some metrics like criteria, management's disclosures, and other things that are called variously best practices (worst case) or common sense (better) or core competences (best case). Then we write up an opinion. Then others attempt to use that opinion in some sense or other:
When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor’s report.
In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.
The problem arises when something goes wrong -- see last week's post on the inverted pyramid. Is the auditor responsible for failure, and how much? The issue is murky, and here are two extremes:
One view has it that the auditor's opinion is relied upon by others and that this is a fiduciary responsibility before the courts, deriving from the history and tradition of financial audits. These latter hold a privileged place in the legal system; others can rely on audits over financial statements, and they can sue the auditor if there were issues. This then applies to systems audits.
A completely contrary view is that the auditor provides a useful service for whoever asks for it, and writes a limited opinion to that person. Others rely at their peril. The opinion is written in internal language, with limitations of liability, over a snapshot of time, and would not be a sound basis for reliance. The tests are closely guarded secrets, the interpretations are interesting but not revealed, and there is absolutely no indication in the process that it is oriented to the needs of the public. That is, an audit is worth practically nothing to any outsider (and insiders don't need it because they can see what's there themselves).
“We’re at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it,” says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School who specializes in information security issues. “For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits.”
If the court rules that the auditor can be sued, and did wrong ... then the results will ripple through the field. Auditors will reach further into their bag of tricks to cover their backs, which will make audits more difficult to rely upon. This can be seen as an economic result, because likely the court's adverse ruling will break the firm that is doing the audit. No other audit firm will like that scenario of a random bankrupcy event, and we even have the data point to show it: walk the line from Arthur Andersen to Sarbanes-Oxley to the global financial crisis.
In contrast, if the court rules that the Audit cannot be relied upon, then it is game over. Once a court rules that the process is not to be relied upon, then relying parties don't need it. The audit business collapses. Maybe we need to change jobs before the exodus...Posted by iang at June 4, 2009 07:13 AM | TrackBack