I think you needed to read a few of the comments on /.; specifically, audits are snapshots in time. One of the examples given was someone auditing an elevator that subsequently fails because they failed to notice/care that the main cable was frayed. This would be a clear case of negligence. If, on the other hand, the auditor was shown a working fail-safe brake/mechanism that was removed after the audit, the auditor isn't liable because everything was sound at the time of the audit.
The trick here will be the bank proving that the auditor was aware of a problem but failed to note it in the audit, or something to that effect. The bank will have to prove negligence by the auditor, which goes beyond "there was a failure": it had to be a known issue, and the auditor did nothing about it to the extent their job permitted.
@Duane - It's so difficult to tell in print - was your suggestion that we go to Slashdot for insight real or full of sarcasm?
Hi Ian,
I still have to meet the company which actually relies on an auditor's (or accountant's, for that matter) judgement on the company's health, whether that health concerns the financial state of the company or the integrity of the information system security. The only purpose of the auditor's "clean bill of health" is to demonstrate due diligence to an outsider.
But now I've "met" them. Thank you for this valuable piece of information.
Posted by Twan at June 6, 2009 07:35 AM
If one were to read the contract between the auditor and the client and reference it to the industry standards for such an institution, one could in theory trace the avoidance of liability the auditing industry has devised for its protection. These sublime uses of language and subtle turnings of phrase have real implications that, when backed by a body of law, predict the outcome, which will be a settlement that neither denies nor affirms the liability of the auditing firm in the debacle.
It is clear that the client-contractor relationship brings risk, but if one looked at the Errors and Omissions Insurance premiums versus the settlement amounts, one could easily see a path to profitability for the Insurance Underwriter and the Auditing firms.
It is clear after years of debacles that the cosmetic appearance of transparency, coupled with a fraudulent, heavily-lobbied body of law, renders a flawed and deceptive representation of the companies' actual condition, processing regime, and security. These flaws are part of the system itself, not something provided for in the rule of law, and as such present a dilemma with no solution.
At one time consumer reviews could have saved this flawed regime, but they have gravitated into the realm of satisfaction standards rather than efficacy. The only hope is to reorganize to an independent body of oversight, one that is common within the intra-banking world, whereby they judge each other as either safe or unsafe to deal with. The Credit Default Swap market exposed the previously unstated soft under-belly of risk, so another type of market must be presented: a Security Risk Premium Market, whereby a financial response (i.e. higher premiums) will be the risk/reward to a company with a flawed process, regardless of what the auditors have to say.
The genesis might be a faux market with notional prices that are applied directly to specific industry participants. The result will be scandalous if an institution is identified and then later faces hacking charges. If the market participants are anonymous, then the actual hacker community might participate, which would bring an informed body to the table and present a more robust environment from which to learn.
As it stands now the monetary settlement will mask the actual shortfall in the auditing regime and the internal controls with no lessons learned and no knowledge passed on to avoid the same debacle.
Posted by Jimbo at June 6, 2009 08:41 AM
Right on Jimbo!
Unless there is opportunity for someone to make money consistently by finding Security Risks (and I don't mean by fraudulently exploiting them :-) such occurrences will continue...