Industry View

Sue the Auditor and Shut Down the Firm

Irresponsible auditors deserve a harsh fate, and irresponsible auditees deserve a legal injunction, say Ben Rothke and David Mundhenk

By Ben Rothke and David Mundhenk

July 09, 2009 —

The recent news of CardSystems Solutions suing their auditor, Savvis Inc., created a storm of activity in various circles. The Merrick Bank v. Savvis lawsuit has the potential to significantly change the dynamics of legal liability regarding information security audits.

Attorney David Navetta writes that the Merrick Bank complaint alleges it relied on Savvis' certification of CardSystems as Visa CISP compliant (this matter pre-dated the PCI DSS standard), and that certification was false. After CardSystems suffered a breach exposing up to 40 million payment card records, Merrick allegedly incurred $16 million in payments to the card brands (which was ultimately transferred to issuing banks who suffered losses arising out of the CardSystems breach).

Whether or not Savvis -- or Merrick Bank for that matter -- are culpable is a matter for the legal system to decide. That said, having done hundreds of audits, the writers of this article are all in favor of incompetent auditors and auditing firms being held liable for their ineptitude. We agree that their auditing certifications should be revoked, and the auditors themselves should be required to take the requisite courses to ensure that audits they perform in the future, once they are recertified, are indeed appropriate.

Also see A Tale of Two PCI Audits

We would also like to suggest that any future litigation hold the firms and businesses for which the audits were performed to the same level of responsibility. Specifically, when an audit is done and there are negative findings, a clock should start ticking for the audited firm in which it has a limited, yet reasonable (months, not years), amount of time in which to remediate the findings.

We can attest to being at client sites over a course of years where audits were done, the findings ignored, an audit repeated, and the findings again ignored, year after insecure year.

The real story is that any client such as the one described above who blames their auditor for failing them is only shooting themselves in the foot. So what is this thing called an audit? Our dictionary defines audit as a methodical examination or review of a condition or situation. (Editor's note: See Jennifer Bayuk's IT Audit: The Basics.) As security professionals, we tell the client what their exact security state it is at any given time. While management may not know their exact state, they should know their general state.

Any CEO who is astounded by negative findings resulting from an information security audit is quite possibly derelict in their duties. That CEO should have a competent CISO or some other executive level person(s) (e.g., CSO, CRO) advising them on known or suspected information security issues. Assuming that such a corporate function exists, there will usually be findings after an audit, but there should be no surprises. Properly managing risk to corporate assets is a vital part of conducting business, and critical information assets should be protected just like any other corporate asset. It is incumbent upon C-level executives to remediate all known risks to all corporate assets.