CPAs are Not Fraud Auditors or Security Professionals
I am frustrated with two forms of over reach by the accounting profession. One is the public and many professionals view auditors and CPAs as some sort of Good House Keeping seal of approval on the financial state of a business and that the business is somehow more compliant. The second is the accounting professions creep into areas they do not belong, in particular any work on SAS 70 k/n/a SOC 1, 2 and 3 reports. Audited financial statements are not guarantees against fraud.
The audit opinion is intended to provide reasonable assurance that the financial statements are presented fairly, in all material respects, and/or give a true and fair view in accordance with the financial reporting framework. The purpose of an audit is to enhance the degree of confidence of intended users in the financial statements.
Does it say, “guarantee”? No, it does not. Does it say the auditors checked each and every expenditure to insure it is both accurate and non-fraudulent? No, it does not. The audit addresses the financial reporting framework and tests of the reporting framework are applied. If the numbers being fed into the system are gamed and gamed well, as we have seen time and time again, the audit will not catch the phony numbers, and this is OK. The courts have rarely held accounting firms liable for losses that occurred from these all too familiar management frauds. Accounting firms have been held liable when their errors are either blatant or they are complicit in a conspiracy of chicanery. Audited financials are not a guarantee against fraud and the public and the professionals ought to get that through their/our heads and adjust our expectations and practices.
In case you forgot audited financial statements are not a guarantee against fraud, let these cases remind you of the value of audited financial statements; Xerox and KPMG 1997-2000, World Com/MCI, Tyco International, Phar-Mor, Lernout & Hauspie, Health South, Clearstream Affairs, Bristol Myers Squibb, Bre-X and Parmalet.
CPAs have Zero tradecraft in Security
While the (Service Organization Control) SOC 1 report is mainly concerned with examining controls over financial reporting, the SOC 2 and SOC 3 reports focus more on the pre-defined, standardized benchmarks for controls related to security, processing integrity, confidentiality, or privacy of the data center’s system and information. SOC 2 examines the details of data center testing and operational effectiveness. (Old form was a SAS 70 Audit)
SSAE 16 audit was established to verify data center operational and security excellence.
I got it, the accounting professional wants to make the world a better place and sees a need for these types of audits/assurances. However, based upon the appalling data breaches by companies who possessed SAS 70, SSAE 16 and SOC 2 and 3 audits report assurances – they do not yet have a handle on either security or the security of data processing centers. I have no problem with CPA’s not being either a licensed security professional or an expert on data centers. I do have a problem with them declaring themselves experts and issuing opinions and thus assurances on security. The security of a data center is a very big thing and involves many tests and questions that only a data security expert will possess the tradecraft to properly ask and seek solid answers to those questions. For example, a data center was located in a building on a property adjacent to a refinery. When the refinery blew up so did the data center. This event was nowhere on the SAS 70 list of issues. And while it was a very secure datacenter when standing, when blown up – it did not function and the data center’s business continuity plans were insufficient to the task.
These types of audits and assurances are matters for the talents for accredited credentialed security professionals such as CPP a Certified Protection Professional conferred by American Society for Industrial Security (ASIS) as well as a CISSP a Certified Information Systems Security Professional and or a Systems Security Certified Practitioner (SSCP) conferred by The International Information Systems Security Certification Consortium ((ISC)2) – these are professionals saturated in the deeds and knowledge of their profession.
In case you forgot, let these cases remind you of the value of SAS 70, SOC 2&3 and SASE 16 audits; Accendo, Global Payments, Affinity Health Plan, Discover Card, AvMed, Inc, Emory Health Care and Health Net, Inc.
Security of data of firms providing core functions to public companies are real needs that need to be addressed by real professionals providing authoritative audits and assurances. The APPROPRIATE credentialed professionals are not CPAs. CPAs do themselves a disfavour when they pretend to know security for buildings, computers systems and or data centers. People actually rely and make choices based upon these audits performed by CPAs when the CPA profession clearly cannot deliver a creditable end product. Their mere familiarity with the issues and a desire to do good is demonstrably insufficient. Thus, it appears to me to be nothing but an exercise in credential creep by the accounting profession to bill more hours, that in the end will generate more litigation, litigation that the accounting firms will loose and rightly so.
In the end – we still must do our homework ourselves. While it is necessary to rely on the insights and knowledge of experts, audits do not address fraud and CPAs have no credentials in physical security, computer networks or data centers. Just because one has a Doctorate in Economics does not mean that one should apply for privileges at a hospital.
PDF Version – IFC-Review-Novemner-2012-CPAs-