Recent news that PwC (PricewaterhouseCoopers LLP) has agreed to pay US$7.9 million in fines to settle U.S. Securities and Exchange Commission charges that it violated auditor independence rules and engaged in improper professional conduct should be a wake-up call for anyone hiring an audit firm. Although PwC has not admitted or denied any wrongdoing, it has agreed to a payout which includes a $3.5 million civil fine, plus more than $4.4 million of disgorgement and interest.
What did PwC do? And why is it important for auditors to remain independent?
PwC not only implemented a GRC system for an unnamed client but conducted the audit as well. Although PwC could develop and implement a GRC tool for its client, it would not be acting impartially if it then proceeded to do the audit too. The AICPA (American Institute of CPAs) has a code of conduct which speaks specifically about the objectivity and independence of the CPA. The AICPA code states: “Independence of mind is the state of mind that permits a member to perform an attest service without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.”
It’s a bit like writing your own English essay in school and then grading it yourself. There is clearly a conflict of interest. PwC could develop and implement a GRC tool for a client, and it could also audit a client, but it cannot do both for the same client.
Another recent example of the need for an independent auditor is the KPMG scandal, where a KPMG partner pleaded guilty to getting advance notice of an audit. Compare this to a student getting the exam questions ahead of time, fixing his or her mistakes, then handing in the paper. Clearly there was a conflict of interest and a breach of integrity and independence.
Following these incidents at PwC and KPMG, there is definitely a lesson to learn if you are considering an audit partner for your company. Make sure you have independent firms preparing and auditing your company. If the same firm offers to both help you prepare and audit you, that is a red flag!
Many people know Ostendio MyVCM as an Integrated Risk Management software platform. But as a company, we help our customers prepare for many types of security audits. Our software helps customers demonstrate that they are able to maintain an effective security posture. However, we do not conduct formal audits or publicly attest to the compliance of an organization to any standard or regulation. Instead, Ostendio partners with fully independent and certified assessors who will independently attest as to whether a customer has met the standard or not.
This process makes sure we are held to account, because independent third parties are rigorously examining the output of our software and services. With this in mind, our customers can be confident that the support we provide will stand up to the independent scrutiny that comes with an audit.
Ostendio is happy to recommend one of its independent audit partners based on your audit needs. Alternatively, we will work with your preferred auditor if you already have one selected.
Need advice on how to choose an audit firm? In a recent blog post, Jermaine Jones, Ostendio COO wrote about 6 key things to consider when choosing an audit firm. Included in his list were their affiliation with AICPA, their experience in your field and whether they are a reputable firm.
Want to talk to us about our Audit Partners or learn about the Ostendio MyVCM Platform? Schedule a demo and we can do both.