Equifax Inc. management and its board are facing heat from Congress, the media and consumers over the hack of the personal information of 143 million consumers and the company’s delay in disclosing the breach to the public.
So far, the company’s chief executive and two other senior managers have retired as a result of the hack.
The Equifax auditor, however, has largely escaped scrutiny.
A company’s external auditor is supposed to be an objective independent watchdog, the first line of defense for shareholders and the public when company executives and the board fail to protect them.
Equifax’s auditor, Ernst & Young (EY), is primarily responsible for providing an opinion for its shareholders on whether the annual and quarterly financial reports the company files with the Securities and Exchange Commission present the company’s numbers fairly and in compliance with generally accepted accounting principles.
However, before EY even thinks about reviewing and testing the numbers, it must make sure that company executives set the right “tone at the top” about controls, including controls over its IT systems, to ensure Equifax is protecting its biggest asset—the consumer information it sells to banks and other organizations, which generates most of its revenues.
Rani Hoitash, Ph.D., a Bentley University professor of accounting who is also a certified information systems auditor, told MarketWatch that the largest global audit firms, backed by the AICPA’s Center for Audit Quality, a trade association, say that an assessment of cybersecurity risks is outside the scope of a financial statement audit and an audit of internal control over financial reporting (ICFR) under the applicable auditing standards.
“Auditors, however, are required to look at policies and practices related to financial reporting-related information technology systems and data early in the annual audit process,” said Hoitash.
“If poor practices related to access controls or patch management are detected,” added Hoitash, “they may not be confined to one system because these general IT controls are not typically managed or controlled separately.”
A pattern emerges
Equifax disclosed on September 7 that criminals had exploited a flaw in a public-facing website to gain access to consumer data. Brian Krebs, a freelance reporter on technology and information security, was surprised at the extent of the hack.
“That the intruders were able to access such a large amount of sensitive consumer data via a vulnerability in the company’s website suggests Equifax may have fallen behind in applying security updates to its Internet-facing Web applications,” he wrote on his blog KrebsOnSecurity.com.
KrebsOnSecurity had already reported in May that fraudsters had exploited lax security at Equifax’s TALX payroll division, which provides online payroll, HR and tax services. And on September 12, Krebs reported that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers was wide open, protected by perhaps the most easy-to-guess password combination ever: admin/admin.
EY was already aware that the SEC had scrutinized Equifax for inadequate disclosures of its cyberrisk and poor overall disclosure controls. That’s based on correspondence reviewed by MarketWatch between the SEC and the Equifax CEO and CFO dating from 2011 to 2014.
In January of 2014, the SEC asked Equifax’s CEO about inadequate disclosures regarding a material weakness in internal controls over financial reporting in 2013. In its response Equifax provided the SEC with a detailed timeline of its evaluation of the control weaknesses—and concluded that its interim quarter disclosure controls were also ineffective.
(EY audit partner for Equifax, Joseph King, was copied on the response to the SEC from the company’s controller, along with the rest of the company’s top executives.)
In September of 2012, Equifax was asked to add more information in future filings about cyberattacks, security breaches or other similar events it had experienced in the past, in order to “provide the proper context” for the disclosure. The company agreed to add the additional detail, including the statement that it had “not experienced any material breach of cybersecurity” but that if such incidents should occur it would potentially compromise Equifax’s networks and the information stored there could be accessed, publicly disclosed, lost or stolen.
The Ernst & Young audit partner was not copied on the 2012 correspondence, but it is standard practice for the auditor to review any correspondence between the company’s top executives and the SEC as part of its annual audit process.