@denbesten wrote:Silicon Valley Bank failed just 14 days after KPMG LLP gave the lender a clean bill of health. Signature Bank went down 11 days after the accounting firm signed off on its audit."
Makes me wonder what I purchase when I have somebody audit my security practices.
I've confronted this issue on multiple levels - as a board member, member of management, consultant working for an auditor, etc. I can tell you the fundamental problem is that the different stakeholders work under different assumptions about the scope and purpose of an "audit." It's one of those "emperor has no clothes" syndromes where at the top-most level of organizations, people aren't asking the most important question: "What's the point of this?"
For example, the way an auditor defines "risk" is different from the way an investment officer defines it, and that is still different from the way an information security officer does it. To me, an audit letter is like the inspection sticker on your car. It says you passed a rather superficial inspection, but it makes no statement on how the vehicle is being driven or under what conditions. To carry this analogy to a board, a board will interpret that inspection sticker to mean not only that the vehicle is "safe" (no, all it did was pass inspection) but also that it will be safe under all conditions (no, the greater concern should be the behavior of who is behind the wheel).
