Audits in general are such a joke. Rubber stamping and checks done by students or graduates who barely understand what they are doing. And even if they detect something, it is considered as not material and ignored.
From a business perspective the auditors are clueless.
I don't claim that audits are bad, they are very needed. But the execution in many ways is so poor.
I once worked at a small pen-testing firm that also conducted PCI DSS compliance tests, and I can confirm that this is an accurate depiction of the industry. A majority of the staff were recent grads, and it was disheartening to see that most clients were primarily interested in obtaining the compliance certification rather than genuinely improving their product security. This, in turn, creates a perverse incentive for auditors to grant compliance, as clients who don't get the desired outcome may simply switch to a different auditor. In such a setup, it's difficult to ensure that security standards are genuinely upheld. On a positive note, these compliance tests do help in making sure that card data isn't stored in plaintext, but beyond that, the overall impact on security seems rather limited.
Not financial sector, but in my own experience working in tech consulting partnering with large management consulting firms in the past, security was the last thing to get checked and the first thing to be neglected.
Sure there were some "bare minimum" things that were expected to be upheld, like passwords not being in plain text, but come time for a security audit it was exactly as you say. Not done out of genuine interest in security but as a rubber stamp of items to be able to show the client "look we did this".
Not even joking when I say that the development plan for most of these projects basically just tacked on a few days in the last week for "security improvements" alongside things like "tech debt" rather than it being a top of mind thing for the entire development process.
I worked at a company that had to deal with EY as a part of a tech certification. The auditors barely knew why they were being sent over. Our managers and techs had to explain the process to them and assure them the numbers in the report were correct. The auditors happily accepted that, and then charged around 100k. Top job.
> From a business perspective the auditors are clueless.
Hey! I used to be a young IT grad helping with financial audits.
If it helps, I was young and clueless and frequently I still figured out more about the business processes I was auditing than the client employees taking care of them every day :-p
From my experience, you're the exception, not the norm.
Many audits and compliance frameworks have so many loopholes and DIY rulings that basically anything is possible and acceptable as long as whatever you're doing is written beforehand.
Well, I'm not talking about everything, or the high level picture.
But I was checking what were called "IT controls" for their systems and a lot of that stuff was straightforward and yes, it did involve some rubber stamping, but a lot of it made sense: "Do you have a written approval process for adding users to this sensitive system?". "Can you show us how you mitigate not having a written process?".
And it wasn't super rare that, besides the fact that they didn't have the thing I asked for, sometimes I couldn't even get them to understand why it would be a good idea.
All audits should be disclosed in giant black letters on the front: “PAID FOR BY THE AUDITED COMPANY”
The conflict of interest in external audit is absurd. It’s similar to securities rating agencies being paid by the issuing company to rate the instruments.
The audited company often buys consulting services from the auditors, which in effect is an extra incentive on top of the money paid for the auditing service. The mechanism that allows this is the ‘Chinese wall’, but that is a total joke. What really needs to happen is to separate out consulting from auditing. That’s not going to happen though, as there is just so much money in consulting.
Audits can be very expensive, and finding the optimal depth of auditing is difficult; it is unlikely that a public trust would be anywhere close to the optimum amount. Financially savvy people should already know that the audit process is flawed and should not simply be accepted at face value. How flawed is usually stated in the audit: checks are split into controls testing and substantive testing. Usually the cheaper the audit, the less substantive testing is done. People need to trust audits less, not more. If an organization is unable to pass an audit then it’s a really bad sign; if they have to hire EY to pass an audit then that is also a bad sign.
Also, have you ever tried to stop something that makes a ton of money? It is damn near impossible. If governments had that much power, the people who would lose their money have a very strong incentive to invest a large portion of that money into regulatory capture. So any solution that uses government must be predicated on a non-corruptible government, which does not exist, at least not for very long. A variation of auditor’s prudence. A lot of our traditions and institutions that are resistant to corruption were designed and maintained that way to support wealth extraction via expansive empires, as you can’t export wealth if it all disappears into corruption. And empires must export wealth from colonies in order to compete with other burgeoning empires. Without such an empire to support it, the resistance to corruption erodes as the mechanism to reward those who eschew corruption disappears. It becomes increasingly difficult to acquire power without first being corrupt.
Here’s a counter example: going public. The SEC does a deep probe, one that has material teeth, and “yes” isn’t a foregone conclusion. Surely the SEC is subject to these forces? Another example is merger approval, along with antitrust and other regulations. This is a very deep process, clearly with a lot of extremely powerful money on the line. Or another, tax collection. Fact is, there’s actually a lot of examples of effective controls on business, especially when financial crimes or malfeasance are the target. The laws are particularly sharp in the finance world compared to, say, food safety or other regulatory areas that are clearly captured.
The laws are only sharp in the finance world because it is more profitable for it to be that way, which I think prevents it from being a counter example. Take, for example, the Positive Accounting Theory of Watts and Zimmerman, which seeks to explain actual accounting practices as opposed to academic accounting practices. One of their findings was that due to the costly signaling nature of audits, some companies will do more extensive audits than would otherwise be standard or even optimal. There is value in trust, and that value can be captured in the form of decreased cost of debt from lenders and an increase in stock price. Without trust the whole financial industry implodes, and that would be bad for just about everyone in finance and especially bad for those making the most money from it.
Which in turn creates the issue of how to keep this trust truly independent. There have been successful long term campaigns to wrest control of supposedly independent bodies and align them with special interest groups.
Today they’re explicitly not independent, that seems specifically worse. There are also examples of highly effective regulators. Financial services is actually replete with them.
As a former CPA/External Auditor this fact confused me the most. No amount of disclosure will avoid the reality that the food on my table (audit fee) depends on the clients I am supposed to be impartial to. This system seems blatantly idiotic to me.