On 14/1/09 15:35, Michael Ströder wrote:
> David E. Ross wrote:
>> On 1/3/2009 6:51 PM, Ian G wrote:
>>> It was written:
>>>> But aren't auditors the eye of the public performing and recording those
>>>> operations?
>>> That's one theory.  Here is another:  Who is the client of the auditor?
>>> The auditor has a duty to the client that (arguably) outweighs the
>>> duty to anyone else.
>>>
>>> You might not agree to the above characterisation.  But, try this test:
>>> can you draw a line from the auditor to the public?
>>
>> The line from auditor to the public has been drawn in the courts, where
>> lawsuits against auditors by investors injured by corporate fraud have
>> been successful.
>
> But unfortunately this likely does not apply to IT security audits.



I would agree with that. In my conflicted opinion [1], but from some research:

   By law and custom, the "attest function" is only defined
   for opinions over financial statements by licensed
   and/or qualified accountants.

The "attest function" is what an auditor does when stating an opinion over the finances of a company.


1. From my notes: I found no law or case law that nails this down, but there is dictum ("non-binding opinion") that is careful to draw a line between financial audits and any other role. In _Rampell_ [2]:

"...While others may provide tax services or bookkeeping services, "licensees of the board of accountancy" alone perform the 'attest' function, which refers to the process by which "licensees" audit financial statements and express opinions as to those financial statements. Those audits are relied on not only by the clients on whose financial matters audits are performed but upon a host of other individuals and entities who may rely on the information in making their own economic decisions. Audited statements are relied upon by banks, other creditors, and investors ... In short, the use of financial statements attested by "licensees" is so frequently used in our economic system as to be indispensable..."


2. This issue is also the subject of wider and frequent public debate over financial statements, auditors and the progression to general consulting; and the obvious conflicts this generates.


3. I think, again in only my opinion, Mozilla was correct to have made an implied decision not to seek "attest function" audits. Not that it matters so much to Mozilla, but it would be a serious concern for a public company (e.g., Microsoft) which has an interest in preserving the value of its attest financial audit.


4. Even if we were to see this "constraint" changed to include the attest function and/or fiduciary duty, I wonder how realistic it would be? Who's going to sue a big4 auditor because their opinion sucks? How much luck do they have in the financial sphere on this question, anyway?


5. A better strategy for Mozilla might be to figure out what the current standard-in-practice is, and figure out ways of either improving it, or adjusting the relying party behavior to cope with any weaknesses.



iang

[1] Speaking as a non-financial auditor, I'm obviously conflicted, so someone else should research the position of the stakeholders and the case law and challenge it.

[2] 1991 court decision in Florida, Department of Professional Regulation, Board of Accountancy v. Rampell (District Court of Appeal, Fourth District, No. 89-2668), decided October 16, 1991.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto