Conflict of Interests: When Auditors Become Consultants
I just read a press release from Trustwave announcing their newest offering: a data loss prevention application that scans data at rest and discovers content risk. I have used Trustwave as a QSA for PCI DSS since about 2004, back when they were still Ambiron. Today they are arguably the leading QSA for PCI DSS and provide a pretty good service.
Looking at their web site, I see that they offer a variety of complementary compliance and consulting services. But I have to ask: when do auditing and consulting services become a conflict of interest? Sure, they offer services that would be great for managing your compliance needs, from discovery tools to the latest “DLP” tool. (Aside: I think the term DLP is used far too loosely to describe a variety of technologies.)
Discovery tools seem to be in line with Trustwave’s mission. But technologies that actually secure the environment, such as encryption, log management, intrusion detection and prevention, and unified threat management, seem to cross that line. These are the controls a QSA must audit for effectiveness against the standard. If you’re providing those controls, you should not be auditing them!
To be fair, Trustwave is not the only company doing this. PwC, KPMG, and others are also guilty. I wonder if it will take another Enron-like incident for the PCI Council to step in and draw the line between the consultants and the auditors. And I wonder which of these big companies will be the next Arthur Andersen?
I think this is a result of their Vericept acquisition. It does make sense and it should help their other offerings. I would say, however, that they should legally separate the two divisions. Your auditor and your consultant should never be the same person, and should never work under the same division of a company.
It is the responsibility of the CAE (Chief Audit Executive) at the company buying services to perform proper due diligence (due professional care) for conflicts of interest related to these types of cross-sell engagements.
[...] fiasco as his favorite outside post this week. Then Bobby’s exposé on the inherent conflict in being a consultant and auditor at the same time was chosen as a top news item of the week [...]
You should never engage a company to audit you and also implement the recommendations/requirements; they would have you over a barrel!
“Oh sir, you need to implement secure configuration on all of your devices. We will do that for $10M for you… if you don’t, you will FAIL!!!”
You should get someone to help with your PCI-DSS readiness by doing a gap analysis, then remediate with them, then call in a QSA. The readiness provider can then go in to bat for you and handle the QSA being “over the top” and pedantic.