Shostack + Friends Blog Archive


Giving Data to Auditors

In light of well-publicized failures to maintain appropriate controls by the ‘final four’ audit firms, giving data to auditors without a clear and compelling business purpose is a bad idea. It’s such a bad idea, even an auto body shop objects:

Auto body repair shops in British Columbia are complaining to the province’s privacy commissioner about the public auto insurer requiring that the shops hand over customer credit card information in the course of routine audits.

The complaint, obtained by The Vancouver Sun, says the disclosure without written consent is “clearly unlawful.”

“It’s of concern to us,” said Gerry Preddy, vice-president of the association. “We’ve had examples of files being lost [by ICBC].”

David Fraser, “BC auto body shops object to auto insurer’s credit-card policy,” quoting the Vancouver Sun.

5 comments on "Giving Data to Auditors"

  • Andy ITGuy says:

    This is something that has concerned me for the last couple of years. Companies seem to fear auditors to the point that they would give them most anything that they ask for. Whether it be data, files, unfettered network access, etc… I try to ensure that whatever I give auditors has been verified as “safe” but several times I have been overruled by Management.

  • Iang says:

    Certainly there are grounds for concern over auditing, both theory and practices. However, giving over data would appear to be the least of the issues.
    Auditors (financial) are required to check transactions are happening. They are required to go deep into the secrets and make sure that all is well. They are also required to make sure that their ways of doing this are within reasonable bounds, and their information is kept private. If this was a financial audit, asking for the customer details would be IMHO within scope.
    There is scant detail in the article as to whether customer card details are needed or not. But, the explanation of the ICBC seems reasonable on the face of it, and the extract published by the paper from the Personal Information Protection Act also confirms that this is ok, assuming that we agree that auditing financial records is “reasonable.”
    What is perhaps interesting is to see the groundswell against automatic acceptance of anything an auditor says. That’s welcome, auditors are not especially protected from broken practices (and, speaking as an auditor of non-financial systems, I welcome scrutiny!)

  • Adam says:

    That auditors need some data doesn’t mean that everyone must collect and transmit all data which an auditor may want.
    If you want to go back to the source, follow a sampling back through the autobody shop.

  • Former BC Auditor says:

    There’s more to this than meets the eye — it is a pissing match between the auto body shops and ICBC because in past we found a significant amount of fraud at certain shops.
    ICBC has experienced about $100 million in fraud from the repair shops each year. Glass repair shops in particular used to charge ICBC for services that were not performed, or would charge ICBC for a higher cost replacement but actually use a lower cost item. Or charge the customer a lower cost and file a higher cost claim with ICBC.
    There were also many, many instances of repair shops acting as fronts for clearing checks and credit vouchers for certain criminal activities, and charging it to ICBC to make it look legit to the police, etc.
    And the shops that complained the most seemed to coincidentally be the ones pulling the scams and keeping the poorest records…
    The repair shops have had a legacy of improper behaviour in these issues, so they’ve brought this on themselves.

  • Chris says:

    In general, it’s nice to see people demand that auditors respect privacy and protect data. I wouldn’t hesitate to demand that my doctor wash her hands before prodding me with them. Similarly, nobody should feel that their auditors can’t be reminded of proper practices, with the strength of the reminder calibrated to produce the desired behavior.
