Who should be held responsible for the security breach at Equifax? Who should be punished for the breach that could have affected as many as 143 million people? Most would say the management. No argument there. The external auditors had a role to play as well and should be held ethically and legally responsible for failing to detect and report the data breach.
But first, let's examine management's failings. The now disgraced CEO of Equifax, Richard Smith, resigned in the aftermath of the chaos that followed disclosure of the data breach. Unanswered questions include whether Smith and other senior executives should return some compensation earned during the period between gaining knowledge of the breach and its public disclosure, or even further back.
The government should go after Smith and other top officials under a “clawback” provision that has been used by the SEC to get top executives to pay back incentive compensation during the period of a financial fraud. The clawback is the right thing to do. It’s an ethical approach to holding top officials accountable for actions that harm the public good. It holds responsible those who knew, or should have known, about the failure to disclose.
Last month it was announced that the US Department of Justice (DOJ) has opened a criminal investigation into Equifax officials’ stock sales just before the disclosure of the security breach. The DOJ is considering whether officials dumped nearly $1.8 million in stock just after the company discovered the breach and about a month before it was announced. The company maintains that the three didn’t know about the breach when they sold the stock. This is hard to believe to say the least.
The Securities and Exchange Commission (SEC) has decided to investigate whether the stock sales constitute insider trading. This is a serious charge because the public expects top officials and public companies to play by the rules and any effort to move the market or take advantage of non-public information breaches the trust between stockholders and management.
The external auditors need to be investigated as well to determine if they missed the signs that the information and data analysis systems were not working as intended. External auditors examine financial data and information systems to gather sufficient evidence to render an opinion on a client’s financial statements and internal controls, including those designed to provide data security for customers.
According to Francine McKenna, writing for MarketWatch, EY was already aware that the SEC had scrutinized Equifax for inadequate disclosures of its cyberrisk and poor disclosure controls. That’s based on correspondence reviewed by MarketWatch between the SEC and the Equifax CEO and CFO dating from 2011 and 2014. McKenna points out that the SEC had questioned Equifax about cyberattack security breaches as far back as 2012 and inadequate disclosures regarding a material weakness in internal controls over financial reporting in 2013.
Addressing EY’s responsibilities, McKenna points out that “before EY even thinks about reviewing and testing the numbers, it must make sure that company executives set the right ‘tone at the top’ about controls, including of its IT [information technology] systems, to ensure Equifax is protecting its biggest asset – the consumer information it sells to banks and other organizations that generates most of its revenues.”
The problem for the accounting profession is that its interpretation of tone at the top starts with an evaluation of the company’s “risk tolerance.” A white paper by the Committee of Sponsoring Organizations (COSO) on enterprise risk management (ERM) purports to promote an ethical organizational culture, the weak link in the internal controls of many companies. The September 2017 revisions to the ERM Framework highlight the importance of enterprise risk management in strategic planning.
According to COSO’s Chair, Robert B. Hirth Jr., COSO’s “overall goal is to encourage a risk-conscious culture.” PwC developed the framework and, according to Miles Everson, PwC’s Global Advisory Leader and Engagement Leader: “The Framework addresses the evolution of ERM, the benefits that can be achieved, and the need for organizations to improve their approach to managing risk.”
Drilling down on the Framework with respect to corporate culture, ERM suggests that each entity should link its culture – shared behaviors, emotions and mindsets in the organization – to its strategy and risk appetite. The problem here is that the ERM framework does not place sufficient emphasis on the ethical dimension of making strategic decisions, opting, instead, for a focus on the entity’s “hunger” for risk in terms of its strategic objectives. This tail-wagging-the-dog approach to developing an ethical culture allows management to create a culture in each situation only after first determining its willingness to accept risk in developing strategic activities. This is ethical relativism at its worst.
For me, the questions the SEC should ask are: When did EY find out about the breach? What did it know about the nature and extent of the breach? What did it do about it? And did the firm honor its commitment to serve the public interest above all else?
The accounting profession has failed time and again to identify and report fraud. The Equifax situation is no different. The profession must move beyond management-biased positions such as tolerance to risk and start to look at tolerance for fraud and the breakdown in the ethical systems.
Dr. Mintz is a Professor Emeritus from Cal Poly San Luis Obispo. Visit his website to sign up for his Newsletter and learn about his professional services.