This happens far too often. I’ve had to investigate other auditors many times in my career. Both insiders and outsiders can be a problem. Once it was a team of young auditors who bought a wireless router on their way to the client site and connected it into their client network so they could share audit files more easily…audit files that said no one could connect a wireless router into the network without being detected. That was a fun one.
Another time I found auditors who dumped sensitive files into public folders for review. I got the usual “how did you find that?”
It begs the question of what enforcement there is to reduce the number of auditors who put their customers at risk. We also could discuss whether auditors should follow their own advice, but that is actually a logical fallacy. Just as doctors do not have to take the medicine they prescribe, auditors are under no obligation to use controls not relevant to their work. It is the issue of malpractice rather than hypocrisy.
The largest firms seem to be the ones most prone to hire large numbers of inexperienced staff, which means they have the highest likelihood for rudimentary failures. To be fair, they are being asked to perform a giant assessment that requires a lot of moving parts and people gathering data, but that still is no excuse for basic operational weaknesses based on very well-known vulnerabilities.
KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website.
The potential breach affected individuals at two facilities—3,630 patients at Saint Barnabas Medical Center in Livingston, NJ, and 956 patients at Newark Beth Israel Medical Center in Newark, NJ—according to a report on the OCR breach notification website. The website lists entities reporting breaches affecting 500 or more individuals, a HITECH requirement that went live in February 2010.
At the end of the day I see failure from an audit firm to use caution and care in their treatment of a client. Automation is a common argument to resolve errors like this during the data collection phase, but that is a dangerous practice on its own. Process and procedures have to be understood better and fixed prior to accelerating or formalizing them.