Professional Services Monitor: Today


June 9, 2009

Mark Olson Resigns as PCAOB Chair

Filed under: General — psmtoday @ 8:47 am

Mark Olson, chair of the PCAOB since June 2006, announced his resignation effective the end of July.

Mark Olson, chairman of the Public Company Accounting Oversight Board, said he is resigning his post at the end of July, but did not elaborate on the reasons.

In a letter of resignation, Olson, 66, simply said, “The decision is entirely personal and reflects my desire at this time of life to establish new priorities.”

Olson was named PCAOB chairman on June 26, 2006, after serving on the board of governors of the Federal Reserve. The resignation will take effect after more than three years of service in the job, on July 31, 2009.

He was appointed by the SEC to run the board, which inspects accounting firms that perform audits on public companies. The PCAOB is also slated to begin inspecting accounting firms that audit non-public broker-dealers, such as the three-person accounting firm that audited Bernard Madoff’s investment management firm.

June 8, 2009

NCSU Study Finds Flaws in XBRL Filings

Filed under: Accounting,Technology — psmtoday @ 9:07 am

A study conducted by two accounting professors at North Carolina State University on the SEC’s pilot XBRL program found significant flaws in the data. The study examined filings submitted by 22 companies during the SEC’s voluntary program, and raises concerns about data quality ahead of the mandatory XBRL filing deadline for the largest 500 companies, beginning with the quarter ending June 15, 2009.

But, while the XBRL concept is promising, the study from NC State found that reports from companies that participated in the voluntary pilot program contained multiple errors. “They were poorly tagged,” [Dr. Eileen] Taylor says, “and there were fundamental errors of accounting. One report, for example, contained too many zeros – turning millions into billions.” In their abstract, the researchers note that “These errors are serious because since XBRL data is computer-readable, users will not visually recognize the errors, especially when using XBRL analysis software.” In other words, users won’t be able to spot that something is wrong.

The study, “A Comparison of XBRL Filings to Corporate 10-Ks – Evidence from the Voluntary Filing Program,” examined XBRL filings by 22 companies that participated in the SEC’s voluntary pilot program in 2006. The study was co-authored by Taylor, Drs. Al Y. S. Chen and Jon Bartley, who are both professors of accounting at NC State. The study will be presented at the American Accounting Association Annual Meeting being held in New York City, Aug. 2-5.

June 2, 2009

Security Auditor Is Sued in Credit-Card Data Breach

Filed under: Consulting,Liability,Technology — psmtoday @ 8:35 am

Savvis, an “IT infrastructure services” provider, is being sued after issuing a clean security audit to CardSystems Solutions in 2004, three months before CardSystems was hacked and compromised. Wired’s Threat Level blog calls this the first such suit against a security auditing firm.

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor’s report.

In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

Yet, despite those assurances, 263,000 card numbers were stolen from CardSystems, and nearly 40 million were compromised.

More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.

They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies.

The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards.

Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secure and trustworthy. Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company’s system was underway.

A Visa executive told an audience earlier this month that the companies were not compliant, though auditors certified they were. “No compromised entity has yet been found to be in compliance with [the standards] at the time of the breach,” she said.

In the CardSystems case, Merrick Bank, which is based in Utah and services 125,000 merchants, sued Savvis last year in Missouri. Merrick says Savvis was negligent in certifying that CardSystems was compliant. The case was moved to Arizona five months ago but only recently assigned a judge, allowing the suit to finally move forward.