There are several issues for the big 4 brought about by the Facebook Cambridge analytica privacy scandal.
In that scandal Cambridge analytica was utilizing private information of Facebook users to try and influence the U.S. presidential election. This should have been caught by Facebook because they were supposed to have strong controls following a settlement with the FTC in 2011.
Facebook settled with the FTC in 2011 over misrepresenting their privacy program back then. Facebook told users that they could keep their information on the social network private but that information was being shared with third parties.
As part of that settlement, Facebook was
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
- required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
Facebook obviously did not comply with these requirements when their users information was accessed and utilized by Cambridge Analytica.
The last one of the audits of the Facebook privacy program required by the FTC was performed by PwC. Pwc performed an independent report on Facebook’s privacy program dated from February 12, 2015 to February 11, 2017
During the time period covered by the report it is thought that Cambridge Analytica was likely using facebook users information, so it appears that PwC missed this huge mistake during their audit.
There are a number of questions that PwC’s sign off brings up.
1. Are 3rd party audits truly independent?
No matter how many caveats PwC brings up in their report, it was expected that they would be able to detect the very lapses that happened in the Cambridge Analytica scandal. One of the reasons they might not have caught the lapses in the privacy program is because they don’t want to rock the boat.
They don’t want to tell a huge client like facebook that they might be doing something wrong.
There is also a question of whether auditors can go into an audit with an independent lens where they are earning millions of dollars. Are they blinded by dollar signs when auditing?
2. Should the SEC trust the Big 4?
People are questioning why the FTC didn’t conduct the audit themselves. The public was failed by the FTC because it was the FTC’s job to enforce their penalties from the previous Facebook settlement.
Instead they farmed it out to an accounting firm that received money for the work but did not perform sufficient work to catch the errors. Is this also true of the Securities and Exchange Commission for trusting the big 4 to catch errors in public company financial statements too?
3. Can The Big 4 Catch The Majority of Material Errors or Weaknesses In Controls
With all the recent accounting scandals and now this privacy scandal, it appears that the big 4 are caught up in a series of huge mistakes that should have been caught by them. The magnitude of the scandals are huge. To the point where your average citizen could catch them if they were hired to perform the work let alone a professional auditor.
In all these scenarios, the big 4 are being paid millions of dollars for their expertise. Even with all their expertise they are missing extremely material mistakes.
This leaves the question as to whether the big 4 have the technical expertise to be auditing large complex companies. That applies to both auditing financial statements and other areas. I definitely have a huge issue with them claiming they can audit a privacy program.
Should the big 4 be engaged to an audit a privacy? What do the big 4 or pwc know about privacy programs and standards at a large social networking firm?
Facebook probably chose an accounting firm like PwC because they have experience with auditing and sampling.
PwC approached the audit like they would have approached any audit. They took some samples and extrapolated that against the whole population, but does PwC know how to design and audit a privacy program or similar technological areas.
I think this brings questions up about the big 4 for future work such as auditing blockchains and auditing cyber security breaches.
Large companies and clients should raise more questions before hiring the big 4 to perform tasks other than auditing financial statements.
Let us know your thoughts in the comments below.