News that the SEC fined Ernst & Young $100 Million because hundreds of its auditors cheated on ethics exams brought up the age-old question, "Who audits the auditor?"
The SEC accused Ernst & Young of misleading regulators about an internal report of cheating on required ethics exams, and suggested the firm’s lawyers and other executives were aware of the tip but failed to reveal it. Ernst & Young's fine seems to have resulted from the SEC investigation that ensued after KPMG was fined $50 Million in 2019 for stealing inspection information from the Public Company Accounting Oversight Board (PCAOB) in addition to internal exam cheating by its employees.
This was not Ernst & Young's first violation for cheating. A similar scandal involving more than 200 EY professionals exploiting a flaw in the company’s testing software took place between 2012 and 2015.
This is one of the reasons we at Vicis Law like working with HITRUST: every HITRUST Validation goes through HITRUST's QA process, in which the auditor's work is scrutinized and evaluated. This is unlike other information security reporting mechanisms, such as SOC audits, where an accounting firm's report is not subject to any independent Quality Assurance. To us, having guarantees that someone is auditing the auditor is something that is sorely missing from other information security & privacy validations, and it adds to the value of a HITRUST Certification.