Information security and mishandling of personal information are increasingly important risk areas for organizations, and two reports on a massive data disaster at a U.K. government department show how badly things can go wrong.

The reports cited Her Majesty’s Revenue & Customs, the British tax authority, for its “deplorable failures” to comply with data protection laws. Its performance was so bad that the country’s data regulator has threatened to open criminal proceedings if the department fails to improve.

HMRC sparked a national debate last November on organizational data handling, when it confessed that it had lost two unencrypted disks containing the personal and bank details of 25 million people. The incident was the second-largest reported loss of government data in the world.

The information was downloaded onto the CDs and sent to a government audit agency, which had requested information about benefit payments. The CDs, which contained far more data than the auditors asked for, were dispatched via HMRC’s internal mail without any trace or record. They never arrived, and have never been found.


The government asked for two reviews of the fiasco. The Independent Police Complaints Commission investigated how the disks were lost and whether staff had committed a criminal offense; PricewaterhouseCoopers’ U.K. head, Kieran Poynter, reviewed management structures relating to data handling. Both reports blamed the loss on institutional failure, rather than individual error.

The IPCC report said data security processes at HMRC had been “woefully inadequate” with a “complete lack of any meaningful systems” and an “absence of a coherent strategy for mass data handling.” Only a few members of staff understood the highly sensitive nature of the data held on the disks; even those who had direct responsibility for handling the data “did not demonstrate a clear understanding or knowledge of how to protect the data at the highest possible level.”

“An event like this was certain to happen—the only question being when,” said IPCC Commissioner Gary Garland, who oversaw the investigation.

The 103-page Poynter report found that information security “simply wasn’t a management priority as it should have been” at HMRC. It criticized the department for its “inadequate awareness, communication, and training on data security” and found that no clear chain of responsibility existed for the handling of information. The report said the organizational blunder raised “serious questions of governance and accountability.”

The Poynter report contains a detailed description of what went wrong at the department, including how operational demands were allowed to override compliance and security concerns. It has a section of detailed recommendations on how the department should improve its practices, which other organizations may find useful.

Coalition Calls for Mandatory Carbon Reporting

Pressure is mounting on the British government to pass laws forcing companies to report their carbon emissions. A coalition of leading businesses, institutional investors, 40 members of Parliament, and the mayor of London has called on Prime Minister Gordon Brown to back the move.

A climate change bill is currently working its way through Parliament, and the House of Lords recently passed an amendment that would introduce mandatory carbon emission reporting. But the minister responsible for the environment, Phil Woolas, has since said the government would weaken the measure. It wants to issue voluntary guidance on carbon reporting with a promise that it would review the guidance’s effect in 2010.

The coalition claims that current carbon disclosure by British companies is inadequate, and that the information they release is not comparable. A mandatory standard would create a level playing field, let consumers and investors make meaningful comparisons, and allow the London Stock Exchange to become a leader in carbon accounting and reporting, the coalition argues.


Peter Young, Chairman of the Aldersgate Group, a group of environmental organizations that has played a leading role in the campaign for mandatory reporting, says “overwhelming” support exists for compulsory disclosure.

The campaigners claim that the business community backs mandatory reporting since it would put all companies on the same footing. Members of the influential business lobby group the Confederation of British Industry voted 82 percent in favor of the measure at its annual conference last November.

Commission Gets Tough on French Audit Rules

The European Commission has escalated its battle with the French government over the country’s strict rules on the work that accounting firms can do for their audit clients.

France introduced a tough Code of Ethics for Statutory Auditors in 2005 that raised the bar on independence issues and stopped French firms selling services to their audit clients. The code, however, has had a wider effect since it also bans international audit firms from providing a wide range of non-audit services to any company that is either a parent or a subsidiary of a company it audits in France.

The Commission expressed anger that the code is “not proportionate” and illegally prevents audit firms from selling their services. It “goes far beyond” the Commission’s own framework of rules to ensure auditor independence, which EU officials published in 2006. And the French code ignores independence rules that exist in other European Union member states, the Commission said.

The Commission gave France a formal warning last year, telling it to revise the code, but the government has refused to act. Now the Commission has referred the case to the European Court of Justice, which can force France into line.

KPMG Admits Audit Errors

KPMG has finally admitted that it was seriously negligent in its audit of the collapsed British public company Independent Insurance. The audit profession’s standards watchdog has ordered the firm to pay a fine and costs amounting to $3.2 million.

KPMG has always maintained that it was duped by Independent’s chief executive and finance director when it audited the company’s books eight years ago. Both have since been jailed for fraud. Now, however, KPMG has admitted that it failed to properly check insurance contracts that it knew were both suspicious and highly material.

The dodgy contracts, of a kind which insurance companies use to cap their provisions against loss-making business, allowed the company to report a $43.9 million profit rather than a loss of nearly $210 million.

KPMG and its audit engagement partner, Andrew Sayers, “accepted that loss could be turned to profit by using stop loss insurance which was too good to be true,” according to the judgement from the Joint Disciplinary Scheme, which regulates chartered accountants.

That the company providing the insurance appeared certain to lose money “gave rise to an obvious suspicion that there may be more to the stop loss insurance than KPMG was being told,” the ruling added.

The Joint Disciplinary Scheme found that a concurring partner on the audit, who was supposed to act as a second pair of eyes, suggested that KPMG get direct confirmation of the terms of the contracts, because of their huge materiality, but Sayers took no action.

KPMG was reprimanded, fined $987,000, and ordered to pay costs of $2.3 million. Sayers was reprimanded and fined nearly $10,000. He is still a partner at the firm.

In a statement, KPMG said it “regrets shortcomings in certain aspects of its audit of Independent and we accept we could have done better.”