Here in New Orleans (Louisiana, USA), some auditors failed (before Katrina) to inquire if the firm’s insurance policy covered business interruption, leading to an improper valuation of the business.
Now a Reuters wire service story, published on 22 July 2011, states that Sony’s insurer asked a New York state court to rule that its general liability insurance policies with Sony do not cover data breaches.
This has large financial implications for accounting and IT auditors. With allegedly more than 12 million credit cards stolen in that breach alone—and with a year of a credit monitoring costing $72 per person, per the Consumer Report web site—this may be an unforeseen billion-dollar liability. Did Sony’s external auditors include a note in their report that Sony did not have such coverage and was thus exposed? Or, did they (like Sony) think general liability coverage was inclusive? Be sure to add that question to your auditing checklist.
Jeffrey Wagar, CISA, CISSP-ISSAP
Vice President, ISACA Greater New Orleans Chapter
We welcome your comments! Please log in using the Sign In button at the top right of this page and then leave your comment in the box at the end of the post.
To view all blog posts, please click on the ISACA Now button in the blue box on the left.