
Showing posts with label audit. Show all posts

Monday, 22 May 2017

EBA Insists On Access To Cloud Providers' Premises And Machines

Yes, it's 2017 and the European Banking Authority really does want financial regulators and their auditors to be able to visit the datacentres of regulated firms' cloud service providers, "including the full range of devices, systems, networks and data used for providing the services outsourced".  Responses on these 'recommendations' are due by 18 August 2017.

No one, including the EBA, really knows why regulators would need to do this, or what they would do on arrival - beyond exchanging pleasantries with the datacentre management and staff (who may not be co-located) and perhaps accepting the kind offer of tea or coffee from a robot or good old-fashioned dispensing machine.

The EBA simply presumes that other firms whose data is kept in the same datacentre (however fleetingly) will be happy for the financial regulators and their auditors to be allowed to wander among the cages amidst the pretty lights, exercising their "unrestricted rights of inspection and auditing".  And there's no mention of whether the EBA is happy for all firms' information security policies to be subject to the unauthorised access to their and their clients' sensitive data by audit teams from random financial (or other?) regulators, even where a firm and its clients are not the subject of the audit. 

Far better that the EBA recommendations focus on these thorny, practical issues instead of blithely insisting that firms negotiate broad, unfettered rights of access to datacentres on their regulators' behalf. 

Or maybe this is just a passive aggressive way of trying to prevent firms from using cloud services?


Tuesday, 20 December 2011

The Nature of Scepticism

Readers of Pragmatist will know that I've expressed my bemusement before that auditors have to be taught how to be sceptical. That was back in March. In November, the European Commission confirmed that the Financial Reporting Council wasn't joking:
"Article 15

Professional scepticism

When carrying out the statutory audit of a public-interest entity, the statutory auditor or audit firm shall maintain professional scepticism throughout the audit, recognizing the possibility that a material misstatement due to facts or behaviour indicating irregularities, including fraud or error could exist, notwithstanding the auditor's or firm's past experience of the honesty and integrity of the audited entity's management and of the persons charged with its governance.

The statutory auditor or the audit firm shall maintain professional scepticism in particular when reviewing management estimates relating to fair values and the impairment of goodwill and other intangible and future cash flow relevant to the consideration of the going concern.

For the purposes of this Article, 'professional scepticism' means an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud and a critical assessment of audit evidence."
Proposal for a regulation on specific requirements regarding statutory audit of public-interest entities.
Next: a European Regulation governing the exercise of scepticism in the course of police interviews...  


Hat-tip to Mark from last night's London New Finance Meet-up. Image from The Philosopher's Magazine.