Equifax Inc. used a consulting arm of its auditor to certify that its information-security risks were under control — a possible conflict for a company that missed the system vulnerability that gave cybercriminals access to the personal information of 143 million consumers.

Equifax never disclosed that a subsidiary of its auditor, Ernst & Young, is the consulting firm that provided the services that failed to detect the control weakness behind the massive breach. The auditor relies on these ISO certifications when assessing the controls over the information systems that support financial reporting.

Lynn Turner, the former chief accountant of the Securities and Exchange Commission, said it’s a gray area.

“It’s not clear if SEC auditor independence rules prohibit EY from issuing an attest opinion on a company’s information security controls, including an opinion that covered whether or not Equifax had proper controls in place to ensure necessary software changes (updates and patches) were properly authorized and done in a timely manner,” he said in an email. “That is something the auditor would need to test as part of their audit of internal controls. Provided EY had nothing to do with the design, implementation or operation of those IT controls, I think it would be OK.”

However, Turner cautioned, “The problem here seems to be that EY issued an Attest Opinion on the Equifax IT security controls that was apparently not supportable. That calls into question the quality and veracity of their work and that report. It also calls into question whether EY has support for any report issued on the adequacy of the internal controls of Equifax, issued in connection with their independent audit.”

Equifax system administrators discovered in July 2017 that an unauthorized party had gained access via the internet to its online dispute portal, according to an investigation of the hack published by the General Accounting Office. Equifax’s own investigation of the breach determined that weaknesses in identification, detection, segmenting of access to databases and data governance allowed the unauthorized party to gain access to its network and take information from its databases containing identifiable personal information.


Cybercriminals exploited the fact that Equifax had not yet patched a vulnerability in software called Apache Struts, a hole in its defenses that its IT team had been informed of on March 9, 2017. The company was told to patch it within 48 hours. That didn’t happen, said Richard Smith, the former CEO of Equifax, in testimony before the House Energy and Commerce Committee in October 2017.

That failure occurred even though EY CertifyPoint had audited and certified the quality of Equifax’s processes to update software, fix bugs and detect criminal hacks. Criminal hackers breached Equifax’s systems through the Apache Struts vulnerability on May 13, and the company didn’t spot the breach until July 29.

Howard Scheck, a former chief accountant for the SEC’s enforcement division and a partner at StoneTurn, a global advisory firm, told MarketWatch, “Recent breaches may raise the question concerning how much reliance should be placed on the ISO certification when assessing internal controls over financial reporting. There may be an expectation gap regarding what the ISO certification covers, raising the question of what additional work may need to be done by the audit firm (regardless of whether it, or another company, issued the ISO certification) to conclude that accounting controls are effective.”


EY CertifyPoint is a Dutch subsidiary of Ernst & Young, Equifax’s independent external auditor since 2002.

The EY CertifyPoint site lists Equifax’s Alpharetta, Ga., headquarters and TALX Corp., a provider of Equifax Workforce Solutions and a St. Louis–based Equifax subsidiary, as recipients of its ISO 27001 certification. The certificates were first awarded in 2011 and then on an annual basis after an audit process.

EY CertifyPoint did not respond to a request for comment.

An EY spokesman emailed a statement to MarketWatch: “The International Organization for Standardization has authorized certain independent organizations that meet rigorous professional standards to perform reviews and, subject to the results of those reviews, to certify to an organization’s compliance with specified ISO standards. EY CertifyPoint is accredited to perform reviews and issue certifications with respect to ISO Standard 27001, which sets the requirements for establishing, implementing, maintaining and continually improving an information security management system.

“A company is in compliance with ISO 27001 when there is reasonable assurance that it maintains designated processes around governance of information security, including processes to minimize the impact of information security events when they occur. ISO 27001 compliance is not assurance that a company is effectively protected against data security or data privacy breaches such as a cyberattack.”

In its 2017 annual report, Equifax admitted after the breach that its general certification was suspended and then allowed to expire: “Due to the 2017 cybersecurity incident, certain of our ISO certifications have been suspended and we will be required to take additional remediation steps to retain such certifications, which efforts may not be successful.”

EY’s CertifyPoint site indicates that the Equifax general certification is now expired.

Equifax asked for an ISO 27001 audit by CertifyPoint because, as it said in its 2017 annual report, some of its current and potential customers and the contracts governing certain customer relationships, as well as certain data suppliers, required it.

Christopher Paris, founder of Oxebridge Quality Resources International LLC, a consulting firm that implements ISO solutions, first wrote about EY CertifyPoint’s services for Equifax on his firm’s blog in September.

Paris wrote that a lawsuit against Equifax in federal court over the hack names an Equifax executive with a management role in overseeing the company’s ISO 27001 system. It is thus possible that the ISO 27001 certification provided by auditor EY will be cited in the subsequent trial, wrote Paris.

Equifax has invested more than $275 million in the security of its systems in 2018, a spokeswoman said, and “has been working tirelessly to rebuild trust with customers and consumers. We are pleased with the progress that has been made so far and have reinstated the majority of the certifications that were suspended as a result of the 2017 cybersecurity incident.”

The spokeswoman reported that Equifax worked with a new ISO certification body — not EY CertifyPoint — for all ISO certifications that the company received in 2018. The ISO 27001 certification has been reinstated in the U.S., U.K., Ireland, Canada and India and in the Iberian, Central and South American and Asia Pacific regions, according to the spokeswoman.


The Equifax 2018 proxy discloses that it paid U.S. audit firm EY $504,000 in 2017 for audit-related services that included employee-benefit-plan audits and “information technology security process reviews.” However, the ISO 27001 services provided by its Dutch unit are not specifically identified.

The Equifax spokeswoman told MarketWatch that the EY CertifyPoint fees for 2017 were classified as audit-related in the disclosure contained in its proxy statement.

EY CertifyPoint provides ISO 27001 certification services to several other prominent EY audit clients — Amazon Web Services Inc., Alphabet Inc., Workday Inc., Facebook Inc., Dropbox Inc., Zendesk, Oracle and UBS Group AG — in addition to many other non–EY audit clients in the U.S., Asia and Europe.

None of EY’s audit-client companies disclosed that their audit firm was doing double duty in certifying internet and data security. A spokeswoman for Dropbox declined to comment. Representatives of Amazon, Alphabet, Workday, Facebook, Zendesk, Oracle and UBS Group did not immediately respond to MarketWatch requests for comment.

The statement from EY’s spokesman also indicated that the firm believes ISO compliance certification is compatible with the role of an independent auditor, and is a permitted service for audit clients under SEC rules. SEC rules require that this service be subject to audit-committee pre-approval and that the fees for this service be included in independent-auditor-fee disclosures in a company’s proxy statement.

“History has taught us time and time again,” Turner told MarketWatch, “that just because one of these large audit firms puts out a report with their ‘Seal of Approval’ on something, does not necessarily mean things are in fact OK.”

The Equifax spokeswoman told MarketWatch that “Equifax has complied with all applicable disclosure requirements. We have also been forthcoming about the causes of the 2017 cybersecurity incident which were both technical failures and human error.”