> Good point. But the audit seems useless now. It's supposed to prevent the carelessness from causing... this thing that happened anyway.
> Sure, maybe it prevented even more events like this from happening. But still.
Because the point of an audit is not to prevent hacks, it's to prove that you did your due diligence to not get hacked, so the fact that a hack happened is not your fault.
You can hide under the umbrella of "sometimes hacks happen no matter what you do".
CYA is the reason you do the audit. But the reason for the audit's existence and requirement is definitely so that hacks don't happen. Don't tell me regulatory agencies require things so that companies can hide behind them.