Audit Quality and Freakonomics
I was recently reading the excellent documents from Ross Anderson on Information Security Economics. A good reading tip for those interested in the subject is the famous Freakonomics book.
After reading Anderson's texts I realized that the reason for the lower quality of the External Audits I've been seeing is strictly economic. There are no incentives for an audit company to actually deliver good audits! For those who hire a big audit company, the main reason is the final report, usually needed to comply with regulations like SOX. A "clean" report is the best thing they can receive, as they will be compliant with regulations and won't have to spend money on fixing audit findings. Naturally, audits that find fewer issues will be preferred by the market, while the companies that run more thorough audit processes will suffer the opposite effect. Is it possible to build something into those regulations to counteract this?