You're right, but 3rd party audits can help, especially because of the precedent set by Arthur Andersen w/ Enron. It destroyed their business completely when their fraud was discovered, so there would be a strong incentive for auditors to get it right. As you said, not a silver bullet, but it's a step up from nothing.
Nobody at Arthur Andersen went to prison and SCOTUS reversed their conviction. The firm may have gone up in smoke, but nobody was actually punished for their crimes. Who at Ernst and Young has gone to prison for Wireguard or WeWork? None by my count.
> It destroyed their business completely when their fraud was discovered...
I suppose rebranding and transferring assets is kind of like a Chapter 7 "destroyed their business completely", but no one involved went to jail, no one lost their Series 7 or any other kind of licensing, no one was ever barred for life from ever managing at a public company ever again, etc. Sure, to laypeople a selling off of assets and rebranding sounds pretty "destroyed...completely", but unless there are lifelong, severe, natural person repercussions, business people are thrilled with the results. No clawbacks, no offender registration, can always point the blame elsewhere in future discussions (like job interviews). This is mostly regulatory theater, and all net upside for those who benefited by unethical action or by unethical omission.
I completely agree, and that's a huge topic unto itself.
Briefly, the issue with auditing, as with most things, is incentives over time. The difference between fraud in finance and software engineering is how long the bezzle[1] lasts. In finance, it can last a very long time in up economies, leaving Big Three auditors plenty of time to scurry off. In software you have to deliver at some point, leaving lying auditors exposed to discovery by security researchers immediately.
There is certainly still room for shenanigans if not set up correctly, but less than in finance.
Auditors operate off money, too. I have seen this first hand. If I tell them about an egregious violation and they don't even bother to write it down, I know what type of "auditor" I am dealing with. If they write it down and the issue is not resolved, same thing.
I agree. I am writing my project a certain way to achieve a goal I call reimplementability.
This means that I try to design in such a way that a reasonably competent dev could sit down and rewrite the whole system in a couple hours/days/weeks.
Third party audits aren't a silver bullet. Enron and Worldcom had third party audits.