The missing credential

July 2026

The law is particular about who may sign the accounts that reach an audit committee. The cyber report that reaches the same committee has nothing like that behind it, and the only people any UK regulator has ever insisted on certifying are the testers, not the people defending the firm all year round. The personal accountability for being satisfied lands where the last decade of regulation has aimed it, on named executives and boards, with no profession underneath them.

Read the essay

New pieces appear here as they are published. Ordonis is the advisory practice of Anthony Hines. To talk about anything written here, start a conversation.