If an auditor certifies a system compliant, at a set point in time, to an agreed, contractually stated structure of compliance, how is this different from an insurance agency underwriting the contract to a set event misfortune? If there is no effective penalty mechanism, does this not just encourage the types of behavior most recently lambasted during the GFC?
Operators in this sphere are well rewarded for their efforts. Why should they not stand by their assessments (i.e. fiscal risk) in addition to reputation loss? Any other contract scenario would require it, so why not this circumstance?