Practitioners — Public Auditors · Last updated 26 May 2026 · methodology v2.1 · Hallucination Register

AI Hallucinations Affecting Public Auditors in International Jurisdictions

Findings — impact summary

This is the consolidated view of findings.

  1. Finding 1. Explicit NIST framework citation in the CPMI-IOSCO 2016 Cyber Guidance (Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008)

    A Public Auditor who includes in an audit report or compliance gap analysis an assertion that the CPMI-IOSCO 2016 guidance explicitly cites the NIST Cybersecurity Framework is making a factual claim about the document's content that cannot be supported by the text. If a client or regulator challenges that assertion, the auditor has no source to produce.

    In an environment where audit opinions on cyber resilience controls increasingly reference international frameworks, a false citation claim — even if originating from an AI tool — reflects on the auditor's professional diligence and could be raised in any subsequent review of the engagement.

  2. Finding 2. Depth of incident response and recovery detail in the 2016 Cyber Guidance (Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019)

    An auditor who believes the 2016 guidance contains detailed operational requirements for incident response and recovery may design a compliance audit against a level of prescription that the document does not actually impose, or may falsely advise a client that their controls are deficient relative to a standard that is more granular than the original text supports.

    Equally, if the auditor is assessing the adequacy of a client's controls against the 2016 guidance specifically — rather than the later FSB operational detail — conflating the two documents could result in an audit scope that misrepresents what the applicable 2016 standard actually requires.

  3. Finding 3. Definition of 'cyber resilience' and alignment with the 2018 FSB Cyber Lexicon (Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020)

    Where a Public Auditor references a specific definition from the 2016 guidance in an audit opinion, management letter, or regulatory submission, an unverified AI-supplied definition creates a direct professional liability exposure if the attributed text does not appear in the document.

    The further claim that the FSB Cyber Lexicon drew on the CPMI-IOSCO definition could affect how an auditor characterises the relationship between standards in cross-border work — for example, in jurisdictions where both the CPMI-IOSCO guidance and the FSB Lexicon are cited by local regulators — and a mis-stated influence relationship could mislead a client's audit committee about the coherence of the international standards framework they operate within.

  4. Finding 4. Currency of the 2016 Cyber Resilience Guidance as the operative international standard (Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022)

    An auditor advising a client in May 2026 that the 2016 CPMI-IOSCO guidance remains the unchanged operative standard is giving materially incorrect advice. Clients with FMI oversight responsibilities — central counterparties, securities settlement systems, payment system operators — need to know that a formal revision process is underway so they can monitor the consultation, prepare for potential changes to their compliance obligations, and ensure their boards are informed. A practitioner who fails to flag this could be seen as having provided inadequate regulatory horizon-scanning advice, with consequences for both the client relationship and the auditor's professional standing.


Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.