The excuse given was to blame the auditor.  And for privacy reasons, they won't name the auditor.

This doesn't make any sense at all.  What use is an audit performed by unnamed entities?  It's the credentials of the auditor which give credence to the audit they perform, is it not?