That's not a real auditor, that's a hacker posing as an auditor. If that auditor didn't have a signed, bonded affidavit from the CEO saying that he could social engineer the IT department to test their resolve, then they should immediately have called the FBI, assuming that this is the US. That the person claims to be an auditor doesn't make him one; that he keeps badgering the IT guy turns what might be a mistake into clear social engineering. Charges should have been filed against them. Had they done that to a public company, charges would likely have been brought under any number of federal statutes, including SEC regulations.
from the linked article:
My "legal guy" has suggested revealing the company would probably cause more problems than needed. I can say, though, this is not a major provider; they have fewer than 100 clients using this service. We originally started using them when the site was tiny and running on a little VPS, and we didn't want to go through all the effort of getting PCI (we used to redirect to their frontend, like PayPal Standard). But when we moved to directly processing cards (including getting PCI, and common sense), the devs decided to keep using the same company, just a different API. The company is based in the Birmingham, UK area, so I'd highly doubt anyone here will be affected.