We hit half-million: The Cidr Report
owen at delong.com
Thu May 1 18:34:03 UTC 2014
On May 1, 2014, at 11:07 AM, John Souter <john at linx.net> wrote:
> On 01/05/14 17:41, Owen DeLong wrote:
>> The problem with this theory is that if auditors can be so easily put to the
>> street, you run into the risk of auditors altering behavior to increase customer
>> satisfaction in ways that prevent them from providing the controls that are the
>> reason auditors exist in the first place.
> I disagree. And the power balance is generally tilted way in favour of
> the auditors, as many people on this thread have already commented. In
> my experience, most companies are afraid/inhibited to raise issues or
> challenge their auditors in any way. Nobody is asking auditors to roll
> over, but if their behaviour is unprofessional/illogical, then a short
> sharp shock should do the trick.
I’m not saying that auditors shouldn’t be accountable or that people shouldn’t be able to do something about auditors that are being irrational/stupid. Believe me, I cringe every time I hear “our auditors require NAT as a security mechanism” since NAT is a minor hindrance to security at best.
I realize you’re not asking auditors to roll over, but finding a balance point is tricky.
>> If you don’t believe me, examine the history of Arthur Andersen and their
>> relationship with a certain Houston-based company which failed spectacularly.
> Can't really comment, but it was financial auditing, and ISTR that many
> things failed in that situation - not just financial auditing.
Many things failed in that situation. MOST of them should have been caught and stopped by financial auditing.
Yes, it was financial auditing, but I don’t really see the difference. When you turn “pleasing the customer” into a potential conflict with “accurate audit results”, you create a recipe for trouble. As much as I want auditors accountable for unprofessional/illogical conduct (which does not yield “accurate results” anyway), I consider it critical to avoid putting auditors in the “a happy customer is a good customer with a happy audit” mentality because that leads to very bad places. The right place is somewhere between these extremes, but defining that location is quite difficult.