We hit half-million: The Cidr Report

Owen DeLong owen at delong.com
Thu May 1 18:34:03 UTC 2014


On May 1, 2014, at 11:07 AM, John Souter <john at linx.net> wrote:

> On 01/05/14 17:41, Owen DeLong wrote:
>> The problem with this theory is that if auditors can be so easily put to the
>> street, you run into the risk of auditors altering behavior to increase customer
>> satisfaction in ways that prevent them from providing the controls that are the
>> reason auditors exist in the first place.
> 
> I disagree.  And the power balance is generally tilted way in favour of
> the auditors, as many people on this thread have already commented.  In
> my experience, most companies are afraid/inhibited to raise issues or
> challenge their auditors in any way.  Nobody is asking auditors to roll
> over, but if their behaviour is unprofessional/illogical, then a short
> sharp shock should do the trick.

I’m not saying that auditors shouldn’t be accountable or that people shouldn’t be able to do something about auditors that are being irrational/stupid. Believe me, I cringe every time I hear “our auditors require NAT as a security mechanism” since NAT is a minor hindrance to security at best.

I realize you’re not asking auditors to roll over, but finding a balance point is tricky.

>> If you don’t believe me, examine the history of Arthur Anderson and their
>> relationship with a certain Houston-based company which failed spectacularly.
> 
> Can't really comment, but it was financial auditing, and ISTR that many
> things failed in that situation - not just financial auditing.

Many things failed in that situation. MOST of them should have been caught and stopped by financial auditing.

Yes, it was financial auditing, but I don’t really see the difference. When you turn “pleasing the customer” into a potential   conflict with “accurate audit results”, you create a recipe for trouble. As much as I want auditors accountable for unprofessional/illogical conduct (which does not yield “accurate results” anyway), I consider it critical to avoid putting auditors in the “a happy customer is a good customer with a happy audit” mentality because that leads to very bad places. The right place is somewhere between these extremes, but defining that location is quite difficult.

Owen




More information about the NANOG mailing list