[Gllug] Audit Season...

Nix nix at esperi.org.uk
Sun Jun 28 22:31:46 UTC 2009


On 27 Jun 2009, Jose Luis Martinez stated:

> On Fri, Jun 26, 2009 at 11:51 PM, Nix<nix at esperi.org.uk> wrote:
>> Actually I've told auditors they were full of shit in the past, and got
>> away with it too.
>>
>> It can be done.
>
> I would be extremely careful with dishing such advice. Seriously, SOX
> and other national and international regulations could mean you are
> actually breaking the law if you are obtrusive to certain types of
> auditors, and certainly your boss may have to do lots of explaining if
> one of his charges is being unhelpful.

This *very* much depends on the type of auditor. These were auditors
called in for no clear reason (certainly not legal requirements: I think
it was a result of a high-level political bunfight, one person calling
in auditors on her enemy's department sort of thing), and the auditors
were requiring changes to our version control system that would have
destroyed our ability to get any work done: banning any further commits
to any file that had been modified by a given commit until the change
that commit was part of had been tested and signed off by 'all clients'.
Given that this can take upwards of five years at the upgrade rate of
some clients, and that there's no real sense in a file-by-file
granularity anyway, this was nonsense with disastrous consequences and I
wasn't going to stand for it. And I told them so, and showed them why.

I also had the advantage of a nice determined lady on my side of the
fence who had once been an auditor, and unlike the Anderoid
barrel-scrapings I was facing she'd been a financial auditor, i.e. the
sort the infosec auditors working for the big five^Wfour look up to...

> To say that you got away with it implies that there was a certain
> level of risk to your position, to each one his own, but I frankly
> fail to see why one should be obtrusive.

I wasn't trying to be annoying: I just had to stop them imposing
ridiculous requirements that would destroy my ability to get any work
done and piss me off mightily on a daily basis.

Good auditors do a useful job. It's a damn shame so many are utter
cowboys.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug