Only as Good as Your Auditor

  • Having sat through several audits myself I appreciate what you've said here, Andy. Every audit I sat through was done by one vendor or, as was more likely the case, some government agent working on behalf of a Federal agency we were being funded by. But you've brought up a point which I've never had to deal with, and that's what happens if more than one auditor performs an audit on you/your company. I know it's easy to think, "Yeah, we passed the audit! Now it's back to normal." I see how that might lead to some complacency.

    Kindest Regards, Rod Connect with me on LinkedIn.

  • One of the outcomes of the banking crisis was awareness that the regulator had been a watchdog that didn't bark, let alone bite. There was an all-too-cosy relationship between the regulated and the regulator.

    The old watchdog was put down and the new watchdog was very keen to show it had teeth and that they worked. I don't know if the situation has slumped back into the old status quo. What I do know is that security is a topic where you have to be continually ratcheting up your capability. A toothless auditor is no help. Yes, an audit can be a painful process, but if it was easy I'd be worried.

    My thoughts are that an organisation shouldn't wait until the end of the year and sit quaking in fear at the sound of the auditor's tread. Some form of continuous improvement process needs to be in place which includes a RAID log.

    • Risks - Threats, real and potential

    • Actions - Things done proactively to address risks and things done reactively to mitigate risks. These should also reference the decisions.

    • Issues - This should include where risks have become an issue, as well as the issues that snuck in under the radar.

    • Decisions - Who, what, when and the target for implementation

  • I tend to think that an audit that raises nothing provides no value at all. It is similar to the test team. I expect that many things will be covered off by the teams leading up to the audit (or testing in the comparison) but I only believe they are being thorough when they raise the first non-superficial issue. No issues (defects) means that it hasn't been evaluated (tested) enough.

    ...and, basically, David is spot on in his assessment.


    -- Stop your grinnin' and drop your linen...they're everywhere!!!
