Comments on: The Auditor’s Prerogative

By: Jeff Kirsch

Jeff Kirsch — Sat, 22 Aug 2009 04:11:06 +0000

I am glad to see some discussion around this topic. To answer the question of if this was a satire, the simple answer is yes, I indicated this in the closing paragraph. As I attempted to layout in the Retrospective portion of this article, I do not believe people lie to me nor do I utilize “defensive auditing” techniques. I completely agree with you, Micheal Starks, that credibility is a cornerstone to being an effective auditor. To maintain that credibility we need to act in a professional manner, but we also need to explain our intentions and value to those we audit. I think Micheal Janke makes a good point about both sides learning from the other. The transfer of knowledge between both sides improves the quality of future audits and gives the auditee a better understanding of the overall control environment.

Chris, I believe you have misunderstood my position. I do not feel auditor’s perform their testing simply to find what is wrong, instead I feel an auditor tries to meet the objectives of their engagement. In the process of conducting procedures to ensure controls are in place and operating effectively an auditor may find the controls do not meet the control objectives. After performing their due diligence in determining if a control failure effects the overall effectiveness of a system, they must report their findings.

After throwing out all that technical analysis I would say this, both parties to an audit should openly discuss what the objectives are and keep communications open throughout. Hopefully this helps build value for all parties involved.

By: Chris Griffin

Chris Griffin — Wed, 19 Aug 2009 14:31:31 +0000

I agree with you that auditors do look for where people screwed up and not help improve controls.
But I dont think that is how it should be. We have worked ourselves into this compliance box
where real security doesnt matter.

With the attitude of just looking for screw up’s, then your not really helping them, or the security world.
We need to be thinking about how to make things better. By looking for flaws without concern for helping, that is only breeding more and more compliance based thinking. And it is hindering true security based thinking.

Most of us can realize just because its in a regulation, does not mean its good for security. It’s usually
just good for the vendors that fill that void by making the regulation solutions based.

Just wanted to throw my 2 cents in.

By: Michael Starks

Michael Starks — Mon, 17 Aug 2009 15:07:41 +0000

I’m not sure how much to read into this, but I think you may have lost some perspective. Yes, people will certainly be less-than-honest and not as forthcoming as you would like. But as an auditor, it is your job to focus on the evidence and verifiable facts. Are you serious when you say:

“So I’ve come to the conclusion that the best thing to do when asked questions is to lie right back.”

I really hope that was satirical. The profession needs to maintain credibility with auditees if the process is to be beneficial for both parties.

I am left with the feeling that perhaps I didn’t get the underlying message of the post, because I can’t imagine this would really be the way you conduct yourself.

By: Network Security Blog » Thursday night PCI articles

Network Security Blog » Thursday night PCI articles — Fri, 14 Aug 2009 04:45:04 +0000

[...] The Auditor’s Prerogative – No network is so squeeky clean a decent assessor can’t find at least one mistake. But that doesn’t mean the assesor is the enemy. [...]

By: Michael Janke

Michael Janke — Fri, 14 Aug 2009 01:00:47 +0000

I’ve been audited by some pretty competent auditors – the kind that can SQL inject an app and rootkit a server, so I’ve been part of some pretty intense audits. I’ve always treated the audit as a learning experience (for me) and an opportunity to nudge upper management in a positive direction.

If I’ve got a weak area, I’ll admit it. If I’ve got stuff that works pretty good, I’ll let them know. But I figure it doesn’t pay to BS them. If they are good, they’ll know, and if they are incompetent, I will not learn anything from the audit. Learning from *good* auditors is a good thing.

The stakes are high though. In my case, the findings are public and if they are bad, they’ll make the local news.

–Mike

By: Interesting Information Security Bits for 08/13/2009 | Infosec Ramblings

Interesting Information Security Bits for 08/13/2009 | Infosec Ramblings — Thu, 13 Aug 2009 20:59:12 +0000

[...] tells it like it is! Actually, he does, but read the whole article to know what I mean. The Auditor’s Prerogative : The Security Catalyst Tags: ( audit [...]

By: Security Briefing – August 13th : Liquidmatrix Security Digest

Security Briefing – August 13th : Liquidmatrix Security Digest — Thu, 13 Aug 2009 19:54:18 +0000

[...] The Auditors Prerogative – Security Catalyst [...]