[171471] in North American Network Operators' Group
Re: We hit half-million: The Cidr Report
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu May 1 14:34:31 2014
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <53628D64.4010205@linx.net>
Date: Thu, 1 May 2014 11:34:03 -0700
To: john@linx.net
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On May 1, 2014, at 11:07 AM, John Souter <john@linx.net> wrote:
> On 01/05/14 17:41, Owen DeLong wrote:
>> The problem with this theory is that if auditors can be so easily put to the
>> street, you run into the risk of auditors altering behavior to increase customer
>> satisfaction in ways that prevent them from providing the controls that are the
>> reason auditors exist in the first place.
>
> I disagree. And the power balance is generally tilted way in favour of
> the auditors, as many people on this thread have already commented. In
> my experience, most companies are afraid/inhibited to raise issues or
> challenge their auditors in any way. Nobody is asking auditors to roll
> over, but if their behaviour is unprofessional/illogical, then a short
> sharp shock should do the trick.
I'm not saying that auditors shouldn't be accountable or that people shouldn't be able to do something about auditors that are being irrational/stupid. Believe me, I cringe every time I hear "our auditors require NAT as a security mechanism" since NAT is a minor hindrance to security at best.
I realize you're not asking auditors to roll over, but finding a balance point is tricky.
>> If you don't believe me, examine the history of Arthur Andersen and their
>> relationship with a certain Houston-based company which failed spectacularly.
>
> Can't really comment, but it was financial auditing, and ISTR that many
> things failed in that situation - not just financial auditing.
Many things failed in that situation. MOST of them should have been caught and stopped by financial auditing.
Yes, it was financial auditing, but I don't really see the difference. When you turn "pleasing the customer" into a potential conflict with "accurate audit results", you create a recipe for trouble. As much as I want auditors accountable for unprofessional/illogical conduct (which does not yield "accurate results" anyway), I consider it critical to avoid putting auditors in the "a happy customer is a good customer with a happy audit" mentality because that leads to very bad places. The right place is somewhere between these extremes, but defining that location is quite difficult.
Owen