On Sat, 6 Jun 2009 19:12:35 +0200, R.S. <[email protected]> wrote:
>Walt Farrell wrote:
>[...]
>> I agree with the others that you really need to explore what your auditors
>> are intending to accomplish, and provide some education to them.
>
>(This is semi off-topic, since it is - let's say - political issue.)
>The question is why should I educate auditors?
>Why should they rely on my explanations/education?
>BTDT. My auditor wanted me to protect non-existent programs, because
>they are dangerous. Of course he knew only (part!) of the program name,
>no justification why it is dangerous and what does it do. No
>understanding why it is impossible to protect nonexistent program. No
>progress in education. So - why it should be my (audited person)
>responsibility to educate auditor to understand his own demands.

It seems to me you have only a few choices:

(a) simply do whatever the auditor asks, which in my personal experience can be both painful and meaningless, accomplishing nothing of real value while making life more difficult;
(b) educate the auditor, so he understands why what he's asked for makes no sense in your environment;
(c) educate your management so they understand why you're ignoring the auditor (management can, also, ignore something the auditor has said, in most circumstances);
(d) educate your management about why they should choose a different auditor.

Again, in my experience, approach (b) is often the easiest in the long run. But elements of (c) and/or (d) may ultimately be needed. And, of course, in some cases if you don't have good management support, (a) may be needed but it has always been my last choice.

You're right that you -should not- have to educate the auditor, but in cases like the one you cite perhaps (c) or (d) is worthwhile. There are good auditors out there, who know what they're talking about and find real problems you should deal with, and if you need auditing you should use a good auditor who can provide real value.

(I think we're primarily talking about external auditors, here. If we're talking about internal auditors, then it is, I think, more clearly your responsibility to ensure that they understand how the system works.)

--
Walt

