Don't blame the auditors.

On Fri, 3 Aug 2012 15:21:06 +0000, Chicklon, Thomas wrote:

>... I have seen responses that ended up in a management request that a given
>auditor not return because of his incompetence. This finding rates right up
>there with the one we discussed here a while ago where the auditor wrote a
>finding for the mainframe server not running the corporate standard antivirus
>product. Both of these auditors need to find another line of work, as they are
>wasting their client's time.
  
>> Our auditors (Feds) say we need to apply all new PTF's within 30 days of
>> availability. I'm speechless. Does anyone have the patience to form a cogent
>> argument without laughing, crying, or tying one on?
>> 
>> I told my boss that if I did that, we'd be about as stable as a windows PC.

And what do you find wrong with the auditor's action in either of these cases?

It has been discussed, repeatedly, in these pages that the proper function of
an auditor is to assess conformance to standards, government or corporate,
and to report deviations, as these auditors did; not to look the other way
based on personal judgments that those standards may be inadvisable or
counterproductive.  Would you shoot the messenger?

Of course, if the standards made a clear exception for the mainframe, perhaps
limiting their scope to personal computers or Personal Computers (I'm case-
sensitive), and the auditors overlooked that, then they're in the wrong.  But
that was never alleged in this thread.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
