Very true, Alan. But a good auditor always asks the question, "Where is the risk?"
It is pointless to look for controls, test controls, or require controls where there is no risk, which is what a test-everything approach would try to do. It is the 20:80 rule: 80% of the risk can usually be covered by 20% of the controls. The key to a good audit is to identify that 20% for the client and then test it.

There are General Controls and Application Controls. Infrastructure controls are General Controls, which are far more powerful and probably why SAs feel so beaten up. Application Controls rely on the General Infrastructure Controls, and if there are glaring weaknesses in the infrastructure controls then the Application Controls do not mean much. It would be like locking the door to a room in your house but leaving the front door unlocked. But this is the very reason a production z/VM, the front door if you will, should have a security system, be it RACF or whatever.

An auditor who says "test everything" will never stay in business very long because he would not be competitive. Auditors, like everyone else, need to make a living and know they would never get new business, win bids, or just make money if they ever tried to test everything. In fact, the whole purpose of controls and testing controls, which is what SOX is all about, is to reduce what is known in the auditing trade as "substantive testing": adding up all the numbers and tying out to a financial statement, which is very labor-intensive, time consuming, and costly. Auditors could never perform 100% "substantive testing" on all the transactions and data processed in a financial cycle. It would be impossible. So they invented "compliance testing", which says that if I can test the controls of a process, then I am justified in reducing the amount of "substantive testing" I must do for "due diligence". A good auditor must first understand the entire process flow and think through the process to identify these controls, and then design and identify the minimum testing needed to attest to the financials.
He can and will be held responsible for negligence. 30 years ago there were the Big 8 CPA firms. Now there is only the Big 4, and we all know what happened to Arthur Andersen when the cry went out in the MCI scandal, as it always does: "Where were the auditors?" After all, if an auditor is not going to tell you, the client, of weaknesses and exposures from which you eventually may, or actually do, suffer great loss or are forced out of business, what do you need him for anyway? If the general public had no confidence in the financial statements of publicly traded companies, what would happen to the stock market, to free enterprise, to capitalism? Honesty and integrity are just plain good business.

Alan Altmark <[email protected]>
Sent by: The IBM z/VM Operating System <[email protected]>
12/09/2010 01:43 PM
Please respond to The IBM z/VM Operating System <[email protected]>

To [email protected]
cc
Subject Re: Vswitch Grant as a CMD in User's Directory?

On Thursday, 12/09/2010 at 12:01 EST, Tom Huegel <[email protected]> wrote:
> Does it really matter? SOX is just another way congress has come up with to
> destroy the American economy, and in fact the American way of life.

When you read the law, you find that SOX is "simply" a way to hold executives responsible for the financial statements issued by their companies. Assuming no ill intent (no comments, please!), that means trustworthy data. That flows downhill, as all such things must, until we start talking about access controls and audit mechanisms for financial data. That is, knowing who has the means and the opportunity to access the data, and knowing who has actually done so. (I leave it to others to talk about motive.) Who, what, where, when.

Unfortunately, IT security industry consultants have mangled this laudable concept into a paranoia-inducing behemoth that has people screaming in terror as it rampages across the country, flogging every sysadmin in its path. Why? Because financial status is inferred from many other data sources and no one wants to spend the time it takes to follow all the data flows. Result: Secure Everything. With HIPAA and PCI running alongside, the "Secure Everything" policy looks even more reasonable to CEOs, CIOs, CFOs, and their lawyers.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
[email protected]
IBM Endicott
