Re: Auditors (was: Survey says...)

2009-01-09 Thread Shmuel Metz (Seymour J.)
In , on 01/07/2009
   at 07:59 AM, Walt Farrell  said:

>Thus, it was not -our- management making that policy, but an outside body
>making the policy, and we had to adhere to it or show why it should not
>apply to us.

The real question is what you do when you are complying with the published
external policies but the external auditors claim that you aren't.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Auditors (was: Survey says...)

2009-01-08 Thread Hal Merritt
Well, yes, but there is a tiny little detail that is drop dead
important. To 'document' is defined as having management involvement and
approval. 

With that comes accountability. Legal accountability. Many PHBs are so
because they are skilled at misdirecting and managing perceptions as to
who is responsible for what.

Consider the PHB team that intentionally runs a loose shop and
eventually gets bit. Their first line of defense is blaming those
airhead techies that should have known better and should not have
allowed that to happen. Never mind that the firewalls were cut from the
budget as was training. 

And that seems to work somewhat. Witness the number of former high
management now sitting in prison. 

Just my $0.02   

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Shmuel Metz (Seymour J.)
Sent: Wednesday, January 07, 2009 8:14 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Auditors (was: Survey says...)

In <5411f4eec9c68f4ca6f78821e685165a027dd...@htxmail.jhacorp.com>, on
01/06/2009
   at 04:11 PM, Hal Merritt  said:

>In many parts of the world, auditor behavior is spelled out in ISO 9000.

"Crap is okay as long as you document that it is crap."
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see <http://patriot.net/~shmuel/resume/brief.html> 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Auditors (was: Survey says...)

2009-01-07 Thread Shmuel Metz (Seymour J.)
In <5411f4eec9c68f4ca6f78821e685165a027dd...@htxmail.jhacorp.com>, on
01/06/2009
   at 04:11 PM, Hal Merritt  said:

>In many parts of the world, auditor behavior is spelled out in ISO 9000.

"Crap is okay as long as you document that it is crap."
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Auditors (was: Survey says...)

2009-01-07 Thread Rick Fochtman

--
Audits, especially external audits, carry a lot of weight. The 
enforcement does not come from the auditors, but the audits do not seem 
to be questioned. And the audit groups seem to have their own SME which 
in some cases really stretch the definition of "expert".

--
As RACF Administrator, I suffered through a security audit in 1989. The 
result, as reported to senior management, essentially declared me 
incompetent to hand out towels in the Men's Room. Naturally, senior 
management went ballistic. But I was given a copy of the report and 
invited to write a rebuttal, which I did, point by point. It turns out 
that things weren't anywhere near as bad as the report made them out. 
They had used a "hole" in a proprietary software package to bypass all 
security. When I brought this up to the vendor involved, it was fixed in 
less than 72 hours. Other points in the report were rebutted by reasoned 
and truthful argument.


(They spent a week trying to "break in" from outside, using our defined 
outside interface. They couldn't even keep our computer on the phone 
long enough to try a userid/password "breaker", a fine tribute to our 
communications staff.)


Again, in 2001, I was "subjected" to a security audit. This time was 
different; vastly different. The gentleman that was detailed to do the 
audit had just been to RACF class, at IBM, and had a LOT of 
misconceptions and mistaken ideas. We developed a friendly rival 
relationship. He would make an allegation of a hole or potential breach 
and I would prove him either right or wrong. Loser bought a steak lunch 
for the winner. He was there for 2 weeks and I ate steak lunches for the 
entire two weeks, at his expense. (Or his company's expense.) We parted 
friends and he learned a great deal about the ins and outs of RACF. I 
consider that I helped his career development and he forced me to think 
hard about how we did things.


Moral of the story: not all auditors are ogres; some of them are 
actually human.


(I never did disclose any actual password to him and he was smart enough 
not to ask. Even with orders for "full cooperation", I refuse to 
disclose passwords, to ANYONE.)


--

Rick
--
Remember that if you’re not the lead dog, the view never changes.



Re: Auditors (was: Survey says...)

2009-01-07 Thread Howard Brazee
On 7 Jan 2009 06:00:59 -0800, wfarr...@us.ibm.com (Walt Farrell)
wrote:

>While I generally support the position that auditors should not "make
>policy", having worked at a national bank previously I think there is an
>aspect of this discussion that no one has mentioned yet.

But many times policies are set by lawyers, interpreting laws created
by politicians.   The auditors follow the lawyers' guidelines.



Re: Auditors (was: Survey says...)

2009-01-07 Thread Walt Farrell
On Wed, 7 Jan 2009 14:24:47 +, Ted MacNEIL  wrote:

>>There can be different levels of "policy".  For example, when the national
>>bank examiners (aka, "auditors") visited us they conducted audits according
>>to the policies established by the national body that chartered/insured our
>>bank.
>
>It's the same in Canada.
>But, the examiners don't make the policy either.
>They just report on it.

Agreed, but my point was that it's not necessarily -your- policy (or your
management's policy) that they're reporting on.  The thread had gotten into
arguing why your management accepted the findings if they weren't according
to the policy they had set.  Unfortunately, sometimes policies are set by
external organizations, and your management has less control in that case.

-- 
  Walt



Re: Auditors (was: Survey says...)

2009-01-07 Thread Ted MacNEIL
>There can be different levels of "policy".  For example, when the national
>bank examiners (aka, "auditors") visited us they conducted audits according to
>the policies established by the national body that chartered/insured our
>bank.

It's the same in Canada.
But, the examiners don't make the policy either.
They just report on it.

-
Too busy driving to stop for gas!



Re: Auditors (was: Survey says...)

2009-01-07 Thread Walt Farrell
On Wed, 7 Jan 2009 06:59:45 -0600, Chase, John  wrote:
>Indeed.  If management merely "rubber-stamps" whatever recommendations
>or suggestions auditors make, it certainly can create the appearance
>that the auditors are "running the show".  That doesn't change the facts
>that management makes policy and auditors report on compliance with
>policy, and that if the policy is "wrong" it's not the auditors' heads
>that will roll.

While I generally support the position that auditors should not "make
policy", having worked at a national bank previously I think there is an
aspect of this discussion that no one has mentioned yet.

There can be different levels of "policy".  For example, when the national
bank examiners (aka, "auditors") visited us they conducted audits according
to the policies established by the national body that chartered/insured our
bank.  (That was a long time ago, so I'm not sure what body they were
representing, but the idea is right, I think.)

When they made findings based on these national policies, we could (and did)
argue some of them, but primarily we had to comply or demonstrate how we had
some compensating factor that addressed their concerns.

Thus, it was not -our- management making that policy, but an outside body
making the policy, and we had to adhere to it or show why it should not
apply to us.

Our internal auditors, on the other hand, did audit us according to our
management-specified policies.

Of course, I suppose one could argue that one of our management's policies
was "comply to the national examiners' policies", and in that sense it was
still our management setting the policy.   But they had little choice in
that, nor in what that externally applied policy required.

The same applies today with policies set by Visa, Mastercard, etc.

-- 
  Walt Farrell (speaking as a former banker, not in my usual role as an IBMer)



Re: Auditors (was: Survey says...)

2009-01-07 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Hal Merritt
> 
> In many parts of the world, auditor behavior is spelled out in ISO 9000.
> And, as I recall, that behavior is much like Ted's posts. Not so in the
> US, it would seem. I wonder if that would account for the differing
> experiences?
> 
> To be fair, not all of the silliness is coming from the auditors. But
> they are embracing it and ramming it down any handy throat.

Indeed.  If management merely "rubber-stamps" whatever recommendations
or suggestions auditors make, it certainly can create the appearance
that the auditors are "running the show".  That doesn't change the facts
that management makes policy and auditors report on compliance with
policy, and that if the policy is "wrong" it's not the auditors' heads
that will roll.

-jc-



Re: Auditors (was: Survey says...)

2009-01-06 Thread Hal Merritt
In many parts of the world, auditor behavior is spelled out in ISO 9000.
And, as I recall, that behavior is much like Ted's posts. Not so in the
US, it would seem. I wonder if that would account for the differing
experiences? 
   
To be fair, not all of the silliness is coming from the auditors. But
they are embracing it and ramming it down any handy throat.  

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Ted MacNEIL
Sent: Tuesday, January 06, 2009 3:06 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Auditors (was: Survey says...)

>I guess our management forgot to read the definitions. And come to think
>of it, that has been true in every shop I've seen.

Yes. But, who carries the hammer?

>Audits, especially external audits, carry a lot of weight.  The
>enforcement does not come from the auditors, but the audits do not seem
>to be questioned.

Then your company is missing something in due diligence.
Any finding can (and, sometimes must) be questioned.
If not, due diligence arises again (or wimpiness).

>And the audit groups seem to have their own SME which in some cases
>really stretch the definition of "expert".

Again, due diligence.
Accept bad findings, curl up your toes, go belly-up and 6 feet under, or
fight back and defend your position and job.
If you're going to lose it fighting, you're probably going to lose it
accepting.

If they're accurate, suck it up and accept.

An audit finding is not necessarily gospel!

-
Too busy driving to stop for gas!



Re: Auditors (was: Survey says...)

2009-01-06 Thread Patrick O'Keefe
On Tue, 6 Jan 2009 21:06:01 +, Ted MacNEIL wrote:

>>I guess our management forgot to read the definitions. And come to
>>think of it, that has been true in every shop I've seen.
>
>Yes. But, who carries the hammer?

The management that called for the audits in the first place.
They have no way of evaluating the supposed SMEs, etc.
  
>...
>Then your company is missing something in due diligence.

Uh, yes, I'd say that describes us pretty well.  I think the FDIC 
already commented on that pretty well.  :-) or maybe :-(  

>...

Pat O'Keefe



Re: Auditors (was: Survey says...)

2009-01-06 Thread Ted MacNEIL
>I guess our management forgot to read the definitions. And come to think of it,
>that has been true in every shop I've seen.

Yes. But, who carries the hammer?

>Audits, especially external audits, carry a lot of weight.  The enforcement 
>does not come from the auditors, but the audits do not seem to be questioned. 

Then your company is missing something in due diligence.
Any finding can (and, sometimes must) be questioned.
If not, due diligence arises again (or wimpiness).

>And the audit groups seem to have their own SME which in some cases really 
>stretch the definition of "expert".

Again, due diligence.
Accept bad findings, curl up your toes, go belly-up and 6 feet under, or fight 
back and defend your position and job.
If you're going to lose it fighting, you're probably going to lose it accepting.

If they're accurate, suck it up and accept.

An audit finding is not necessarily gospel!

-
Too busy driving to stop for gas!



Auditors (was: Survey says...)

2009-01-06 Thread Patrick O'Keefe
On Tue, 6 Jan 2009 20:37:06 +, Ted MacNEIL wrote:

>...
>>> 2. Auditors don't approve; they report on compliance.
>
>>Maybe that's how it works where you live.  It is different elsewhere.
>
>True auditors just report on compliance.
>SME's define.
>Compliance officers enforce.
>
>Anything else is not a true separation of duties and is a conflict of 
>interest.
>...

I guess our management forgot to read the definitions.
And come to think of it, that has been true in every shop I've seen.

Audits, especially external audits, carry a lot of weight.  The 
enforcement does not come from the auditors, but the audits do
not seem to be questioned.  And the audit groups seem to have 
their own SME which in some cases really stretch the definition of
"expert".

Pat O'Keefe
