I blogged a while back about not just going through the motions with audits, but meeting the spirit of what the audit is trying to accomplish. The problem is that the auditors themselves know so little about IT that they often ask for something that's either useless or outright ridiculous, even as audits grow in importance. Now the government is talking about creating more audits for Wall Street, but will extra work really do the trick?
Here are a couple of examples:
During this last round of audits, an auditor asked for screenshots of all 400 users in our system to prove that none of them are admins in the prod database -- a ridiculous task. It shows a complete lack of understanding by the auditor on how databases and even audits work. Even if I were willing to sit there and take screenshots of all those users, it’s highly unlikely that the auditor would've inspected each one thoroughly. The auditor would've gathered them, put them in the folder, and checked her little box -- end of story.
I refused to provide the screenshots and asked her what she was actually after. Essentially, she wanted to make sure nobody was an admin in the production database. Though she didn't really understand my explanation of how database security works, I told her she could get her desired results if I took screenshots of the sysadmin group.
It doesn't end there. Just today, I was asked to provide a screenshot that shows only the sysadmins have write perms in a certain database. Again, I had to explain that there wasn't a single screenshot that would provide that info, but the auditor said she needed that screenshot to satisfy the audit. Eventually, I offered to provide a screenshot of the db_datawriter group, and she accepted. In actuality, though, there are plenty of other ways someone could have write perms in a database. At best, the screenshot is a check mark on a page that means nothing; at worst, it's a tremendous waste of time.
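To show why a db_datawriter screenshot is not the evidence the auditor thinks it is, here is an added example that is not part of the original post: a T-SQL script, assumed to be run by a sysadmin on SQL Server against the database under audit, that enumerates the main routes to write access (sysadmin membership, the database owner, nested role membership, and explicit grants). It uses only the standard SQL Server catalog views; the script and its comments are mine, not the author's.

```sql
-- Added example (not from the post). Run inside the database being audited on SQL Server.
-- Each section is one way a principal can end up with write access that a screenshot
-- of the db_datawriter role alone would not show.

-- 1. Server level: members of the sysadmin fixed server role control every database.
SELECT 'server role: sysadmin' AS source, sp.name AS principal, sp.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 2. The login that owns the database maps to dbo and can write to everything.
SELECT 'database owner (dbo)' AS source, SUSER_SNAME(owner_sid) AS principal, 'LOGIN' AS type_desc
FROM sys.databases
WHERE database_id = DB_ID();

-- 3. Database roles that confer write access, expanded through nested role membership
--    (a user placed in a custom role that is itself a member of db_owner still counts).
;WITH role_tree AS (
    SELECT rm.role_principal_id, rm.member_principal_id
    FROM sys.database_role_members rm
    UNION ALL
    SELECT rt.role_principal_id, rm.member_principal_id
    FROM role_tree rt
    JOIN sys.database_role_members rm ON rm.role_principal_id = rt.member_principal_id
)
SELECT DISTINCT 'database role: ' + r.name AS source, m.name AS principal, m.type_desc
FROM role_tree rt
JOIN sys.database_principals r ON r.principal_id = rt.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rt.member_principal_id
WHERE r.name IN ('db_owner', 'db_datawriter', 'db_ddladmin')
  AND m.type <> 'R';  -- report the users and Windows groups, not intermediate roles

-- 4. Explicit permissions granted at database, schema, or object scope.
SELECT 'grant: ' + p.permission_name + ' on ' + p.class_desc AS source,
       dp.name AS principal, dp.type_desc
FROM sys.database_permissions p
JOIN sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE p.state IN ('G', 'W')  -- GRANT and GRANT WITH GRANT OPTION
  AND p.permission_name IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER', 'CONTROL',
                            'TAKE OWNERSHIP', 'IMPERSONATE');

-- Caveat: a Windows group appears here as a single principal; its actual members live
-- in Active Directory and must be enumerated there, so even this output is not the
-- complete list of people who can write.
```

The last caveat is the practical answer to the auditor's request: the list of people with write access is the union of all four result sets, with any Windows groups expanded in the directory, not one screenshot of one role.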
So with clueless auditors and unrealistic audit guidelines, why do we even bother with the process? My guess is that it's more useful on the financial side: accounting doesn't change much, so it's possible to be an accountant for 30 years and do a lot of the same things during that time. IT is another story, though. IT goes through major changes all the time, so it's a lot harder to have 30 years' experience with a single application or process.
I’m not saying that nothing can ever come of an IT audit, but in the many years I’ve been providing audit info, most of it has been complete crap and means nothing in the real world.
All of this makes me less than thrilled to hear the government talking about putting in more audits to prevent further Wall Street mishaps. If they’re run the way IT audits are run today, then I’m not hopeful for the future.