January 28, 2013 at 9:23 pm
Comments posted to this topic are about the item Acing an Audit
January 29, 2013 at 6:59 am
I totally agree that companies should have processes in place that keep them audit-worthy (not to mention more secure in general) at all times. My group is partly there - in SQL Server, we are pretty much always audit ready. I haven't been able to understand why our Oracle environments aren't. It's utter chaos for weeks leading up to an audit every single time.
And how reliable are those audit results, anyway? The audits should be looking at day to day processes, not giving people a heads-up weeks or months in advance to get themselves up to standard when they're lagging behind the rest of the year.
January 29, 2013 at 9:30 am
Nice piece, and valuable information about a process that builds the right processes.
M.
Not all gray hairs are Dinosaurs!
January 29, 2013 at 10:23 am
I would estimate that at least 20% of processes we have running and the resulting data generated are there exclusively to satisfy PCI and ISO audits.
The probability of survival is inversely proportional to the angle of arrival.
February 3, 2013 at 3:27 am
In my experiences the priority placed on financial and accounting audit functionality beyond what is required is driven by the industry they are in...ie insurance, banking, etc.
I question your thought about companies swaying their focus from what they excel at to focusing too much on home grown systems. As any system integrator has experienced more often than not scalability and integrations can become problematic. Usually cant get away from some level of modifications though, and in my experience the large enterprises have a mixture (for better or worse it keeps us employed).
Thanks!
February 3, 2013 at 10:45 am
I agree with what I believe the premise of the article to be. If you have to actually spend any significant time preparing for an audit beyond setting up a couple of computers for the auditors to use, then you're doing something fundamentally wrong to begin with. Most things having to do with audits just aren't rocket science and, as Steve said in the article, are things that folks should be doing anyway.
By the way, my favorite "spec" for doing things the right way is "MIL-TP-41". It's the basis of all other specs whether they be ISO, ANSI, SEC, PCI, SOX, or whatever and is applicable to all industries. It means "Make It Like The Print For Once". 😛 It doesn't suppress the ability to think outside the box or innovate or to react quickly to an emergency because "The Print" should have plans even for that.
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply