Throwback Thursday: Spoilsport

Credit to Author: Sharky | Date: Thu, 04 Jul 2019 03:00:00 -0700

This IT security pilot fish knows something about audits — and knows what he expects of auditors.

“I have more than 15 years of audit experience in IT,” fish says. “I have written and implemented policy and procedure, and developed incident response plans. I spent the better part of last year making sure that the external auditors could not find any inconsistencies in our control standards.”

Then the internal audit director decides to perform an audit of fish’s group — and sends a young auditor who thinks he knows everything IT.

After three weeks of research and testing, young auditor presents his results in a meeting with his boss, the audit director, and fish.

Among other findings, young auditor reports: “As a good practice, all company policies and procedures must include a disaster recovery plan …”

Fish’s response: “Please indicate how a policy can contain a disaster recovery plan, and why a policy would need one.”

That momentarily slows young auditor down, but then he plows ahead with another shot: IT needs “a schedule for planned reviews and updates, as well as for unscheduled changes or significant changes to the environment.”

Fish’s calm response: “So your finding is that IT does not have a schedule of reviews and updates for unscheduled changes in the environment? Please tell me how we are to implement that.”

Young auditor’s testy reply: “It is not internal audit’s job to tell you how to correct these findings!”

“The audit director left the room red-faced and with smoke coming from the ears,” reports fish.

“A battle of wits is so unfair when the opponent is unarmed.”

Sharky trusts your wits. Send me your true tales of IT life at sharky@computerworld.com.
