Aug 31 2006
Audit, then audit again
I can’t agree more with today’s SANS Handler’s Diary. Maybe it’s because I’m in an auditing class right now (and a SANS course at that), but I think it’s more because I’ve begun to realize how important auditing is. People usually care about their jobs, but they’re less interested in doing the job right than they are in just getting the job done. And that leads to mistakes and shortcuts that are just aimed at getting things done, which is why we need audits. Internal audits are a great starting point, but familiarity breeds a willingness to overlook mistakes, or the auditor is simply too close to the problem. That is why the external audit is so important.
A corollary of being too close to the issue, and part of why we need external auditors, is that an internal auditor can often be dismissed as being reactionary or overly alarmist, whereas an external auditor is an expert in their field whose opinions often carry more weight in the board room. The external auditor will sometimes find the exact same issues that the internal auditor found, but be able to talk from a position of authority and express the issues in a way that makes management listen a lot more closely. After all, which of these is your senior management going to give more authority to: “Joe from IT says …” or “Mr. Van Nuys (who we just paid $50,000 to audit us) says …”?
Why is it that paying someone to say something gives it the ring of truth?
Errr, an internal auditor would not be from IT, Martin. She’d be from the Internal Audit Department, which has no management responsibilities to IT. Granted, she’d still need to establish her own credibility and have the evidence, strength of character and senior management access/support to raise thorny issues. The cost of External Audit is not relevant. They have more clout because they get to sign off the company accounts, or not. Some but not all of them are more experienced and therefore generally better than Internal Auditors, but this tends to apply only to the seniors & partners.
Enjoy the course!
G.