On Fri, 04 Jul 2008 09:10:42 +0100, Invisible wrote:
>> And then again, you can always take the auditor to them after
>> explaining to the auditor "Tom here in my management chain doesn't see
>> this as an issue - perhaps he can explain why better than I can.".
>> Then take the auditor to see Tom.
>
> Not easy when Tom lives on a different continent in a different time
> zone. :-P

That's what the phone is for. Or if it's the middle of the night (though
you have managed to call "Tom" in the middle of the night before), give
his number to the auditor along with the time zone offset.

> Auditors are always singularly unimpressed by "well X told me to do it
> this way". They expect *me* to realise that this isn't good enough and
> *force* the other person to understand this.

Auditors understand that often times the person they're talking to
doesn't have the authority to do things the way they want, and if the
orders are coming from above to do things in a way that's not compliant
with the regs, then that needs to be disclosed during the audit.
Otherwise it *is* your ass on the line. It's not about shifting blame,
it's about holding the decision makers responsible for their actions.
That's why audits happen.

>> Maybe Andy should get a job with the auditors instead. <eg>
>
> Muhuhuhu!

You laugh, but that might not be a bad option. You know the regs, you
know what should be done and how it should be done, and you know that it
isn't being done that way. You want your current management to listen to
you? Become *their* auditor.

BTW, you don't have to change jobs to do that. If making sure things are
done in compliance, then you put together a pre-audit audit that goes
over the checklist the auditors will, and do a "dry run". Ask the
questions of your management that the auditors are going to ask you.
Hold them accountable. Then take the results from your own internal
audit and compare to the results of the external audit, put them both in
a report, and send it up the chain and highlight the areas where the
audit result was what you predicted, and outline what needs to change in
order for things to become compliant.

I used to have to do license auditing when I was the customer - we had
auditors from Ernst & Young come in once a year to audit our license
usage for a couple products that I was responsible for. There were times
I was asked to "fudge" the numbers a bit because of a recent layoff (for
example); I did everything up front with the auditors, told them that we
had a layoff but our policy was to retain the user accounts in a disabled
state for 60 days, just in case the employee was rehired (as a means of
preserving their access to resources), but that the vast majority
wouldn't come back. We just couldn't predict which ones would be
rehired. Rather than hide those accounts from the audit, I asked for an
exception. And got it from the vendor.

The auditors commented every year that they appreciated our approach -
they were typically in and out in less than a day. Other customers they
had to spend 3 or 4 days trying to get the audit done, and it was like
pulling teeth. I always figured if I could facilitate the audit and make
it go smoothly, I could get the auditors out of our hair quickly, and I
was right. We never paid for users we weren't using, and everyone was
happy.

I know your audits aren't license audits, so things are a bit different,
but if you work to make it non-confrontational with the auditors, they'll
appreciate it and make your life easier, generally speaking.

Of course there are pricks in every field, and auditing is no different
in that respect.

Jim