Your IT Auditor Sucks
by phil on Jul.10, 2008, under Uncategorized
So a friend of mine sent me a link to a small article on ZDNet. The article contained an interesting quip about someone setting up a website to rate auditors: ratemyauditor.com.
After thinking about it for a bit I realized how awful an idea it is. Rate my auditor is either the worst idea (if it is not an anonymous service) or the worst idea (if it does allow anonymous comments) I’ve ever heard. People hate being audited, no matter what. Especially IT audits. Why? Because IT people put a lot of blood, sweat and tears into making sure a system works. The audit firm sends in a young 20 year old with a 10 page checklist telling him exactly what to look at. There’s no context, no risk evaluation. Just a kid with a checklist, and if one of those checks fails then, at best, the IT department has a meeting with the execs; at worst, it gets outsourced to India. (I’m obviously going a little overboard here.) This also makes dealing with the IT department very difficult, as they have to defend every decision made against a checklist. It shouldn’t be like this, but this is what happens because a subject matter expert who knows Unix cold costs $250 an hour while an intern only costs $80. So of course you get an IT guy, who already knows his way around the internet, pissed off because the auditors don’t know the difference between CONSOLE and FTPACCESS. So what is he to do? He could complain to management, but they likely won’t listen. He can’t complain to the auditors. So what is he to do? He will go online and sound off on some website saying that the people at firm XYZ don’t know anything about Unix. If another company starts looking and finds out that firm XYZ doesn’t know Unix, then how can that company faithfully rely on a SAS 70 report that specifically tested Unix logical access controls?
This could go the other way too. A lot of IT folks, especially in smaller shops or shops that have grown organically, don’t understand what being audited means, why SOX matters to them and what controls are. All they know is that people have access, security is pretty tight and things just work. It can be very frustrating for them when they’re told that the lockout threshold should have been set to 3 instead of the 8 they have set now. They can’t argue against the auditor. They can’t complain to management, so they will go online and write that Firm ABC doesn’t understand how their IT works. Since it is all anonymous, it doesn’t matter how long a diatribe they write.
Now the other side, non-anonymous comments (i.e. so-and-so from company GDC), wouldn’t work either. People are not going to complain, because the second a partner finds out John complained he’s going to call his friend on the audit committee and John is going to be having a meeting with an executive. Executives probably won’t complain either, because they would be concerned about the image it gives their company *and* the strain it would put on their relationships with partners.
Finally, I doubt it would ever contain any negative ratings, because the second a firm finds out about a negative rating they’ll sic their law firm on the site to get the comment removed. All in all I prefer the current method of allowing clients to review your performance in private and sending that to the partner level, which helps decide their bonus. This way crap auditors get to learn that they’re crap (supposedly) and can learn how to improve, instead of never hearing the complaint until they stumble on ratemyauditor.com.