As the responsible manager for IT (usually CTO - internal SOX was a different matter) I have been "asked" by EY (and KPMG) about IT setups and security several times for audits. And I could have told them whatever I like, the people were right out of university with no clue about the matter and in no position to ask the right questions except reading their checklist; I always had the impression they only knew half the words they were reading.
KPMG asked me once: "Can you show it's actually encrypted?"
Do you have any programming skills? ... No? Then no. Then they started blabbing about what the data could be and it basically came down on them not understanding what random is, and they then just checked it off and went on. Since then I do not believe any audit which comes from those paper farms.
Yes, we ensure that the data is only available via TLS foo.bar with encryption algorithm baz, which is on the approved list. We have monitoring and logging that ensure that we receive an alert if the port the app is on is not encrypted, and if you'd like we can dump the traffic to show you that there is no clear text available.
Further, only users on the approved admin list can make a change or deploy to production, or login to the server as root. Moreover, we do a background check on employment for all users who have admin access, and all deployments and code changes require at least one other employee to approve them, and we log who they were, and what the change was.
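The comment above describes a control that can actually be demonstrated to an auditor: monitoring that alerts when the application's port is carrying something other than TLS, plus a traffic dump showing no cleartext. The following is an added example, not code from anyone in this thread. It classifies the first bytes a client sends on a monitored port as a TLS record, cleartext, or opaque data, and raises an alert for any flow that is not TLS. The sample payloads, endpoint names (`10.0.0.5:8443` and so on), and the approved-cipher list are constructed here for illustration; `check_live_endpoint` needs network access and is included only to show how the cipher-suite part of the claim ("algorithm baz, which is on the approved list") could be checked with the standard library.

```python
"""Classify the first bytes of captured TCP streams as TLS or not.

Added example for this thread. Assumes you already have the first bytes each
client sent on a monitored port (for example from a packet capture); nothing
here proves the ciphertext is strong, only that the stream is TLS-framed
rather than cleartext. Cipher strength is checked separately in
check_live_endpoint below.
"""
import ssl
import socket
import string

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
PRINTABLE = set(string.printable.encode())
MAX_RECORD_LEN = 2**14 + 256  # record layer limit for TLS 1.2 and 1.3


def looks_like_tls_record(data: bytes) -> bool:
    """True if data begins with a plausible TLS record header (type, version, length)."""
    if len(data) < 5:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES
            and major == 3 and 0 <= minor <= 4   # SSL 3.0 .. TLS 1.3 legacy version field
            and 0 < length <= MAX_RECORD_LEN)


def looks_like_cleartext(data: bytes) -> bool:
    """Heuristic: almost entirely printable bytes, as HTTP, SMTP or similar would be."""
    if not data:
        return False
    printable = sum(1 for b in data if b in PRINTABLE)
    return printable / len(data) >= 0.95


def classify_stream(data: bytes) -> str:
    """Return 'tls', 'cleartext', or 'opaque' (binary but not TLS-framed)."""
    if looks_like_tls_record(data):
        return "tls"
    if looks_like_cleartext(data):
        return "cleartext"
    return "opaque"


def audit_flows(flows: dict) -> list:
    """flows maps 'ip:port' -> first bytes seen; returns one alert per non-TLS flow."""
    alerts = []
    for endpoint, first_bytes in flows.items():
        verdict = classify_stream(first_bytes)
        if verdict != "tls":
            alerts.append(f"ALERT: {endpoint} carries {verdict} traffic, expected TLS")
    return alerts


def check_live_endpoint(host: str, port: int, approved_ciphers: set) -> bool:
    """Connect over TLS and confirm the negotiated cipher suite is on the approved list.

    Requires network access; not exercised offline. The approved list is an assumption.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _version, _bits = tls.cipher()
            return name in approved_ciphers


# Constructed sample payloads (not real captures).
SAMPLE_TLS = bytes.fromhex("160301 00f1 0100 00ed 0303")          # TLS handshake record, ClientHello
SAMPLE_HTTP = b"GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n"  # cleartext HTTP request
SAMPLE_OPAQUE = b"\x00\x00\x00\x00\x8a\xff\x13\x80"                # binary, not TLS-framed

SAMPLE_FLOWS = {
    "10.0.0.5:8443": SAMPLE_TLS,
    "10.0.0.5:8080": SAMPLE_HTTP,
    "10.0.0.7:9000": SAMPLE_OPAQUE,
}

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```

The point of splitting the check in two is the one the thread circles around: "random-looking" bytes are not evidence of encryption on their own, and a printable-ratio heuristic can only flag the obvious failure (cleartext on a port that should be TLS). Whether the negotiated suite is acceptable has to come from the handshake itself, which is what `check_live_endpoint` reads back via `tls.cipher()`.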
I think the role of an auditor is to make sure all the right questions have been asked and record who answered and what they answered. Asking them to be guarantors of truth is maybe putting a bit too much faith in a non-judicial investigation.
That almost seems like they would need to be active in the relevant field they are auditing. I’m not sure if the auditor role pays enough to hire people from all of the various fields that have to be audited.
Audit is not a foolproof guarantee that no fraud exists, the same way that locking your door doesn't guarantee that no crime exists. It deters opportunists by making crime more difficult and onerous.
In this context, they're just making sure the answer isn't "no, it's not encrypted". Sure, you can lie, and that would fool them. But your answer will be cross-checked with other employees, maybe with other documentation if those exist.
And sure, you can forge all of those as well, as Marsalek did with his bank statements. But this sort of verification significantly raises the bar on how difficult it is to commit fraud: you now need to get several people into the conspiracy to forge those documents and the audit trail. Your average employee isn't willing to lie for their company for no good reason and risk prosecution, and may very well whistle-blow on you.
Being an expert certainly makes you a better auditor, but it's not any more necessary than making police officers have law degrees.
Software development has a frustrating history of reappropriating words from other contexts. Your "code auditor" is probably more akin to an OSHA compliance officer/safety inspector. Again, experience helps, but you don't need to be the architect of the Pyramids to ensure everyone onsite is wearing a helmet.
They make a good-faith effort to ensure some checklist of conditions are met.
I was just curious and visited the LinkedIn profile that's linked to from the ctone.ws website (in KingOfCoders's profile) and was wondering why Wirecard was omitted.