T.R | Title | User | Personal Name | Date | Lines |
---|
84.1 | A dumb question | MLOKAI::MACK | Ralph | Sat Feb 15 1986 23:46 | 13 |
| Didier,
Pardon my ignorance, but what is an "audit"? I've heard the term used before,
usually in reference to financial matters (of which I know nothing). Lately
I've heard the term used in a way that sounds vaguely like it should be
relevant to my work. Should it?
And if it is what I think it is, by posting this note have I inadvertently
"qualified" myself for one? :-)
Ralph
(Full-time software developer,
system manager when it breaks.)
|
84.2 | some info | PRSIS3::DTL | Paris, France | Sun Feb 16 1986 04:27 | 18 |
| An audit is a person, generally with accounting expertise background,
who is in charge of checking all money-related and security-related
issues.
They usually come every two years in Europe to a given facility
and stay one month or two to 'audit' all documents, looking for
errors, missing papers, ignorance of policies, excess in expense
claims, etc. In Paris, I have been told that they had a look at
*all* functional managers' expense claims!
Then they build a report with recommendations on each subject, that
they go and discuss with the country manager and the accounting
revisor manager. Then they go back to Corporate management to give
a summary of what has been done on each of the facilities visited.
(learned all this from Leo Quinn, the European Audit team manager)
Didier
|
84.3 | Just money? No sweat. | MLOKAI::MACK | Ralph | Sun Feb 16 1986 11:58 | 43 |
| As long as it's money they're looking at, I feel pretty comfortable
about it. (Never touch the stuff. :-) ) Money that goes into excess
expense vouchers could be going into something useful, like funding
software development.
I was thinking of the "games purge" that went on a few months back,
when security was rumored to pass through the systems at midnight like
the angel of death, firing people wherever unlicensed software was
discovered. I had gotten my system up by copying a system pack from
another group in the building, and never bothered to clean anything
much up unless disk space got tight, which it wasn't at the time.
When the "purge" was rumored to be sweeping through the company,
rather than try to figure out if any game was a Trojan horse or
unlicensed software, I just deleted the whole area lock, stock,
and barrel.
Also, at the time, someone suggested that I was personally responsible
for what my users had in their areas. About the same time, a system
manager at another site was reprimanded for reading files in a user's
area looking for W:R files with passwords in them. There was (and is)
a lot of confusion and ambivalence about software security and
software privacy.
I would probably classify myself as a "minimal" system manager.
As a system manager, I just keep the beggar running, update the
software versions as they become available, and remind people when
the disk is getting a little over-full. I spend the other 28 days
of the month developing software and fielding questions.
I have been concerned that these midnight systems examinations would
become routine. I don't know of any breaches of security on my system,
but every time I hear a rumor of that kind of stuff, I get the same
feeling as when I slip my income tax form in the mail ... you never
can tell.
Also, it is hard to get users real excited about software security.
But that is a whole new topic. Should I place it here, or in the
security conference?
Ralph
P.S. Actually, all of this probably belongs in the Security conference, huh?
|
84.4 | It's not just money | SWORD::WELLS | Phil Wells | Mon Feb 17 1986 21:13 | 5 |
| Although their primary purpose is to "audit" cost centers, businesses,
etc. for common accepted practices, they also do "systems audits".
CT has been working with Internal Audit to come up with some procedures
that they can use when conducting a normal audit. One of the
procedures appears to be the presence (or lack thereof) of SECURPAK.
|
84.5 | | TLE::WINALSKI | Paul S. Winalski | Fri Feb 21 1986 23:52 | 4 |
| SECURPAK, eh? Boy, are they going to have fun when they get around to
systems auditing in Engineering.
--PSW
|
84.6 | What Auditing Is | NY1MM::SWEENEY | Pat Sweeney | Sat Mar 01 1986 20:45 | 13 |
| Accounting is the system of recording and reporting financial
transactions.
Auditing is the examination of accounting records in order to determine
their accuracy and consistency.
Internal auditors are employees of the corporation who facilitate the
examination by independent auditors who are retained by the shareholders (i.e.
the owners). The shareholders' independent auditors are Coopers
and Lybrand.
Now, will somebody explain to me what this note is about before
I offer an opinion.
|
84.7 | A guess?? | PAUPER::GETTYS | Bob Gettys N1BRM | Sat Mar 01 1986 21:59 | 8 |
| Sometimes audits have NO relationship to the financial
workings of a group. Sometimes they are aimed at looking at what
each person in a group does compared to what is needed, and even
what a group is doing in a larger context. I have heard these
"investigations" called audits.
/s/ Bob
|
84.8 | re: 84.6 | PRSIS3::DTL | Paris, France | Sun Mar 02 1986 05:07 | 5 |
| The root note is intended to collect opinion on audit in general,
and on any experience the readers of this file may have had about
auditing within DEC.
Didier
|
84.9 | Audit your dictionary, please | NY1MM::SWEENEY | Pat Sweeney | Mon Mar 03 1986 17:13 | 7 |
| The root note is intended to collect opinion on something that isn't
auditing. Maybe it's investigation, maybe it isn't. Could someone
who has a clue tell me what it's all about.
Could it be tI'm on the same side of every dictionaryof the English
language on the meaning of the word audit and some in Digital are
adding a new meaning to the word?
|
84.10 | some definitions | PRSIS3::DTL | Paris, France | Tue Mar 04 1986 02:58 | 19 |
| (seems your note got corrupted, Paul)
HACHETTE-COLLINS English/French dictionary
------------------------------------------
AUDIT : accounting verification
The DIGITAL DICTIONARY (v2)
---------------------------
AUDITING : VAX/VMS
The act of noting the occurrences of an event that has security
implications
DTL
---
AUDITS : people who are mandated by the Corporate Board of Directors
to do financial & administration verification and electronic
data processing security check among all Digital facilities.
other definitions anyone?
|
84.11 | Internal Audit vs. Audit | ULTRA::ELLIS | David Ellis | Tue Mar 04 1986 11:43 | 6 |
| I've heard a definition of _Internal_ auditing that is much
more comprehensive than the areas discussed so far.
According to this definition, internal auditing in a corporation
is the independent investigation of any or all aspects of the
company's operations, not just accounting or financial.
|
84.12 | From the textbooks... | MTV::KLEINBERGER | Gale Kleinberger | Fri Mar 07 1986 18:00 | 30 |
| Maybe I can help clear up some confusion...
The following comes from two books; I knew they would come in handy
someday!
From ACCOUNTING PRINCIPLES (Fess/Niswonger):
AUDITING is a field of activity involving an independent review of the
accounting records. In conducting an audit, public accountants examine the
records supporting the financial reports of an enterprise and express an
opinion regarding their fairness and reliability. An essential element of
"fairness and reliability" is adherence to generally accepted accounting
principles. In addition to retaining public accountants for a periodic audit,
many corporations employ their own permanent staff of INTERNAL AUDITORS.
Their principal responsibility is to determine to what extent, if any, the
various operating divisions are deviating from the policies and procedures
prescribed by management.
And from INTRODUCTION TO MANAGEMENT ACCOUNTING (Charles Horngren):
An AUDIT is an "examination" or in-depth inspection that is made in
accordance with generally accepted auditing standards (which have been
developed primarily by the American Institute of Certified Public
Accountants).
Hope this might help clear up some of the terms...
GLK
|
84.13 | | TLE::WINALSKI | Paul S. Winalski | Fri Mar 07 1986 18:20 | 8 |
| At one time, internal site auditors only concerned themselves with the
financial records. There has been a trend lately to examine computer
operations, particularly security, as well. Thus the new term 'Computer
Security Audit' to describe the process of examining the security of a
computer installation. I think this is the kind of audit that Didier
is talking about.
--PSW
|
84.14 | | NY1MM::SWEENEY | Pat Sweeney | Fri Mar 07 1986 23:23 | 16 |
| That's my problem with this novel use of "audit".
What an auditor does is well-defined. How one audits and what an
auditor produces is done according to professional standards by
accredited people for the task of the examination of financial records.
A 'computer security audit' is, perhaps, an examination of the
locks on a computer room door, and making sure that it's not too
easy to hack the system. This is a necessary task but no standards
for who or what this entails exist, or why it can't be done by the
local responsible manager with appropriate training.
Calling such people 'auditors' blurs the distinction of what auditing
has been since the advent of bookkeeping. Audits are performed on
behalf of the owners (i.e. shareholders) as a check on the management
of a corporation.
|
84.15 | clarifications | PRSIS3::DTL | Paris, France | Sat Mar 08 1986 06:41 | 15 |
| re: all
o thanks for the help provided to clarify the concept
o I was talking about both jobs, accounting and EDP auditing, since
Leo Quinn, the European Audit Team mgr, just included a computer
sciences engineer in his team to deal with EDP auditing.
o Pat, there are European standards on EDP rules (see
PRSIS3::SECURITY_INFORMATION for more, including the data center check
list I posted there, or in HUMAN::SECURITY_POLICY; I don't remember)
Corporate Security is currently working with us on these policies to
prepare a Digital Corporate document on security (physical and sw)
Didier
|
84.16 | Security audits are a fact of life for some. | ENGGSG::GROLLMAN | GSG Systems Engineering | Sat Mar 08 1986 23:00 | 11 |
| D. You might want to have the folks formulating security policy take a look at
the CSEC (Computer Security Evaluation Center's Orange Book). It deals with
system security from a model of threats, audit, and levels of resistance to
penetration.
Digital's VMS V4.2 is in evaluation against the C2 level. There are numerous
other places that security is being discussed. For an address of how to get the
book, steer folks to Tom (MKTGSG::) Bailey. He is our security marketing manager
(or some such title like that).
Regards, Ira Grollman (GSG Systems Engineering)
|
84.17 | re: 84.16 | PRSIS3::DTL | Paris, France | Sun Mar 09 1986 10:49 | 3 |
| Thanks. I will get in touch with Tom.
Didier
|
84.18 | | TLE::WINALSKI | Paul S. Winalski | Sun Mar 09 1986 15:07 | 10 |
| RE: .14
1) This use of 'audit' is hardly novel. It's been industry-wide for at least
10 years. It may be new to Digital, but that's just because DEC has taken
so long to get its MIS act together.
2) In many companies, the same team that does the financial record audit
also does the security audit. This is true at IBM, for example.
--PSW
|