undefined | Better HN

0 pointsKingOfCoders2y ago0 comments

Yes I know they did ask.

As the responsible manager for IT (usually CTO - internal SOX was a different matter) I have been "asked" by EY (and KPMG) about IT setups and security several times for audits. And I could have told them whatever I like, the people were right out of university with no clue about the matter and in no position to ask the right questions except reading their checklist; I always had the impression they only knew half the words they were reading.

0 comments

15 comments · 3 top-level

consp2y ago· 6 in thread

KPMG asked me once: "Can you show it's actually encrypted?"

Do you have any programming skills? ... No? Then no. Then they started blabbing about what the data could be and it basically came down on them not understanding what random is and they then just checked it off and went on. Since then I do not believe any audit which come from those paper farms.

Aloisius2y ago

> Can you show it's actually encrypted?

When someone asks a question like this, they're not literally asking you to show them it.

They just want an expert to confirm it they could show it, so they can check off their box for due diligence.

Congratulations. You were the expert.

influx2y ago

I would frame it more like this:

"Can you show it's actually encrypted?"

Yes, we ensure that the data is only available via TLS foo.bar with encryption algorithm baz, which is on the approved list. We have monitoring and logging that ensure that we receive an alert if the port the app is on is not encrypted, and if you'd like we can dump the traffic to show you that there is no clear text available.

Further, only users on the approved admin list can make a change or deploy to production, or login to the server as root. Moreover, we do a background check on employment for all users who have admin access, and all deployments and code changes require at least one other employee to approve them, and we log who they were, and what the change was.

1 more reply

wolfi12y ago

I once saw the acronym translated as "Keiner prüft mehr genau" (No one does checking accurately any more)

summarity2y ago

Also “Kinder prüfen meine Gesellschaft”

1 more reply

namibj2y ago

Double-meaning: s/mehr genau/genauer/

Though that reading is a bit weird, it's practical enough to tickle the funny.

cryptonector2y ago

I've had fun trying to educate auditors, though this was a long time ago and several jobs back. In short: I couldn't educate the auditor.

19h2y ago· 4 in thread

Did you remove Wirecard from your LinkedIn?

Sebguer2y ago

Are you thinking their post is indicating that they were part of the Wirecard audits? They're saying they've undergone similar audits.

Beijinger2y ago

No, since I did not work for Wirecard. But my resume is so bad, I wish I had Wirecard on it.

alsetmusic2y ago

> Did you remove Wirecard from your LinkedIn?

[Not the person you replied to.]

Did the person you replied to work for LinkedIn? What's the context for this question?

19h2y ago

I was just curious and visited the LinkedIn profile that's linked to from the ctone.ws website (in KingOfCoders's profile) and was wondering why Wirecard was omitted.

2 more replies

namdnay2y ago· 2 in thread

I think the role of an auditor is to make sure all the right questions have been asked and record who answered and what they answered. Asking them to be guarantors of truth is maybe putting a bit too much faith in a non-judicial investigation

lukan2y ago

"Asking them to be guarantors of truth is maybe putting a bit too much faith in a non-judicial investigation"

But them knowing what they are checking, is maybe a reasonable ask?

JoBrad2y ago

That almost seems like they would need to be active in the relevant field they are auditing. I’m not sure if the auditor role pays enough to hire people from all of the various fields that have to be audited.

1 more reply

j / k navigate · click thread line to collapse

0 comments

15 comments · 3 top-level

consp2y ago· 6 in thread

KPMG asked me once: "Can you show it's actually encrypted?"

Aloisius2y ago

> Can you show it's actually encrypted?

When someone asks a question like this, they're not literally asking you to show them it.

They just want an expert to confirm it they could show it, so they can check off their box for due diligence.

Congratulations. You were the expert.

influx2y ago

I would frame it more like this:

"Can you show it's actually encrypted?"

1 more reply

wolfi12y ago

I once saw the acronym translated as "Keiner prüft mehr genau" (No one does checking accurately any more)

summarity2y ago

Also “Kinder prüfen meine Gesellschaft”

1 more reply

namibj2y ago

Double-meaning: s/mehr genau/genauer/

Though that reading is a bit weird, it's practical enough to tickle the funny.

cryptonector2y ago

I've had fun trying to educate auditors, though this was a long time ago and several jobs back. In short: I couldn't educate the auditor.

19h2y ago· 4 in thread

Did you remove Wirecard from your LinkedIn?

Sebguer2y ago

Are you thinking their post is indicating that they were part of the Wirecard audits? They're saying they've undergone similar audits.

Beijinger2y ago

No, since I did not work for Wirecard. But my resume is so bad, I wish I had Wirecard on it.

alsetmusic2y ago

> Did you remove Wirecard from your LinkedIn?

[Not the person you replied to.]

Did the person you replied to work for LinkedIn? What's the context for this question?

19h2y ago

I was just curious and visited the LinkedIn profile that's linked to from the ctone.ws website (in KingOfCoders's profile) and was wondering why Wirecard was omitted.

2 more replies

namdnay2y ago· 2 in thread

lukan2y ago

"Asking them to be guarantors of truth is maybe putting a bit too much faith in a non-judicial investigation"

But them knowing what they are checking, is maybe a reasonable ask?

JoBrad2y ago

1 more reply

j / k navigate · click thread line to collapse