undefined | Better HN

0 pointsvasco2mo ago0 comments

It's auditing, nobody that is good at doing anything goes to auditing, unfortunately its one of those jobs. I haven't interacted with any auditor that actually understood all they were auditing, some are better than others but the average is worse than almost any other job description I have dealt with.

0 comments

15 comments · 3 top-level

arianvanp2mo ago· 6 in thread

If you care about this stuff you need to in-house auditing and do your own audits with people who care. Then get certified by an external auditor for the paper.

You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.

But the important part is you, as a company, should inherently care.

If you rely on an auditor feedback loop to get compliant you've already lost.

disgruntledphd22mo ago

This function exists in every publicly traded public company, and is called internal audit.

It has the potential to be incredibly impactful, but often devolves into box ticking (like many compliance functions).

And it's really hard to find technical people to do the work, as it's generally perceived as a cost centre so tends not to get budget.

ownagefool2mo ago

Nobody really tries to get technical people to do the work.

Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.

There's very little ability to fix a large public company when HR is involved

2 more replies

Koffiepoeder2mo ago

To be honest, I would even go further: if you think certification equals security, you are even more lost.

So many controls are dubious, sometimes even actively harmful for some set-ups/situations.

And even moreso, it's also perfectly feasible to pass the gates with a burning pile of trash.

jacquesm2mo ago

And they do not track the industry at all, at best they'll help you win the war of five years ago.

1 more reply

PunchyHamster2mo ago

But companies don't care. They don't want compliance for feel goods, they want compliance because their partners require it. They do the minimum amount required to check the box

Aurornis2mo ago

Caring about security and comparing about some of the arbitrary hoops you have to jump through for some of these compliance regimes don’t always overlap as much as you’d expect.

I’ve been at companies where we cared deeply about security, but certain compliance things felt like gimmicks on the side. We absolutely wanted to to do the minimum required to check that box so we could get back to the real work.

bob10292mo ago· 4 in thread

You should check out the banking industry sometime if you'd like to interact with a competent auditor.

Compliance gets taken quite seriously in an industry where one of your principal regulatory bodies has the power to unilaterally absorb your business and defenestrate your entire leadership team in the middle of the night.

jacquesm2mo ago

They could. But they don't.

I've seen this up close. The regulatory bodies as a rule are understaffed, overworked and underpaid. I'm sure they'd love to do a much better job but the reality is that there are just too many ways to give them busywork allowing the real crap to go unnoticed until it is (much) too late.

close042mo ago

Because they’re put there as a box ticking exercise without ever being given the power or resources to be able to do damage or negatively impact the bottom line of the big rule breakers. It’s just supposed to maintain the appearance of doing something without ever supporting these activities for real. For the most part they are a true Potemkin village. If the risk is diffuse (just some average Joe suckers will lose money) I wouldn’t hold my breath that anyone is controlling for real.

1 more reply

soc2fraud2mo ago

Usually on a Friday night. If you see a bunch of rental cars hanging out near a bank HQ on a Friday afternoon, get all your money out before the doors close. FDIC is about to wreck shop.

maxbond2mo ago

They do it on a Friday so they can work through the weekend and reopen the bank on Monday as a branch of a different bank which is solvent, so I wouldn't worry too much. I'd be more worried about putting my money in a fintech not regulated by FDIC or NCUA (though many contract with a "real" bank so that your money is still protected).

1 more reply

TheOtherHobbes2mo ago· 2 in thread

The industry is paid to provide a fig leaf for shady practices. Everyone knows what's going on, no one is going to do anything about it unless governments step in and give regulators more resources and more teeth, and "errors" lead to prosecutions and jail time.

None of those are likely.

This is the industry that missed Enron, WorldCom, Wirecard, Lehman, and many others.

jacquesm2mo ago

> Wirecard

Don't get me started. That hasn't even properly ended yet, the fall-out is continuing to today.

noir_lord2mo ago

I suspect many AI startups will be on that list in 2-5 years.

j / k navigate · click thread line to collapse

0 comments

15 comments · 3 top-level

arianvanp2mo ago· 6 in thread

If you care about this stuff you need to in-house auditing and do your own audits with people who care. Then get certified by an external auditor for the paper.

You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.

But the important part is you, as a company, should inherently care.

If you rely on an auditor feedback loop to get compliant you've already lost.

disgruntledphd22mo ago

This function exists in every publicly traded public company, and is called internal audit.

It has the potential to be incredibly impactful, but often devolves into box ticking (like many compliance functions).

And it's really hard to find technical people to do the work, as it's generally perceived as a cost centre so tends not to get budget.

ownagefool2mo ago

Nobody really tries to get technical people to do the work.

Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.

There's very little ability to fix a large public company when HR is involved

2 more replies

Koffiepoeder2mo ago

To be honest, I would even go further: if you think certification equals security, you are even more lost.

So many controls are dubious, sometimes even actively harmful for some set-ups/situations.

And even moreso, it's also perfectly feasible to pass the gates with a burning pile of trash.

jacquesm2mo ago

And they do not track the industry at all, at best they'll help you win the war of five years ago.

1 more reply

PunchyHamster2mo ago

But companies don't care. They don't want compliance for feel goods, they want compliance because their partners require it. They do the minimum amount required to check the box

Aurornis2mo ago

Caring about security and comparing about some of the arbitrary hoops you have to jump through for some of these compliance regimes don’t always overlap as much as you’d expect.

bob10292mo ago· 4 in thread

You should check out the banking industry sometime if you'd like to interact with a competent auditor.

jacquesm2mo ago

They could. But they don't.

close042mo ago

1 more reply

soc2fraud2mo ago

Usually on a Friday night. If you see a bunch of rental cars hanging out near a bank HQ on a Friday afternoon, get all your money out before the doors close. FDIC is about to wreck shop.

maxbond2mo ago

1 more reply

TheOtherHobbes2mo ago· 2 in thread

None of those are likely.

This is the industry that missed Enron, WorldCom, Wirecard, Lehman, and many others.

jacquesm2mo ago

> Wirecard

Don't get me started. That hasn't even properly ended yet, the fall-out is continuing to today.

noir_lord2mo ago

I suspect many AI startups will be on that list in 2-5 years.

j / k navigate · click thread line to collapse