I had been meaning to write something on audits when this dropped into the email box from Bruce Schneier, late last year, which gave me the perfect opening:
How to Prevent Digital Snooping
What these three incidents illustrate is not that computerized databases are vulnerable to hacking -- we already knew that, and anyway the perpetrators all had legitimate access to the systems they used -- but how important audit is as a security measure.
Most security against crime comes from audit. Of course we use locks and alarms, but we don't wear bulletproof vests. The police provide for our safety by investigating crimes after the fact and prosecuting the guilty: that's audit.
Audit helps ensure that people don't abuse positions of trust. The cash register, for example, is basically an audit system. Cashiers have to handle the store's money. To ensure they don't skim from the till, the cash register keeps an audit trail of every transaction. The store owner can look at the register totals at the end of the day and make sure the amount of money in the register is the amount that should be there.
Bruce Schneier presents the positive, classical case for Auditing fairly well. Audits can help, especially operations that have never been audited, which receive what amounts to a serious kick in the behind.
But, switching from Schneier's "world without audit" context to the financial world, it is fairly clear that audit has limits. Here's a word on those limits: *Madoff*. A reasonable question would be: if audit can save us from bad stuff, why didn't it save us from Madoff? Some apparent or alleged facts from that case:
(Note, I wrote this about a month ago, and we probably know more now... hopefully I haven't missed something key. Anyway, journalistic standards being pretty low these days, onwards and upwards!)
All these claims, alleged or claimed or assumed or otherwise, have to give pause for thought.
What's truly scary about Madoff is that when you talk to people who were ripped off you think, there but for the grace of God goes me.
Professionals feel the same way.
This from the president of a fund of funds business: "Every time one of these frauds is discovered I get scared to death it could happen to us. We do lots of things to try to ensure it doesn't, such as checking and confirming auditors and auditor changes, using a private investigator to check on managers when we first invest and then having the PI annually update the file, trying to find references which are not on someone's reference list, etc." If big investors like these could be fooled, he said, anybody can be fooled.
Audits can help, and I do one myself. It helps, I claim, and I document some of the effects. Yet we clearly have problems; there are many flaws. For example, some will say that Madoff happened because it wasn't a big auditor:
"Clearly everyone believed that someone else had done the due diligence. And by relying on some small firm that Madoff employed rather than a big independent auditor was clearly a mistake," said one person who asked not to be identified because several clients lost money with Madoff and he was not permitted to speak publicly.
If you believe that, then I have an audited bridge to sell you. There is something more endemic and more core going on here, and the answer to this is likely not as trivial as "use a big 4 auditor." Indeed, we can knock that one on the head, comprehensively, with one single fearsome word: Enron. Followed by two more scary words: Arthur Andersen.
The world's oldest and most prestigious auditor collapsed because of the audit failure with Enron. But, for the real result in this, and what happened after those fearsome events, let's slice some more scary words off to another post.

Posted by iang at January 25, 2009 05:38 PM