I established in a series of posts that Audit is in a crisis (I, II, III, IV, V, VI). It didn't perform during the financial crisis, and even if it had, we wouldn't know it. Audit has entered a phase of life where it cannot deliver its brand-promise to the buying public, but the cost of the brand is delivered frequently in invoices to us, the buying public. Worse, the cost will go up and the relevance will go down; the machine they built ensures it.
What then do we do in the future? How do we live in a world of Audits without Control? How do we reclaim the control that works to our real needs?
As a user, as a (systems not financial) auditor, as a builder of systems, both financial and Internet, as an investor, as a financial player and as a party reading and relying on audits, I've come across only one person that will provide for your auditing needs. That person is:
In a maxim, it is this: if you the user cannot see it, it is worthless. To you.
It is not entirely true that Audit is worthless, per se, in absolute terms. Many checks and balances can help, and this is the spirit that the audit profession alludes to. These checks and balances are good; we call them governance. But the problem for you is, you can't tell from the outside whether these checks, this audit, are useful or useless. Whether they are coded positively or negatively, whether they are purchased or perverted.
And therefore, your only good strategy is to label an opaque process as useless.
Which leads to a first step: Let's call for an open audit process, not a closed audit process. We know that "open" works from the Internet world, and the claim of many is that "open" can work in many more scenarios than we believed. I emphasise this in a presentation on An Open Audit (which, to close the loop back to the first post of the Audit series, was immediately after Bruce Schneier's apropos talk on the psychology of security).
But, please note, openness is only a first and intermediate step: once we get across the brave step of opening up the entire process, we are inexorably drawn to the fact that if an audit is really open, then the user can do it, herself. An open audit is an audit over open data; if the data is open, she can also audit the data herself.
All of it, or most of it, as much as the user can handle. Which is to say, even my meager attempt at open audit is not going far enough; what you really want is to openly audit the entire system yourself. I as auditor might simply lay the guide posts for you to follow, and in future, you can follow them better than I can.
Say hello to open governance. Yes, this way means more work for the user. But, this is work we already proved we could do. The wider Internet musters thousands of communities of thousands and millions, and a few of those people -- call them the 1% -- are the self-appointed guardians of truth and justice within their communities. Open governance harnesses the vigilantes of Wall Street, the crypto-jihadists of the security world, the peer-to-peer rebels of the intellectual property world, all, as the leaders in a process of checking for everyone else.
What then is the part of the professional auditor? We already recognised over the past couple of years that the proper role of the security expert is to educate programmers and architects to employ more security techniques. Likewise, the proper role of the auditor may be to teach the mechanisms of open governance; rather than opine on their results themselves. To teach, rather than to measure. To lead, rather than to do. To participate, rather than bill.
How would this work? Well, here's one idea. I haven't implemented it, but I want to. Over at the audit I participated in, there is a set of criteria which have to be audited against. Some have green ticks, others have red crosses, signifying OK and not OK. Classical audit process would call for me to investigate all those criteria, find evidence of controls over the criteria, and report on each. That's a lot of work. A lot of billable hours.
Open governance would call for each individual of the body-public to do that instead; in tech terms, each criterion would become a blog post, with comments added by the public, including comments of reliance. In effect, mini-opinions. If you the member-public post that the criterion is good and covered, and you put your moniker on to that statement (which is easy to do because it is a CA and client-certs are its business), then that becomes reliable evidence. Once the set of criteria meets some watermark (say 95% green ticks), the audit is done.
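To make the mechanism concrete, here is an added example (my own sketch, not code from the original post or from the CA being audited) of the tallying step: criteria, signed mini-opinions from named members, one vote per member per criterion, and the 95% watermark. The member names, criteria labels and secret keys are constructed for illustration, and HMAC stands in for the client-certificate signatures the post describes so that the script runs on the Python standard library alone. The part a relying party cares about is that unsigned, forged or edited opinions are set aside and listed, rather than silently counted.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the CA's client-certificate registry (hypothetical):
# member name -> secret key. A real deployment would verify an X.509 client-cert
# signature instead; HMAC is used here only so the example runs on the standard library.
MEMBER_KEYS = {
    "alice": b"alice-secret-key",
    "bob": b"bob-secret-key",
    "carol": b"carol-secret-key",
}


@dataclass(frozen=True)
class Attestation:
    """One member's signed mini-opinion on one criterion."""
    criterion: str
    member: str
    verdict: str     # "green" (covered) or "red" (not covered)
    signature: str   # hex MAC over the canonical statement


def canonical(criterion: str, member: str, verdict: str) -> bytes:
    # Fixed field order so the signature binds all three values together.
    return f"{criterion}|{member}|{verdict}".encode()


def sign(criterion: str, member: str, verdict: str, key: bytes) -> Attestation:
    mac = hmac.new(key, canonical(criterion, member, verdict), hashlib.sha256).hexdigest()
    return Attestation(criterion, member, verdict, mac)


def verify(att: Attestation) -> bool:
    key = MEMBER_KEYS.get(att.member)
    if key is None:
        return False  # unknown identity: no cert on file, so no reliance
    expected = hmac.new(key, canonical(att.criterion, att.member, att.verdict),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.signature)


def tally(criteria, attestations, quorum=2):
    """Reduce attestations to one tick per criterion.

    A criterion earns a green tick when at least `quorum` distinct verified
    members say green and no verified member says red. Attestations that fail
    verification, name an unknown criterion, or carry a bad verdict are
    returned separately so the public can see what was discarded.
    """
    votes = {c: {} for c in criteria}
    rejected = []
    for att in attestations:
        if att.criterion not in votes or att.verdict not in ("green", "red") or not verify(att):
            rejected.append(att)
            continue
        votes[att.criterion][att.member] = att.verdict  # one vote per member per criterion
    status = {}
    for c, by_member in votes.items():
        greens = sum(1 for v in by_member.values() if v == "green")
        reds = sum(1 for v in by_member.values() if v == "red")
        status[c] = "green" if greens >= quorum and reds == 0 else "red"
    return status, rejected


def audit_complete(status, watermark_percent=95) -> bool:
    """The audit is done once the green share meets the watermark (integer math, no float rounding)."""
    greens = sum(1 for s in status.values() if s == "green")
    return greens * 100 >= watermark_percent * len(status)


def run_example():
    criteria = [f"C{n:02d}" for n in range(1, 21)]  # constructed: 20 criteria
    attestations = []
    for c in criteria:
        attestations.append(sign(c, "alice", "green", MEMBER_KEYS["alice"]))
        attestations.append(sign(c, "bob", "green", MEMBER_KEYS["bob"]))
    # carol found a gap in C07 and says so
    attestations.append(sign("C07", "carol", "red", MEMBER_KEYS["carol"]))
    # an opinion from an identity with no client cert on file
    attestations.append(sign("C07", "mallory", "green", b"made-up-key"))
    # a genuine signature whose verdict was edited after signing
    real = sign("C07", "carol", "red", MEMBER_KEYS["carol"])
    attestations.append(Attestation(real.criterion, real.member, "green", real.signature))
    status, rejected = tally(criteria, attestations)
    return status, rejected, audit_complete(status)


if __name__ == "__main__":
    status, rejected, done = run_example()
    for c, s in sorted(status.items()):
        print(c, s)
    print("rejected:", len(rejected), "audit complete:", done)
```

In the constructed run, C07 ends red because one verified member dissents, the two bad opinions are listed as rejected, and 19 of 20 green ticks meets the 95% watermark exactly. The quorum and the "any red blocks green" rule are design choices of this sketch, not something the post specifies.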
That's just one idea. I know a dozen or so others; but their essence is all the same. Instead of having one person look and attest, have our entire net community look, and share notes. Travelling long distances, checking technical things and making clear reports is now trivial with the net, with cryptography, with protocols, with communities. We no longer need the single trusted third party to do this, we have the trusted members, we have our own stakeholders, we have customers.
It may be that the evolution of open governance, an invention from the world of digital cash, has come just in time to save us. We'll see.

Posted by iang at December 28, 2009 11:30 PM