
The secret phrase of the auditor

Since my obligations to my former employer have not yet fully expired, the names of the parties have been changed. Here they are: the Company, the Auditor, the Rightholder.

A few years ago, in connection with entering the American market, the Company's strategists assessed the risks and concluded that the use of unlicensed software was absolutely unacceptable. The bulk of the software in use was produced by the Rightholder. The IT service was tasked with becoming "white and fluffy" (C) - the general director. The task was complicated by the fact that the IT service not only had to ensure the software was clean, but also had to obtain "all the pieces of paper" (C) - FF Transfiguration - from the Rightholder: a document such that no third-party inspection body could arbitrarily accuse the Company of non-compliance and the Company would not have to prove the opposite after the risks had already materialized.

After repeated meetings with the Rightholder at the highest level available to it (European and Russian management), the Company received two proposals:
  1. An audit of the installed software performed by the Rightholder's own staff and resources, free of charge for the Company, with an actual obligation to remove, purchase or lease the software after the audit, but without any papers confirming cleanliness;
  2. A paid audit performed by a Partner of the Rightholder, at the Company's expense, with the issuance of papers confirming the absence of any claims from the Rightholder for a specified period.

The cost of the audit amounted to a fairly large percentage of the annual cost of software rental, and its duration was 4 months.

Everything went quite smoothly: the software was either removed or paid for, the papers were received, and the directorate was satisfied.

After a few years of renting, IT management faced the task of purchasing the software for permanent use. The prospect of a repeat audit loomed. The new CIO, unfamiliar with the earlier negotiations, was surprised at the cost of the Rightholder's audit and decided to save money. An Auditor from the "Big Four" offered a price several times lower than the Rightholder's, claiming that the results of its audit would carry no less weight than the Rightholder's. And, of course, the topic of the "paperwork" was passed over as a minor detail. The free-audit option was not considered by the Rightholder itself.

The audit was rather rushed: the Auditor assigned a very small team ("what did you expect for such ridiculous money"), and the list of software to be bought out grew by many tens of percent (the team did not have time to understand the requirements and recorded everything they found, including unnecessary components). On top of that, the first line of the report we received contained an interesting phrase: "According to the information provided by the Customer, ……." It turned out that under risk-management standards, information obtained from the customer is treated as the least reliable. And, as an employee of the Rightholder explained in a private conversation, the presence of such phrases in the report automatically reduces the Auditor's responsibility to the Rightholder. In effect, it is a "Fas!" (sic 'em) command against anyone who presents such an audit opinion in the hope of avoiding claims or enjoying a presumption of innocence.

In addition, the audit overran its planned duration and left no time for the standard tender procedure for selecting a license supplier. As a result, delivery was made by the incumbent privileged supplier without any price reduction or improved payment terms.

The total economic damage exceeded the cost of the Rightholder's audit several times over and left the Company exposed to new risks.

Findings.

  1. When preparing for an audit, ask the auditors not to use phrases stating that any part of the information was obtained from you, and do not accept the results if such a phrase is present. Outside your organization, the value of an audit report containing such phrases tends to zero.
  2. If the Rightholder offers to audit the software with its own staff and resources, and you do not need papers certifying cleanliness, it is better to accept that audit than a third-party one. You will not be able to hide part of the software in that case, but at least the final specification will be more accurate and, most likely, smaller than what a third-party auditor would recommend.

Source: https://habr.com/ru/post/422155/
