Previously on "Anyone here ever been audited ?"


  • Diver
    replied
    Questions to ask the auditors
    1. What internal controls are in place within your own organisation to prevent an employee passing commercially sensitive information over to our competitors?
    4. Are you aware of any forms of compensation or benefits received by your organization's auditors, directors, or key employees that were not specifically approved by your board of directors that may indicate collusion with one of our competitors?
    5. Are you aware of any inappropriate or undisclosed relationships between any of your company’s officers, directors, key employees?
    6. Are you aware of any relationships between any of your company's officers, directors, key employees involved with this audit that appear to be less than ethical?
    7. Are you aware of any relationships between any of your company's officers, directors, key employees involved with this audit and any employees of our competitors that appear to be less than ethical?
    8. Are there any individuals involved in the auditing process who wield excessive control or whose work is not subject to adequate review by another individual?
    9. How would you characterize the morale standards and professionalism of the auditing personnel and senior management of your organization?
    10. Overall, how would you rate your organization in terms of how well we are protected against fraud?
    11. What is the most important step we could take to further protect our organization against fraud?
    12. What controls are in place to prevent you from overbilling our organisation?

    Don't forget to inform them that their responses are being recorded for security reasons



  • nomadd
    replied
    Originally posted by EternalOptimist
    by KP MG , on development and release procedures

    I have a month to get prepared
    My entire project was audited by another large well-known management consultancy. The directors of the IB I was working for gave me 14 days to prepare. Came completely out of the blue.

    Anyway, I wrote a 30 page report on the system and all the checkpoints it had been subjected to in painstaking detail. Final page was a bit rough, as I was running out of time, just made it a simple bullet-list of items that would be covered in the future.

    Auditors came in for two days on-site and were a bit overwhelmed by the whole system, TBH. Gave them my report and they went away.

    A month later, IB's directors call me in to see an excellent report written by the Auditors, painstakingly detailed. You can guess the rest: It was my report verbatim, with the management consultancy's cover page attached to it. The buggers hadn't lifted a damn finger. I even pointed out the very rough nature of the last page, as I'd run out of time - the auditors had been too lazy to even clean that up. Utter piss-take of the highest order.

    The auditors charged the IB about £30k for their time. Nice work if I could get it.



  • vetran
    replied
    frequently, SOX once a year, BSI every so often.

    Agree with above posters if you have a process and you can prove you follow it and more importantly you didn't create it then YOU are ok.

    Quite likely they are after consult hours so keep schtum about any variations or improvements you would like to make.

    Don't volunteer anything except to throw them off the scent if they sniff something bad.



  • SupremeSpod
    replied
    Originally posted by EternalOptimist
    thanks folks

    I am working for a sw house as lead dev, and it's them that are being audited by a big client, using external auditors.
    I am following the sw house process and procedures, which may or may not satisfy the audit

    will they be looking at documentation, or the apps ? or both
    code review ? versioning, data takeup

    what level of detail?



    In that case mate, you're sorted!



  • EternalOptimist
    replied
    thanks folks

    I am working for a sw house as lead dev, and it's them that are being audited by a big client, using external auditors.
    I am following the sw house process and procedures, which may or may not satisfy the audit

    will they be looking at documentation, or the apps ? or both
    code review ? versioning, data takeup

    what level of detail?





  • MarillionFan
    replied
    Originally posted by SupremeSpod
    Oi Fatso, it's "hanged".
    You may be hanging, but I'm definitely hung.



  • SupremeSpod
    replied
    Originally posted by MarillionFan
    No EO? I hope he's OK? Another ex-colleague hung himself in the wardrobe with an orange in his mouth when he'd heard he was being audited.
    Oi Fatso, it's "hanged".



  • MarillionFan
    replied
    No EO? I hope he's OK? Another ex-colleague hung himself in the wardrobe with an orange in his mouth when he'd heard he was being audited.



  • alluvial
    replied
    I had to explain the reconciliation process and associated jobs for a load of finance feeds to a pretty young auditor once.
    Everything went well, I took her through all the different steps and explained all the jobs and she left satisfied that all was as it should be.
    As she left the office, I asked my boss "Do you think I should have told her about the job that checks the files and adds in a transaction if it doesn't balance?" He looked troubled for a bit, "Best not" he replied.



  • Alf W
    replied
    Originally posted by EternalOptimist
    by KP MG , on development and release procedures

    I have a month to get prepared
    They'll come in, rubbish however you are doing it and then use this to try and sell some of their own people in to do it 'properly' and 'professionally'. I would put money on it. I bet they will even throw in the audit activity for free as part of the overall pitch.



  • AtW
    replied
    I regularly get audited.

    HTH

    Tom C. (former fighter pilot).



  • northernladuk
    replied
    Originally posted by NotAllThere
    Before the audit
    Go through all your procedures and make sure they're not missing anything
    Make sure that the written procedures and what actually is done are the same - or at least there's no evidence of violation
    Find any violations of procedures and fix them (or bury them under the patio)
    If there are any explainable anomalies - record the explanation and keep it to hand.

    During the audit
    Never volunteer information.
    If asked questions that you cannot answer immediately, tell them you'll get back to them on it.
    If a question needs some investigation, do it when they're not in the room.

    After the audit
    Go through the findings and challenge where necessary.
    Post Audit
    Don't bend down for the soap.

    HTH



  • doodab
    replied
    Originally posted by EternalOptimist
    by KP MG , on development and release procedures

    I have a month to find a new contract
    You know it makes sense



  • Lockhouse
    replied
    Not All There is correct. If there is one bit of advice that you MUST stick to it's:

    Never, ever, ever volunteer information.



  • amcdonald
    replied
    Originally posted by Scoobos
    yes, don't sweat it - most of them are clueless and following a prescriptive outdated mandate IMO.

    Do your research on what they are there to audit and what they will be looking for - but in my experience of audits from KPMG (on release management and security) they'll always find something to mark as "needs improvement" ; otherwise they aren't selling their auditing services as having any value.

    Cards on the table, I HATE AUDITORS ...... It's easy to tell people how to do things "by the book" and properly, when you have no real life implementation skills of doing it at all.
    External auditors, been there and really it was that bad. It was a scam and glad I moved into IT

    Internal auditors can be useful though

    When I did it I warned of lax security that could lead to fraud, and when someone was found to be defrauding the organisation was tried to be implicated as a whistle blower

    I managed it when I was younger, and found a lot of business processes that were outdated and/or pointless

    Now I'd be too cynical to do it, but then I genuinely thought I was helping the organisation

