Interesting bit of a quote

Anne & Lynn Wheeler lynn at garlic.com
Tue Jul 11 18:45:27 EDT 2006


dan at geer.org wrote:
> I can corroborate the quote in that much of SarbOx and
> other recent regs very nearly have a guilty unless proven
> innocent quality, that banks (especially) and others are
> called upon to prove a negative: X {could,did} not happen.
> California SB1386 roughly says the same thing: If you cannot
> prove that personal information was not spilled, then you
> have to act as if it was.  About twenty states have followed
> California's lead.  The surveillance requirements of both
> SEC-imposed regulation and NYSE self-regulation seem always
> to expand.  One of my (Verdasys) own customers failed a
> SarbOx audit (by a big four accounting firm) because it
> could not, in advance, *prove* that those who could change
> the software (sysadmins) were unable in any way to change
> the financial numbers and, in parallel, *prove* those who
> could change the financial numbers (CFO & reports) were
> unable to change the software environment.

my slightly different perspective is that audits in the past have 
somewhat been looking for inconsistencies from independent sources. this 
worked in the days of paper books from multiple different corporate 
sources. my claim with the current reliance on IT technology ... is that 
the audited information can all be generated from a single IT source ... 
invalidating any assumptions about audits being able to look for 
inconsistencies from independent sources. A reasonably intelligent 
hacker could make sure that all the information was consistent.

a counterexample is the IRS, where individual reported income is 
correlated with other sources of reported financial information. 
however, I don't know how that could possibly work in the current 
environment where the corporation being audited is responsible for 
paying the auditors (cross-checking information across multiple 
independent sources).

some past posts on the subject
http://www.garlic.com/~lynn/2006h.html#33
http://www.garlic.com/~lynn/2006i.html#1

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com