Re: audit response

On Tue, 29 Jul 2003 20:30:03 +0100, Paul Brewer <paul_at_paul.brewers.org.uk> wrote:

> "Quarkman" <quarkman_at_myrealbox.com> wrote in message
> news:oprsvw9bw0r9lm4d_at_haydn...

>>
> I completely agree with Brian. Anyway, what is the point of trying to
> restrict what the DBA can do in the database, (with the oracle unix
> account)
> when the Unix Admins who have root anyway, can do whatever they like?
>
> In descending order of importance, you have to trust:
>
> 1) The authorised cheque signatories
> 2) Anyone who has access to the company letterhead stationery
> 3) The security guard who has the key to the server room
> 4) The sysadmin who has root password
> 5) The DBA.
>
> Regards,
> Paul

See elsewhere in the thread. "Trust" doesn't mean resigning yourself to the fact that people can "do whatever they like". Because they can't (or shouldn't). The company has rules and procedures, and they have to be followed.

The authorised cheque signatories have to co-sign cheques. The bank account has to be reconciled. The auditors have to be appeased.

Sure, they might collude, scan & re-touch the bank statements, and bribe the auditors.

But that's why signatories have cheque-signing limits, why managers sign off on bank account reconciliations, and why auditors should not be hired as consultants, and why they should be rotated every 3 years even so.

ISO-9001 isn't just a whole lot of hoolacky, you know.

~QM Received on Wed Jul 30 2003 - 15:01:54 CDT