[comp.software-eng] Programming Licensing?

charlesyouman@MWUNIX.MITRE.ORG (10/24/89)

In Vol 6, No 66 of Soft-Eng, Lee Sailer writes:

  I can imagine a fairly acceptable Computer System Auditing industry.
  Pay big bucks to a small cadre of the best people, who work hard to keep
  up on new technologies.  These guys would be bonded, and probably
  certified by a professional organization including reps from
  Universities and Industry, Gov't, etc.  They would work much as auditors
  do.  They would come into *your* organization, try to build a list of
  all computer systems, select a few hundred of them at random, and then
  spend several weeks perusing them til they felt confident that they
  understood them.  Their work wouldn't be finished til *you* were
  confident, too.

  Then, they'd report whether they believed that your systems were in
  great shape, pathetic, or whatever.  Your shareholders, owners, and
  customers would know more than they know today, and life would be
  beautiful.

The industry he imagines currently exists.  The EDP Auditors Association
has a Certified Information Systems Auditor (CISA) program.  It was
started in 1978 and over 9,000 individuals have been awarded the CISA
designation.  In part because they are awarded the CISA designation by an
association rather than by a state board (as in the case of
accountants), these people tend to be internal auditors (i.e., they are
employed by the company whose work they review) rather than external
auditors (i.e., such as a CPA firm).  The management consulting arms of
big CPA firms may also have personnel with the CISA designation.

The problem I see with the EDP auditing profession as it currently
exists is that it lags the leading edge of the state of practice.
Software engineering technology advances first have to filter down from
the researchers and into use by leading software engineering
practitioners before they will come to the attention of EDP auditors.
They then have to be disseminated to other EDP auditors.  The last time
I remember looking at EDP auditing textbooks, I noticed they still teach
EDP auditors about flowcharting.

Because EDP auditing grew out of the financial accounting field, they
are more commonly found around applications that are financial and
commercial.  My sense is that people who read this newsgroup don't
develop those types of applications.