The secret phrase of the auditor

Published on September 03, 2018


    Since my obligations to my former employer have not yet fully expired, the names of the parties have been changed. Here they are:
    Company, Auditor, Rightholder.

    A few years ago, in connection with entering the US market, the Company's strategists weighed the risks and found the use of unlicensed software absolutely unacceptable. The bulk of the software in use was produced by the Rightholder. The IT service was tasked with becoming "white and fluffy" (C) the General Director. The task was complicated by the fact that the IT service had not only to ensure the cleanliness of the software, but also to obtain from the Rightholder "the paper to end all papers" (C) F. Preobrazhensky: a document such that no third-party inspection body could casually accuse the Company of non-compliance, so that the Company would not have to prove the opposite while the risks were live.

    After repeated meetings with the Rightholder at the highest level available to us (its European and Russian representatives), we received two proposals:

    1. An audit of the installed software by the Rightholder's own staff and tools, free of charge for the Company, with an actual obligation to remove, purchase or lease the software after the audit, but without any clean-bill papers;
    2. A paid audit by the Rightholder's partners, at the Company's expense, with the issuance of papers confirming the absence of any claims by the Rightholder for a specified period.

    The audit cost a fairly large percentage of the annual software rental cost and took 4 months.

    Everything went quite smoothly, the software was removed or paid for, the papers were received, the directorate was satisfied.

    After a few years of renting, IT management faced the task of buying the software outright for permanent use. The prospect of a repeat audit loomed. The new CIO, unfamiliar with the history of the earlier negotiations, was surprised at the cost of the Rightholder's audit and decided to save money. An auditor from the "big four" offered a price several times lower than the Rightholder's, claiming that its audit results would carry no less weight than the Rightholder's. And, of course, the "paperwork" topic was passed over as a minor detail. The option of a free audit by the Rightholder itself was not considered.

    The audit was rather rushed, with a very small team from the Auditor ("what did you expect for such ridiculous money"), and the list of software to be purchased grew by many tens of percent (the team did not have time to understand the requirements and recorded everything they found, including unnecessary items). On top of that, the first line of the report we received was an interesting phrase: "According to the information provided by the Customer, ……". It turned out that under risk management standards, information from the Customer is the least reliable kind. And, as an employee of the Rightholder explained in a private conversation, the presence of such phrases in a report automatically reduces the Auditor's liability toward the Rightholder. In effect, this is a "Fas!" (attack!) command for those

    In addition, the audit overran its planned duration, which left no time for a standard tender procedure to choose a license supplier. As a result, the purchase was made from a preferred supplier without any price reduction or improved payment terms.

    The total economic damage exceeded the cost of the Rightholder's audit several times over and left the Company exposed to new risks.

    Conclusions.

    1. When preparing for an audit, ask the auditors not to use phrases about having received any part of the information from you, and do not accept the results if such a phrase is present. Outside your organization, the value of an audit report containing such phrases tends to zero.
    2. If the Rightholder offers to audit the software with its own staff and tools and you do not need clean-bill certificates, it is better to use that audit than a third-party one. Part of the software cannot be hidden in that case, but at least the final specification will be more accurate and, most likely, smaller than what a third-party auditor recommends.