Shostack + Friends Blog Archive


U.S. versus E.U. Audits

Speaking of the differences between how security gets managed in the U.S. versus the E.U., CSO magazine has a light-hearted and somewhat irreverent article on the differing goals and priorities of audits on either side of the Atlantic. In spite of its tone, it does highlight some important issues to keep in mind. In particular:

But it also illustrated a fundamental difference in the way audits are conducted on both continents. In the United States, audits are about ensuring that sufficient controls are in place to mitigate risks. Thus, the audit findings tend to emphasize lapses in application and network security. In Europe, audits tend to focus on following a predefined process, being transparent in the actions taken, precisely defining policies and procedures, and adhering to international standards.

I’d love to see a much deeper analysis of managing compliance in the U.S. versus the E.U. from someone who has a lot experience working in both domains. Does this already exist? Or are folks interested in collaborating on writing something like this?

3 comments on "U.S. versus E.U. Audits"

  • Iang says:

    I second that!

  • wpn says:

    I’ve been audited on both sides of the pond, but that was way before SOX et al. came out. But the article really sounds depressingly true to form. 🙂
    Which is the whole key: the Europeans care almost exclusively about form, process, and conformity; the Americans feel put out if they have to follow any rules that impinge on their sovereign right to make things up as they go along. 😉

  • A lot depends on ones assumptions I suppose.
    If you take the view that audits have to exist but they are worthless, and/or that auditors don’t have any special lock on knowledge, then the European view is better as it is important to corral them and limit their damage. In the alternate, audits and audtiors are obviously subject to agenda capture, which one wants to minimise for the public good.
    Alternatively, if you take the view that auditors know what they are doing, audits add a valuable service, and these things are better off left at the discretion of the auditor, then the American view is better.
    I’ve historically championed the former approach, and have developed the techniques to reduce or eliminate the utility of formal audit processes (I call this Open Governance) at least in the field of value issuance. This year I’ve been doing some actual audit work, and this has tended to confirm my impression that audits are only valuable and reliable to the extent that they are done openly and verifiably.

Comments are closed.