Greg,
>We recently completed an audit for a financial institution. After we turned
>in our report we received word that the V.P. who commissioned the audit
>would like us to "tone down" the report. He apparently thinks that the audit
>was too harsh. I obviously have an opinion on this, but I would like to hear
>your thoughts on the subject.
What we do is, prior to handover, sit down with the people responsible
(including the VP in your case) and go through our findings. The idea behind
this is also to produce a prioritised 'follow-up' report with the people
responsible and the actions to be taken. This removes a lot of problems of the
kind that you are facing, as we can ensure that it will appear to the board
that the major problems will be acted upon immediately.
However, I would _never_ change the wording of an audit finding unless I
could be shown what I had missed that would make my finding unjustified. As
an auditor you need to be independent of the internal politics (I guess the
VP thinks that they will get something kicked if the report goes in as is).
They have no grounds to refuse to pay you unless they can prove that you
have been negligent in your duty - telling them the bad news is not
negligent. I recently put as my number one finding that senior management
were providing no support for security within the corp. The politics were
different though, and it was accepted with relish :}
Cheers,
Bret
Technical Incursion Countermeasures
consulting@bwa.net    http://www.ticm.com/
ph: (+61)(08) 9454 2487 (UTC+8 hrs)    fax: (+61)(08) 9454 6042
The Insider - an e-zine on computer security
http://www.ticm.com/about/insider.html