Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Comment: There are two types of SSAE16 audits (Score 1) 84

by fleetwood (#38768070) Attached to: Do Data Center Audits Mean Anything?

In a Type 1 audit, all the auditors look for is whether the company has policies/procedures/controls in effect to obtain the objectives of the company (whatever those may be)

In a Type 2 audit, the auditors will attempt to determine whether the policies and procedures in place are being followed. Whether the controls are effective in achieving the objectives that have been stated.

I work for a software company that recently went through a Type 2 audit. In our case most of what was looked at was our SDLC (software development life cycle) process, version control, etc. They went through our work ticket system & spent a week following more than a few tickets through the entire process: code check out, work produced, QA testing, user testing, peer review, code check in. They spent several weeks over a three month period driving our internal audit & software staff nuts.

Does it mean anything? From our point of view, yes. But, not only does the audit depend on the quality of the auditors, but on the quality & detail of those process & procedure documents that they are auditing.

"A child is a person who can't understand why someone would give away a perfectly good kitten." -- Doug Larson