
1895 points _l4jh | 3 comments
bogomipz ◴[] No.16729876[source]
>"And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would."

It's worth pointing out that KPMG was Wells Fargo's independent auditor while the bank recently committed fraud on a massive scale by creating more than a million fake deposit accounts and 560,000 credit card applications for customers without their knowledge or approval.[1]

Calling KPMG a "well-respected auditing firm" when they failed to detect over a million fake bank accounts is a joke. See:

https://www.reuters.com/article/wells-fargo-kpmg/lawmakers-q...

[1] https://www.warren.senate.gov/files/documents/2016-10-27_Ltr...

replies(10): >>16729897 #>>16730009 #>>16730105 #>>16730119 #>>16730193 #>>16730271 #>>16730746 #>>16730782 #>>16731153 #>>16731246 #
thenewwazoo ◴[] No.16729897[source]
Speaking as a former KPMG employee who did infosec, the financial audit and controls people are far removed from anyone with technical skill in this domain. It may be cold comfort, but these kinds of special purpose attestations may as well be done by a different company (insert BearingPoint joke here).
replies(1): >>16729991 #
bogomipz ◴[] No.16729991[source]
Right, that's why it's amusing to think we're supposed to believe that KPMG are going to audit a code base and logging infrastructure.
replies(1): >>16730234 #
ismail ◴[] No.16730234[source]
Agreed. Anecdotal but...

We have had to supply information to KPMG “IT Auditors” at a client due to some software we wrote.

In most cases the auditors are young grads who have never worked in an actual IT/software dev team. So they have a very naive view and never ask the right questions. If one wanted to hide something it would be super easy.

replies(1): >>16730446 #
sameyolo ◴[] No.16730446[source]
Audits provide reasonable assurance, not total. When auditors test access controls for a homegrown application for example, it is unreasonable to ask that a full code review is done to check 100% that checking the box next to Admin confers that, and that checking Read Only restricts it always. In my experiences performing these tests (as a young grad who had never worked on a software dev team), we would ask what the permissions were designed to provide and limit, and observe in the system that they did that. If a developer had programmed a backdoor that when you press A+B+3 and whisper into a microphone grants unlogged admin access, our test would miss that. But that's why we also test change controls and who has access to push to live, etc.

Edit - and to speak more to the topic at hand, there were plenty of people at the firm I worked with who absolutely had the technical expertise to perform such an in-depth audit. They are simply engaged when higher levels of assurance are required. What level of scrutiny should your auditors provide your bathroom time monitoring system?

replies(2): >>16730491 #>>16730737 #
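The access-control test sameyolo describes (ask what each role is designed to allow and deny, then observe that the system does that) can be written down as a small check, and it is instructive to see where it stops. The following is an added example, not code from the thread or from any auditing firm; the toy application, its roles and the undocumented `bulk_export` action are all constructed for the demo. The first function performs exactly the design-based test from the comment; the second goes one step further and enumerates every registered action so that anything the design never mentions surfaces as a finding instead of being silently missed.

```python
"""Permission-matrix audit check (added example, constructed application)."""
from dataclasses import dataclass, field


@dataclass
class App:
    """Toy application: each action maps to the set of roles allowed to call it."""
    actions: dict = field(default_factory=dict)

    def register(self, action: str, roles) -> None:
        self.actions[action] = set(roles)

    def attempt(self, role: str, action: str) -> bool:
        """Observe whether the system lets `role` perform `action`."""
        return role in self.actions.get(action, set())


# What the owners state the roles are designed to allow (constructed design doc).
DESIGN = {
    "admin":    {"view": True, "edit": True,  "delete": True},
    "readonly": {"view": True, "edit": False, "delete": False},
}


def audit_against_design(app: App, design: dict) -> list:
    """The test from the comment: for every documented (role, action) pair,
    observe the system and report where observed behaviour differs from design."""
    findings = []
    for role, expectations in design.items():
        for action, expected in expectations.items():
            observed = app.attempt(role, action)
            if observed != expected:
                findings.append((role, action, expected, observed))
    return findings


def find_undocumented_actions(app: App, design: dict) -> set:
    """Coverage check the design-based test lacks: enumerate everything the
    application registers and flag actions the design never mentions."""
    documented = {action for exp in design.values() for action in exp}
    return set(app.actions) - documented


def run_audit(app: App, design: dict) -> dict:
    """Combine both checks into one result an auditor could file."""
    return {
        "mismatches": audit_against_design(app, design),
        "undocumented": find_undocumented_actions(app, design),
    }


def build_sample_app() -> App:
    """Constructed app: matches the design exactly, plus one action nobody documented."""
    app = App()
    for action in ("view", "edit", "delete"):
        app.register(action, {r for r, exp in DESIGN.items() if exp[action]})
    # Constructed drift: an action absent from the design, reachable by read-only users.
    # The design-based test cannot see it because the design never asks about it.
    app.register("bulk_export", {"admin", "readonly"})
    return app


if __name__ == "__main__":
    print(run_audit(build_sample_app(), DESIGN))
```

On the sample application the design-based test returns no mismatches, which is the "reasonable assurance" the comment describes: every documented expectation holds. Only the enumeration step reports `bulk_export`, which is why a code-base or configuration audit needs an inventory of what actually exists, not just a walk through what the documentation says should exist.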
◴[] No.16730491[source]
fjsolwmv ◴[] No.16730737[source]
The audit checks your documented procedures, not your actual practices.