Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!ukma!tut.cis.ohio-state.edu!bloom-beacon!MWUNIX.MITRE.ORG!charlesyouman
From: charlesyouman@MWUNIX.MITRE.ORG
Newsgroups: comp.software-eng
Subject: Re: Programming Licensing?
Message-ID: <8910301824.AA17750@mwunix.mitre.org>
Date: 24 Oct 89 16:46:31 GMT
Sender: daemon@bloom-beacon.MIT.EDU
Organization: The Internet
Lines: 42

In Vol 6, No 66 of Soft-Eng, Lee Sailer writes:

> I can imagine a fairly acceptable Computer System Auditing industry. Pay big bucks to a small cadre of the best people, who work hard to keep up on new technologies. These guys would be bonded, and probably certified by a professional organization including reps from Universities and Industry, Gov't, etc.
>
> They would work much as auditors do. They would come into *your* organization, try to build a list of all computer systems, select a few hundred of them at random, and then spend several weeks perusing them til they felt confident that they understood them. Their work wouldn't be finished til *you* were confident, too. Then, they'd report whether they believed that your systems were in great shape, pathetic, or whatever. Your shareholders, owners, and customers would know more than they know today, and life would be beautiful.

The industry he imagines currently exists. The EDP Auditors Association has a Certified Information Systems Auditor (CISA) program. It was started in 1978 and over 9,000 individuals have been awarded the CISA designation. In part because they are awarded the CISA designation by an association rather than by a state board (as in the case of accountants), these people tend to be internal auditors (i.e., they are employed by the company whose work they review) rather than external auditors (i.e., such as a CPA firm). The management consulting arms of big CPA firms may also have personnel with the CISA designation.

The problem I see with the EDP auditing profession as it currently exists is that it lags the leading edge of the state of practice. Software engineering technology advances first have to filter down from the researchers and into use by leading software engineering practitioners before they will come to the attention of EDP auditors. They then have to be disseminated to other EDP auditors. The last time I remember looking at EDP auditing textbooks, I noticed they still teach EDP auditors about flowcharting.

Because EDP auditing grew out of the financial accounting field, they are more commonly found around applications that are financial and commercial. My sense is that people who read this newsgroup don't develop those types of applications.