And so I popped it open for a read.
It was an announcement about how the FDIC and the Bank of England signed an agreement (they called it a Memorandum of Understanding or MOU) to cooperate with one another in the dissolution of cross-border institutions. Forgive a compliance geek his potentially misplaced enthusiasm, but I thought this to be a neat and somewhat intriguing bit of news. The biggest banks all operate on a global level and I know from first-hand experience that in many instances they do so not so much to tap into new markets but rather to exploit competitive and legal advantages (think Switzerland and their very favorable rules). One of the distinctive advantages of doing business this way is that what might go wrong in one marketplace is often insulated from the rest of their organization, thus reducing their risk; you may blow up one business unit but legally it doesn’t expose the remainder of the company. But regardless of the reasons, what this business model almost always creates is the overly complex monolithic banking monsters that have commonly been thought of as “too big to fail.”
This MOU is an important step towards doing something to simplify the global banking world. It potentially lays the groundwork for the oversight agencies that are often responsible for cleaning up the mess made by the banking giants to have wider authority to do what’s necessary to protect depositors (and tax payers) from absorbing the brunt of the blow. It also is the first salvo resulting from the recommendations of the Cross-border Bank Resolution Group (which operates as part of the Basel Committee) headed up by my favorite banking superstar, FDIC Chairman Sheila Bair. You might recall that she railed against the concept of “too big to fail” and as a result of her involvement with this group put herself in the position to do something about it.
I’m not sure how much further this sort of thing will extend itself, being a bit of a cynic when it comes to banking oversight on an international level. You see, back in 2008, I conducted a fairly exhaustive amount of research trying to identify the FDIC’s counterparts around the world and was amazed and dumbfounded based on what I didn’t find. Outside of the U.S. and UK there really wasn’t anything even close on a functional level. Sure there were some government agencies in place, but their role and powers weren’t anywhere close to what we have here. And I was all the more amazed that despite having the Euro currency in place and an organization to oversee its management there really wasn’t a related banking oversight group. When you think about Europe and how it’s laid out and how simple and obvious it would be for banks to operate across borders, you’d think they’d be among the first to coordinate efforts, but it simply wasn’t there. So what we have at this point is an important agreement between the two most mature and best-organized nations regarding banking oversight. But this one was relatively easy; what remains to be seen is how the rest of the civilized world addresses this issue.
I’m hopeful that, in light of the mess the global economy has been in due to mistakes made in the banking industry, the various governments will move to get on board quickly, but there’s little in the way of historical precedent to make anyone think that’s likely. Still, with Sheila Bair involved, you never know.
One of the key considerations in sorting through the irony that’s my place in this world is that I’m nothing like the auditors I used to deal with in my application development days on Wall Street. What I audit, how I examine related controls and activities and review supporting evidence is heavily biased by my first-hand knowledge of the IT infrastructure. I understand technology and how it’s used, and so when I’m conducting fieldwork, I’m able to see things from a blended perspective. Most of the auditors I dealt with understood audit way better than they understood technology and so they’d ask question after question, not really knowing if the answers made sense, only if they matched expected results. For me, if the answer doesn’t make sense or is the wrong one, I immediately switch gears and seek out compensating controls because they’re often there if you know where to look.
Audit is heavy on my mind this week because I’m in the process of wrapping up a report for a client about the exit meeting. It’s interesting how the names and faces change from engagement to engagement but the script rarely varies. You’d think it would get old or boring but curiously it never does. The client never likes to see anything negative in print and it usually sets off a flurry of activity from report issuance to the first review meeting. There are almost always a series of requests to move things around, change the way things are worded and occasionally to reevaluate ratings. And I can’t recall a single audit where additional evidence wasn’t submitted for review after the initial draft was distributed to offset findings – artifacts that often have that “new car” sort of smell. But that’s actually a good thing and I’ll explain why.
An auditor’s job is to find control gaps and weaknesses. I’ve often compared what we do to fishing: You cast your line, see what you can catch, and keep at it until you either fill up your basket or have exhausted all available time and resources. Sometimes the bounty is rich and sometimes not so much. But there are always things to catch (I’ve never been shut out yet), even in the very best managed IT shops. The payout for the auditor is to identify legitimate issues that resonate with the client. You want those who own the controls to understand what the issues are and take swift action to remediate. I know some auditors take offense to after-the-fact evidence being provided because they perceive it as though it’s implied that they missed something. Not me. When the client comes back quickly with viable solutions to make the findings go away, I consider that a bonus even if they didn’t exist a week earlier. That means that real risk is being further mitigated and managed, and that’s the only reason to ever conduct an audit, in my opinion.
The client I’m working with, as it turns out, has fast become a favorite of mine. They’ve made great strides over the past year or so in enhancing their security posture and have gone a very long way towards putting in place effective controls to protect themselves, which ultimately results in their better protecting their customers. They take this sort of thing very seriously and as such, they have earned my respect. So when they come back to me with newly available information to offset findings in the draft report I’m happy to factor that into my findings. I did my job, they did theirs and in the end, the world is a little more secure.
So I guess I’m a minority on a couple of fronts: I’m more than satisfied with my job and I’m an IT auditor who genuinely understands the technology infrastructure. So much for there being strength in numbers.