Recently, I assisted our audit team in performing a technical audit on a publicly listed company in Malaysia. While the details of the audit are confidential, I would like to share my experience since this was the first time that I had done such an audit. Needless to say, it was quite interesting.
On our first visit, we got there early and I was promptly introduced to the director and development team as the newest member in our audit team. I said my greetings to everyone and took a seat in the centre of the meeting table since nobody else took it.
Water was then brought in by the tea lady. She brought in a number of glasses and two jugs of water. Unfortunately, we weren’t served the water and since I was rather thirsty, I got up and served everyone a glass of water. My audit team members remarked that I was really sweet in doing so – I was just doing it because the tea lady placed it all on the table and left.
Since this was my first exposure to this project, I asked for a quick briefing on the product that they had developed. Before this, I already knew their main objectives but I was still curious as to how they would go about achieving them. As they explained things to me, I began to probe their system and their understanding of the issues involved.
The development team was fairly nice to me and explained to me the things that I had difficulty understanding. For example, I couldn’t understand why they had chosen certain cryptographic ciphers and used them in a certain way, which resulted in reduced security. I let them dig their own grave.
In fact, the rest of my audit team remarked that I was extremely nice to them because I did not go on the attack. There was no need to come out guns blazing when they were doing such a good job of cornering themselves. During the product demo, I asked them to run the thing a certain way – and the thing crashed, which demonstrated a lack of robustness.
So, we were quite disappointed that it didn’t work. As the audit team, we try not to fail anyone and personally, I try my best to pass other people. So, we told them to fix things and to arrange for another session. We’ll give them another chance.
At our second meeting, I got to meet the CEO of the company, who decided that it was important enough to grace us with his presence. This time around, the tea lady brought in the water and, again, placed it on the table without serving it. However, the director got up and served me a cup of water instead.
The treatment this time was totally different. It was “Dr. Shawn” this and that from the development team, “Dr.” this and that from the director and “Doc” this and that from the CEO (it got shorter as we went up the hierarchy). However, as the CEO tried to drag some wool over our eyes with his charisma, I was forced to take out my pistols and shoot down some of his points.
In the end, they tried to do a proper demo but even that did not pass satisfactorily. I spoke to the development team and we were all in agreement that the system did not perform as it was supposed to. In fact, their external consultant and team lead privately told me that they would need another few months to finish the product.
After the poor showing, the CEO was visibly furious and started to bark at his people. Our audit team was quite sympathetic towards the development team because we knew that they were all going to kena after we left. It is sad, but they were not able to deliver what they promised to.
On a more personal note, I could appreciate the problem that they were trying to solve. In fact, I even told them that there was clear value in certain parts of their product. However, I do not have the confidence that they would be able to solve it since they failed to demonstrate sufficient technical competency. There was also sufficient inconsistency in their speech versus the actual product that they developed to further weaken my confidence.
Anyway, I have a couple more companies to audit after Raya and I am looking forward to more excitement!