Unchecked outputs are not a control
In the IT world, lots of us write log entries as software works its way—or doesn’t—through its tasks. Structured logs are the new fad, but these have always existed, it’s just that today’s structured logs are “logs that are structured such that they are easier for computers to automatically check without the need for custom parsing because they are written in a standardized language that has available parsers”.
This is obviously too wordy to catch on, so we have “structured logs”.
IT thinking:
Logs and log trails are there to check when things go wrong.
Auditor thinking:
Unchecked logs are not a control. (Auditors think a lot about controls, which are things that either stop bad things, detect bad things, or fix bad things).
Why is this on my mind?
Well, one reason is that these days, I’m preparing for formal certification as an auditor, so it’s on my mind as a thing to practice.
But another reason is that I’m writing this note in advance of being admitted to the hospital for some brain imaging. I had a stroke not quite 18 months ago, and I was being monitored via MRI on a regular basis to see if a particular medical problem was still under control.
Except, like an unchecked log, the doctor—who I have now fired from my case—logged the results but didn’t check them. When you only get a new image every 6 months, it’s not very comforting to hear “oh, this might look bad, but it could just be an imaging problem; let’s wait and see”. Particularly when you’ve already gone blind from intracranial pressure and have on a somewhat regular basis spinal fluid leaking out your nose.
So, new doctor, this one more like an auditor than a programmer, and he wants to check the results. This requires a brain imaging study (radionuclide angiography of a dural arteriovenous fistula, for those who are interested for some reason).
After that, we’ll know better. Check the logs!
Exception handling should be tested
As careful, savvy readers will know, I’m blind. Not totally blind. I can see a computer screen, if not all at once, and can generally see enough to navigate in public, though I use a white cane to avoid tripping over things like bollards (curse them!) and falling due to unseen steps.
Because of this, I need accomodation for my auditing test. This should be a straightforward thing. I don’t see well. I want to use software to zoom text to about 4x of its typical size (200% in each direction). And yet, getting that permission has been (un?)surprisingly difficult. First, it was “pay us for the test and then we’ll decide whether to accomodate your needs”. Then, it was “you aren’t allowed to magnify text on your own computer, so you’ll need to come to a testing center.” Fine. I can do that. Now, it’s “Oh, you’ll need to call the United States during the middle of your night to arrange this. And then go to Osaka.”
Big sigh. Fine. But someone should really audit their processes in light of the fact that they operate in most countries in the world, nost just the US. Irony.