fromJune 2015

Auditing, Ethics, and Drupal Sites

A Call For Standards

Photo of Irish Setter at Dog Show As web sites and applications have become more complex, the need for auditing – at multiple points in the lifecycle of a project – has become ever more important.

Before delivery, a web project can be audited to ensure the ability to meet business goals or compliance with regulations. After delivery, an audit can identify problems and propose remedies. In a possible merger or acquisition, an audit can help evaluate the project’s relative benefits and liabilities.

Website auditing has become similar to financial auditing (which is separate and distinct from accounting and financial activities). It is similar to the practices applied in auditing management systems (see “There’s a Module Standard for That” sidebar).

Website auditors must apply these four principles:

  • Judgment They must be able to choose the scope and granularity of the website, without wasting effort on discovering problems with no meaningful impact on the behavior and performance of the site; hence, a need for business acumen.
  • Expertise In order to determine whether or not best practices were followed by the original site developers, auditors must achieve a level of proficiency beyond that with which the site was delivered.
  • Objectivity Auditors cannot audit a site they themselves produced, or else risk selective blindness – the inability to see problems they missed the first time around.
  • Distance Auditors cannot operate on a website developed by a company – especially their own – with which they have any kind of commercial or personal involvement.

The Real World

Market studies show that site audits are often used as a loss leader by generalist Drupal agencies. Their objective: to set the stage for redevelopment and third-party maintenance work, where the main volume of business is done using “findings” from a short and low-cost audit to provide the developer with a technical advantage against competitors.

Aside from preventing efficient market competition, this practice applies strong pressure on tailoring audit results to meet the specific abilities of the target company; i.e., it questions the trustworthiness of audits. Such “audits” neither meet neutrality requirements – because of the expected gain – nor meet proficiency requirements – because no company can operate above its own level.

In 2014, for the first time, many customers mentioned that the very existence of a code of ethics – albeit minimal – was an important factor in selecting one auditing practice over others.

In order to provide businesses and organizations, and even certifying bodies, with reliable audit reports, our sector must continue to mature and establish auditing as a separate activity – with strict ethical requirements.

Unlike the financial profession and general management systems, there is now little regulation in place for web/app development vs. auditing (with a few exceptions like PCI compliance); the onus is on us practitioners to establish a code of ethics, based on the best practices identified in other sectors, but adapted to the specifics of our line of work.

Existing Texts and Drupal Work

The general standards community in ISO/IEC has already produced a significant amount of work, mostly targeted to business management systems, as in the ISO 19011 standard, by Technical Committee 176 on quality; the ISO/IEC 17021 standard on auditing bodies, by the Committee on Conformity Assessment; and the ISO/IEC 27006/27007/27008 series of standards established around security auditing.

The IEEE/ACM Software Engineering Code of Ethics and Professional Practice is also relevant to both auditors and system implementers.

Auditor Constraints

Am I able to audit this?
  • Technical proficiency consists of:
    • experience in delivering the technology;
    • “horizontal” cross-cutting knowledge of all technical aspects of websites;
    • constant training on the latest technical trends applied to Drupal projects;
    • acknowledging gaps in knowledge, and subcontracting accordingly.
  • Business proficiency entails “vertical” knowledge of the business in which the website under audit is deployed.
Am I free to audit this?
  • To avoid conflicts of interest:
    • never provide maintenance or other implementation services directly after you have performed a website audit;
    • never audit code delivered by a company with which you have a personal or commercial tie.
  • Avoid selective blindness by never auditing code you have previously delivered.

Inspiration and references can be provided by national and international legal and regulatory texts for ethics in the accounting audit fields, although some practices vary from country to country.

A fine example of Drupal-specific audits was created by the French auditing practice, OSInet. It can provide a starting point for a common code of practice for the Drupal Community, which auditors in all countries should be able to adapt to the specifics of their national environment.

If this topic is of interest, get in touch – or attend the sessions in 2015 DrupalCon editions or other community events like the Drupal DevDays 2015.


Software ethics

General auditing standards

  • Relevant body: ISO/TC 176/SC 3 – Quality management and quality assurance, and supporting technologies
  • Main standard: ISO 19011-2011 – Guidelines for auditing management systems

Security auditing

  • Relevant body: ISO/IEC JTC 1/SC 27 – IT Security techniques
  • Main standard series:
    • ISO/IEC 27006:2001 – Requirements for bodies providing audit and certification of information security management systems
    • ISO/IEC 27007:2011 – Guidelines for information security management systems auditing
    • ISO/IEC 27008:2011 – Requirements for bodies providing audit and certification of information security management systems
Certification auditing
  • Relevant body: ISO/CASCO – Committee on conformity assessment
  • Main standards series: ISO/IEC 17021 – Conformity assessment and requirements for bodies providing audit and certification of management systems

Financial auditing

Drupal audits

Image: ©richardlpaul on istockphoto