By: Matt Hall, Bocada CEO
Last week a competitor of ours was acquired by a company that uses our competitor’s software for their own compliance reporting. For Bocada, and the data protection industry as a whole, this event highlighted the importance of independence as a cornerstone of compliance.
In our case, compliance is related to data protection and business continuity preparedness audits. However, objective, independent data validation applies to audits in any discipline. The best-known example of mandated audit independence is Sarbanes-Oxley (SOX). Passed in 2002, this financial oversight legislation was a result of many high-profile accounting scandals including Enron, WorldCom, Tyco and others. SOX prohibits financial auditors from being part of the same firm that performs the operational accounting. The goal: eliminate conflicts of interest.
Why do we do audits anyway? Audits provide an objective and independent verification of self-reported performance. We like to think of it as ‘trust but verify’. The intention of an audit is not to discover weaknesses and fraud – though those can be by-products of an audit. Rather, an audit validates and adds credibility to self-reported performance. Successful audits increase everyone’s confidence in the reported results and reduce risks or the likelihood that reported results are flawed.
If audits validate and build confidence, why is independence such a big deal? Because the foundation of independence is objectivity.
After all, the opposite of objectivity is bias. Auditors cannot have a vested interest in the result of an audit. If an auditor has any incentive beyond successful completion of the audit itself, they cannot provide an unbiased evaluation. Said another way, auditors cannot convey the confidence that comes from an audit if they are not independent.
Consider how this played out in the VW diesel fuel scandal. Given the company goal of opening more markets for diesel cars, VW emissions teams were incented to certify that vehicles pass each country’s emissions guidelines – not test whether they actually did meet emissions standards. A parent company’s sales goals compromised an internal team’s objectivity. Three years later, VW is still plagued with lawsuits and the loss of credibility that comes with manipulated audit results.
At Bocada, we are committed to being a truly independent reporting and auditing tool for data protection teams. We report on a broad range of enterprise data protection applications that include large incumbents like Dell EMC, upstarts like Cohesity, and cloud-native backup products like Azure Backup. We are not owned by any of these companies. We do not have strategic partnerships or co-selling relationships with any of them. We have no stake in what backup products our customers choose to implement.
We have a normalized set of definitions for what a successful backup is, and we provide the tools needed to make operations and audit reporting easy. In the end, our goals are to develop trust with our customers, convey confidence to auditors and consumers of our reports’ fidelity and, most importantly, reduce the risks associated with unprotected data.