[arin-ppml] Does this apply to Transfers too?

Ted Mittelstaedt tedm at ipinc.net
Tue Apr 21 15:40:34 EDT 2009 

 

> -----Original Message-----
> From: arin-ppml-bounces at arin.net 
> [mailto:arin-ppml-bounces at arin.net] On Behalf Of Craig Finseth
> Sent: Tuesday, April 21, 2009 11:28 AM
> To: michael.dillon at bt.com
> Cc: ppml at arin.net
> Subject: Re: [arin-ppml] Does this apply to Transfers too?
> 
> 	...
>    I don't expect any corporate officer to sign off on this
>    kind of attestation until after the stock of IP addresses
>    is audited by someone competetent, i.e. an accountant who
>    has audit training. This means that if you work in a network
>    group that has been flying under the radar for years,
>    managing IP addresses as some minor netops technical detail,
>    life is about to get interesting.
> 
>    And don't bother sneering at those accountants and making
>    smart remarks about how little they understand networks.
>    They don't need to. They will want to see your records,
>    understand your recordkeeping procedures, and make sure that
>    you really do know how many IP addresses are in use, how
>    many are unavoidably wasted for technical reasons, and how
>    many are in limbo due to customer churn or network redesign.
> 
>    In fact it would be useful if ARIN would produce some documentation
>    targeted at CPA auditors, that explains how to audit IPv4 
> addresses.
> 	...
> 
> I am excerpting and repeating this message from Michael 
> Dillon because it is all but impossible to underemphasize how 
> important it is.
> 
> If you're operating with full ITIL-level processes and 
> complete recordkeeping, you're fine.  This will cover about 
> 10 organizations out there.
> 
> If you're like the rest of us, your IP address management is 
> not up to par.  You're going to spend a lot of time with 
> auditors going over what you are doing and why you are doing it.
> 
> Also, when was the last time you audited your routing tables 
> against your IP address management database (err, 
> spreadsheet)?  Yup, you get to do that, too.
> 
> And I would like to underscore the request for ARIN to 
> produce the documentation for auditors.  It will help us all 
> immensely.
> 

Many years ago I worked in A/P in a publically-held corporation and
WAS under auditing.  This was pre-SOX but the fact of the matter is that
SOX really only codified what any GAAP-compliant and well-run
publically-held company was already doing.  It really is no big deal
if your corporate culture already demands accountability.

I also feel compelled to point out that all those US banks that
we bailed out with TARP last year were under Sarbanes-Oxley for the
last 6 years and yet they still had to be bailed out due to outright
lying and cheating on their financials.  And how many convictions
have we seen from the SEC to any of those CEO's?

I would like to believe that the requirement will cause the rest
of the crowd who are under SOX but aren't compliant with it to
clean up their IP act, but I think the reality is that it's not
going to make a difference.

Ted

More information about the ARIN-PPML mailing list