- From: Shane M Wiley <wileys@yahoo-inc.com>
- Date: Wed, 19 Nov 2014 17:12:33 +0000 (UTC)
- To: Walter van Holst <walter.van.holst@xs4all.nl>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <1976654005.1719531.1416417153807.JavaMail.yahoo@jws10057.mail.ne1.yahoo.com>
Walter,

The IAB guidelines are specific to a financial audit process and therefore are necessary by law and have very strict boundaries and well known and understood accounting quality measures. Your approach is open ended and not tied to anything specific and therefore is unhelpful/useless. I don't believe anyone disagrees with the concept of auditability but rather we have issue with the non-specific approach you're taking that could unintentionally cause confusion and uncertainty among implementors.

- Shane

Shane Wiley
VP, Privacy & Data Governance
Yahoo

From: Walter van Holst <walter.van.holst@xs4all.nl>
To: public-tracking@w3.org
Sent: Wednesday, November 19, 2014 7:06 AM
Subject: Re: ISSUE-235 (Auditability requirement for security)

On 2014-11-19 01:57, Nicholas Doty wrote:

> Separate as to whether this auditing requirement is a good idea for
> the recommendation, I'd propose a couple small, friendly amendments to
> the language, as per below.
>
>> For the purposes of this recommendation, auditable is understood as
>> having sufficient records of access and use of data retained such that
>> an independent auditor would have a reasonable level of confidence
>> that the data retained is exclusively used for the permitted uses or
>> that breaches of this can be detected ex-post. For example, an auditor
>> might use a similar level of confidence to that required for the
>> organization's financial records.
>
> (Use independent instead of third-party, as the document has a
> separate definition for third-party. Use "recommendation". "Example"
> rather than "yardstick".)

I'm reasonably comfortable with this amendment. For the purpose of the conversation on the necessity of all this, I'd like to point at this document:

http://www.iab.net/media/file/Global_meas_guidelines.pdf

For audience measurement purposes industry groups are perfectly happy with process audit requirements (see paragraph 4, sub 2) for ad measurement, which reads as:

4. Auditing Guidelines

General – Third-party independent auditing is encouraged for all ad-serving applications used in the buying and selling process. This auditing is recommended to include both counting methods and processing/controls as follows:

1. Counting Methods: Independent verification of activity for a defined period. Counting method procedures generally include a basic process review and risk analysis to understand the measurement methods, analytical review, transaction authentication, validation of filtration procedures and measurement recalculations. Activity audits can be executed at the campaign level, verifying the activity associated with a specific ad creative being delivered for performance measurement purposes.

2. Processes/Controls: Examination of the internal controls surrounding the ad delivery, recording and measurement process. Process auditing includes examination of the adequacy of site or ad-server applied filtration techniques.

Strangely enough, in this group all of a sudden none appears to understand the meaning of auditable in the context of DNT:1 data retained for purposes exempted under this standard?

What I am asking for is not substantially different and definitely not more burdensome than what IAB suggests for ad measurement. We're simply talking about an analog to the process/controls audits mentioned above.

Regards,

Walter
Received on Wednesday, 19 November 2014 17:15:21 UTC