Hacker News | jasong's comments


I wonder what qualifies as a robocall. Is it just something dialed automatically? Is it still legal if a human dialed the call, but an AI-generated voice speaks?


The law here bans both the use of autodialers and "artificial or prerecorded voices" in calls to cell phones (along with a variety of other types of phone numbers like emergency lines, other types of lines where you might pay for the incoming call, etc.).

Separately, it bans artificial/prerecorded voices in calls to residential lines.

Both provisions have carveouts for emergencies or when the party being called has given their prior consent.


In my experience PDFs are mostly used to ensure what you're seeing is what everyone else is seeing. If I sent out a Word or PowerPoint doc, I could be 90% sure someone would have a formatting issue. Maybe their default margins are different or they don't have the same fonts installed. It's a better format for the reader when they don't require edit access.

Google Docs + MS Office have probably figured this out by now, but there's also a ton of historical momentum keeping it in use.

As a financial auditor I remember being baffled how people would go out of their way to create paper processes. A spreadsheet that requires confirmation would be printed, signed, stapled to another piece of paper - all so I can remove the staples and scan it to track digitally in our audit software. At least I knew sending them a PDF would come back looking the same...


My favorite part of this post is the distinction between writing and posting. Picking an audience is important for me when I write. If a post is mostly self-reflection for yourself, it's ok to not post it.


Really excited to see new spreadsheet products pop up. Coda seems like the most broad solution. Most products are centered around a particular use-case like financial planning (https://golayer.io/).

Another interesting approach is to bring Git like diffs and collaboration to spreadsheets. XLTrails for example https://www.xltrail.com/.

I wish someone could figure out how to make Git work well with spreadsheets. It would really unlock so much collaboration and sharing. I think one of the main reasons you can't just find good, well-maintained templates for simple tools is because of poor collaboration tools around spreadsheets.


There’s probably a subreddit where you can pose the question. Though, submitting a landing page proposes a solution. You should perhaps be focused on chatting with people who have the problem to validate if your solution is right.


NextDNS can be a viable option with their “Recreation Time” feature. Overall it seems like DNS is the right place to implement this cross platform.


Never did a security audit, but I did regulatory and financial audits of banks. Most of our work involved looking at last year's work, re-performing it and changing dates. Writing reports + financial statement notes followed a similar process.

Exceptions are immediately escalated to the audit committee and sometimes end up as a small footnote in the public reports. Most of the time it says "we were unable to collect sufficient evidence" to provide assurance. Almost never "this was done wrong".

It's interesting to see how the second report differed from their first assessment earlier in the year: https://research.nccgroup.com/2021/04/08/public-report-vpn-b...

Most of the findings in the first report were "Fixed".


This is a good call-out. The software security field uses the term "audit" in a deeply weird way. A real audit, like the kind done in a SOC2 assessment, really is about the report, and is more like 90% paperwork than 50%.

Here we're talking about software pentesting, and consulting firms have historically used the word "audit" to elevate that work. But these engagements almost never follow the shape of a real audit; there's no spelled-out audit criteria, there's no reconciliation against previous results, and the focus of the engagement is almost purely the exceptions, with little to no documentation of the tests completed without findings.


You've noted elsewhere in the thread that pentesting has the concept of a "retest". A retest purely examines the findings of some original earlier report. Any other vulnerabilities are out of scope, no matter how serious.

This seems like a better match to the regulatory audit model, but it's a bad match to the problem people would like to think of audits as solving, which is determining "are there any problems?".

The normal pentesting use of "audit" draws on that intuitive meaning of the word; the concept is that you answer whether problems exist. But it's deeply weird anyway, because the answer can't be known, only guessed.

I seem to remember PCI being called out as a very different report type from the usual, closer to the regulatory audit model at least in that the process was heavily regulated and old problems had to be fixed and retested. I never did a PCI report; don't hold me to anything.


Yes, exactly. There is a weird conflict of interest thing happening with a lot of public-facing security assessment work. The client wants a clean bill of health. The delivery consultants can't honestly sell that, at least not without a huge project scope stretching into double-digit person-months. But the firm wants to sell engagements, and public reports are a condition of the engagement.

So we have this phenomenon of "audit reports" that are really anything but that. Very few people in the industry know how to read them (for instance, how to locate and evaluate the scope of the project). But they're effectively used as seals of approval by clients. Which creates an even bigger incentive for firms to sell them, to the point where there are firms that almost specialize in doing them.

PCI is closer to the audit model, and yet even less effective than the pentest model, because the standardized delivery model created a race to the bottom effect in the market.

My oddball position on this stuff: firms shouldn't do external reports at all, and clients should just be able to post their internal reports.


This is super cool. I would only consider using a self hosted open-source version of this since I am sending you sensitive info via email. Enterprise or business users will probably be in the same boat.


True that these may not be the most appropriate for corporate emails.

If there's sufficient interest in this, I could enforce login on emails sent to a different email inbox such as private@moogle.cc. That way, only the sender would be able to see the attachments. I'll have to think this through, though.


Congrats on the launch! This looks super helpful. I've found in previous roles that formalizing processes in something more rigid vs. Excel actually makes things much more efficient. How do you see yourself differ from something like https://www.workiva.com/ or https://golayer.io/?


Thanks! We agree with you. It's about finding the right level of flexibility for the stage of your business.

From what I understand, Workiva is an awesome product focused on the data preparation phase of analysis and reporting. We focus on the next part in the process - modeling, analysing and forecasting, using tools made specifically for FP&A teams.

From what I understand, Golayer is a great product built on top of your existing Google Sheet or Excel, with collaboration happening around a spreadsheet. We approach things differently at Abacum, offering a native experience that scales with your business, where collaboration happens within a platform full of Abacum tables, embedded Excel files, supporting screenshots, new forecasts, etc.

