
SARBANES OXLEY & JSOX COMPLIANCE – How to pass your SOX Audit using FREE tools


SOX auditing is great fun, especially when you have a senior auditor sat on your shoulder – it’s living life in the fast lane.  In this article, I’ll work backwards from actual JSOX auditor questions to the free IT tools that will answer those compliance questions for you.

Think of an audit as 3 questions… that test how robust your security processes are.

1. RED LIGHT – Is this data Accurate?

2. AMBER LIGHT – Are you sure?


1. List of Auditors' Questions

Here are actual auditor questions that I’ve been asked to “prove” with system generated evidence.  Auditors will ask you:

1. How many users have been created in the last year?

2. How many user accounts have been deleted in the last year?

3. How many admin accounts have been created in the last year?

4. How many VPNs have been created?

Remember, if you’ve created 5 VPNs, the auditor can then ask for the signed authorisation forms for EVERY VPN.  The auditor is hunting down RETROSPECTIVE AUTHORISATION, i.e. you were asked to create a VPN – you did, but the signed paperwork arrived a month later.  Watch your back – retrospective authorisation is a DEFICIENCY.  This will appear in the final auditor’s report.


The Auditor is looking for EVIDENCE next… so here we go – on the hunt for evidence.


2. AD Info – Free auditing tool

This link will provide much of the free evidence that you’ll need – several tools are listed here:

AD Info

AD Info will answer the auditor’s questions regarding:

* How many users are ENABLED on the system?

* How many users are DISABLED?

[Screenshot: AD Info – enabled/disabled users report]

* How many users were deleted in the last 12 months?

* How many admin users exist?

* How many accounts have the “password never expires” setting or do not require a password?  These are major weaknesses in security, so they’ll be audited.

[Screenshot: AD Info – password settings report]

* Password Complexity Rules – via GPO – the auditor will want to have full evidence of the password settings.

[Screenshot: AD Info – GPO password policy]

These checks can answer the auditor with EVIDENCE. The auditor will then cross-reference these results with your authorised paperwork – if the system has 100 admin users, they’ll want to see authorising paperwork, as this is a major security risk.


The auditor will look at the DATE the account was requested > authorised > created.  Normally in the flux of real life, the dates are out of sync… this is a dagger in your back.  The process says 1. Request 2. Authorise 3. Create… and normally the real world sequence is flawed, and authorisation FINALLY arrives… a month late.  This is delightful for the auditor to find…


2. AD Scripts (instead of tools)

On each OU, prepare an AD script that will provide answers to these checklist questions – and double check the results with free auditing tools.

1. How many users are enabled in each OU?

2. How many users are disabled in each OU?

[Screenshot: AD Tidy – per-OU user counts]

Remember to differentiate between ADMIN accounts and user accounts – as your auditor certainly will.

Get Local Admin Account Gui – Free Tool

[Screenshot: Get Local Admin Account GUI – local administrators listing]

Find local admins as well as domain admins.
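The GUI tool above gives you a screenshot; if the auditor wants "system generated" output you can file, the following PowerShell does the same job from the domain. It is an added example, not the tool’s own code or anything from the original post. It assumes the RSAT ActiveDirectory module on the machine you run it from, PowerShell 5.1 or later and WinRM on the targets, and that the approved-group list and output paths are placeholders you replace with your own.

```powershell
# Added example (not from the original post, not the Get Local Admin Account GUI tool):
# list the local Administrators group on every enabled Windows machine and separate
# the members that are NOT on the approved list, so only those need authorisation forms.
Import-Module ActiveDirectory

# Assumption: your own authorised admin groups go here (domain-qualified, as Get-LocalGroupMember reports them)
$Approved  = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')
$ReportDir = 'C:\JSOX\Evidence'                          # assumption: your evidence folder
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

$Computers = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like 'Windows*' } |
    Select-Object -ExpandProperty Name

# Query each machine remotely; machines that cannot be reached end up in $unreachable,
# and the auditor will want that list too (an unreachable machine is not "checked").
$members = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Full listing = the evidence file. PSComputerName is added by Invoke-Command.
$members |
    Select-Object PSComputerName, Name, ObjectClass, PrincipalSource |
    Sort-Object PSComputerName, Name |
    Export-Csv "$ReportDir\local-admins-all.csv" -NoTypeInformation

# Exceptions = what needs paperwork. The built-in local Administrator (MACHINE\Administrator)
# is expected on every box; anything else not on the approved list is flagged.
$members |
    Where-Object { $_.Name -notin $Approved -and $_.Name -ne "$($_.PSComputerName)\Administrator" } |
    Select-Object PSComputerName, Name, ObjectClass, PrincipalSource |
    Sort-Object PSComputerName, Name |
    Export-Csv "$ReportDir\local-admins-unapproved.csv" -NoTypeInformation

# Machines that did not answer, so the gap is documented rather than silently missing
$unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    Set-Content "$ReportDir\local-admins-unreachable.txt"
```

Run it from an account that is already a local administrator on the targets; the exceptions file is the one to staple to the authorisation forms, and the unreachable file stops the auditor from assuming a machine was checked when it was simply off.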

AD Audit Tool – 30 days FREE trial

Use this 2 weeks before the external auditor turns up – as after the 30 day trial it will revert to the free edition.  Your initial logon will be username = admin, password = admin.



3. AD Permission Reporter

Download AD Permissions Reporter…

[Screenshot: AD Permissions Reporter]



4. Change Management

You must raise paperwork before a change – and log this into your daily checks.  It also ensures that managers are aware of the changes – as they’ve signed off the daily checks, so can’t claim they didn’t “know about it”.

The auditor will look for “changes” on one of the 15 specific dates… and then will ask for the signed paperwork that authorised the change.  You need to make sure of PRIOR APPROVAL, not retrospective approval.


5. Hardware Audits

1. How many PCs have you issued in the last 12 months, and to whom?

Use Ad Info – Computers Tab

[Screenshot: AD Info – Computers tab]

Double check your “inventory” results with NMAP scans, or OpenVAS scans – which are free tools.


6. Software Audits

1. How many Windows machines do you have on site, and which versions?

2. What different software are your users using?  How often is it audited?

3. What software licenses do you have?
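For the hardware question in section 5 (PCs issued in the last 12 months, and to whom) and the first software question above (Windows machines by version), the following PowerShell pulls the same system-generated evidence the AD Info Computers tab gives you. It is an added example, not from the original post or from AD Info. It assumes the RSAT ActiveDirectory module, that the “to whom” information is recorded in the computer object’s Description or ManagedBy attribute when the machine is issued (if your build process does not fill that in, this column will be blank and the auditor will notice), and that the output path is a placeholder.

```powershell
# Added example (not from the original post): computer objects created in the last
# 12 months, plus the Windows estate grouped by version. whenCreated is the date the
# auditor will line up against the hardware issue paperwork.
Import-Module ActiveDirectory

$Since     = (Get-Date).AddMonths(-12)
$ReportDir = 'C:\JSOX\Evidence'     # assumption: your evidence folder
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Section 5, question 1: machines issued in the last 12 months and to whom.
# LastLogonDate is the replicated value (accurate to about 14 days), which is fine for
# spotting a "new" PC that has never actually been used.
Get-ADComputer -Filter { whenCreated -ge $Since } `
        -Properties whenCreated, LastLogonDate, OperatingSystem, OperatingSystemVersion, Description, ManagedBy |
    Select-Object Name, whenCreated, LastLogonDate, OperatingSystem, OperatingSystemVersion, Description,
        @{ n = 'ManagedBy'; e = { if ($_.ManagedBy) { (Get-ADObject -Identity $_.ManagedBy).Name } } } |
    Sort-Object whenCreated |
    Export-Csv "$ReportDir\computers-issued-12m.csv" -NoTypeInformation

# Section 6, question 1: how many Windows machines, and which versions (whole estate, enabled only).
# Disabled computer objects are excluded; the auditor may still ask why they have not been deleted.
Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like 'Windows*' } `
        -Properties OperatingSystem, OperatingSystemVersion |
    Group-Object OperatingSystem, OperatingSystemVersion |
    Select-Object Count, @{ n = 'Version'; e = { $_.Name } } |
    Sort-Object Count -Descending |
    Export-Csv "$ReportDir\windows-versions.csv" -NoTypeInformation
```

Compare the first CSV against the NMAP or OpenVAS host list from section 5: a machine that answers on the network but has no AD computer object (or the reverse) is exactly the inventory discrepancy the auditor will ask you to explain.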

There are software auditing applications, such as SNOW – this will advise the range of software on your network and whether it’s licenced.  Try to use open source as much as you can, as this sidesteps the licensing issue.

TIP: Office does have a “variable site licence” that can run using SNOW – this will automatically adapt your licensing to make you legal.  Lazy, but effective.

You are expected to monitor your software licenses in order to ensure that no illegal copies are running on your system.

7. AD Auditing Report – AD SCRIPTS

The auditor will ask you to generate scripts on your AD domain controller – as they want “system generated information” regarding users and computers.
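This is the script the checklist in section 2 (“AD Scripts (instead of tools)”) asks you to prepare, and it produces the “system generated information” this section describes. It is an added example, not a script from the original post or from any of the tools named above. It assumes the RSAT ActiveDirectory module on a domain controller or admin workstation, that the AD Recycle Bin is enabled (otherwise the deleted-users query returns only stripped-down tombstones), and that the evidence folder and the admin group list are placeholders you replace with your own.

```powershell
# Added example (not from the original post): one run produces the evidence files for
# auditor questions 1-3 (users created, users deleted, admin accounts), the per-OU
# enabled/disabled counts from section 2, and the AD Info password checks.
Import-Module ActiveDirectory

$ReportDir   = 'C:\JSOX\Evidence'                                          # assumption: your evidence folder
$Since       = (Get-Date).AddMonths(-12)
$AdminGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')   # assumption: add your own admin groups
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Pull every user once with the attributes all the checks below need
$users = Get-ADUser -Filter * -Properties whenCreated, PasswordNeverExpires, PasswordNotRequired

# 1. Enabled / disabled users per OU. The parent container is the DN with its first RDN removed;
#    the lookbehind keeps escaped commas in names such as "Smith\, John" from splitting the DN.
$users |
    Group-Object { ($_.DistinguishedName -split '(?<!\\),', 2)[1] } |
    ForEach-Object {
        [pscustomobject]@{
            OU       = $_.Name
            Enabled  = @($_.Group | Where-Object { $_.Enabled }).Count
            Disabled = @($_.Group | Where-Object { -not $_.Enabled }).Count
        }
    } |
    Sort-Object OU |
    Export-Csv "$ReportDir\users-per-ou.csv" -NoTypeInformation

# 2. Users created in the last 12 months (auditor question 1) - the dates the auditor will
#    match against request and authorisation paperwork
$users | Where-Object { $_.whenCreated -ge $Since } |
    Select-Object SamAccountName, whenCreated, Enabled, DistinguishedName |
    Sort-Object whenCreated |
    Export-Csv "$ReportDir\users-created-12m.csv" -NoTypeInformation

# 3. Users deleted in the last 12 months (question 2). objectClass=user also matches computers
#    server-side, so the client-side filter keeps only objects whose most specific class is user.
Get-ADObject -Filter { objectClass -eq 'user' -and isDeleted -eq $true -and whenChanged -ge $Since } `
        -IncludeDeletedObjects -Properties whenChanged, LastKnownParent |
    Where-Object { $_.ObjectClass -eq 'user' } |
    Select-Object Name, whenChanged, LastKnownParent |
    Sort-Object whenChanged |
    Export-Csv "$ReportDir\users-deleted-12m.csv" -NoTypeInformation

# 4. Admin accounts (question 3), with group and creation date so each one can be traced to a form.
#    -Recursive expands nested groups, which is how admin rights usually hide.
$AdminGroups | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties whenCreated |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, whenCreated, Enabled
} |
    Sort-Object Group, SamAccountName -Unique |
    Export-Csv "$ReportDir\admin-accounts.csv" -NoTypeInformation

# 5. Password weaknesses the auditor will look for: never expires, or no password required
$users | Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired } |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordNotRequired, DistinguishedName |
    Export-Csv "$ReportDir\password-weaknesses.csv" -NoTypeInformation

# 6. Effective domain password policy, as system-generated backing for the GPO screenshot
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold |
    Export-Csv "$ReportDir\password-policy.csv" -NoTypeInformation
```

Run it on the same day you take the AD Info screenshots, so the two sets of numbers agree, and keep the CSVs with the signed forms: the admin-accounts and users-created files are the ones the auditor will read line by line asking “where is the authorisation for this one?”.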


8. Additional Tips

Who in HR or Personnel cross checks the enabled users list?

Remember, HR stops the payroll of a leaver, but many managers may “forget” to tell IT.  Print out a list of all enabled users for Personnel each month – and have them sign it confirming that there are no leavers who still exist on the system.  This is EVIDENCE of the due diligence of IT – we’ve done our bit, and asked HR to sign off our monthly enabled users.  As far as the auditors are concerned, IT is now off the hook.



Excel Spreadsheet – for Daily Checks

The Auditor will provide you with 15 to 20 random dates (one or two per month) and ask you to provide evidence of all incidents or changes on those 15 days.  So how to make this easy on yourself?

Create an Excel spreadsheet with a column for each day of the month, and a worksheet for each month.

List critical systems in the first column – and log in and check each critical system for failures or errors EVERY SINGLE WORKING DAY.

Critical servers include your DC, backup DC, backups, exchange server, SQL server etc – anything that’s mission critical to the business.

[Screenshot: JSOX daily checks Excel spreadsheet]

TIP: Where an error is found, e.g. backups failed, log the fault and get a helpdesk ticket number – place this ticket number into your spreadsheet of critical failures.  The auditors will ask you to list all faults by date – and this provides that evidence along with easy-to-find ticket numbers.  They may roll call a list of daily status checks – and here it is.

If you have to make a change – log the change – get it authorised and then place the ticket number into the spreadsheet (for the day the change will take place, eg 31st December).

TIP: Sign this spreadsheet with your initials as the daily checks are completed.  Auditors will look for this – they LIKE this!!

Provide the monthly sheet to your IT Manager to countersign each month – this means management are notified of major changes and major failures each month.  If there’s a recurring problem, this will show up.

TIP – Auditors will pick up if the monthly checks are NOT signed off by a manager – as I learnt from real experience.  So get the Finance Manager or IT Manager to sign the document…  you MUST PROVE that you’ve made managers aware of the status of the system.

9. Mindset

Auditors are looking for legal EVIDENCE.  This means that you check and double check what you’re saying… and you will be asked to prove it!!  Do all your paperwork trails BEFORE the auditor is sat on your shoulder – as you’ll be so glad that you did!!

A standard helpdesk system may log the REQUEST – but where is the original request?  Who made it… who approved it, and who in the IT department actually created these accounts.

Remember the “DOCTRINE OF THE SEPARATION OF DUTIES”… the requestor must NOT be the authoriser.  Your helpdesk ticket will log the initial request – and who authorised it.

Facing an audit is terrifying, unless your processes are robust.  The accuracy of your data is just the first step… you must double check the accuracy and finally be prepared to prove it, with evidence.  Good luck!



