SARBANES OXLEY & JSOX COMPLIANCE – How to pass your SOX Audit using FREE tools
SOX auditing is great fun, especially when you have a senior auditor sat on your shoulder – it’s living life in the fast lane. In this article, I’ll work backwards from actual JSOX auditor questions to the free IT tools that will answer those compliance questions for you.
Think of an audit as three questions that test how robust your security processes are:
1. RED LIGHT – Is this data Accurate?
2. AMBER LIGHT – Are you sure?
3. GREEN LIGHT – Now PROVE it!!
1. List of Auditors' Questions
Here are actual auditor questions that I've been asked to “prove” with system-generated evidence. Auditors will ask you:
1. How many users have been created in the last year?
2. How many user accounts have been deleted in the last year?
3. How many admin accounts have been created in the last year?
4. How many VPNs have been created?
Remember, if you've created 5 VPNs, the auditor can then ask for the signed authorisation forms for EVERY VPN. The auditor is hunting down RETROSPECTIVE AUTHORISATION, i.e. you were asked to create a VPN, you did, and the signed paperwork arrived a month later. Watch your back: retrospective authorisation is a DEFICIENCY, and it will appear in the final auditor's report.
The Auditor is looking for EVIDENCE next… so here we go – on the hunt for evidence.
2. AD Info – Free auditing tool
This link will provide much of the free evidence that you'll need; several tools are listed here:
AD Info will answer the auditor's questions regarding:
* How many users are ENABLED on the system?
* How many users are DISABLED?
* How many users were deleted in the last 12 months?
* How many admin users exist?
* How many accounts have the “password never expires” setting, or do not require a password at all? These are major weaknesses in security, so they'll be audited.
* Password complexity rules, as set via GPO: the auditor will want full evidence of the password settings.
These checks answer the auditor with EVIDENCE. The auditor will then cross-reference the results with your authorised paperwork: if the system has 100 admin users, they'll want to see the authorising paperwork for every one of them, as this is a major security risk.
The auditor will look at the DATES the account was requested > authorised > created. In the flux of real life the dates are normally out of sync, and this is a dagger in your back. The process says 1. Request 2. Authorise 3. Create; the real-world sequence is usually flawed, and the authorisation FINALLY arrives a month late. This is delightful for the auditor to find.
2. AD Scripts (instead of tools)
On each OU, prepare an AD script that will provide answers to these checklist questions, and double-check the results with the free auditing tools.
1. How many users are enabled in each OU?
2. How many users are disabled in each OU?
Remember to differentiate between ADMIN accounts and user accounts, as your auditor certainly will.
Get Local Admin Account Gui – Free Tool
Find local admins as well as domain admins.
AD Audit Tool – 30 days FREE trial
Use this two weeks before the external auditor turns up, as after the 30-day trial it will revert to the free edition. Your initial logon will be username = admin, password = admin: change that default the first time you log in, because a tool holding your AD audit data behind vendor default credentials is exactly the kind of weakness the auditor is looking for.
3. AD Permission Reporter
Download AD Permissions Reporter…
4. Change Management
You must raise paperwork before a change, and log this into your daily checks. It also ensures that managers are aware of the changes: they've signed off the daily checks, so they can't claim they didn't “know about it”.
The auditor will look for “changes” on one of the 15 specific dates and then ask for the signed paperwork that authorised the change. You need to make sure of PRIOR APPROVAL, not retrospective approval.
5. Hardware Audits
1. How many PCs have you issued in the last 12 months, and to whom?
Use AD Info – Computers tab.
6. Software Audits
1. How many Windows machines do you have on site, and which versions?
2. What different software are your users using? How often is it audited?
3. What software licences do you have?
There are software auditing applications, such as SNOW, that will report the range of software on your network and whether it's licensed. Try to use open source as much as you can, as this side-steps the licensing issue.
TIP: Office does have a “variable site licence” that can run using SNOW; this will automatically adapt your licensing to make you legal. Lazy, but effective.
You are expected to monitor your software licences in order to ensure that no illegal copies are running on your system.
7. AD Auditing Report – AD SCRIPTS
The auditor will ask you to run scripts on your AD domain controller, as they want “system-generated information” regarding users and computers rather than a hand-typed list.
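The following PowerShell script is an added example; it is not code from the original article or from any of the tools named above. It produces dated CSV files that answer the auditor questions from the sections above in one run: users created and deleted in the last 12 months, admin accounts (with a flag for those created this year, which need a signed form), enabled versus disabled users per OU, accounts with “password never expires” or “password not required”, the password policy, and computers joined in the last 12 months with the Windows version AD recorded for them. It assumes the RSAT ActiveDirectory module, a domain account with read access, the AD Recycle Bin enabled for the deletion report, and C:\JSOX\Evidence as an illustrative output folder. The VPN question has to be answered from the VPN gateway, not from AD.

```powershell
# Added example (not part of the original article). Produces dated CSV
# evidence for the JSOX auditor questions. Assumptions: RSAT ActiveDirectory
# module installed, read access to the domain, AD Recycle Bin enabled for the
# deletion report, and C:\JSOX\Evidence as an illustrative output folder.
Import-Module ActiveDirectory

$since  = (Get-Date).AddMonths(-12)
$outDir = 'C:\JSOX\Evidence'
$stamp  = Get-Date -Format 'yyyyMMdd'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Save-Evidence {
    # Each answer is written to a dated CSV so the file itself is the evidence.
    param([string]$Name, [object[]]$Rows)
    # An answer of "none" still needs a file, so write a placeholder row.
    if (@($Rows).Count -eq 0) { $Rows = @([pscustomobject]@{ Result = 'none found' }) }
    $path = Join-Path $outDir "$stamp-$Name.csv"
    $Rows | Export-Csv -Path $path -NoTypeInformation
    '{0,-20} {1,5} rows -> {2}' -f $Name, @($Rows).Count, $path
}

# Q1: users created in the last 12 months. whenCreated is set by the DC, so it
# is the "created" date the auditor compares with the request/authorisation form.
$created = Get-ADUser -Filter 'whenCreated -ge $since' -Properties whenCreated, Description |
    Select-Object SamAccountName, Enabled, whenCreated, Description
Save-Evidence 'users-created' $created

# Q2: users deleted in the last 12 months, read from the Recycle Bin. The
# ObjectClass check drops the Deleted Objects container and computer accounts.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -Properties whenChanged, LastKnownParent |
    Where-Object { $_.ObjectClass -eq 'user' -and $_.whenChanged -ge $since } |
    Select-Object Name, whenChanged, LastKnownParent
Save-Evidence 'users-deleted' $deleted

# Q3: admin accounts = recursive membership of the privileged groups.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$admins = foreach ($g in $adminGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties whenCreated
            [pscustomobject]@{
                Group           = $g
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                whenCreated     = $u.whenCreated
                CreatedThisYear = ($u.whenCreated -ge $since)   # needs a signed form
            }
        }
}
Save-Evidence 'admin-accounts' $admins

# AD Scripts section: enabled vs disabled users per OU. The OU is the DN with
# the leading CN= removed; escaped commas inside the CN are handled.
$perOu = Get-ADUser -Filter * |
    Group-Object { $_.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)*,', '' } |
    ForEach-Object {
        [pscustomobject]@{
            OU       = $_.Name
            Enabled  = @($_.Group | Where-Object { $_.Enabled }).Count
            Disabled = @($_.Group | Where-Object { -not $_.Enabled }).Count
        }
    }
Save-Evidence 'users-per-ou' $perOu

# Accounts with "password never expires" or "password not required" set.
$weak = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true' `
    -Properties PasswordNeverExpires, PasswordNotRequired, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordNotRequired, LastLogonDate
Save-Evidence 'weak-password-flags' $weak

# Password complexity rules: the default domain policy plus any fine-grained
# policies, which override it for the users and groups they apply to.
$policies = @(Get-ADDefaultDomainPasswordPolicy) + @(Get-ADFineGrainedPasswordPolicy -Filter *) |
    Select-Object DistinguishedName, ComplexityEnabled, MinPasswordLength, MaxPasswordAge,
                  PasswordHistoryCount, LockoutThreshold
Save-Evidence 'password-policy' $policies

# Hardware and Software Audits: machines joined in the last 12 months and the
# Windows version AD recorded for every computer account.
$computers = Get-ADComputer -Filter * -Properties whenCreated, OperatingSystem,
    OperatingSystemVersion, LastLogonDate |
    Select-Object Name, Enabled, whenCreated, OperatingSystem, OperatingSystemVersion, LastLogonDate
Save-Evidence 'computers-all' $computers
Save-Evidence 'computers-joined' @($computers | Where-Object { $_.whenCreated -ge $since })
$computers | Group-Object OperatingSystem | Select-Object Name, Count | Format-Table -AutoSize
```

Run it from a management host once a month and file the CSVs in the JSOX folder. The whenCreated and whenChanged timestamps are written by the domain controller, so they are the system-generated dates the auditor will line up against the request and authorisation forms. If the Recycle Bin is not enabled, tombstones are purged after the tombstone lifetime, and the alternative source for deletions is Security event ID 4726 (user account deleted) on each DC, which only works if the Security logs are retained for the full year.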
8. Additional Tips
Who in HR or Personnel cross checks the enabled users list?
Remember that HR stops the payroll of a leaver, but many managers may “forget” to tell IT. Print out a list of all enabled users for Personnel each month, and make them sign it to confirm that there are no leavers who still exist on the system. This is EVIDENCE of the due diligence of IT: we've done our bit and asked HR to sign off our monthly enabled-users list. As far as the auditors are concerned, IT is now off the hook.
FILE THE SIGNED OFF USER LIST IN YOUR JSOX FILE – for the auditor to find.
Excel Spreadsheet – for Daily Checks
The auditor will provide you with 15 to 20 random dates (one or two per month) and ask you to provide evidence of all incidents or changes on those days. So how do you make this easy on yourself?
Create an Excel spreadsheet with a column for each day of the month, and a worksheet for each month.
List critical systems in the first column, and log in and check each critical system for failures or errors EVERY SINGLE WORKING DAY.
Critical servers include your DC, backup DC, backup server, Exchange server, SQL server etc., anything that's mission-critical to the business.
TIP: Where an error is found, e.g. backups failed, log the fault and get a helpdesk ticket number; place this ticket number into your spreadsheet of critical failures. The auditors will ask you to list all faults by date, and this provides that evidence along with easy-to-find ticket numbers. They may call for a list of daily status checks, and here it is.
If you have to make a change – log the change – get it authorised and then place the ticket number into the spreadsheet (for the day the change will take place, eg 31st December).
TIP: Sign this spreadsheet with your initials as the daily checks are completed. Auditors will look for this – they LIKE this!!
Provide the monthly sheet to your IT Manager to countersign each month; this means management are notified of major changes and major failures each month. If there's a recurring problem, it will show up.
TIP: Auditors will pick up if the monthly checks are NOT signed off by a manager, as I learnt from real experience. So get the Finance Manager or IT Manager to sign the document; you MUST PROVE that you've made managers aware of the status of the system.
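As an added example (not from the original article), here is one way to make the daily check itself system-generated: a PowerShell script that tests each critical server and appends one row per server to a monthly CSV, which is the spreadsheet described above with Ticket and Initials columns ready for the fault and sign-off trail. It assumes Windows PowerShell 5.1 on a management host (Get-Service -ComputerName is not available in PowerShell 7), an account with remote read rights, and the constructed list of servers and service names below; C:\JSOX\DailyChecks and the initials are placeholders.

```powershell
# Added example (not part of the original article): daily critical-system check
# that appends one row per server to a monthly CSV. Assumptions: Windows
# PowerShell 5.1, remote read access, and the constructed server list below.
$checksDir = 'C:\JSOX\DailyChecks'   # illustrative evidence folder
$initials  = 'AB'                    # whoever performs the check
$today     = Get-Date
New-Item -ItemType Directory -Path $checksDir -Force | Out-Null
$monthFile = Join-Path $checksDir ('checks-{0:yyyy-MM}.csv' -f $today)

# Constructed list: each critical server and the service that proves it is up.
$critical = @(
    @{ System = 'DC01';     Service = 'NTDS' }          # domain controller
    @{ System = 'DC02';     Service = 'NTDS' }          # backup DC
    @{ System = 'BACKUP01'; Service = 'wbengine' }      # Windows Server Backup engine
    @{ System = 'EXCH01';   Service = 'MSExchangeIS' }  # Exchange information store
    @{ System = 'SQL01';    Service = 'MSSQLSERVER' }   # default SQL Server instance
)

function Test-CriticalSystem {
    param([string]$System, [string]$Service)
    $row = [ordered]@{
        Date     = $today.ToString('yyyy-MM-dd')
        System   = $System
        Status   = 'OK'
        Detail   = ''
        Ticket   = ''        # helpdesk ticket number, filled in by hand when a fault is raised
        Initials = $initials
    }
    if (-not (Test-Connection -ComputerName $System -Count 1 -Quiet)) {
        $row.Status = 'FAIL'
        $row.Detail = 'no ping response'
        return [pscustomobject]$row
    }
    try {
        $svc = Get-Service -ComputerName $System -Name $Service -ErrorAction Stop
        if ($svc.Status -ne 'Running') {
            $row.Status = 'FAIL'
            $row.Detail = "service $Service is $($svc.Status)"
        }
        # Error/critical events in the System log over the last 24 h are logged as a warning
        $events = Get-WinEvent -ComputerName $System -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; Level = 1, 2; StartTime = $today.AddDays(-1)
        }
        if ($events) {
            if ($row.Status -eq 'OK') { $row.Status = 'WARN' }
            $row.Detail = ($row.Detail + " $(@($events).Count) error/critical events in System log").Trim()
        }
    } catch {
        $row.Status = 'FAIL'
        $row.Detail = $_.Exception.Message
    }
    [pscustomobject]$row
}

$rows = foreach ($c in $critical) { Test-CriticalSystem @c }
$rows | Export-Csv -Path $monthFile -Append -NoTypeInformation
$rows | Format-Table -AutoSize
```

Ticket numbers go into the Ticket column by hand when a fault is raised, and the month's file is what the IT Manager countersigns. The check is read-only, so it can run under a low-privilege account (membership of Event Log Readers is enough for the remote log query), which keeps the evidence collector itself off the list of admin accounts the auditor will ask you to justify.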
Auditors are looking for legal EVIDENCE. This means that you check and double check what you’re saying… and you will be asked to prove it!! Do all your paperwork trails BEFORE the auditor is sat on your shoulder – as you’ll be so glad that you did!!
A standard helpdesk system may log the REQUEST, but where is the original request? Who made it, who approved it, and who in the IT department actually created these accounts?
Remember the “DOCTRINE OF THE SEPARATION OF DUTIES”: the requestor must NOT be the authoriser. Your helpdesk ticket should log the initial request and who authorised it.
Facing an audit is terrifying, unless your processes are robust. The accuracy of your data is just the first step… you must double check the accuracy and finally be prepared to prove it, with evidence. Good luck!