I was recently shopping for some tax preparation software, and I noticed that all of the products boasted new and enhanced audit support and/or audit risk meters to reduce the buyer's chances of getting audited.
I paused to imagine what it would be like if every time my Windows administrators were about to make a change they could run an "audit risk meter" to check for errors or determine the risk of doing something that was against my change management policy. I have a feeling I would have a lot fewer unauthorized changes and production errors. Better yet, if I wanted to verify that all of the Windows patches were tested and approved, I could go to the "audit support center" to pull the information.
Actually the concept of an audit risk meter or audit support center is exactly what most of us need to keep our change management process honest. Most of us have spent a lot of time developing a process. If we don't ensure that it is followed, then we will never reap the rewards.
So how do you build an audit support center? Here are three steps to set up an audit process to keep your change management process honest:
- Evaluate the process to define the scope.
- Collect the supporting information.
- Check for errors and make corrections.
Evaluate the process to define the scope
It is important that your audit support center is founded on and appropriately supports your change management process. Review your process and determine the key elements.
Here are a few examples of key elements in a change management process:
- All Windows updates are performed using WSUS.
- Server configurations meet the approved standards, and exceptions are documented and approved.
- Only authorized users have access to make changes and apply updates.
If the key elements are operating effectively, then your process is accomplishing its design purposes.
Collect the supporting information With your key elements in mind, ask yourself this question: "Where does the information reside?" Typically, it is buried in a system log, registry, Active Directory object or configuration. When figuring out where the source is, you can begin to leverage a multitude of scripts, tools and products to facilitate the periodic and ongoing collection of the information.
For example, a weekly report detailing all users in the domain admin group would help me quickly assess if I have unauthorized users with access to make changes. Here are some of my favorite tools. Some are better than others, depending on your needs, environment and budget:
Windows Management Instrumentation (WMI): This powerful tool provides quick access to user lists, machine information, processes and configurations. If you haven't used this before, just type Windows Management Instrumentation Command-line (WMIC) from the command line and, once installed, you can begin to extract information.
The following command gives you a list of local system accounts: C:\>wmic useraccount list brief
Another useful command is WMIC QFE. It lists all hotfixes, KB#, who was logged on to install them, and the date.
Enhancements in Windows Server 2008 facilitate the collection of information for your audit support center:
PowerShell enhances the functionality of WMIC, and that includes more than 130 pre-built commands. PowerShell is also available for Windows Server 2003 as a free download.
Active Directory Domain Services (ADDS) now includes better auditing – including what was changed on a specific object – and allows you to quickly see previous and current values. This provides more granular detail to see when an AD object was changed.
Snapshot Viewer allows you to mount and view snapshots. It's a great way to audit what was changed and when. It's also useful for backup/restore.
CSVDE and LDIFDE are typically used to import and export Active Directory data, but I have found them to be great tools for quickly auditing AD users and their group assignments.
To get a listing of your AD users, run this command from your Windows Server 2003 server: C:\>csvde -f c:\dump.csv -r "(objectCategory=person)" -l "whenCreated,cn,memberOf"
You can also dump groups: "(objectCategory=group)" –l Member. This is nice because there are a lot of managers/admins that have no idea who has been given rights to security groups. Many times, too many people have been given emergency access, and they have never been removed.
Some other tools include HFNETCHK, GPMC and building custom Active Directory queries. Microsoft System Center consolidates and facilitates a lot of the tools and has several reports that could contribute to your audit support center.
By using scripts and other reporting options, you can easily automate the collection of this information. Create or leverage an existing document repository location to store the information you are collecting – this will be the backbone of your audit support center.
Check for errors and make corrections
Now it is time to run your "audit risk meter." Take your key process elements and compare them with what you have collected from the production environment.
Does the information you are collecting support your defined process? If not, reevaluate either your process or the information you are collecting. Correct your errors and repeat the process.
With your audit support center established, you can proactively monitor your change management process and prepare yourself for an outside audit.
Russell Olsen is the CIO of a Healthcare Technology company and has previously worked for a Big Four accounting firm performing technology risk assessments and Sarbanes-Oxley audits. Olsen is a CISA, GSNA, and MCP.
This was first published in March 2008