When auditors need to identify and understand IT controls, they search the company intranet, review policies, look for GitHub repositories, review inventories, schedule meetings, and analyze IT asset data.
I stumbled on a better way to get insight into the IT controls in my company, and I didn’t have to email anyone, do any research, or frankly, anything outright. The IT controls came after me.
Fortunately, the IT controls were blind to the fact that I am an IT auditor. To them, I was just an ordinary bloke. But that didn’t last long (more on that later).
It Began a Few Years Back
It all started a couple of years ago when I was building the infrastructure required to support our data analytic efforts in internal audit.
First, we needed a place to run our analytic projects. We were using a network drive that only our department had access to, and we kept using up all the available space, which frustrated the rest of the department.
I got the drive’s space quota raised a couple times, but in a few months, we’d run out of space again. So I stuck my neck out and requested a separate network drive with 1 TB of space, the largest option on the IT request form.
I documented on the form that we were running huge analytic projects and kept running out of space on the department’s network drive. I explained we were analyzing transactions for fraud and performing other analytic procedures.
To my surprise, they granted 1 TB on a new network drive (I think the person who kept increasing the original network drive just got tired of dealing with me).
A year later, I had 2 other network drives added, as the number and size of our projects began to grow, and we started creating libraries for our scripts, procedures, reports, graphics, and documentation.
During that time I also requested 2 Windows servers to run analytic software, which resulted in separate admin IDs/passwords being assigned to me and the other server admin.
One of those applications required a firewall rule exception, so I requested and received that.
I also requested 2 SQL databases and added a number of virtual workstations that auditors could use to run tests as well as analytics, mainly to take the processing load off of their laptops.
As I started to automate some of the data pulls and the processing of several automated scripts and programs, I needed a generic ID that would be granted access to sensitive data and folders, access that is not granted to regular users like myself (I was not given the password to this ID).
Some of the data pulls contained extremely sensitive information, so now I had to obtain extra training and awareness of certain regulations.
Once I got the ability to call the generic ID to access data and applications, I needed to request/create some automated jobs to run the scripts and programs using that generic ID. The security & risk management teams approved that also.
Where’s the Beef?
So what does all of this have to do with gaining a better understanding of IT controls?
As I obtained these assets, I started getting all kinds of emails and meeting invites notifying me of upcoming changes to or requests for the following:
- Servers: patches, OS upgrades, new applications for monitoring server functions, moves to another VM host (the servers, of course, were virtual).
- Admin IDs: I and the other server admin were required to change those admin passwords on a scheduled rotation.
- Virtual Machines: updates to the VMware power tools, and things like moving the virtual hard drive storage to different hardware.
- Inventory validations: I had to verify that I still needed and was using the network drives, servers, firewall rule exception, databases, virtual workstations, automated jobs, and the generic ID.
- Access validations: I had to certify that the access granted to the network drives, servers, databases, virtual workstations, automated jobs, and the generic ID was still valid; I was also asked to confirm that no one on my team had access to the generic ID password.
- Regulatory training and certifications: annual refresher training on regulations; I was asked to certify that I was in compliance with the regulations associated with certain sensitive data.
So instead of chasing and testing these IT controls, I was living them; I was subject to them; I was suffering under them. It gave me a whole new perspective regarding the time and ability required to keep up with it all.
My experiences also gave me real evidence of when controls were working and when they weren’t. It provided places to dig a little deeper.
New Insights
Now that I’ve been through the IT control cycle a couple of times with all the infrastructure that I’m responsible for, I better understand why some of the processes don’t work as well as others. I’ve also noted the following, some of which were control failures:
- Servers are patched regularly. Test servers first, then production. All servers are automatically rebooted if required, unless reboots are restricted; in that case, the application team reboots the server instead of the patch team.
- New applications for monitoring servers get put in frequently, or they change them frequently, or both. Seems strange.
- The firewall rule was moved from one firewall to another. I was notified in advance and asked to test it after the change occurred. Everything went well. But a couple of months later, the vendor that the rule was associated with changed their network and notified me in advance. When I requested an update to the firewall rule, I was told that the rule was no longer valid, so I didn’t need to make any changes. I eventually learned that they dropped the rule altogether when the firewall switch was made: the new firewall didn’t require that kind of rule, but they never told me. My application still works fine, but the explanation is too complicated to include here, so let’s leave it at that.
- After notification of a major change in how users exit a virtual workstation, half of the workstations changed, and half did NOT, causing major confusion for my users. I screamed loudly, and they backed out the change. They keep saying they will make the change sometime in the future, but that was 1.5 years ago.
- After requesting an access change to one of my network drives, I noticed that one of the Active Directory groups assigned to the drive was incorrect. Evidently the help desk person accidentally added the requested group and the one below it (not requested). Oops.
- During an access change to the original network drive (the one we kept running out of space on), I requested removal of an ancient Active Directory group that was applied years prior, and no one knew anything about it, not even the owner of the group, who did not reside in our department. Because that owner refused to approve the removal of that group from our network drive (that contains 30 users outside of our department), the help desk refused to remove it. I escalated the issue, stating that as the owner (me) of the asset (the network drive), I had more authority over the removal of access than the group owner, who is outside the department, especially when no one can provide any reason for the access. Days later, the help desk agreed with us, and the group was removed (everything continued to work fine).
- Almost every change requested for my virtual workstations (add hard drive space, add RAM, load 64-bit office, etc.) is done wrong, even when the supervisor is monitoring the work. One time I requested 1 of the workstations get upgraded to a new operating system, but 2 workstations were upgraded. They couldn’t show me an approved ticket for the second workstation. Oops.
- Notification of an upcoming database change indicated that I owned all 40 databases on a particular server not owned by me, and I was requested to confirm whether making the change on a specific date would cause any problems. I replied that I owned only 2 databases on that server, not all 40, and I wasn’t sure where they were getting their information from, but it was wrong, and they needed to change it and notify the REAL owners prior to making the change. I received a reply that the change would be postponed for that server until corrections could be made.
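The access-validation certifications and the extra Active Directory group that turned up on the network drive are the kind of thing an asset owner can check for themselves rather than wait for the next attestation cycle. The following PowerShell script is an added example (not from the original post); it reads the ACL on a drive's UNC path and flags any identity that is not on the owner's approved list. The share path and group names are hypothetical.

```powershell
# Added example: compare the groups granted on a network drive against what the owner approved.
# Assumptions: the drive is reachable as a UNC path and the owner keeps the approved list current.
$SharePath      = '\\fileserver\audit_analytics'                              # hypothetical share
$ApprovedGroups = @('CORP\Audit-Analytics-RW', 'CORP\Audit-Analytics-RO')      # hypothetical groups

# Accounts the file server itself relies on; they are expected and not reported as findings.
$BuiltIn = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-UnapprovedShareAccess {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Approved
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -in $BuiltIn) { continue }
        if ($id -notin $Approved) {
            # Anything here was never requested by the owner, e.g. the "group below it"
            # that the help desk added by accident, or an ancient group nobody can explain.
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = Get-UnapprovedShareAccess -Path $SharePath -Approved $ApprovedGroups
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No unapproved identities on $SharePath."
}
```

Run it after every access change ticket is closed and keep the output with the ticket; an entry in the findings table is the evidence to take back to the help desk.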
What’s the Point?
If you’re still wondering what the point is, either I haven’t made it very well, or you need a second cup of joe, or perhaps both.
Anyway, the point is that by consuming IT assets, I have learned a lot more about how IT operates firsthand, especially when they don’t know an auditor is looking over their shoulder. And how they make mistakes. And fix them.
Most of the items that I cited above have given me great insights into how our company functions and what regular users (those without a technical background, who are NOT used to verifying changes, and don’t know when they are sometimes being intentionally misled) go through day in and day out as they simply try to do their jobs using the infrastructure and software they are provided by IT.
And these sneaky insights are regularly applied to our audits.
If you use similar infrastructure, make sure you pay attention to how YOU are asked to manage your department’s IT assets. Otherwise, you are missing many great opportunities.