This is Part 3 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1 and Part 2.
I looked at the third page of the handout and asked, “What is this?”
“A list of Active Directory (AD) groups and the user IDs in each group. I searched AD for any group containing the system name,” the junior auditor said, “and identified these 6 groups. I then downloaded all the members of these groups from AD into Excel.”
The auditor continued, “We will be reviewing the access related to Process X, so I thought I’d look up all the related groups.”
I read through the group descriptions, which were mostly cryptic. “Do you know what these groups are for, how they are applied to the system, and what assets and access rights are related to those groups?” I wondered.
No one looked me in the eye. “Not yet,” was the reply. “We aren’t sure which ones are important. We downloaded the group and members, and sent the listings to the business contact. We asked her what each group is for. We are waiting for an answer.”
“So before you knew whether these groups were relevant to your audit, you took time to download the lists?”
Before the lead auditor could send the junior auditor a signal, the junior auditor replied, “Yes. This didn’t take that much time.”
The other auditors looked down at the floor.
“While it was smart of you to try to identify any groups related to this process and ask how they are used, next time I would wait until you get an answer so you know which groups are pertinent to your audit objectives. Then download the members,” I stated.
I continued, “Wouldn’t that have made more sense and been less work for both you and your business contact?”
“OK,” I said, changing the subject. “Let’s talk metrics.”
See Part 4