A way of describing IT audit

You know how your day goes? You know how you use all of these widgets and doohickeys, and that’s how you usually converse or get any information? It’s my job to keep all of that stuff working (at least, I would like to). I’m not talking about just making Windows work on your computer, or troubleshooting your iPhone. I’m talking about the systems and processes which are used by those devices. You see, there are complex processes at very large companies which must keep running. You can’t send text messages? You can’t buy stuff off Amazon? You can’t watch cat videos? Something has gone wrong in those services, and it’s up to guys like me to prevent that from happening.

So I’ll check that the servers which provide the videos can still function when they’re running at full tilt, or when there’s barely a trickle coming in. Regular phone calls and text messaging have complex systems which must be checked to ensure they’ll do their job every single time. This includes gathering evidence, and assuring that what management claims about the workings of their systems is true. Has the system administrator updated the server’s OS to its latest patches? Did they test to ensure that the patches wouldn’t break anything? Are change controls in place to ensure that they even check that these patches wouldn’t break the system? How about security procedures? Have they been followed? Has the system been hardened to identified threats? These are some of the things IT auditors have to check.

This is not just about checking the hardware, though. Has management performed its due diligence and made sure that the data they have is backed up? How do they know whether the data that was backed up could be restored? Who is in charge of checking that the data is backed up and stored properly? If the servers go down, whose job is it to ensure that they all come up again? More questions can be asked, but I’m sure you get the gist of it.

So you may have heard of companies getting their data breached, or announcing new services they will provide. However, it’s up to someone at these companies to ensure that governance practices have been followed, that the company can actually provide this service, that the service won’t expose the company to risks (e.g. litigation, huge losses, or data breaches), and that it will actually be a benefit to the company. And usually, it’s someone who knows about IT audit.

Auditing a charity’s network, and finding something out of place

For the past six months or so, I have been helping a local charity with its I.T. needs. This includes updating their computers, designing and setting up a kiosk for its volunteers, and helping other charity members with their IT needs. Now I’m trying to map their network, and help the director of I.T. to ensure that all devices (desktop computers, printers, external hard drives, etc.) are accounted for.

About two or three weeks ago, I used nmap to do a quick scan of the local network, and check the devices on the network for what they were broadcasting, what ports were open, and just what that exact machine is. After finishing that, I met with their director of I.T. to discuss my findings. He verified most of what I found (we had a problem with one of those Western Digital MyCloud hard drives, but that was soon cleared up). But there was one part which baffled the both of us.

Just like many other small organizations, they use old phones. The ones they use are Avaya IP phones (i.e. voice over internet protocol [VoIP] phones), model 1616. I don’t know when they got these phones, but they’re old. When I scanned these phones, I only got their IP addresses; there was no hostname. However, on one particular phone, I found a hostname. It’s not a hostname you would find on any of the other computers on the network (they had hostnames that ended in “.local”). This one had the hostname “6lfb7c1.salmonbeach.com”. How it got this hostname, I am not entirely certain.

At first, I thought these were phones with a few features (voice mail, call forwarding, conference calls, stuff like that). As I have found out, these phones are fully featured, and have upgradeable firmware. The phone in question, the model 1616-1 BLK, gets its firmware from the local Avaya phone PBX server. Since it gets its firmware from the server, how can the hostname be changed? In the settings for the phone, the hostname can’t even be changed. One of the members of the charity’s administration said that they had problems months ago with the voice mail system. But I doubt that’s related to this problem.

So how should I approach this? Has it been hacked? Is it just a software glitch? Hopefully it’s nothing serious. The I.T. director said that he bought a bunch of these old phones on the cheap years ago, and he’ll look into flashing the firmware on the phone. So let’s hope that’s the last we’ll hear of it.
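One way to approach the reconciliation described above, as an added example that is not from the original post: parse an nmap XML scan, compare it against the IT director’s device inventory, and flag hosts that are unknown, missing, have unexpected open ports, or carry a hostname outside the expected “.local” suffix. The scan output and inventory below are constructed sample data, not the charity’s real scan.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output, not a real scan; the hostname
# 6lfb7c1.salmonbeach.com is the one the post describes.
SCAN_XML = """<nmaprun>
<host><address addr="192.168.1.10" addrtype="ipv4"/>
 <hostnames><hostname name="frontdesk.local" type="PTR"/></hostnames>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/></port></ports></host>
<host><address addr="192.168.1.21" addrtype="ipv4"/><hostnames/>
 <ports><port protocol="tcp" portid="5060"><state state="open"/></port></ports></host>
<host><address addr="192.168.1.22" addrtype="ipv4"/>
 <hostnames><hostname name="6lfb7c1.salmonbeach.com" type="PTR"/></hostnames>
 <ports><port protocol="tcp" portid="5060"><state state="open"/></port></ports></host>
</nmaprun>"""

# Constructed inventory as the IT director might keep it: ip -> allowed open TCP ports.
INVENTORY = {"192.168.1.10": {445}, "192.168.1.21": {5060},
             "192.168.1.22": {5060}, "192.168.1.30": {9100}}

def parse_scan(xml_text):
    """Return {ip: (hostname or None, set of open TCP ports)} from nmap XML."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")  # None when nmap found no name
        ports = {int(p.get("portid")) for p in host.iter("port")
                 if p.get("protocol") == "tcp"
                 and p.find("state").get("state") == "open"}
        hosts[addr.get("addr")] = (hn.get("name") if hn is not None else None, ports)
    return hosts

def audit(scan, inventory, suffix=".local"):
    """List (ip, finding) pairs: unknown hosts, odd hostnames, extra ports, missing hosts."""
    findings = []
    for ip, (name, ports) in sorted(scan.items()):
        if ip not in inventory:
            findings.append((ip, "not in inventory"))
            continue
        if name and not name.endswith(suffix):
            findings.append((ip, f"hostname outside {suffix}: {name}"))
        extra = ports - inventory[ip]
        if extra:
            findings.append((ip, f"unexpected open ports {sorted(extra)}"))
    for ip in sorted(inventory.keys() - scan.keys()):
        findings.append((ip, "in inventory but not seen on the network"))
    return findings
```

Each finding is a lead for the auditor to verify with the device owner, not a conclusion; the phone with the out-of-place hostname shows up as one such lead.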

Newer Ways of Audit Reporting on Third Party Companies

I went to a recent meeting of the North Texas chapter of ISACA, and there was a presentation on SSAE 18. For those of you who don’t know, SSAE 18 supersedes SSAE 16, and consolidates Service Organization Controls reporting into something more manageable. Here, I’ll talk about what I’ve learned about SSAE 18, SOC 1, and SOC 2.

In SSAE 18, more emphasis has been put on testing the design of controls for subservice organizations (e.g. third parties to which the organization has contracted out some process) and whether they are doing what they are supposed to be doing. The auditor, through Service Organization Control (SOC) reporting, has to report on the effective use of these controls. In the case of a SOC 1 report, they would assist in testing the controls as they pertain to the financial statements. With SOC 2, the auditor reports on the controls with regard to security, availability, integrity, and confidentiality.

Now the auditor has to look for things such as complementary user entity controls, which are the controls that are assumed to be in place at the user entity. The auditor will have to look at reports from the subservice company to the main organization. They will have to see whether the organization is actually verifying the information in the report. For instance, the auditor will have to see that system-generated reports are being validated by the users of these reports. The processing integrity principle will be used heavily in this situation.

This audit will look at how management has chosen the suitable criteria for the control, and how well they’ve measured the subject matter (note that “subject matter” means the risk relevant to entities using the subservice company). So an auditor will look at whether the risk is something related to the entity’s business with the subservice company, then check the metrics of the current control, and see whether they are actually related to the control.