Internal Controls
Internal Controls explain the activities we perform at our organisation to deal with Risks and Compliance Requirements. We document what they do, how we test them and what Policies, Standards and Procedures govern them.
| Title | Objective | Audit Methodology | Audit Success Criteria | Maintenance Task | Policies |
|---|---|---|---|---|---|
| Active Directory User Reviews | Ensure that employees who have left the organisation have no valid account in AD and that their last login precedes their last day in the office. | Input: - HR provides the list of employees who left the company since the beginning of the year and their last day in the company as columns A and B; the employee name must be their login name (john.foo). - The AD team provides the list of disabled accounts (column A), the date they were disabled and their last successful login (columns B and C). Analysis: - For each row in the list of employees, verify that the account has been disabled and that no logins occurred after their last day of work. Output: - A merge of both spreadsheets showing that all accounts are disabled and no logins occurred after the last day. | All accounts have been disabled before the employee left the organisation. | NA | Account Management Procedures |
| AD Group Reviews | Ensure AD groups have been managed according to our policies. | Input: - List of critical AD groups (group name in column A). - Members of each group (column A group name, column B member login name). - Tickets from the AD management queue. - Logs from the central collector with all AD changes. Analysis: - Review that every AD change has a ticket assigned; check-mark the item if it does not. - Review all tickets and ensure they have followed the standard procedure; check-mark the item if not. Output: - Spreadsheet with the analysis. | All AD changes have a ticket and all tickets have followed our standard procedures. | NA | Account Management Procedures; Hardening Standards; Logging & Monitoring Standards; Change Management Procedure |
| CRM Application - Account Reviews | Ensure that each user account in CRM belongs to the correct area and that each role has been granted under a ticket. | Input: - System logs indicating account creations in the CRM system. - List of all tickets for CRM account management since the last audit. Analysis: - For each log entry, identify a ticket. - Review that the ticket has followed our account management process. Output: - Spreadsheet with the analysis. | All account creations have followed our procedures. | NA | Account Management Procedures; Hardening Standards; Logging & Monitoring Standards |
| Database Administrator Account Reviews | Ensure the database logins on the following systems (CRM, ERM, Acme Drupal) have received no login attempts from sources other than the application they serve. | Input: - Connection logs for these three systems, obtained from the central log collector. - DB account names used by the applications that use these databases. Analysis: - For each log line, ensure no account other than the ones used by the application has successfully logged on to the DB. Output: - Spreadsheet validating each database connection, with a check mark where a fault is identified. | Only the application service accounts have connected to the database. | NA | Account Management Procedures; Hardening Standards; Logging & Monitoring Standards |
| Employee Account Provisioning and Deprovisioning Review | This control ensures that the provisioning and deprovisioning of accounts on systems have followed our procedures, checked in detail against our Active Directory, which authenticates all user logins at every system in the company. Additional reviews are performed on key systems. | Evidence: - List of employees who joined and left the company since the last audit. - List of active AD user accounts. Analysis: - Review that no former employee has an active AD account. - Review that new employee accounts have the Change Request ticket number as the description on their AD account, then review that the ticket has followed the process on Service Desk, including approvals. Output: - Spreadsheet with the analysis. - All dumps (employee and AD). | - No former employee has an account. - The provisioning tickets reviewed have all followed the process. | NA | Account Management Procedures; Change Management Procedure |
| Google Apps 2-Factor | | Input: - Google Apps account security report. Analysis: - Ensure all accounts use 2-factor. Conclusion: - Screenshots. | Everyone must use 2-factor. | NA | Account Management Procedures; Hardening Standards |
| High Privilege Service Accounts | Ensure that passwords are kept confidential. | Input: - Passman logs from the central log collector. - List of tickets for the Passman queue (column A ticket number, column B date). Analysis: - For each log entry, ensure there is a ticket; check-mark the item if not. - For each ticket, ensure the process for privileged accounts has been followed. Output: - Spreadsheet with the analysis. | All access to privileged accounts has a ticket and all tickets have followed our standard procedures. | NA | Account Management Procedures; Change Management Procedure; Logging & Monitoring Standards |
| Service Accounts Reviews | Review service accounts to ensure they are still valid and were created following standard procedures. | Input: - List of AD accounts where the "password expiration" field is set to "never" (account name in column A, creation date in column B). - List of tickets for all AD changes. Analysis: - For each account, ensure there is a valid ticket; check-mark the item if it has no valid ticket. Output: - Spreadsheet with the analysis. | No service accounts without a valid ticket and expiration. | NA | Account Management Procedures; Change Management Procedure; Hardening Standards |
| User Access Maintenance Request | Ensure all requests for creation and amendment of user access to systems and data are appropriate and approved. | | | | Account Management Procedures |
| XERO Account Reviews | Make sure XERO accounts and roles are correct. | Input: - List of XERO accounts. - List of roles and the permissions for each role. Analysis: - Ensure only "esteban.ribicic" has the "admin" role. - Ensure only our accountants have the "accounting" role. - Ensure the "Accounting" role cannot create invoices. - Ensure the maintenance tasks (review with accounting which employees have left) have been completed. Conclusion: - Screenshots and spreadsheet with the analysis. | Permissions and accounts 100% correct. | Check with our accounting firm whether all listed XERO accounts are still needed. | Account Management Procedures |
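The leaver check behind the "Active Directory User Reviews" control (and the deprovisioning half of the "Employee Account Provisioning and Deprovisioning Review") is a merge of two spreadsheets. The script below is an added example, not code from the original page or from any GRC tool; it assumes the HR export carries the columns `login,last_day` and the AD export carries `login,disabled_on,last_login` with ISO dates (an empty `last_login` meaning the account never logged in). The two CSV texts embedded in it are constructed sample data, and the function names (`load_leavers`, `load_disabled`, `review_leavers`, `merged_report_csv`) are this example's own.

```python
"""Leaver review: reconcile the HR leavers list against AD disabled accounts.

Added example, not part of the original page. Assumes the HR export has
columns login,last_day and the AD export has columns
login,disabled_on,last_login (ISO dates; empty last_login = never logged in).
Both CSV texts below are constructed sample data.
"""
import csv
import io
from datetime import date

HR_LEAVERS_CSV = """\
login,last_day
john.foo,2023-03-31
Jane.Bar,2023-05-15
sam.baz,2023-06-30
"""

AD_DISABLED_CSV = """\
login,disabled_on,last_login
john.foo,2023-03-31,2023-03-30
jane.bar,2023-05-20,2023-05-18
old.svc,2023-01-10,
"""


def _date(value):
    """Parse an ISO date; an empty cell means 'no value' (e.g. never logged in)."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def load_leavers(text):
    """HR list: login -> last day in the office (logins normalised to lower case)."""
    return {row["login"].strip().lower(): _date(row["last_day"])
            for row in csv.DictReader(io.StringIO(text))}


def load_disabled(text):
    """AD list: login -> (disabled_on, last_login)."""
    return {row["login"].strip().lower(): (_date(row["disabled_on"]), _date(row["last_login"]))
            for row in csv.DictReader(io.StringIO(text))}


def review_leavers(leavers, disabled):
    """Return login -> list of findings; an empty list means the account passed.

    ACCOUNT_NOT_DISABLED: leaver has no entry in the disabled-accounts export.
    DISABLED_LATE:        account disabled after the employee's last day.
    LOGIN_AFTER_LAST_DAY: a successful login was recorded after the last day.
    """
    report = {}
    for login, last_day in leavers.items():
        findings = []
        if login not in disabled:
            findings.append("ACCOUNT_NOT_DISABLED")
        else:
            disabled_on, last_login = disabled[login]
            if disabled_on is None or disabled_on > last_day:
                findings.append("DISABLED_LATE")
            if last_login is not None and last_login > last_day:
                findings.append("LOGIN_AFTER_LAST_DAY")
        report[login] = findings
    return report


def merged_report_csv(leavers, disabled):
    """The 'Output' spreadsheet: both lists merged, plus a findings column."""
    report = review_leavers(leavers, disabled)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["login", "last_day", "disabled_on", "last_login", "findings"])
    for login in sorted(leavers):
        disabled_on, last_login = disabled.get(login, (None, None))
        writer.writerow([login, leavers[login], disabled_on or "", last_login or "",
                         ";".join(report[login]) or "OK"])
    return buf.getvalue()


if __name__ == "__main__":
    print(merged_report_csv(load_leavers(HR_LEAVERS_CSV), load_disabled(AD_DISABLED_CSV)))
```

Logins are lower-cased on both sides because HR and AD exports rarely agree on capitalisation, and a leaver missing from the AD disabled list is reported rather than silently skipped: that is precisely the case the control exists to catch.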
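Four of the controls above (AD Group Reviews, CRM Application - Account Reviews, High Privilege Service Accounts and Service Accounts Reviews) share one analysis step: for every logged change, find its ticket and confirm the ticket went through the approval process. The script below is an added example, not code from the original page or from any log collector or ticketing product; it assumes the collector emits one change per line as an ISO timestamp followed by `key=value` fields (a `ticket` field present when the operator recorded one) and that the ticket queue exports `ticket,approved_by,approved_at,status`. The log lines and ticket rows are constructed, and the function names (`parse_change`, `load_tickets`, `reconcile`) are this example's own.

```python
"""Log-to-ticket reconciliation shared by several controls on this page.

Added example, not part of the original page. Assumes the central log
collector emits "<ISO timestamp> key=value ..." lines with a "ticket" field
when one was recorded, and that the ticket queue exports
ticket,approved_by,approved_at,status. Both samples below are constructed.
"""
import csv
import io
import re
from datetime import datetime

AD_CHANGE_LOG = """\
2023-06-02T10:15:03 host=dc01 event=group_member_added group="Domain Admins" member=john.foo actor=adm.jane ticket=CHG-1042
2023-06-03T08:02:41 host=dc01 event=group_member_added group="Domain Admins" member=sam.baz actor=adm.jane
2023-06-05T17:44:10 host=dc02 event=group_member_removed group="Backup Operators" member=jane.bar actor=adm.bob ticket=CHG-1051
2023-06-06T09:30:00 host=dc01 event=group_member_added group="Backup Operators" member=eve.doe actor=adm.bob ticket=CHG-1060
2023-06-07T11:00:00 host=dc01 event=group_member_added group="Domain Admins" member=eve.doe actor=adm.bob ticket=CHG-9999
"""

TICKETS_CSV = """\
ticket,approved_by,approved_at,status
CHG-1042,cab.lead,2023-06-01T16:00:00,closed
CHG-1051,,,open
CHG-1060,cab.lead,2023-06-06T12:00:00,closed
"""

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_change(line):
    """Split a log line into its timestamp ('ts') and key=value fields."""
    stamp, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(rest)}
    fields["ts"] = datetime.fromisoformat(stamp)
    return fields


def load_tickets(text):
    """Ticket queue export: ticket id -> approval details."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        approved_at = row["approved_at"].strip()
        rows[row["ticket"].strip()] = {
            "approved_by": row["approved_by"].strip(),
            "approved_at": datetime.fromisoformat(approved_at) if approved_at else None,
            "status": row["status"].strip(),
        }
    return rows


def reconcile(log_text, tickets):
    """Return [(line_no, finding)]; finding is OK or the reason for a check mark.

    NO_TICKET:             change recorded without a ticket reference.
    UNKNOWN_TICKET:        referenced ticket is not in the queue export.
    TICKET_NOT_APPROVED:   ticket exists but carries no approval.
    APPROVED_AFTER_CHANGE: approval was granted after the change was made.
    """
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        change = parse_change(line)
        ref = change.get("ticket")
        if not ref:
            findings.append((n, "NO_TICKET"))
            continue
        ticket = tickets.get(ref)
        if ticket is None:
            findings.append((n, "UNKNOWN_TICKET"))
        elif not ticket["approved_by"] or ticket["approved_at"] is None:
            findings.append((n, "TICKET_NOT_APPROVED"))
        elif ticket["approved_at"] > change["ts"]:
            findings.append((n, "APPROVED_AFTER_CHANGE"))
        else:
            findings.append((n, "OK"))
    return findings


if __name__ == "__main__":
    for line_no, finding in reconcile(AD_CHANGE_LOG, load_tickets(TICKETS_CSV)):
        print(line_no, finding)
```

The same `reconcile` works unchanged for CRM account-creation logs or Passman check-out logs, because it only needs a timestamp and a ticket reference per line; the approval-time comparison is what turns "there is a ticket" into "the ticket followed the process", since a ticket raised after the fact does not satisfy the Change Management Procedure.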