Internal Controls

Internal Controls explain the activities we perform at our organisation to deal with Risks and Compliance Requirements. We document what they do, how we test them and what Policies, Standards and Procedures govern them.

58

0%
Current Internal Controls

0

0%
New Internal Controls

0

0%
Updated Internal Controls
Actions
Title
Objective
Audit Methodology
Audit Success Criteria
Maintenance Task
Policies
Active Directory User Reviews
Ensure that those employees that have left the organisation have no valid account in the AD and that his/her last login is previous to its last day in the office.
Input:
- HR needs to provide the list of employees that left the company since the beginning of the year and their last day in the company as columns A and B. The name of the employee must be its login name (john.foo)
- AD team needs to provide the list of disable accounts (column A) the date they were disabled and their last successfull login as column B and C.

Analysis:
- For each row in the list of employees verify if the account has been disabled and no logins existed after its last day of work.

Output:
- A merge of both spreadsheets showing all accounts are disabled and no logins occured after the last login.
All accounts have been disabled before the employee left the organisation.
NA
Account Management Procedures
AD Group Reviews
Ensure AD groups have been managed according to our policies.
Input:
- List of critical AD groups; group name in column A
- Members for each group; column A group name; column B group member login name
- Tickets for AD management queue
- Logs from the central collector with all AD changes

Analysis:
- Review that all AD changes have a ticket assigned; if they do not have a ticket check mark the item
- Review all tickets and ensure they have followed the standard procedure; if not check mark the item.

Output:
- Spreadsheet Analysis
All AD changes have a ticket and all tickets have followed our standard procedures.
NA
Account Management Procedures Hardening Standards Logging & Monitoring Standards Change Management Procedure
CRM Application - Account Reviews
Ensure that each user account in CRM belongs to the correct area and that each role has been granted for a ticket
Input:
- System logs that indicate account creations at the CRM system
- List of all tickets for CRM account management since the last audit

Analysis:
- For each log identify a ticket
- Review the ticket has followed our account management process

Output:
- Spreadsheet with analysis
All account creations have followed our procedures.
NA
Account Management Procedures Hardening Standards Logging & Monitoring Standards
Database Administrator Account Reviews
Ensure the database user logins on the following systems: CRM; ERM; Acme Drupal have not received login attempts from other sources than the application that they serve.
Input:
- Connection log for these three systems obtained from the central log collector
- DB account names used by the applications that use these databases

Analysis:
- For each log line; ensure no other account than the ones used by the application has successfully logged on the DB.

Output:
- Spreadsheet validating each database connection; a check mark if a fault is identified.
Only system applications service accounts have connected to the database.
NA
Account Management Procedures Hardening Standards Logging & Monitoring Standards
Employee Account Provisioning and Deprovisioning Review
This control ensures that the provisioning and deprovisioning of accounts on systems have followed our procedures in detail against our Active Directory which authenticates all user login attempts at all systems in the company. Additional reviews are performed on key systems.
Evidence:,
- List of employees that joined and left the company since the last audit,
- List of active AD user accounts,
,
Analysis:,
- Review no former employee has an active AD account,
- Review that new employee accounts have the Change Request ticket number as a description on their AD account, then review the ticket has followed the process on Service Desk including approvals,
,
Output:,
- Spreadsheet with the analysis,
- All dumps (employee and AD)
- No former employee has an account,
- The provisioning tickets reviewed have all followed the process
NA
Account Management Procedures Change Management Procedure
Google Apps 2-Factor
Input:
- Google apps account security report

Analysis:
- Ensure all accounts use 2-factor

Conclusion:
- Screenshots
Everyone must use 2factor
NA
Account Management Procedures Hardening Standards
High Privilege Service Accounts
Ensure that passwords are kept confidential.
Input:
- Passman logs from the central log collector
- List of tickets for the Passman queue; column A ticket number; column B date

Analysis:
- For each log ensure there is a ticket; if not check mark the item
- For each ticket; ensure the process for privilege account has been followed

Output:
- Spreadsheet with analysis
All access to privileged accounts have a ticket and all tickets have followed our standard procedures.
NA
Account Management Procedures Change Management Procedure Logging & Monitoring Standards
Service Accounts Reviews
Review service accounts to ensure they are still valid and were created following standard procedures.
Input:
- List of AD accounts where the "password expiration field" is set to "never"; account name on column A; creation date on column B.
- List of tickets for all AD changes

Analysis:
- For each account ensure there is a valid ticket; check mark the item if it has no valid ticket.

Output:
- Spreadsheet with analysis
No service accounts without a valid ticket and expiration
NA
Account Management Procedures Change Management Procedure Hardening Standards
User Access Maintenance Request
Ensure all requests for creation and amendment of user access to systems and data is appropriate and approved.
Account Management Procedures
XERO Account Reviews
Make sure XERO accounts and roles are correct
Input:
- List of XERO Accounts
- List of roles and permissions for each role

Analysis:
- Ensure only "esteban.ribicic" has "admin" role
- Ensure only our accountants have "accounting" role
- Ensure "Accounting" role can not create invoices
- Ensure Maintenances tasks (review with accounting employees that left) have been completed

Conclusion:
- Screenshots and spreadsheet with the analysis
Permissions and account %100 correct
Check with our accounting firm if all listed XERO accounts are still needed
Account Management Procedures