Read the book Practical Guide to Auditing SAP Systems - Martin Metz - Page 13
1.4.3 Assessment phase
The detailed audit steps require an understanding of methods for obtaining the necessary data/information and for analyzing it. Not all testing methods are feasible in every environment; therefore, an auditor must carefully select from the following:
Document review (e.g., manuals, meeting minutes, system logs, configuration tables)
Interviews
Observations (including walkthroughs or the reperformance of controls)
Once the information has been collected and prioritized, methods are applied to test and analyze the information. Such methods might be:
Sampling
Computer-assisted audit techniques (CAAT)
Assessment of a PAM audit
For the PAM audit, diverse activities were defined to test the operational effectiveness of controls concerning the risks of inappropriate access management, credential management, and other risks. One risk is that the solution is not comprehensive enough and does not cover all privileged accounts in Oracle databases. This could mean critical accounts not being managed, the password being subject to a cyberattack, and systems being exposed to privilege escalation. Controls are in place to address this risk, such as:
Standard operating procedures that require all Oracle admins to onboard privileged accounts in the PAM solution
An automated scan of accounts and systems in scope
Automated onboarding procedures
Reconciliation runs to compare managed accounts with all existing accounts
To test the effectiveness of these controls, an auditor can request reports from both the PAM system and the Oracle databases and compare all privileged accounts covered by PAM with those existing in the databases. Specific tests confirm the correctness of these reports: both the SQL statements used to generate them and the accounts they list are validated. If there are unmanaged accounts (not connected to PAM), this is a gap in the solution and means that the controls are not effective. The root cause might be:
Organizational: e.g., the operations unit centrally responsible may not manage all Oracle databases; the policy may not cover diverse administrators.
Processual: e.g., new administrative accounts within databases are not detected or automatically onboarded into PAM.
Technical: e.g., not all accounts can be managed through PAM or not all Oracle databases can be onboarded into PAM; the scan does not detect all systems or accounts.
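The reconciliation test described above, as an added example that is not part of the book: it takes a PAM export and a per-database listing of Oracle accounts with their grants (both formats and all account names are constructed here for illustration), normalizes identifiers, and reports unmanaged privileged accounts, stale PAM entries, and databases that were never onboarded, which map to the root-cause categories listed above.

```python
"""Reconcile PAM-managed accounts against privileged accounts found in Oracle.

All data below is constructed sample data, not taken from the book or any
real PAM product; the export formats are assumptions for this example.
"""

# Constructed PAM export: (database identifier, account name). Note the
# mixed case, which real exports often show.
PAM_MANAGED = [
    ("FINPRD", "SYS"), ("FINPRD", "SYSTEM"), ("finprd", "dba_ops"),
    ("HRPRD", "SYS"), ("HRPRD", "OLD_ADMIN"),   # no longer exists in HRPRD
]

# Constructed per-database report: account name -> set of granted roles/privileges.
ORACLE_ACCOUNTS = {
    "FINPRD": {"SYS": {"DBA"}, "SYSTEM": {"DBA"}, "DBA_OPS": {"DBA"},
               "APP_RO": {"CONNECT"}, "BATCH_ADMIN": {"SYSDBA"}},
    "HRPRD":  {"SYS": {"DBA"}, "HR_DBA": {"DBA"}},
    "CRMPRD": {"SYS": {"DBA"}},            # database never onboarded into PAM
}

# Grants that make an account "privileged" for the purpose of this test.
PRIVILEGED_GRANTS = {"DBA", "SYSDBA", "SYSOPER"}


def norm(db, account):
    """Oracle identifiers are case-insensitive unless quoted, so compare upper-cased."""
    return (db.strip().upper(), account.strip().upper())


def reconcile(pam_managed, oracle_accounts):
    """Return the gaps between the PAM inventory and the database reports."""
    managed = {norm(db, acct) for db, acct in pam_managed}
    existing = {norm(db, acct) for db, accts in oracle_accounts.items() for acct in accts}
    privileged = {norm(db, acct) for db, accts in oracle_accounts.items()
                  for acct, grants in accts.items() if grants & PRIVILEGED_GRANTS}
    databases = {db.strip().upper() for db in oracle_accounts}
    return {
        # processual/technical gap: privileged account exists but PAM does not manage it
        "unmanaged": sorted(privileged - managed),
        # PAM still lists an account the database no longer has (reconciliation run missing)
        "stale": sorted(managed - existing),
        # organizational/technical gap: whole database outside the PAM scope
        "databases_without_pam": sorted(databases - {db for db, _ in managed}),
    }


def control_effective(result):
    """The control is effective only if every privileged account is managed."""
    return not result["unmanaged"] and not result["databases_without_pam"]
```

In this constructed data the test fails: BATCH_ADMIN in FINPRD and HR_DBA in HRPRD are unmanaged, OLD_ADMIN is a stale PAM entry, and CRMPRD was never onboarded.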
By analyzing documents like the PAM policy, analyzing reports, and taking samples, as well as interviewing some of the administrators, an auditor obtains the information needed to evaluate control effectiveness and efficiency.
Before data can be used, its validity must be confirmed. Completeness and correctness are central elements of this confirmation.
In hypothesis testing, the auditor proposes a hypothesis that assumes a particular situation. By collecting evidence and applying the mathematical rules of probability, the auditor can then either confirm or reject the hypothesis.
The results of the data collection, prioritization, validation, and testing through different methods are called findings. Findings are the deviations from standards and ineffectiveness in controls that an auditor has identified by applying appropriate techniques and has supported with evidence.
An auditor must support every finding with evidence and make sure that the information underlying the finding is as valid as the methods used to test and analyze it.