The added value of an operating system audit to an IT General Controls audit


Thesis: The added value of an operating system audit to an IT General Controls audit
S.A.H. Cobelens MSc
September 6, 2013
Vrije Universiteit Amsterdam

Abstract

The threat of information leakage, financial misstatements or fraud originating from financial IT solutions is imminent. Accountancy firms have to rely on information coming from these systems and operate in a world where new cyber-attacks are daily news. They continuously develop their audit approach to mitigate (new) risks more effectively and efficiently. Auditors are often unsure whether to include a thorough operating system parameter check in their IT General Controls audit approach. This thesis explores the added value of an operating system parameter check to an ITGC audit. This is done by inspecting a best practice, testing it at three companies and creating a risk analysis per parameter category.

Acknowledgements

I would like to thank my thesis supervisor Rene Matthijsse for helping and guiding me through the whole thesis process. Besides that I would like to thank my colleagues for their input and thoughts on the subject. Last but not least I thank my family and friends for their support.

Table of contents

Acknowledgements
1. Introduction
1.1 Introduction
1.2 Research question
1.3 Contribution
    Academic relevance
    Managerial relevance
1.4 Research design
1.5 Thesis structure
2. Theoretical background
2.1 A brief history of IT audits
2.2 IT General Controls
2.3 ITGC in the financial statement audit
2.4 The structure of IT General Controls
2.5 Auditing of the ITGCs
2.6 Information security
Hypotheses
    Conceptual framework
    Hypotheses
    Control variables
Case study methodology
    Research methods
    Observation
    Preliminary information gathering
    Theory formulation
    Hypothesizing
    Further scientific data collection
    Data analysis and conclusion
    Sample selection
Case study findings
    Company profile
    Company A
    Company B
    Company C
    Outcome
Analysis of results
    Accounts
    Audit policy
    Detailed security auditing
    Event log
    Windows Firewall
    Windows Update
    User Account Control
    User rights
    Security options
    Terminal services
    Internet communication
    Additional security settings
    Other factors
    Costs of the operating system parameter check
    Type of operating system(s) in use
    No extra comfort
    Politics and time
Validation of hypotheses
    WH1: An operating system parameter audit will only give comfort over the operating system layer
    WH2: Operating system comfort is essential for reliance on application controls
Conclusions
Limitations and further research
References
Appendix I: Detailed results

List of tables and figures

Figure 1
Figure 2
Figure 3

1. Introduction

1.1 Introduction

Companies use a variety of software solutions for their financial administration. These financial software solutions (e.g. SAP, Oracle, PeopleSoft and Navision) have been implemented in thousands of companies worldwide. Such solutions often have a client-server architecture, which means they can be reached over a network and are therefore a likely target for people with the wrong intentions (Albornoz Mulligan, 2007). The machines that run these financial software solutions need to be hardened in order to withstand the increasing number of risks coming from the connected world. Best practices for the setup of system environments are available, and there are tools to check a system against them. The threat of information leakage, financial misstatements or fraud from financial IT solutions is imminent, and it is a complex matter in which no single control mitigates all the risks. For example, users with broad privileges in a financial system can bypass controls like the four-eyes principle to make unauthorized adjustments, database administrators can edit tables and change user information, and system administrators can obtain access to both the database and the software. Multiple layers of computer system security therefore need to be taken into account before a company can entrust its business processes to such financial software. Its accountants need to obtain comfort about the completeness, accuracy and validity of the data coming from the system in order to do their work. Accountancy firms, which sign off the financial statements, rely heavily on data coming from these systems and therefore need to be sure of the completeness, accuracy and validity of the data they generate. In order to gain this comfort an IT General Controls (ITGC) audit is performed as part of the financial statement audit.
This is an audit of all controls that apply to the relevant system components, processes and data of the IT environment (ISACA, 2013). Accountancy firms continuously develop their audit approach to mitigate (new) risks more effectively and efficiently. Auditors are often unsure whether to include a thorough operating system parameter check in their ITGC audit approach. This thesis explores the added value of an operating system parameter check to an IT General Controls audit.

1.2 Research question

A company uses an operating system baseline security scan as part of its ITGC audit work. This security scan checks the system settings of the operating systems against a best practice published by the Center for Internet Security (CIS). The outcome of the scan is an overview of the many system settings and their compliance with the best practice. Audit teams are often not aware of the added value of such a baseline scan for their ITGC audit, or of when they can or should use it. What comfort does this security baseline scan give the IT auditor regarding the ITGCs, and when should an auditor consider performing such a scan? The research question is therefore:

How does a baseline security scan of operating system parameters add value to an ITGC audit?

In order to answer the research question, several sub-questions have to be answered:
- What is the place of operating system parameters in the IT General Control environment?
- What kind of comfort and assurance can an operating system parameter baseline scan contribute to the ITGC audit?
- Under which conditions should an ITGC auditor consider using an operating system parameter baseline scan?

1.3 Contribution

Academic relevance: This research tries to add academic value to both topics, so that the choice auditors face, whether or not to use an operating system baseline security scan for their IT General Controls work, is better founded. Many best practices exist, but there is little academic literature on ITGCs and operating system security baselines.

Managerial relevance: A business unit offers baseline scans as part of an IT audit (ITGC). Audit teams are sometimes unsure what comfort they will get from a baseline scan and what impact it can make at the client. Several baseline scans have been done. It is important for IT audit

processes to understand what the most common and notable findings are and what their impact is on the IT General Controls.

1.4 Research design

This research studies the use of an operating system parameter baseline scan as part of an IT General Controls audit: how the operating system parameters can be linked to the IT General Control environment, what kind of comfort an auditor would get from an operating system parameter audit, and when it would be a viable audit approach. The link between the ITGC environment and the operating system parameters is first determined by a literature study. Based on the outcome, an operating system parameter check is designed and performed in a case study environment. Based on the theoretical background and the results of the case study, the impact on the ITGC audit is determined and recommendations are formulated and documented.

1.5 Thesis structure

The structure of this thesis can be broken down into three main parts. The first part consists of a general introduction to what will be researched as well as the theoretical foundations of the thesis; all relevant literature concerning operating system parameters and ITGCs is discussed here. The second part covers the methodological aspect of the thesis. In this section a conceptual framework is constructed based on the research questions and the literature review, and the methodology of this research is explained, including the design and execution of the case study. The last part of this thesis consists of the presentation and discussion of the results, the limitations and future research, and the conclusion.

2. Theoretical background

2.1 A brief history of IT audits

Over the years businesses have become more and more dependent on information coming from IT systems. In the 1960s one of the first frauds using IT systems was detected at the Equity Funding Corporation of America. In the Netherlands, too, auditors became aware that information systems were increasingly becoming part of the business and therefore needed to be taken into account in the audit. This shift in thinking had a great impact on accountants and the financial statement audit. Accountants formed ideas about information systems, their place in the administrative organization and how to audit them. Some accountants started to specialize in the audit of information systems, which marked the birth of the IT auditor. When the IBM 3270 terminal came onto the market in the 1970s it allowed transactions to be entered into the computer in real time. This replaced the physical processes and controls that had been used with punched cards (Dutch: ponskaarten). Because anyone could now enter transactions, accountants had no comfort over the reliability of the information generated by the system. In order to mitigate the risks associated with such information systems, the segregation of duties principle and authorization matrices were introduced. In the 1980s the field of IT audit developed further. Data centers and IT projects became a focus point for IT auditors. In 1988 the Dutch central bank (De Nederlandsche Bank) released a memorandum stating that IT is an essential part of a business that supports its solvency and liquidity. This confirmed that the IT environment is essential to the financial statement audit. The 1990s introduced the client/server architecture, which replaced many mainframes and was adopted in many projects.
Alongside this, new IT development methodologies were developed based on the client/server architecture, which promised more efficient projects with shorter durations. Because of the increase in computer systems and applications, best practices like ITIL were developed to manage the new IT infrastructure. The 2000s marked the further integration of IT with the business, the development of best practices and continuously new challenges for the control of the IT environment. New technologies and initiatives like cloud computing and Bring Your Own Device challenge management and auditors to find a way to implement these advances in a controlled manner (Comte, 2009).

2.2 IT General Controls

From the founding thoughts about administrative organizations it follows that proper internal controls need to be in place to ensure the reliability of information processed by information systems (Starreveld, 2002). These controls can be divided into organizational, logical and physical controls. In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's resources are directed, monitored and measured. It plays an important role in preventing and detecting fraud and in protecting the organization's resources, both physical (e.g. machinery and property) and intangible (e.g. reputation or intellectual property such as trademarks) (COSO, 2013). Because of the increasing reliance on IT systems, controls were developed and best practices formed to control the IT environment. Two control frameworks have been devised to assist both management and auditors in designing and assessing controls in computerized environments. One is the Information Technology Control Guidelines (IT Guidelines), first published by the Canadian Institute of Chartered Accountants (CICA) in 1970 (in its 3rd edition in 2011). The other is the Control Objectives for Information and related Technology (COBIT), developed by the Information Systems Audit and Control Association (ISACA) (GFS, 2013). IT controls are a subset of the internal controls of an organization. In the literature (Jenkins, 1992) internal controls are often divided into:
- user controls: manual controls;
- application controls: programmed controls;
- ITGC: general IT management controls.

User controls are defined as manual internal controls.
The goal of user controls is to generate reliable information for input into information systems, to take action based on information or signals from an information system, and to control an information system in a proper manner. Manual elements in internal control may be less reliable than automated elements because they can be more easily bypassed, ignored or overridden, and they are also more prone to simple

errors and mistakes. Consistent application of a manual control element can therefore not be assumed. Application controls can be defined as programmed controls in applications. The goal of application controls is to create segregation of duties in applications and to ensure the reliability of the data. IT general controls (ITGC) are controls that apply to all system components, processes and data for a given organization or information technology (IT) environment. The objectives of ITGCs are to ensure the proper development and implementation of applications, as well as the integrity of programs, data files and computer operations (ITGC, 2013).

2.3 ITGC in the financial statement audit

Accountants need to be sure that the published financial statements have been prepared reliably. The financial statements, broken down into Financial Statement Line Items (FSLIs), give an overview of the financial figures and position of the organisation (Berger, 2003). The controls in the ITGC are an aid to mitigate the IT risks that the company faces in the preparation of the financial statements. The IT risks need to be identified and appropriate controls need to be in place to mitigate them. IT risks can be divided into two types: IT-dependent and IT-specific risks (PwC Audit Guide, 2012). The ITGCs mitigate both types. IT-dependent risks are risks that stem directly from the comfort that the ITGCs should provide the organization. There are three IT-dependent risk areas: Automated Control Integrity (ACI), Report Integrity (RI) and Access Integrity (AI). Access Integrity concerns controls that can be bypassed to gain unauthorized access to systems and applications. Automated Control Integrity risks come from automated application and system functions that have not been properly tested and implemented.
Report Integrity risks are the risks associated with the reliability of system-generated reports. IT-specific risks are risks that are inherent to IT systems, such as hardware or software changes outside of the normal business processes. The primary IT-specific risk areas are Direct Data Access (DDA), Data Integrity (DI) and Application Controls in Computer Operations (ACCO). Direct Data Access risks involve all the risks that can lead to unauthorised access to data, to the change of data and to the destruction of data. Data Integrity risks involve all the risks that can lead to

damaged or lost data. Application Controls in Computer Operations risks involve errors in batch jobs or interfaces leading to incomplete or unreliable (financial) data. Effective ITGCs ensure the continued effective operation of application controls and automated accounting procedures that depend on computer processes. ITGCs are also important when manual controls depend on application-generated information.

Figure 1: The indirect link between ITGCs and the financial statement assertions (PwC, 2013).

The figure depicts how ITGCs link indirectly to the achievement of the financial statement assertions. Transaction level controls are control activities over the initiation, recording, processing and reporting of transactions, designed to operate at a level of precision that would prevent, or detect and correct on a timely basis, misstatements related to one or more relevant assertions for an FSLI or business process. Transaction level controls can be either detective or preventive in nature and often include manual application, automated application or IT-dependent manual controls (PwC, 2013).

2.4 The structure of IT General Controls

Although there is no detailed control set for ITGCs, the general areas are described. They are generally divided into the following domains:
- Access to programs and data
- Program changes
- Computer operations
- Program development
- IT control environment

Each domain has certain IT-dependent or IT-specific risks associated with it; Table 1 maps the domains to these risks.

Table 1: ITGC domains and associated risks

Domain: Access to programs and data
    Associated risks: application access; database/data file access; operating system/network access
    Type of risk: IT-dependent (access integrity); IT-specific (direct data access)

Domain: Program changes
    Associated risks: changes to application programs; changes to application configurations; changes to operating system/network
    Type of risk: IT-dependent (automated control/report integrity); IT-specific (data integrity)

Domain: Computer operations
    Associated risks: computer operations
    Type of risk: IT-specific (data integrity); IT-specific (application controls in computer operations)

Domain: Program development
    Associated risks: program development
    Type of risk: IT-dependent (automated control/report integrity); IT-specific (data integrity)

Domain: IT control environment
    Associated risks: organizational
    Type of risk: IT-dependent (automated control/report integrity)

The most common ITGC controls are:
- logical access controls over infrastructure, applications and data;
- system development life cycle controls;
- program change management controls;
- data center physical security controls;

- system and data backup and recovery controls;
- computer operation controls (ITGC, 2013).

Figure 2 shows the domains and their associated controls (PwC, 2013). The structure recovered from the figure:

IT control environment: IT strategy; IT organisation; risk management.
Systems development: initiation, analysis and design; constructing; testing; data conversion; implementation; documenting and training.
Computer operations: batch processing; interface processing; monitoring of computer processing; backups; computer centre operations.
Program changes: specification and authorisation; constructing; testing; implementation; documentation and training; segregation of duties.
Access to programs and data: application security administration; operating system security administration; network/connection security administration; database administration; application logical security; operating system logical security; network logical security; segregation of duties; application powerful accounts; operating system powerful accounts; network powerful accounts; direct data access via application, network, operating system or utilities; report integrity.

For an organization to be in control of its IT, it needs to identify the IT risks and implement a tailored ITGC control framework. A control framework consists of at least a risk, a control objective and a control activity. Control objectives are the "aim or purpose of specified controls at the service organization which address the very risks that these controls are intended to effectively mitigate" (SSAE16, 2013). Control activities are the activities that occur within a control (University of Washington, 2013). An example entry from such a framework:

Risk: Unauthorized access to the IT systems because of weak password policies
Control objective: All passwords are based on a password policy that follows best practices
Key control ref. no.: AM-1
Control activity: An up-to-date password policy is available and applied to key applications
Operator/owner: ICT manager
Preventive/detective: Preventive
Evidence: Password policies
Frequency: Annual

In this example the risk, the control objective and the control activity can be seen. In order to make the control more SMART, an owner, the type of control, the evidence and a frequency are added. A control framework can be used by both internal and external auditors.

2.5 Auditing of the ITGCs

Accountancy firms have defined their own ITGC frameworks and audit these controls in an organisation. The IT auditor needs to form an opinion about the ITGCs by testing these controls. The auditor needs to design the audit activities based on the type of organization being audited, so as to be efficient and effective. Sufficient appropriate audit evidence needs to be obtained to be able to draw reasonable conclusions on which to base the auditor's opinion. Most of the auditor's work in forming the opinion consists of obtaining and evaluating audit evidence.
Audit procedures to obtain audit evidence can include inspection, observation, confirmation, recalculation, reperformance and analytical procedures, often in some

combination, in addition to inquiry. Reasonable assurance is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. The sufficiency and appropriateness of audit evidence are interrelated. Sufficiency is the measure of the quantity of audit evidence. The quantity of audit evidence needed is affected by the auditor's assessment of the risks of misstatement (the higher the assessed risks, the more audit evidence is likely to be required) and also by the quality of that evidence (the higher the quality, the less may be required). Appropriateness is the measure of the quality of audit evidence; that is, its relevance and its reliability in providing support for the conclusions on which the auditor's opinion is based. The reliability of evidence is influenced by its source and by its nature, and depends on the individual circumstances under which it is obtained (International Standards on Auditing, 2009).

2.6 Information security

The term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide:
- integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
- confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
- availability, which means ensuring timely and reliable access to and use of information.
This is often depicted as the CIA triad, shown below (Cornell, 2013).

Figure 3: The CIA triad (Cornell, 2013).

In order to ensure the confidentiality, integrity and availability of information and information systems, companies often implement access management, change management, business continuity and risk management processes. Access to protected information must be restricted to people who are authorized to access it. The foundation on which access control mechanisms are built starts with identification and authentication. Identification is an assertion of who someone is or what something is. Authentication is the act of verifying a claim of identity. Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Change management is a formal process for directing and controlling alterations to the information processing environment. This includes alterations to desktop computers, the network, servers and software. The objectives of change management are to reduce the risks posed by changes to the information processing environment and to improve its stability and reliability as changes are made. Business continuity is the mechanism by which an organization continues to operate its critical business units during planned or unplanned disruptions that affect normal business operations, by invoking planned and managed procedures. Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving its business objectives, and deciding what countermeasures, if any, to take to reduce risk to an acceptable level, based on the value

of the information resource to the organization (CISA, 2006). These four processes are also part of the ITGC audit as described in paragraph 2.4 (Information security, 2013).

2.7 Operating system security

Businesses store their financial information on computer systems. These computer systems enable employees to access, modify and delete information. The operating system is the heart of the computer system: it allows hardware and software applications to communicate with each other and share resources, as can be seen in several definitions of an operating system:
- "Software designed to control the hardware of a specific data-processing system in order to allow users and application programs to make use of it." (Answers, 2013)
- "The collection of software that directs a computer's operations, controlling and scheduling the execution of other programs, and managing storage, input/output, and communication resources." (Dictionary, 2013)
- "An operating system (OS) is software, consisting of programs and data, which runs on computers and manages the computer hardware and provides common services for efficient execution of various application software." (Wikipedia, 2013)

For example, consider a program that allows a user to enter her password. The operating system provides access to the disk device on which the program is stored, access to memory to load the program so that it can be executed, the display device to show the user how to enter her password, and the keyboard and mouse devices for the user to enter it. There is now a multitude of such devices that can be used seamlessly, for the most part thanks to the operating system. The operating systems most used by businesses are Microsoft Windows and the various UNIX variants. Ensuring the secure execution of all processes depends on the correct implementation of resource and scheduling mechanisms.
First, any correct resource mechanism must provide

boundaries between its objects and ensure that its operations do not interfere with one another. For example, a file system must not allow a process's request to access one file to overwrite the disk space allocated to another file. Also, file systems must ensure that one write operation is not affected by the data being read or written in another operation. Second, scheduling mechanisms must ensure the availability of resources to processes in order to prevent denial of service attacks. For example, the algorithms applied by scheduling mechanisms must ensure that all processes are eventually scheduled for execution. These requirements are fundamental to operating system mechanisms. A lot of people, or at least lots of addresses, web sites and network requests, want to share content that aims to circumvent operating system security mechanisms and cause computers to share additional, unexpected resources. The ease with which malware can be conveyed and the variety of ways in which users and their processes may be tricked into running malware present modern operating system developers with significant challenges in ensuring the security of their system's execution. There is an ongoing battle between operating system developers and hackers to secure and breach operating systems. The term "secure operating system" is considered both an ideal and an oxymoron. Systems that provide a high degree of assurance in enforcement have been called secure systems, or even more frequently trusted systems. However, it is also true that no system of modern complexity is completely secure. The difficulty of preventing errors in programming and the challenge of trying to remove such errors mean that no system as complex as an operating system can be completely secure
(Jaeger, 2008). Because an operating system plays such a vital role in an information system, its security has a direct impact on applications and their data, as can be seen in figure 3. All data that comes from outside the system needs to pass through the operating system layer.

Figure 3: The position of the operating system layer between external data, the applications and their data.

Operating system settings are highly customizable in order to be tailored to the needs of the user. This means that the user is also responsible for a secure implementation of the configurable settings.

2.8 Operating system configuration for Windows Server 2008

Apart from the inherent design of the operating system, the configuration of its parameters also plays a role in how secure the operating system is. There are many types of operating systems that can be configured in a variety of ways. Researching all of them would be beyond the scope of this thesis. This research therefore looks at the settings of one of the most used server operating systems, Windows Server 2008 (Wikipedia, 2013). Windows Server 2008 was released by Microsoft on February 27, 2008 and is the successor to Windows Server 2003. The Center for Internet Security (CIS) helps organizations improve their security posture by reducing the risk resulting from inadequate technical security controls. One way of doing

this is by publishing security configuration benchmarks for operating systems. The security configuration benchmark for Windows Server 2008 was released on September 30th, 2011 and includes many parameter setting recommendations (CIS, 2011). Each recommendation contains a description, rationale, remediation, audit, default value and references. For example, for the Enforce password history control the benchmark gives the following recommendation.

Description: Enforce password history. This control defines the number of unique passwords a user must leverage before a previously used password can be reused. For all profiles, the recommended state for this setting is 24 or more passwords remembered.
Rationale: Enforcing a sufficiently long password history will increase the efficacy of password-based authentication systems by reducing the opportunity for an attacker to leverage a known credential. For example, if an attacker compromises a given credential that is then expired, this control prevents the user from reusing that same compromised credential.
Remediation: To establish the recommended configuration via GPO, set the following to the value prescribed above: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Audit: Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed.
Default Value: 24 passwords remembered
References: CCE

There are more than a hundred recommendations like this for Windows Server 2008. This shows one of the complexities of securing the operating system: it is always a balance of security versus usability. All these settings can be broken down and ordered into the following categories or controls.

Accounts: Password and account settings. These settings all contribute to logical access security.
Audit Policy: Settings regarding the logging of events and changes to the operating system, for example the logging of access attempts and of changes to user rights and policies.
Detailed Security Auditing: More specific auditing settings, like the logging of changes to the security state of the system, of access to a registry object, or of the results of a validation test.
Event Log: Settings about the retention of the system logs and some technical settings.
Windows Firewall: Settings about the setup of the Windows Firewall that is part of the operating system.
Windows Update: Settings regarding the download and installation of new patches.
User Account Control: Settings regarding the behaviour of the operating system when operations are performed that require elevated privileges.
User Rights: Defines which types of users can perform certain actions, like logging on, shutting down the system or changing the system time.
Security Options: Specific security settings such as interactive logon, Microsoft network client, network access and system settings.
Terminal Services: Remote desktop settings.
Internet Communication: Settings regarding the use of local resources over a network connection, like printing or publishing files.
Additional Security Settings: Additional settings like disabling remote desktop sharing, turning off autoplay and registry policy processing.

Most of the categories would fall under the ITGC domain Access to programs and data, except for the Windows Update category, which would fall under Computer operations.

2.9 Influence of operating system settings on the IT General Controls

As can be seen in the previous paragraphs, the operating system is only one of the parts that together form a secure information system environment. Logically it protects the applications, data and system resources, but once a program or user is allowed access it cannot control the implications of that access. For example, the operating system cannot control the behaviour of a user within an application or the content of the data that is being sent and received. Nevertheless it is an essential part of the security, because it protects data from external and internal threats in a way that applications cannot. There is not one setting that determines how secure an operating system is, and therefore an auditor always has to look at a combination of settings. Some settings have a higher impact than others. Not being able to rely on the operating system for the Access to programs and data controls undermines the application controls.
In practice most operating systems, including Windows Server 2008, have a basic level of security configured, which means that reliance on the operating system is not binary and can be partial. Financial statement audits always have a time period in scope. In order for an auditor to get some comfort over the operating system settings for a certain period, changes to the settings need to be logged. This means an auditor either has to rely on the change management process or has to inspect the event logs that the server generates (if this logging is enabled).
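One way to carry out the event log inspection described above, as an added example that is not part of the thesis or of its scan script: the PowerShell below is run with administrative rights on the Windows Server 2008 domain controller. It checks whether the Audit Policy Change subcategory is switched on at all, whether the Security log still reaches back to the start of the audit period (the Event Log retention settings decide this), and lists the policy-change events (IDs 4719 and 4739) that fall inside the period. The audit period parameters and the output file name are assumptions.

```powershell
# Added example (not the thesis's script). Run as an administrator on the
# Windows Server 2008 domain controller; requires PowerShell 2.0 or later.
# Assumed parameters: the audit period and the output file name.
param(
    [datetime]$PeriodStart = (Get-Date).AddMonths(-12),
    [datetime]$PeriodEnd   = (Get-Date),
    [string]$OutFile       = "$env:COMPUTERNAME-policy-changes.txt"
)

$report = @()
$report += "Audit period: {0:yyyy-MM-dd} to {1:yyyy-MM-dd}" -f $PeriodStart, $PeriodEnd

# 1. Is the "Audit Policy Change" subcategory enabled? If not, Windows never
#    writes the events below and the auditor must fall back on change management.
$auditText = auditpol /get /category:"Policy Change"
$auditOn   = [bool]($auditText -match 'Audit Policy Change\s+Success')
$report   += "Audit Policy Change subcategory logs successes: $auditOn"

# 2. Does the Security log still reach back to the start of the period?
#    The Event Log category (retention, maximum size) decides this.
$oldest  = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$report += "Oldest Security event: {0:s}" -f $oldest.TimeCreated
if ($oldest.TimeCreated -gt $PeriodStart) {
    $report += "WARNING: log does not cover the start of the period; the gap can only be covered by the change management process"
}

# 3. Policy-change events inside the period:
#    4719 = system audit policy was changed, 4739 = domain policy was changed.
$filter  = @{ LogName = 'Security'; Id = 4719, 4739; StartTime = $PeriodStart; EndTime = $PeriodEnd }
$changes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$report += "Policy change events (4719/4739) in period: $($changes.Count)"
foreach ($e in $changes) {
    # The first message line says what changed; the full event goes in the workpapers.
    $report += "{0:s}  {1}  {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`r?`n")[0]
}

$report | Out-File -FilePath $OutFile -Encoding ASCII
$report
```

The WARNING line is the practical caveat: a Security log that has already rolled over does not give comfort over the settings for the whole period, however well the settings look today, and the auditor then has to test the change management process for the uncovered months.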

3 Hypotheses

3.1 Conceptual Framework

There are different operating systems and types of audits that could be identified and researched. In order to keep focus, this research will only look at Microsoft Windows Server 2008 in the context of the financial statement ITGC audit. To visualize the research question and give a clear overview of which variables are involved and how they are interlinked, the research idea of this thesis is visualized in the Conceptual Framework below.

[Conceptual framework figure: the variables Inherent operating system security design, Operating system parameters, Operating system parameter configuration, Operating system comfort and ITGC comfort, with their relationships labelled T0, T1, T3 and T4.]

There are five main variables in this framework: the independent variables Inherent operating system security design and Operating system parameters, the moderating variable Operating system configuration, the dependent variable Operating system comfort and the dependent variable ITGC comfort. The meaning of these variables is explained next.

First, the independent variables Inherent operating system security design and Operating system parameters stand for all the possible operating systems and their inherent security design. There are many different operating systems, built for different purposes, and they thus have a different security design. A company has to think about this when it chooses the operating system for its applications. Next to the inherent design it also has to make sure that the operating system is set up and configured according to its security needs.

Secondly, Operating system configuration is the moderating variable in this framework. It entails the actual configuration of the operating system. This variable influences the dependent variables through the parameter configuration.

The fourth variable, Operating system comfort, is one of the dependent variables in this framework. It entails the combination of security design and configuration leading to a level of comfort that can be placed on the operating system.

Finally, the dependent variable ITGC comfort is about the contribution of the Operating system comfort to the IT General Controls audit. If an audit looks at application controls, Operating system comfort must be obtained.

3.2 Hypotheses

With the conceptual framework set up, specific working hypotheses can be formulated to test the framework. Working hypotheses (WH) are "a provisional, working means of advancing investigation"; they lead to the discovery of other critical facts (Dewey, 1938). Working hypotheses are linked to exploratory studies (Shields, 2006). They are never proven but are supported by empirical evidence. Building on the research questions, the working hypotheses explore the subject in more detail. Based on the literature background the following working hypotheses were created.

WH1: An operating system parameter audit will only give comfort over the operating system layer

As depicted in Figure 3 the operating system is the layer between applications, data and the network. Auditing the operating system parameters will therefore only give comfort over the implementation of information security on the OS layer.

WH2: Operating system comfort is essential for reliance on application controls

Because the operating system manages system resources and data, the system needs to be secured in a way that minimizes the risk of unauthorized use of the system resources. Using an application, even in a client/server architecture, requires some form of operating system access and thus exposes the application and data to certain threats.

3.3 Control Variables

In order to answer the research question and the sub-questions, the relationships between the main variables have to be tested. Based on the results, the formulated working hypotheses can then either be supported or not. However, it is possible that the results of this study are influenced by other variables that were not included in the framework. For this study it will be hard to exclude all the other variables that might influence the dependent variable ITGC comfort and thus the outcome of this study.

The Inherent operating system security design is a variable that greatly influences the Operating system comfort but is tricky to measure. As Jaeger (2008) argues that no operating system of great complexity can be completely secure, a feeling for its security can only be obtained by looking at its security history and design philosophy.

Although the methodology for performing an IT General Controls audit tries to be as objective as possible, there is still a lot of room for the auditor's opinion and so-called professional judgment. Companies are almost never 100% alike, technology develops fast and there are many variables that influence IT security, yet auditors often work on a tight time schedule with a limited budget. Therefore an auditor has to form an opinion as best as possible and can only give reasonable or limited assurance.

4 Case study methodology

4.1 Research Methods

The purpose of this research is to find out what the added value of an operating system audit is for the IT General Controls audit. In order to do this, this study first tries to find out the theoretical place of an operating system in the IT General Controls framework and audit methodology. Secondly, an operating system parameter audit is performed and the added value to the ITGC audit is discussed.

The methodology used for exploring the hypotheses is a case study. This study uses the hypothetico-deductive method, which according to Sekaran (1992) involves seven research steps: observation, preliminary information gathering, theory formulation, hypothesizing, further scientific data collection, data analysis and logically deducing conclusions from the results obtained.

Observation

Being a professional auditor at a big firm and studying IT audit, the researcher is aware of the discussions and hot topics in the field of IT audit. The company the researcher works for has been using a tool for the last couple of years to audit operating system parameters, and the results of these settings are sent back to the audit teams. It was observed that auditors often do not know how to interpret the results and what the added value to the audit is. They noticed that presenting the results makes an impact at the client, but the exact meaning and impact for the ITGC audit as part of the financial statement audit is unclear. The researcher felt that this was an interesting area that lacks academic and pragmatic literature and needs to be clarified.

Preliminary information gathering

Preliminary information gathering is the search for information in order to build up the researcher's understanding of the area (Sekaran, 1992). In order to do so a research proposal was written. Google, work experience and the PwC audit guide were the basis for further preliminary information gathering. The topics of financial statement audits, IT General Controls, auditing and operating systems were explored. Most concrete information was not found in academic literature but in white papers and best practices.

Theory formulation

The theory formulation is done by literature research and is necessary in order to get a good understanding of what is already known about the topic, to save valuable time and to make sure the wheel does not get invented a second time. Not only operating system and IT General Controls literature is relevant for the theory formulation, but also related literature, in order to develop a theoretical framework. The goal of this theoretical framework is to put the topic in perspective. Most of the literature research was done via Google and Google Scholar, which can search through many (academic) databases. Besides online literature research, the researcher has access to internal audit methodology material from PwC, one of the four big accountancy and consulting firms, in the form of the PwC audit guide. This guide describes the company's audit methodology in order to deliver high quality audits.

Hypothesizing

From the theoretical framework, educated guesses were made regarding the outcome of the research question. These working hypotheses are presented in chapter 3.2. They represent a tentative statement of a relationship between two variables that has yet to be empirically tested. This study will try to test these hypotheses, and the empirical results will either support the hypotheses or discard them.

Further scientific data collection

In order to test the hypotheses, further scientific data has to be collected. In order to find out about the added value of an operating system audit, this study will perform an operating system audit at three companies that use Microsoft Windows Server 2008 as the platform for their IT environment.

The operating system design

In order to get an understanding of the inherent operating system security design, literature research is performed by looking at the builder's design philosophy, its responsiveness to security issues and global opinion.

The operating system parameters

Based on the CIS best practice, a parameter scan will be performed at each company. The researcher will use his professional network to find three companies willing to do an operating system parameter scan. The researcher will provide a script that the companies need to run on their Windows Server 2008 domain controller. This script will check the parameters and output the results into a text (.txt) file. The results in this file will be analyzed using a tool called Easy2Audit. Easy2Audit is a benchmarking website where you can upload the results of the script and it will generate a graphical representation of the results.

Data analysis and conclusion

After all the scans are performed, the case information per company will be stated and the results will be evaluated. The research will make use of Easy2Audit's benchmark tool to make a graphical representation of the results, from where the researcher will investigate further. Next to that, the parameters, baseline values and results will be put into a table. For the baseline, the recommended settings for an enterprise domain controller are used, because we are testing enterprise domain controllers. The other recommended settings in the CIS baseline are for Specialized Security Limited Functionality (SSLF) systems. The companies in our sample do not have a higher than average risk profile, so it was chosen not to use the recommended SSLF settings.

4.2 Sample selection

The samples used in the research are companies that run a Microsoft Windows office environment that is managed by Active Directory, where the domain controllers run on Microsoft Windows Server 2008. Domain controllers distribute the company's IT policies and configuration settings to all computers that are in the office network. This means that a domain controller is a key system in a network and needs to be secure. The configuration of the domain controller does not necessarily apply to the computers in the domain, but it can indicate the level of thought that was given to security. If a domain controller is compromised, an attacker has the potential to access all systems that are part of the Active Directory domain.
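As an added example, which is neither the thesis's scan script nor Easy2Audit, and which also illustrates the Enforce password history recommendation quoted in section 2.8: the PowerShell below exports the effective account policy from a Windows Server 2008 domain controller with secedit, compares each value with a baseline and writes a PASS/FAIL line per parameter to a text file, the same shape of output the scan described here produces. On a domain controller the exported account policy is the effective domain policy. The 24-password history value is the one the benchmark quotes in this chapter; the other baseline values and the file names are assumptions and have to be checked against the benchmark edition actually used.

```powershell
# Added example (not the thesis's script). Run as an administrator on the
# Windows Server 2008 domain controller; on a DC the exported account policy
# is the effective domain policy (normally set in the Default Domain Policy GPO).
# Assumed: every baseline value except PasswordHistorySize, and the file names.
$baseline = @{
    PasswordHistorySize   = @{ Min = 24;           Note = 'Enforce password history: 24 or more (CIS)' }
    MaximumPasswordAge    = @{ Min = 1;  Max = 60; Note = 'Maximum password age: 1-60 days (assumed)' }
    MinimumPasswordAge    = @{ Min = 1;            Note = 'Minimum password age: 1 day or more (assumed)' }
    MinimumPasswordLength = @{ Min = 14;           Note = 'Minimum password length: 14 or more (assumed)' }
    PasswordComplexity    = @{ Min = 1;            Note = 'Complexity requirements enabled (assumed)' }
    ClearTextPassword     = @{ Max = 0;            Note = 'Reversible encryption disabled (assumed)' }
    LockoutBadCount       = @{ Min = 1;  Max = 5;  Note = 'Lockout threshold: 1-5 attempts (assumed)' }
    LockoutDuration       = @{ Min = 15;           Note = 'Lockout duration: 15 minutes or more (assumed)' }
    ResetLockoutCount     = @{ Min = 15;           Note = 'Reset lockout counter: 15 minutes or more (assumed)' }
}

# 1. Export the effective local security policy; secedit writes a UTF-16 .inf file.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# 2. Read only the [System Access] section, where the account policy lives.
$settings  = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $settings[$matches[1]] = [int]$matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 3. Compare each value with the baseline. secedit uses -1 for "never" /
#    "until an administrator unlocks", which is acceptable for the lockout
#    duration but a failure for the maximum password age.
function Test-Setting($name, $rule, $value) {
    if ($null -eq $value) { return 'NOT FOUND' }
    if ($name -eq 'LockoutDuration' -and $value -eq -1) { return 'PASS' }
    if ($name -eq 'MaximumPasswordAge' -and $value -le 0) { return 'FAIL' }
    if ($rule.ContainsKey('Min') -and $value -lt $rule.Min) { return 'FAIL' }
    if ($rule.ContainsKey('Max') -and $value -gt $rule.Max) { return 'FAIL' }
    return 'PASS'
}

$report = @()
foreach ($name in ($baseline.Keys | Sort-Object)) {
    $value   = $settings[$name]
    $result  = Test-Setting $name $baseline[$name] $value
    $report += '{0,-22} actual={1,-4} {2,-9} {3}' -f $name, $value, $result, $baseline[$name].Note
}
$report | Out-File -FilePath "$env:COMPUTERNAME-account-policy.txt" -Encoding ASCII
$report
```

The point of keeping the baseline in a table rather than in the comparison code is the one made in section 2.9: the verdict depends on the combination of settings and on which profile (enterprise domain controller versus SSLF) is taken as the baseline, so the baseline should be visible in the workpapers next to the actual values rather than hidden in the script.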

5 Case study findings

Three Dutch companies participated in this study; they are anonymized for privacy and security reasons. This study took place between January 2013 and June 2013. The system administrators first tested the scripts on their test environment before running them on production. It took each administrator about an hour to test the scripts, run them on the production environment and send the results.

5.1 Company profile

Company A

The first company is a medium sized company with about 500 employees, active in the food industry. Their ERP system, SAP, is used primarily for sales, purchasing and finance. They run a Windows environment which is administered by two domain controllers. There is no single sign-on, so in order to log in to SAP a separate username and password have to be used.

Company B

The second company is a small company operating in the gambling machine market. They use Exact for their enterprise resource planning and run a Windows environment.

Company C

Company C is a medium sized software company operating in the supply chain logistics industry. Their ERP system, SAP, is used primarily for sales and purchasing. They run a Windows environment which is administered by two domain controllers. There is no single sign-on, so in order to log in to SAP a separate username and password have to be used.

5.2 Outcome

Compliance overall:

Company A:
Company B:
Company C:

The more detailed results can be found in Appendix I.


More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer (MBSA) is a software tool released by Microsoft to determine security state by assessing missing security updates and lesssecure

More information

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM CLOUD STORAGE SECURITY INTRODUCTION Gordon Arnold, IBM SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individual members may use this material

More information

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Account Access Management - A Primer

Account Access Management - A Primer The Essentials Series: Managing Access to Privileged Accounts Understanding Account Access Management sponsored by by Ed Tittel Understanding Account Access Management...1 Types of Access...2 User Level...2

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

Diebold Security Analysis of ATM Operating and Application Systems Using the Center for Internet Security Scoring Tool

Diebold Security Analysis of ATM Operating and Application Systems Using the Center for Internet Security Scoring Tool Diebold Security Analysis of ATM Operating and Application Systems Using the Center for Internet Security Scoring Tool TP-821129-001B PD 6099 Document History Document Number Date Remarks TP-821129-001A

More information

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.

More information

Media Shuttle s Defense-in- Depth Security Strategy

Media Shuttle s Defense-in- Depth Security Strategy Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among

More information

Making Database Security an IT Security Priority

Making Database Security an IT Security Priority Sponsored by Oracle Making Database Security an IT Security Priority A SANS Whitepaper November 2009 Written by Tanya Baccam Security Strategy Overview Why a Database Security Strategy? Making Databases

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY Appendix 1c DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY DISTRIBUTION LIST Audit Team Prakash Gohil, Audit Manager Steven Snaith, Risk

More information

Memeo C1 Secure File Transfer and Compliance

Memeo C1 Secure File Transfer and Compliance Overview and analysis of Memeo C1 and SSAE16 & SOX Compliance Requirements Memeo C1 Secure File Transfer and Compliance Comply360, Inc Contents Executive Summary... 2 Overview... 2 Scope of Evaluation...

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

Managing internet security

Managing internet security Managing internet security GOOD PRACTICE GUIDE Contents About internet security 2 What are the key components of an internet system? 3 Assessing internet security 4 Internet security check list 5 Further

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Technical Proposition. Security

Technical Proposition. Security Technical Proposition ADAM Software NV The global provider of media workflow and marketing technology software ADAM Software NV adamsoftware.net info@adamsoftware.net Why Read this Technical Proposition?

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

Practical Guidance for Auditing IT General Controls. September 2, 2009

Practical Guidance for Auditing IT General Controls. September 2, 2009 Practical Guidance for Auditing IT General Controls Chase Whitaker, CPA, CIA September 2, 2009 About Hospital Corporation of America $28B annual revenue $24B total assets $4.6B EBDITA $673M Net Income

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

Security White Paper The Goverlan Solution

Security White Paper The Goverlan Solution Security White Paper The Goverlan Solution The Goverlan Administration Suite (which includes the following modules: Administration & Diagnostics, Remote Control, Scope Actions, and WMIX) is a powerful

More information

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010 S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M Bomgar Product Penetration Test September 2010 Table of Contents Introduction... 1 Executive Summary... 1 Bomgar Application Environment Overview...

More information

Information Security for Modern Enterprises

Information Security for Modern Enterprises Information Security for Modern Enterprises Kamal Jyoti 1. Abstract Many enterprises are using Enterprise Content Management (ECM) systems, in order to manage sensitive information related to the organization.

More information

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding

More information

How To Secure Your System From Cyber Attacks

How To Secure Your System From Cyber Attacks TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

OFFICE OF THE CITY AUDITOR

OFFICE OF THE CITY AUDITOR CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR Audit of Information Technology Services Department Project No. AU10-012 September 1, 2011 Audit of Information Technology Services Department Executive Summary

More information

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting

Is Your IT Environment Secure? November 18, 2015. Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Is Your IT Environment Secure? November 18, 2015 Sarah Ackerman, Greg Bernard, Brian Matteson Clark Schaefer Consulting Clark Schaefer Consulting Serving elite and emerging companies with practical solutions

More information

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc. Table of Contents PART I. IS Audit Process. CHAPTER 1. Technology and Audit. Technology and Audit. Batch and On-Line Systems. CHAPTER 2. IS Audit Function Knowledge. Information Systems Auditing. What

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM Chandramohan Muniraman, Meledath Damodaran, Amanda Ryan University of Houston-Victoria Abstract As in any information management system security

More information

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75 Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.

More information

UNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved

UNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved 18570909 CPA SECURITY CHARACTERISTIC REMOTE DESKTOP Version 1.0 Crown Copyright 2011 All Rights Reserved CPA Security Characteristics for CPA Security Characteristic Remote Desktop 1.0 Document History

More information

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201 Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...

More information

Evolution from FTP to Secure File Transfer

Evolution from FTP to Secure File Transfer IPSWITCH FILE TRANSFER WHITE PAPER Evolution from FTP to Secure File Transfer www.ipswitchft.com Do you know where your organization s confidential and sensitive files were transferred today? Are you sure

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information