Has anyone come across anything similar to what our auditors are up against, and if so, is there a protocol to adhere to, a sort of auditee's code of conduct?
Our audit section has an agreement with a third-party partner who hosts some of our servers that we can audit them as and when, as it's essentially "our data". The agreement states we must give them 2 weeks' prior notice with some form of scope on what areas will be reviewed before we can come in to audit whatever system. In this case there is an audit of a new payroll application; they also want to look at the security of the DB server (SQL Server on Windows 2008 Server, a virtual box).
One of the checks they wanted to run would identify all software installed on the server. They said that, as they don't currently have a test server, they have serious concerns about running tools on the live server, so as it is a virtual machine they will clone it and then run the tool on the test instance. However, in cloning the system, they have gone through an exercise to remove unsupported or unnecessary software, close certain ports, and patch third-party software that was unpatched. Which is all well and good, but these are issues the auditor would have flagged up.
Another of the checks they wanted to run was to test for weak passwords associated with local admin accounts on the server. The IT section responsible for this server states that this server has known weak passwords associated with local admin accounts, as this is how the application developers configured the server. They know it's an issue and will take it up with the app owners to determine the impact of strengthening the passwords. However, they state that as it's a known issue there is no need for the auditors to flag it in their report?
Would appreciate your input on both debates 1 and 2 and your take on them. This is very frustrating for the auditors. Is it OK for the company being audited to use the cloning of a live system to change all the settings so the auditors don't find anything?