
UNIX (Technical Reference Manual) - Control-External Audit Integration
The information in this database has been screened by subject matter specialists. However, it is the
responsibility of users to exercise their professional judgment and perform their own reviews of the
appropriateness of the information in the documents before using them.

These documents are for E&Y internal use only; they are the property of E&Y and are not to be removed
from the firm. Any information that would identify a client is not to be shared outside the firm.

Object Content
Object Title: - UNIX (Technical Reference Manual) - Control-External Audit Integration

Object Summary

What issues does this object address?

Abstract:
This document is one of a series of Technical Reference Manuals (TRMs) designed to assist Ernst
& Young IT audit professionals in the evaluation of system controls over particular technologies
during an engagement by:
 Providing an overview of a technology to help practitioners familiarize themselves with how the
technology works in a computing environment; and
 Providing best practice statements on key controls to enable the practitioner to properly evaluate
each unique client environment.

The content of this series is similar to the technical reference series published by Ernst & Young in
the mid-1990s. This series has a different format; the content is matched with the established
configuration standards to make it easier to find applicable best practice statements.

Note that the IT controls detailed in each TRM may be applicable to other versions of the
technology. However, the applicability of certain IT controls to previous versions of the technology
will be dependent on specific changes, and should be discussed with appropriate IT professionals
with specific skills in the technology.

IT Audit Control Framework

For any one technology there are up to 150 applicable security configuration standards. However,
not all the configuration settings need to be reviewed for the purposes of the financial statement
audit or other internal control reviews. To properly determine which configuration settings would
be appropriate to review in most situations, five audit areas of focus were developed, called the IT
Audit Control Framework. These five areas consist of the key concerns applicable to the audit while
performing an assessment of IT controls, and are based on a combination of industry control
standards.

For this technology the configuration standards were evaluated and the applicable settings were
categorized into one of the five areas of the Control Framework. The best practice statements
contain configuration standards, and are grouped under the applicable control area. This allows
engagement teams to evaluate and utilize the controls relevant to the audit needs and client
situation.

The following list contains the description and objective of each IT Audit Control Framework area:

A. User Accounts and Groups Configuration and Maintenance. This refers to a client’s
processes employed to restrict access to sensitive system functions. The process activities include
defining user accounts and groups, determining the level of system privileges to be associated with
those accounts and groups, and ensuring that accounts and groups are removed when no longer
needed. Additionally, configuration and maintenance includes any measures taken to ensure that
persons or systems do not access accounts or groups that they are not authorized to access.

B. User Access and Permissions to Directories and Files. The objective of this area is to
determine whether access to relevant application and associated data files and directories is
restricted to only those persons (or systems) who require the access in the course of their jobs. A
process should be in place to identify the relevant application and associated data files and
directories, determine the owner of them, and then compare the results with a list of who within the
organization actually should have the ability to read, write, and update those files and directories.
Additionally, the application and data files should be adequately protected by encryption or some
other means.

C. User Access and Permissions to Operating System (or Database) Utility Programs and
Network Resources. Access to configure and use administrative tools and network resources
should be adequately restricted. Those administrative tools and network resources include the
ability to access and update program defaults, the ability to control network services, and the ability
to create, view, and clear activity logs generated by the network. Measures to authenticate requests
for access to the network resources should be controlled for both direct and remote access
connections for all users, including client employees, contractors, suppliers, customers, or others.

D. Operations Monitoring. Operations Monitoring includes the processes and standards used by
the client to monitor critical system events, and to take appropriate actions whenever unusual or
suspicious activities are noted.

E. Configuration Management. The purpose of Configuration Management is to prevent the
degradation of controls and operations in an adequately controlled environment. This covers both
when changes are introduced to that environment, as well as the ability to recover critical business
systems in the event of a system fault. These changes could be in the form of system upgrades,
system replacements, system consolidations, changes to account or security structure, or changes in
account or security policies, among others. Configuration Management also encompasses a client’s
process for installation of vendor-provided security or other patches to its systems.

As mentioned previously, the IT controls detailed in this document are not an exhaustive list of all
IT controls for the technology; it is a list of controls to be generally considered applicable to a
financial audit or other assignments of a similar scope. A comprehensive analysis of the technology
may require additional information or additional resources depending on the engagement. This
reference should be used as a guide for the evaluation of the IT control environment.

Content and Format

Each Technology Reference Manual has the following content:
 Introduction. This section introduces the document and the IT Audit Control Framework and is
consistent through the series.
 Technology Overview. This section gives an introduction of the technology that includes key
concepts of the technology and how they impact the audit.
 Best Practices. This section lists a summary of the controls relevant to the audit, grouped by the
IT Audit Control Framework sections. This section also lists the detailed best practices for each
configuration standard, and includes the following fields:
− Control Name – the name of the configuration standard;
− Control Description – the description of the control;
− Control Risk Statement – the business risk of not implementing the IT control; and
− Statement of Best Practice – the statement of how the IT control should be addressed in order to
meet recommended best practice.

Technical review procedures are not contained in this reference series. A work plan detailing
step-by-step IT audit review procedures for each technology has been prepared to supplement this
document. These work plans have been written to assist practitioners in performing the review
procedures to verify if an IT control is in place.
