This is the second in a series of posts about how to survive an audit. These posts will include some basic guidelines I have learned over the years as well as how to get the information I have been asked to provide.
Having worked for both a casino and a publicly traded company, audits have been a big part of my job for quite a few years. These audits come in many different shapes and sizes, however there are some things that they all have in common, the auditors want evidence!!! And lots of it!
Surviving an audit and passing an audit are two distinctly different things. While this blog post is more about surviving, many of these same tools can also be used to help you pass an audit. To me surviving an audit is more about keeping your sanity and being as relaxed as possible.
Please keep this in mind as your read this post. This is solely based on my experience of working with auditors. You may have different experiences that might be a bit outside what I am going to talk about here.
Before getting into these useful tools, I want to cover a few basics that I have followed for a number of years.
Get auditors out ASAP
The longer the auditors are in your environment the more opportunity there is for them to find something. While we all work very hard to do things the right way, we are human and we do make mistakes. We just don’t want the auditors to find our mistakes. You might be wondering, how can to accomplish this? The best way to do this is to have the evidence readily available.
Don’t volunteer information
Only provide the evidence they are asking for, nothing more. You want to avoid giving them things that they do not ask for. By doing so, you might expose something that you don’t want them to see. The last thing you want to do, is give them a reason for documenting a finding. Another thing to remember is the audits have a defined scope.
Be honest
Don’t attempt to hide something from the auditors. They will find what ever the issue is eventually. Most importantly, we don’t want them thinking we are hiding something from them. If the auditor doesn’t trust your work it is NEVER a good thing.
Auditors don’t want to hear what you are going to do, they want to see what you have done
If you find something that you feel might be an issue during an audit, start the steps to rectify the situation. Sometimes if you can show the auditors that you have already taken steps to address the issue, they may be more understanding and things might work out a bit better for you and your company.
Do the right thing every day.
Sadly, doing this might make your job a bit more difficult on a daily basis, but it will make audits much easier to get through. When the auditors walk in the door, it is too late. Any thing that might need to be fixed will more than likely not be able to be addressed before they find the issue. However, if we do the right thing daily, there won’t be much for them to find.
Address Issues in a timely manner
Things fail, that is a reality that we must except. Many times the audits I have been part of, the auditors not only look for documentation that the issue was addressed, but also the it is addressed in a timely manner. It is important to document what you do, including timestamps.
Remember they are just doing their jobs
Just like you, auditors are held accountable by their management. While audits can be challenging, it is important to remember that the auditors are just simply doing their jobs.
Over the years auditors have asked for lots of information. Sometimes this information is very easy to get, sometimes it might be a bit more challenging. What I have found that works for me is to have a process already defined and the code ready to go.
So what types of things have auditors asked for? Below are a few of the common items I have been asked to present to the auditors over the years.. Of course there are a few more items, but these are the main ones that seem to be part of most of the audits I have participated in. I will go over each of these a bit more in depth in this post and in future posts.
-
-
- Key SQL Server job failures
- Backup history
- Orphaned Logins
- Orphaned database users
- Who has sysadmin rights
- Who has db_owner, DDLAdmin and DML rights on key databases
- Separation of duties
-
There are a number of tools that you can utilize to capture the required information. However the focus of this series of blog posts is to utilize native SQL Server functionality. Below are some of the tools that are available in the SQL Server environment.
-
-
- SQL Server Management Studio
- Azure Data Studio
- Azure Data Studio Notebooks
- Transact SQL
- Data Management Views
- SQL Server Audit
-
Backup History
On a number of occasions, auditors have asked for evidence that the financially sensitive databases were being backed up daily. Since an Agent job is usually what is used to back up the database, logic would say we could use the history of that job to demonstrate that the databases are being backed up. In some cases, that would be very accurate. However, let’s say there are 100 databases on the server and only one is under audit, it might be a bit challenging to use job history to capture the requested evidence for the auditor. It would all depend on the design of the job.
This is where T-SQL comes in handy. There are two tables in the MSDB database that we can utilize, backupset and backupmediafamily.
The backupset table has a single record for each successful backup. The key is successful backup. This table contains some great information, such as the following:
-
-
-
- Is it a COPY ONLY backup
- Backup Start time
- Backup End time
- Type of Backup
- Is backup password protected
- Backup size
- As well as many more
-
-
For our purposes, while much of the above is great information, our goal is to find the backup history. Having said that, many of the columns will not need to be added to our result set. However, you are more than welcome to add them if you like.
The second table we need is the backupmediafamily table. While this table is not technically needed, it does have a data point that could be useful. This is where we can find the destination of the backup.
SELECT s.database_name
, m.physical_device_name ‘DestinationLocation’
, s.backup_start_date
, CASE s.[type]
WHEN ‘D’ THEN ‘Full’
WHEN ‘I’ THEN ‘Differential’
WHEN ‘L’ THEN ‘Transaction Log’
END ‘BackupType’
FROM msdb.dbo.backupset s
INNER JOIN msdb.dbo.backupmediafamily m
ON s.media_set_id = m.media_set_id
WHERE s.backup_start_date >= ‘04/01/2020′
AND s.backup_start_date <= ’06/30/2020′
AND s.type IN (‘D’, ‘I’)
ORDER BY s.database_name, s.backup_start_date
Keeping in line with the suggestion to not volunteer information to the auditors, there are a number of columns that are not included that could be useful in other situations. These situations might include reviewing the duration of backups, looking for missing backups and the destination of backups.
Sometimes the above data night not be enough for the auditors. They may want to see the history of your backup jobs, success and failures. I have been able to show this in one of two ways. The first method is to use the code below. This will return all the backup job executions. You will have to enter the name of your backup job and change the two dates. This block of code removes the criteria for failed jobs.
SELECT dbo.agent_datetime(h.run_date,h.run_time) AS ‘Date Of Failure’
, j.name AS ‘Job Name’
, h.message AS ‘Error’
FROM msdb.dbo.sysjobs j
INNER JOIN msdb.dbo.sysjobhistory h
ON h.job_id = j.job_id
WHERE h.step_id = 0
AND dbo.agent_datetime(h.run_date,h.run_time) >= ’04/01/2020′
AND dbo.agent_datetime(h.run_date,h.run_time) <= ’06/30/2020′
WHERE j.name = ‘<<Insert name of Backup job’
ORDER BY dbo.agent_datetime(h.run_date,h.run_time) DESC
And even that might not be enough, so I have to go to the third method of showing backup history. In this case, using SQL Server Management Studio, right click on the job and go to view history.
What you might end up giving the auditors will looks something like the above image. Notice that the time of the screenshot is included but the date is not. This might not be enough, auditors usually have asked me to include the date as well. Something to be careful of is an accidental capture of information. Notice that there is some code to the right of the job history. While this particular screenshot might not reveal anything that would catch the eye of the auditors, the potential exists to do just that. So be careful and review the screenshot before giving it to them.
Thanks for visiting my blog!!!