How to Audit Authentication & Password Controls (Part 2)
Last week, we explored the fundamentals of authentication controls—how applications authenticate users and how that defines your testing approach.
This week, we go one step deeper: How should you prepare for a walkthrough meeting for authentication and password management controls?
These meetings are where you move from theoretical understanding to real-world evidence.
Let’s break it down.
Three Types of Walkthroughs You Might Encounter
Over the years, I’ve experienced three types of walkthrough scenarios:
1. Evidence Provided Before the Meeting
In this case, the control owner has already shared authentication-related evidence through your request list.
Your job?
Review it in advance and prepare a list of targeted questions to clarify the process and validate the evidence live.
2. Live Walkthrough of the Authentication Process
This is my personal favorite.
You walk into the meeting, and the control owner takes you through the entire authentication process—step by step—right from the production environment.
You get to see how settings are configured, how users log in, and how the system handles identity validation.
This type of walkthrough is a goldmine for evidence and clarity.
3. No Evidence, No Context - Start From Scratch
You walk into the meeting with no documents, no access, and no idea how authentication works for the application.
If that’s the case, don’t panic.
Ask clear, structured questions. Treat it like reading a new book.
Your job is to understand the story from page one.
Start With the Password Policy
Before you walk into any meeting, your first step should always be to:
Walkthrough Approach for Each Application Type
1. Applications Authenticated via Active Directory
Step 1: Understand how Active Directory (AD) handles login
Step 2: Test the AD password settings: complexity, minimum length, maximum age (expiration), password history, account lockout threshold and duration, etc.
Step 3: Compare the settings to both the company’s password policy and Microsoft’s AD configuration best practices, and record every setting that is weaker than either as an exception
Step 4: Request a list of all applications using AD authentication
Step 5: Sample one user who is:
Step 6: Ask who can modify AD password settings
Step 7: Check if these changes go through a formal change request and approval process
Important! Confirm that evidence is from the production environment
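The following script is an added example, not part of the original article, of how Steps 2, 3 and 5 above can be evidenced from the production domain rather than from a screenshot. It assumes the RSAT ActiveDirectory module is installed, that the session runs on a domain-joined host with read access to the production domain, and that the thresholds in $CompanyPolicy and the sampled account name are constructed placeholders to be replaced with the organisation’s own policy and the user actually sampled. It also goes one step beyond the text by checking fine-grained password policies (PSOs), because a PSO can silently override the default domain policy for a subset of users.

```powershell
# Added example (not from the original article): compare production AD password
# settings with the organisation's written policy, include fine-grained policies
# that override the default, and show which policy governs a sampled user.
# Assumptions: RSAT ActiveDirectory module present, read access to the production
# domain; $CompanyPolicy values and $sampledUser are constructed placeholders.
Import-Module ActiveDirectory

# Constructed thresholds; replace with the values in your own security policy.
$CompanyPolicy = @{
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    MaxPasswordAgeDays          = 90
    PasswordHistoryCount        = 24
    LockoutThreshold            = 5      # AD value 0 means accounts never lock out
    LockoutDurationMinutes      = 15
    ReversibleEncryptionEnabled = $false
}

function Test-PasswordPolicy {
    param(
        # Output of Get-ADDefaultDomainPasswordPolicy, Get-ADFineGrainedPasswordPolicy
        # or Get-ADUserResultantPasswordPolicy.
        [Parameter(Mandatory)] $Policy,
        [string] $Name = 'Default Domain Policy'
    )
    # MaxPasswordAge of 0 means "never expires", so it must be > 0 AND within policy.
    $maxAgeDays = $Policy.MaxPasswordAge.TotalDays
    $rows = @(
        @{ Setting = 'MinPasswordLength'; Observed = $Policy.MinPasswordLength
           Expected = ">= $($CompanyPolicy.MinPasswordLength)"
           Pass = $Policy.MinPasswordLength -ge $CompanyPolicy.MinPasswordLength }
        @{ Setting = 'ComplexityEnabled'; Observed = $Policy.ComplexityEnabled
           Expected = $CompanyPolicy.ComplexityEnabled
           Pass = $Policy.ComplexityEnabled -eq $CompanyPolicy.ComplexityEnabled }
        @{ Setting = 'MaxPasswordAge (days)'; Observed = $maxAgeDays
           Expected = "1..$($CompanyPolicy.MaxPasswordAgeDays)"
           Pass = ($maxAgeDays -gt 0) -and ($maxAgeDays -le $CompanyPolicy.MaxPasswordAgeDays) }
        @{ Setting = 'PasswordHistoryCount'; Observed = $Policy.PasswordHistoryCount
           Expected = ">= $($CompanyPolicy.PasswordHistoryCount)"
           Pass = $Policy.PasswordHistoryCount -ge $CompanyPolicy.PasswordHistoryCount }
        @{ Setting = 'LockoutThreshold'; Observed = $Policy.LockoutThreshold
           Expected = "1..$($CompanyPolicy.LockoutThreshold)"
           Pass = ($Policy.LockoutThreshold -gt 0) -and ($Policy.LockoutThreshold -le $CompanyPolicy.LockoutThreshold) }
        @{ Setting = 'LockoutDuration (min)'; Observed = $Policy.LockoutDuration.TotalMinutes
           Expected = ">= $($CompanyPolicy.LockoutDurationMinutes)"
           Pass = $Policy.LockoutDuration.TotalMinutes -ge $CompanyPolicy.LockoutDurationMinutes }
        @{ Setting = 'ReversibleEncryptionEnabled'; Observed = $Policy.ReversibleEncryptionEnabled
           Expected = $CompanyPolicy.ReversibleEncryptionEnabled
           Pass = $Policy.ReversibleEncryptionEnabled -eq $CompanyPolicy.ReversibleEncryptionEnabled }
    )
    foreach ($r in $rows) {
        $result = if ($r.Pass) { 'PASS' } else { 'EXCEPTION' }
        [pscustomobject]@{ Policy = $Name; Setting = $r.Setting; Observed = $r.Observed
                           Expected = $r.Expected; Result = $result }
    }
}

# Step 2/3: the default domain policy, read live from the production domain.
$findings = @(Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy))

# PSOs override the default for the principals they apply to; an audit that stops at
# the default policy can miss a weaker PSO scoped to, for example, service accounts.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $label = "PSO: $($pso.Name) (precedence $($pso.Precedence); applies to $($pso.AppliesTo -join ', '))"
    $findings += Test-PasswordPolicy -Policy $pso -Name $label
}
$findings | Format-Table -AutoSize

# Step 5: for the sampled user, confirm which policy actually governs the account.
$sampledUser = 'jdoe'   # constructed placeholder; use the sAMAccountName you sampled
$resultant = Get-ADUserResultantPasswordPolicy -Identity $sampledUser
if ($null -eq $resultant) {
    "No PSO applies to $sampledUser; the default domain policy governs this account."
} else {
    "PSO '$($resultant.Name)' governs $sampledUser:"
    Test-PasswordPolicy -Policy $resultant -Name $resultant.Name | Format-Table -AutoSize
}

# Step 6 starting point: by default the Default Domain Policy GPO is edited by
# Domain Admins; list them so the walkthrough can confirm who can change the settings.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object SamAccountName, objectClass | Format-Table -AutoSize
```

Run it during the live walkthrough with the control owner present, and save the output together with the date, domain name and the account used, so the workpaper shows the evidence came from production. Any EXCEPTION row is a point to raise against Step 3; a non-empty PSO list is a reason to ask which users it covers and why.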
2. Applications Not Tied to Corporate Network
Step 1: Confirm that the application allows users to log in directly over the internet, outside the corporate network, so AD settings do not apply
Step 2: Inspect password settings configured within each application:
Step 3: Ensure these align with the organization’s security policy
Step 4: Sample a user who successfully logs in
Step 5: Ask:
3. Applications Managed by a Third-Party Vendor
While not the focus this week, remember: In these cases, you rely on SOC reports to validate password controls.
Key Takeaways for the Walkthrough Meeting
Next Week: How to Document This Control Effectively
In the next edition, we’ll walk through how to write a clear, effective workpaper for authentication and password controls so your testing reflects the real risk and the real design.
Until then, keep learning. Let your curiosity guide your questions and let your questions lead to evidence.
Until then, signing off
Chinmay Kulkarni
Aspiring Cybersecurity & Data Analytics Professional
3mo · Thanks for sharing this! Very informative 🙌🏼
IT Audit and Risk Management | ITGC & SOX Audit Expert | Deloitte Alum | Social Media Strategist I Risk, Compliance & Content Strategy | Digital Thinker with Dual Expertise
3mo · You explained it in a more practical way. Most valued insight.
Cybersecurity Leader | Cloud & Risk Expert | Award-Winning Career Coach & Speaker | EdTech Founder | Advisory Board Member | Canada’s Top 100 Black Women to Watch
3mo · Auditors who prepare with clarity are better equipped to uncover the details that can make a difference. Your methodical breakdown of the process is key to ensuring that auditors don’t just show up but show up ready to make an impact. Keep sharing this valuable insight!
IT Auditor-Consultant at CP CAN. Consulting
3mo · Great insights, thanks for sharing, Chinmay.
CIA/MBA Executive HEAD OF OPERATION/HR AND OTHERS/CONTENTS WRITERS/ARTICLES ON DIFFERENT TOPIC TOP LINKEDIN VOICE EARNED BADGES
3mo · Auditing authentication and password controls is critical for assessing an organization’s security posture, ensuring compliance with standards (like ISO 27001, NIST, or CIS), and protecting sensitive information. Identify systems, applications, and networks that require authentication. Include user types: employees, contractors, customers, service accounts, etc. Evaluate the organization’s authentication policy, password policy, and access control standards. Identify gaps and prioritize based on risk (e.g., weak password storage = critical). Provide actionable remediation steps with timelines. Include a maturity score or benchmark against a framework (like NIST or CIS). Run vulnerability scans to identify weak or default credentials. Use password auditing tools (like CrackMapExec, Hydra, or L0phtCrack in legal environments) under strict controls. Consider user training on password hygiene and phishing awareness.