Introducing SAKITA: A Logical Access

Audit Tool
PwC is exploring the use of advanced technology to improve the quality and
efficiency of audits. SAKITA demonstrates our commitment to investing in
automation technologies to keep the audit fit for purpose and relevant for the
future.

What is SAKITA?
SAKITA provides PwC teams with automated scripts to be used to extract detailed logical
access information required for the financial audit.
The tool offers a simple way of extracting and formatting logical access listings required for our
IT engagements through a highly automated approach.

SAKITA will enhance your experience

SAKITA harnesses automation to provide a process of extracting data that is consistent,
repeatable and quick (taking approximately five minutes to run the script and return the output).
The tool creates efficiencies from collating privileged normal access user lists for databases,
networks and certain applications to support our audit and remove the lengthy time investment
associated with existing manual data extraction.

SAKITA enhances audit quality and consistency amongst PwC teams.

© 2021 PricewaterhouseCoopers LLP. All rights reserved.

What is expected of you?
You will be requested to run the SAKITA script(s) and authorise its use.You will be provided with
a file containing statements to illustrate the logical access setup of your Oracle database for
which SAKITA will extract an automated report from an Oracle database containing logical
access rights. This can be used for a number of tests in relation to logical access.

How safe is data when using SAKITA?

The statements in the SAKITA scripts do not modify your environment or the data stored in any
way. Use of the tool will also have no impact on performance. All scripts are built of statements
that will not modify the Oracle database.The statements will read their logical access setup and
save the output in a number of .csv files, subsequently joined together within a single .zip file.

SAKITA has undergone rigorous testing and evaluation of its technology to assess any risks
associated with the tool before it was cleared for use. No data is held within the tool at any
point.

Personal or Personal Sensitive Data - the data requested is a standard logical access user list
from client applications. This does include the first and last name of the user whom the user id is
assigned to. However, it does not contain any other personal data that could be attributed to the
user that is not required for the purpose of the audit.

Any personal data used as part of the audit is agreed via the standard audit engagement
letter terms as only to be used for the purposes of the engagement. This tool supports
the work the engagement team performs on the audit data as part of the audit service.

Oracle Analysis - What information is retrieved?

File generated Explanation and purpose of generated file

DbRolesSI.txt File which contains a list of all database roles and their
members within the Oracle database.

This information can be used to determine the roles for

every user, including the related rights.

DBUsersSI.txt File which contains a list of all users and their properties
like account status and creation date.

This information is used to determine whether users

have appropriate access.

© 2021 PricewaterhouseCoopers LLP. All rights reserved.

File generated Explanation and purpose of generated file

DefaultPwdSI.txt File which contains all users with a default password.

This information is used to identify all those users with a

default password, since that poses a security risk.

Encoding.txt File which contains our own byte order mark to

determine the encoding used by the database.

This information is used to make sure we can present

the output appropriately.

hashtotals.txt File which contains a list of hashes for every file

generated.

This information is used to determine the data integrity of

the files.

passwordVerifyFunctions.txt File which contains the function that is executed when

changing a password on the oracle server.

This information is used to determine what additional

password constraints may be in place.

ProfileResourcesSI.txt File which contains a list of profile resources.

This information is used to determine what profiles are

present on the Oracle database, including the settings
that are applicable for each profile (e.g. password
settings).

SystemInfoSI.txt File which contains information about the system like

name, version and remote authentication settings.

This information is used to make sure that the correct

logic is applied and important settings are identified,
depending on the Oracle database version.

SystemOptionsSI.txt File which contains system settings like audit settings.

This information is used to determine if the oracle server

is properly configured.

© 2021 PricewaterhouseCoopers LLP. All rights reserved.

 File generated Explanation and purpose of generated file

SystemPrivSI.txt This file contains a list of system privileges that have

been granted to users.

This information is used to determine what system

privileges are assigned to users.

TablePrivSI.txt This file contains a list of table privileges that have been
granted to users.

This information is used to determine what table

privileges users have on specific tables.

UserLastLogonSI.txt This file contains the last login date for each user.

This information is used to determine the active and

inactive users.

UsersTableOwnersSI.txt This file contains the table owner for each table in the
database.

This information is used to determine whether any

personal accounts are table owner within the database.

Has SAKITA been tested/piloted?

SAKITA is a multi-territory tool in use across a number of PwC network firms. It has been
substantially tested and approved for use on IT engagements in line with standard risk
consideration procedures.

© 2021 PricewaterhouseCoopers LLP. All rights reserved.