Protecting And Auditing Active Directory With Quest Solutions


Protecting and Auditing Active Directory with Quest Solutions

Written by
Randy Franklin Smith
CEO, Monterey Technology Group, Inc.
Publisher of UltimateWindowsSecurity.com

TECHNICAL BRIEF

2010 Quest Software, Inc. ALL RIGHTS RESERVED.

Technical Brief: Protecting and Auditing Active Directory with Quest Solutions

Contents

Executive Summary
Key Audit and Protection Requirements for Active Directory
Why Protect and Audit Active Directory
Key Components for Protection and Auditing of Active Directory
Change Tracking
Real-Time Monitoring
Reporting
Security Event Management and Correlation
Secure Audit Trail
Providing Comprehensive Audit and Protection for Active Directory
Introduction
ChangeAuditor for Active Directory
Intelligent AD Auditing
Quest InTrust
Integration of InTrust and ChangeAuditor
Summary
About the Author

Executive Summary

Active Directory (AD) is the core of enterprise IT; for this reason, comprehensive protection and auditing of AD changes is critical. Together Quest ChangeAuditor for Active Directory and InTrust provide the monitoring, reporting and audit trail capabilities required to fulfill operational, planning, security and compliance requirements for AD. ChangeAuditor tracks, monitors and reports on core changes; InTrust provides a long-term, secure audit trail and correlates AD data with other enterprise IT activity.

Key Audit and Protection Requirements for Active Directory

Why Protect and Audit Active Directory

On many levels, Active Directory (AD) is the core of enterprise IT: AD is where you find user accounts, groups for access control, encryption policies, certificates and CRLs, network IPSec policies—the list goes on and on. Moreover, nearly every system component integrates with AD, from databases to applications, UNIX systems and wireless access points to VPNs, as well as business partners and cloud services through federation services.

Because AD is critical to your business operations, comprehensive protection and auditing of changes is a must. One unauthorized or accidental change to AD can have devastating cost, security, downtime and compliance consequences. For instance, group policy objects (GPOs) provide centralized and automated configuration control of all computers on your network; a poorly edited GPO can spread a configuration change to thousands of computers in minutes, possibly compromising the security or availability of your network.

In addition, AD must be managed by all-powerful domain administrators. Malicious actions by rogue administrators can be deterred by a high-integrity audit trail that detects changes and enforces accountability.

Key Components for Protection and Auditing of Active Directory

Many monitoring, reporting and audit trail capabilities are required to fulfill AD’s operational, planning, security and compliance requirements. But as shown in Figure 1, the foundation is change tracking. It should supply real-time changes and detailed event data to be consumed by downstream monitoring, reporting and audit trail components.

Figure 1. The comprehensive protection and auditing components of Active Directory
[Diagram: Change Tracking, together with the following components.
Real-time Monitoring: alerting; object protection; integration with systems management solutions.
Security Event Management (SEM) and Correlation.
Reporting: planning and analysis; compliance documentation; forensic analysis and security incident response; operational accountability; directory integration/synchronization monitoring.
Secure Audit Trail: long-term and high integrity; admissible as evidence; accountability over AD administrators.]

Change Tracking

All objects in Active Directory (e.g., users, groups, computer accounts, OUs and group policy objects) are structured according to AD’s schema of object classes and properties. Therefore, in general, AD change tracking can be implemented using a uniform process that works no matter what type of object is changed. The key elements of any AD change event should include the:

- Time of the change
- Object modified
- User that modified the object
- Operation performed
- If applicable, properties modified and their values before and after the change
- Domain controller where the change was made
- IP address of the workstation or client machine from which the change originated

AD includes built-in auditing that might, at first glance, seem to be a viable option for tracking changes. However, the native AD audit log has architectural limitations that prevent it from satisfying audit and protection requirements. This is detailed in the Architectural Limitations of the Native Active Directory Audit Log inset below. Moreover, the native audit log fails to audit the following critical types of information:

- Nested group changes – Although the basic, schema-based change tracking engine of AD native auditing tracks first-level group membership changes, nested membership changes go unnoticed. For instance, if John is a member of the group Directory Services Engineers, which is a member of Enterprise Admins (an all-powerful forest-level group), native AD auditing will not generate any event alerting you that John now has Enterprise Admins authority.
- Group policy settings – Unlike other AD objects, GPOs have only a pointer (or "stub") object stored in AD; the actual configuration settings comprising a GPO reside in the file system of each domain controller. Simple schema-based tracking like the native AD audit log only monitors changes to the "stub" of the GPO, such as name changes or deletions. At best, the native audit log can tell you that a GPO was modified, but not which of the thousand settings was defined or the setting’s values before and after the change.
- Permission changes – In Windows Server 2003, the native audit log can report only that the Discretionary Access Control List (DACL) of an AD object was modified—not which permissions were added or removed for which users or groups. In Windows Server 2008, the native audit log reports the before and after values of the entire DACL—but it uses cryptic security descriptor definition language (S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)).
- Cryptic AD schema – The native AD audit log reports the actual class and property names as defined in AD’s schema. These names are sometimes highly cryptic, which can make it impossible to understand what was actually changed without significant research in the AD schema. For instance, a change to a user’s last name is reported as a modification of the "sn" property.

Comprehensive auditing and protection of Active Directory requires an intelligent change tracking engine that monitors all modifications to Active Directory, looks for subtle impacts such as nested group membership changes, and translates cryptic data into information that IT, security, and compliance staff can understand and act upon. ChangeAuditor for Active Directory’s sophisticated change tracking engine meets these requirements, as explained in greater detail later in this tech brief.
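The nested-group gap described above can be closed by expanding each first-level membership event against the whole group graph. The following Python is an added example, not code from the brief or from any Quest product; it uses the brief's John / Directory Services Engineers / Enterprise Admins scenario, and the event values, the account name and the PRIVILEGED set are constructed assumptions.

```python
# Added example: expand a first-level "member added" event into the
# privileged memberships it grants through nesting.

# Assumption: which groups count as privileged is a local policy decision.
PRIVILEGED = {"Enterprise Admins", "Domain Admins", "Schema Admins"}

# Constructed event carrying the key change-event elements listed above.
SAMPLE_EVENT = {
    "time": "2010-03-02T14:07:31Z",
    "operation": "member added",
    "object": "Directory Services Engineers",  # group that was modified
    "member": "John",                          # value added to its member list
    "user": "CORP\\helpdesk7",                 # who made the change
    "dc": "DC01",
    "client_ip": "192.0.2.15",
}


class GroupGraph:
    """Direct memberships only, as stored on each group object."""

    def __init__(self):
        self.parents = {}   # principal -> groups it is a direct member of
        self.children = {}  # group -> its direct members

    def add(self, member, group):
        self.parents.setdefault(member, set()).add(group)
        self.children.setdefault(group, set()).add(member)

    @staticmethod
    def _walk(start, edges):
        # The visited set makes circular nesting (A in B, B in A) terminate.
        seen, stack = set(), [start]
        while stack:
            for nxt in edges.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def effective_groups(self, principal):
        return self._walk(principal, self.parents)

    def transitive_members(self, group):
        return self._walk(group, self.children)


def expand_member_added(graph, event):
    """Apply one 'member added' event and return a finding for every
    principal that newly gains a privileged group, directly or by nesting."""
    member, group = event["member"], event["object"]
    # If the new member is itself a group, everything nested in it is affected.
    affected = {member} | graph.transitive_members(member)
    before = {p: graph.effective_groups(p) for p in affected}
    graph.add(member, group)
    findings = []
    for p in sorted(affected):
        gained = (graph.effective_groups(p) - before[p]) & PRIVILEGED
        for g in sorted(gained):
            findings.append({
                "principal": p, "gains": g, "via": group,
                "direct": p == member and g == group,
                "changed_by": event["user"], "time": event["time"],
                "dc": event["dc"], "client_ip": event["client_ip"],
            })
    return findings


def demo():
    graph = GroupGraph()
    # Existing nesting: Directory Services Engineers is in Enterprise Admins.
    graph.add("Directory Services Engineers", "Enterprise Admins")
    return expand_member_added(graph, SAMPLE_EVENT)


if __name__ == "__main__":
    for f in demo():
        print("%(time)s %(principal)s gains %(gains)s via %(via)s "
              "(changed by %(changed_by)s from %(client_ip)s on %(dc)s)" % f)
```
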

Architectural Limitations of the Native Active Directory Audit Log

Because Active Directory monitoring and auditing is so important, Windows Server provides some native functionality for auditing changes and other high-priority AD events. Despite the valuable functionality provided by the Windows security log, significant gaps and limitations remain. The following limitations compromise an organization’s ability to fulfill security and regulatory requirements for monitoring and auditing Active Directory:

- Audit data scattered among domain controllers - While directory information is replicated between domain controllers, security logs are not. Each domain controller has its own security log, which contains only the events associated with operations performed against that particular domain controller. Therefore, an organization’s overall audit trail is fragmented across many domain controllers within the AD environment.
- No reporting or alerting - Windows Server provides no real reporting or analysis capabilities for the Windows security log. The one native tool for viewing security log activity is the Event Viewer Microsoft Management Console, which provides only basic filtering capabilities. The task triggering capability introduced in Windows Server 2008 could provide some rudimentary alerting but would require significant scripting and management effort.
- No protection from administrators – Since the audit data remains on the domain controllers, it cannot be used as a reliable audit trail of administrator actions because administrators can erase or modify any file on the system.
- High volume of audit data - Because of the low-level, generalized nature of the Directory Service Access category, the Windows security log can produce huge amounts of data when used to audit AD changes. With each domain controller producing potentially hundreds of megabytes of audit data every day, locating critical events is like looking for a needle in a haystack—and vast storage is required to archive the audit data.
- Performance risks - Given the huge amounts of audit data and the arcane nature of policy definition, it is easy to define AD audit policies that may overwhelm any amount of domain controller hardware.

For a full discussion of AD’s native audit log, its limitations and impact on compliance with key regulatory requirements please see the white paper "Overcoming Active Directory Audit Log Limitations" available at estdefid 26188.

Real-Time Monitoring

Protecting Active Directory requires real-time monitoring that identifies high impact, suspicious or prohibited changes and automatically takes appropriate actions, such as reversing the change or informing appropriate personnel.

- Alerting – Administrators need to be able to define changes that may not necessarily be prohibited but are suspicious or high-impact. These changes need to be reviewed immediately to determine an appropriate response. For instance, when a group policy object is modified, potentially thousands of computers or users could be impacted. At the same time, once stabilized, most GPOs are fairly static and seldom need modification. Therefore, administrators should be able to designate stable GPOs and receive immediate notification of any modifications. Upon such notification, administrators can confirm that the GPO change was approved and executed in compliance with the organization’s normal configuration change control process.

- Integration with system management solutions - While direct e-mail notification may be appropriate in some situations, enterprises need the ability to receive alerts generated by AD monitoring directly into systems management solutions such as System Center Operations Manager (SCOM) or Tivoli via SNMP traps or other interfaces.
- Object protection – Some changes should not be allowed at all. For instance, administrators may create an organizational unit (OU) that holds critical objects intended for emergencies. This OU may contain an emergency administrator account to be used if all other administrator accounts are deleted, locked out or unavailable, possibly due to a denial of service attack. Or a top level group policy object may ensure certain critical security policies are deployed to all computers. In both cases, an organization needs the ability to lock down such objects to prevent any modification that could jeopardize their purpose – even by administrators.

Reporting

Most AD changes are not severe enough to generate an alert or object protection response, but need to be reported. Organizations need to report Active Directory changes to fulfill a wide array of analytical and documentation needs, including:

- Planning and analysis – Because enterprises are constantly changing, they need to be able to analyze historical data to predict future capacity requirements. They also need to determine how frequently certain changes are made to assess the benefit of automating certain processes or the impact of modifying an operation. For instance, an organization considering adopting a self-service password reset solution needs to know how often accounts are locked out due to forgotten passwords and how many corresponding calls are made to the help desk for password resets.
- Compliance documentation – To satisfy regulators and auditors, organizations must not only demonstrate that a certain security process or control is in place, but also produce documentation that the process is being used in specific cases. For instance, organizations need to document how promptly accounts are disabled after employee terminations and when group membership is revoked due to job changes.
- Forensic analysis and security incident response – When a system intrusion or other security incident occurs, analysts may be hampered without an audit trail of all relevant AD changes. Analysts need to be able to search the audit trail left by the intruder or malicious insider using a variety of sorting and grouping techniques.
- Operational accountability – The dire consequences of erroneous changes to Active Directory have already been discussed in this document. When an operational mistake is made, management must be able to determine how the mistake was made, by whom and when. Without this information, the enterprise can’t prevent the problem from happening again, nor can it assign responsibility or take appropriate action against policy violations.
- Enterprise activity correlation – AD changes are only a portion of the overall IT activity that organizations must be able to monitor and analyze. Other typical sources of event data include logon and authentication auditing, network connection, and access to applications and resources. Analysts frequently need to correlate events from these different kinds of log data to see the complete picture of what is happening on the network. Therefore, ultimately AD change tracking data needs to be aggregated with the rest of an organization’s log data into a single repository for detailed analysis.
- Directory integration/synchronization monitoring – To improve security, operational efficiency, organizational responsiveness, and compliance, organizations are increasingly integrating or synchronizing directory information between systems to automate identity and access management. Debugging and managing the flow of identity information between Active Directory and other systems can be complicated, and engineers need visibility into changes made by synchronization processes.

Security Event Management and Correlation

Active Directory changes are only one channel of the wider stream of security activity. Information security analysts must correlate AD changes with related activity such as AD authentication events and Windows server security events. Ultimately AD audit events need to be aggregated with the rest of the organization’s security monitoring.

This is especially important in larger enterprises where AD administrators are separate from information security staff. AD change events must be merged into their overall view of enterprise-wide security activity.

Secure Audit Trail

Most organizations ultimately depend on audit logs as evidence for internal investigations and legal proceedings. For audit logs to be admissible as evidence, organizations must produce the original audit logs and demonstrate that they were not altered. Because audit data tends to be both voluminous and redundant, organizations may reduce storage requirements by normalizing audit data into different tables. However, such restructuring of the data can create the perception that the audit record has been modified, rendering it inadmissible. Furthermore, normalization can create indexing problems and performance issues at insertion and query time. Unfortunately, the dynamic accessibility and block-oriented format of databases means they do not function well as an unalterable repository for large amounts of redundant data.

Most reporting and analysis processes require that AD audit data reside in a relational database for efficient query capability. However, security and compliance requirements demand that audit logs be protected from modification and stored for long periods of time. So while a relational database may be required for temporary storage of audit data for reporting and analysis, audit logs must ultimately be preserved in a high-integrity repository that supports digital signatures and compression.

This repository must also be segregated from AD’s operational administrators, because a database within the forest is accessible to all forest administrators and can be modified or even erased. Therefore, to deter or detect unauthorized changes, the permanent copy of any audit data must reside in a repository outside of the jurisdiction of its administrators.
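The properties asked of the permanent repository (original records kept unaltered, compression, signatures, and a key that forest administrators do not hold) can be shown with a small hash-chained segment store. This Python is an added example, not InTrust's storage format or code from the brief; HMAC-SHA256 stands in for a digital signature, and the key handling, segment layout and log lines are constructed assumptions.

```python
import hashlib
import hmac
import json
import zlib

GENESIS = "0" * 64  # "previous digest" used by the first segment

# Constructed audit records, stored exactly as received (no normalization).
DEMO_BATCHES = [
    ["2010-03-02T14:07:31Z DC01 CORP\\helpdesk7 192.0.2.15 member added: "
     "John -> Directory Services Engineers"],
    ["2010-03-02T14:09:02Z DC02 CORP\\helpdesk7 192.0.2.15 GPO modified: "
     "Default Domain Policy"],
    ["2010-03-02T14:15:40Z DC01 CORP\\admin3 192.0.2.44 user modified: sn"],
]


def _tag(key, digest):
    # Assumption: the key lives with the security team, outside the forest.
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def seal(raw_events, key, prev_digest=GENESIS):
    """Compress one batch of original records and bind it to its predecessor."""
    payload = zlib.compress(json.dumps(raw_events).encode("utf-8"))
    digest = hashlib.sha256(prev_digest.encode() + payload).hexdigest()
    return {"prev": prev_digest, "digest": digest,
            "tag": _tag(key, digest), "payload": payload}


def unseal(segment):
    """Return the original records of a segment."""
    return json.loads(zlib.decompress(segment["payload"]).decode("utf-8"))


def verify_chain(segments, key, head=None):
    """Return a list of (position, problem); empty means the trail is intact.

    head is the digest of the newest segment as recorded somewhere the
    repository's operators cannot change; without it, removal of the
    newest segments cannot be noticed."""
    problems = []
    expected_prev = GENESIS
    for i, seg in enumerate(segments):
        recomputed = hashlib.sha256(
            seg["prev"].encode() + seg["payload"]).hexdigest()
        if recomputed != seg["digest"]:
            problems.append((i, "payload does not match digest"))
        if not hmac.compare_digest(_tag(key, seg["digest"]), seg["tag"]):
            problems.append((i, "signature invalid"))
        if seg["prev"] != expected_prev:
            problems.append((i, "chain broken: segment missing or reordered"))
        expected_prev = seg["digest"]
    if head is not None and expected_prev != head:
        problems.append((len(segments), "newest segments missing"))
    return problems


def build_demo(key):
    """Seal DEMO_BATCHES into a three-segment chain."""
    segments, prev = [], GENESIS
    for batch in DEMO_BATCHES:
        seg = seal(batch, key, prev)
        segments.append(seg)
        prev = seg["digest"]
    return segments


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    chain = build_demo(demo_key)
    print(verify_chain(chain, demo_key, head=chain[-1]["digest"]))
```

An administrator who can rewrite stored segments but does not hold the key can recompute digests, yet cannot produce a valid tag, so the edit surfaces as an invalid signature plus a broken link in the following segment.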

Providing Comprehensive Audit and Protection for Active Directory

Introduction

By combining ChangeAuditor for Active Directory (CAAD) with Quest InTrust, Quest Software provides comprehensive audit and protection for Active Directory:

- ChangeAuditor provides core change tracking, monitoring and reporting.
- InTrust provides a long-term, secure audit trail and correlates audit data with other IT activity.

Figure 2 - ChangeAuditor and InTrust provide comprehensive auditing and protection for AD.
[Diagram: ChangeAuditor for Active Directory covers Change Tracking, Real-time Monitoring and Reporting; Quest InTrust covers Security Event Management (SEM) and Correlation and the Secure Audit Trail.]

ChangeAuditor for Active Directory

ChangeAuditor monitors Active Directory domain controllers in real time, preventing unauthorized changes to protected objects and recording allowed changes for specified objects, users and actions. It also provides advanced alerting and reporting.

ChangeAuditor’s architecture is comprised of three components. These work with the SQL Server relational database that contains ChangeAuditor’s audit data and

Figure 3 - ChangeAuditor architecture
[Diagram: ChangeAuditor Agents on the domain controllers, the ChangeAuditor Client, the SQL Server database, ChangeAuditor Coordinators, and outputs to SMTP email alerts, SNMP and Systems Center Operations Manager.]

- ChangeAuditor Agent – ChangeAuditor’s change tracking engine resides in the ChangeAuditor agent, which runs on each domain controller. As the agent monitors any attempts to change various objects in AD, it compares each requested change to the object protection policies previously defined by ChangeAuditor users. If the change matches a prohibited combination of user, action and object, ChangeAuditor prevents the change from being made. Otherwise, ChangeAuditor records the event to the ChangeAuditor database according to the organization’s CAAD configuration policy that defines which objects, users and actions are audited.
- ChangeAuditor Coordinator – The ChangeAuditor Coordinator monitors new activity being logged to the ChangeAuditor database and generates SMTP e-mail alerts and SNMP traps. It can also send events to SCOM, depending on the activity and ChangeAuditor’s configured alert policy. Additional ChangeAuditor Coordinators and a SQL Server cluster can be implemented for fault-tolerance.
- ChangeAuditor Client – IT staff use the ChangeAuditor Client to access and configure ChangeAuditor, as well as run reports and conduct analysis. Reports can also be scheduled and automatically delivered via SQL Reporting Services, which integrates directly with the ChangeAuditor Client. With this client, staff can quickly determine who changed what, when the change occurred, and where the change originated.

Intelligent AD Auditing

Unlike native AD auditing, which is limited to simple object/property schema-based auditing, the ChangeAuditor agent provides intelligent auditing of AD changes. It addresses the specialized auditing requirements arcane to Active Directory as described in the Change Tracking section earlier in this document.

Nested group changes fully expanded

ChangeAuditor intelligently monitors nested group memberships and faithfully reports indirect group membership additions. To use the example given earlier, if John is made a member of the group Directory Services Engineers, which in turn is a member of Enterprise Admins, ChangeAuditor alerts you that a new member has gained all-powerful Enterprise Admins membership.

Figure 4. Nested group membership changes are reported by ChangeAuditor
[Screenshots: scenario "User added to nested group" (Directory Services Engineers nested in Enterprise Admins). Native AD audit event: (none). ChangeAuditor event shown.]

Changes to group policy settings reported in detail

As explained earlier, a GPO’s configuration settings reside in the file system of each domain controller, so the native audit log can tell you only that a GPO was modified, but not which settings were changed or their values before and after the change. ChangeAuditor, on the other hand, reports exactly which settings within the GPO were changed and provides the before and after values for the settings, as shown below:

[Screenshots: scenario "Group Policy Object Modified", comparing the native AD audit event with the ChangeAuditor event.]

Permission changes fully reported, without redundant notifications

At best, native AD auditing can report only that there was some kind of permission change on a given OU; moreover, it floods the security log with hundreds or thousands of additional notifications for each child object within that OU and its sub-OUs. ChangeAuditor, however, reports a single permission change event for the object where the permissions were actually modified, and specifies exactly which entries were deleted and/or added:

[Screenshots: scenario "Active Directory permissions delegated for a given organizational unit", comparing the native AD audit event with the ChangeAuditor event.]
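To make concrete what "which entries were deleted and/or added" means when the native log gives only before and after SDDL strings, the following Python decodes the access control entries and diffs two DACLs. It is an added example, not ChangeAuditor's logic or code from the brief; the lookup tables cover only common SDDL codes, PAGE_SDDL is the string quoted in the Change Tracking section, and the BEFORE/AFTER strings are constructed.

```python
import re

ACE_TYPES = {"A": "Allow", "D": "Deny", "OA": "Allow (object)",
             "OD": "Deny (object)", "AU": "Audit", "OU": "Audit (object)"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited",
             "SA": "audit success", "FA": "audit failure"}
RIGHTS = {"CC": "Create Child", "DC": "Delete Child", "LC": "List Children",
          "SW": "Self Write", "RP": "Read Property", "WP": "Write Property",
          "DT": "Delete Tree", "LO": "List Object", "CR": "Control Access",
          "SD": "Delete", "RC": "Read Control", "WD": "Write DACL",
          "WO": "Write Owner", "GA": "Generic All", "GR": "Generic Read",
          "GW": "Generic Write", "GX": "Generic Execute"}
TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users",
            "DA": "Domain Admins", "EA": "Enterprise Admins",
            "BA": "Builtin Administrators", "SY": "Local System",
            "AO": "Account Operators", "DU": "Domain Users"}

PAGE_SDDL = "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"  # quoted in the brief
# Constructed before/after descriptors for a delegation on one OU.
BEFORE = "O:DAG:DAD:AI(A;;GA;;;DA)(A;;RPLCLORC;;;AU)"
AFTER = "O:DAG:DAD:AI(A;;GA;;;DA)(A;CI;CCDCWP;;;AO)(A;;RPLC;;;AU)"


def _pairs(code, table):
    # SDDL packs two-letter codes without separators; hex masks pass through.
    if code.startswith("0x"):
        return [code]
    return [table.get(code[i:i + 2], code[i:i + 2])
            for i in range(0, len(code), 2)]


def parse_acl(sddl, which):
    """Return the ACEs of the DACL (which='D') or SACL (which='S') as
    tuples (type, flags, rights, object_guid, inherit_guid, trustee)."""
    m = re.search(which + r":[A-Z_]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(tuple(fields[:6]))
    return aces


def describe(ace):
    """Render one ACE tuple in plain language."""
    typ, flags, rights, obj, _inherit, trustee = ace
    text = "%s %s: %s" % (ACE_TYPES.get(typ, typ),
                          TRUSTEES.get(trustee, trustee),
                          ", ".join(_pairs(rights, RIGHTS)))
    if flags:
        text += " [" + ", ".join(_pairs(flags, ACE_FLAGS)) + "]"
    if obj:
        text += " on object type " + obj
    return text


def diff_dacl(before, after):
    """Report which DACL entries were added and which were removed."""
    old, new = parse_acl(before, "D"), parse_acl(after, "D")
    return {"added": [describe(a) for a in new if a not in old],
            "removed": [describe(a) for a in old if a not in new]}


if __name__ == "__main__":
    print(describe(parse_acl(PAGE_SDDL, "S")[0]))
    print(diff_dacl(BEFORE, AFTER))
```

The string quoted in the brief begins with `S:`, so it decodes as an audit (SACL) entry for Everyone rather than as a permission grant.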

Plain language used instead of cryptic AD schema

While the native AD audit log reports changes using cryptic schema names for objects and properties, ChangeAuditor reports AD changes in plain language easily understood by IT staff:

[Screenshots: scenario "Last name of user account changed", comparing the native AD audit event with the ChangeAuditor event.]

Quest InTrust

While ChangeAuditor provides real-time monitoring and reporting, Quest InTrust provides the security audit trail and security event management (SEM) for comprehensive auditing and protection of Active Directory. InTrust is a modular log management and change auditing platform with optional integration with ChangeAuditor for specialized monitoring functionality, and knowledge packs for expert analysis of log and monitoring data.

The InTrust platform provides log collection, alerting, archival and reporting. InTrust has built-in support for the common log formats, including Windows event logs and any type of text file log, as well as syslog streams for support of UNIX, Linux and network devices such as routers and firewalls.

In addition, InTrust provides a secure log-based repository that can securely and efficiently store large amounts of audit data. This protects the data from tampering and keeps it separate from the operational AD administrators, providing deterrence and detection control.

Integration of InTrust and ChangeAuditor

In larger enterprises where AD administrators are separate from information security staff, AD change events must be merged into one overall view of enterprise-wide security activity. Quest delivers this view by integrating the ChangeAuditor auditor event stream into InTrust’s enterprise-wide security event management capabilities.

ChangeAuditor agents can be
