Channel: You'll Be Surprised By What We Know » Keith Hundley

5 Things You Need to Know About User Access in the IT Environment

In recent financial statement audits, we are seeing an increase in deficiencies related to user access in the IT environment. These deficiencies increase the organization's risk of fraud and error in financial statement preparation, and they expose the organization's IT systems to internal and external threats. Business owners and CFOs tend to leave these issues to the IT staff. However, there are five key areas related to user access that businesses need to understand in order to protect the security and integrity of the organization's IT systems.

1. Information Security Policy

Every organization should have a clearly written and understandable information security policy that defines its information security objectives. The policy should be available to all employees, should address system administration and acceptable use, and should state the sanctions for not following it. At a minimum, the policy should cover:

  • Threat and vulnerability assessments,
  • Vulnerability management and incident response,
  • Strategy,
  • Legal and regulatory,
  • Policies and procedures,
  • Business continuity and disaster recovery,
  • Program governance,
  • Education, training, and communication,
  • Technology capability and evaluation, and
  • Performance analysis and effectiveness.

2. User Access

Organizations should have procedures that ensure timely action on requesting, establishing, issuing, suspending, modifying, and closing user accounts, including appropriate authorization at each step. Controls should also ensure that every user is identified uniquely, so that shared or generic accounts do not hide who performed an action. One of the most overlooked tasks in this area is removing or disabling user access promptly when employees are terminated, and trimming access that is no longer needed when they change roles.
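The review described above, as an added example that is not part of the original article: a script that reconciles an account export against the HR roster and flags enabled accounts that belong to terminated employees, have no owner in HR, are shared rather than tied to one person, or have gone unused. The roster, the account list, the one-day grace period and the 90-day stale threshold are all constructed assumptions for the illustration; in practice the two inputs would be exports from the HR system and from the directory or application.

```python
"""User-access reconciliation: compare an account export against the HR
roster and flag accounts that should have been closed, are stale, or are
not uniquely tied to one person. Added example; sample data is constructed."""
from datetime import date, timedelta

# Constructed HR roster: employee id -> (name, termination date or None if active)
HR_ROSTER = {
    "E1001": ("Alice Ng", None),
    "E1002": ("Bob Reyes", date(2024, 3, 15)),
    "E1003": ("Carla Oduya", None),
}

# Constructed account export, as you might pull from a directory, ERP or
# payroll application. employee_id None means the account is not tied to a person.
ACCOUNTS = [
    {"username": "ang",     "employee_id": "E1001", "enabled": True,  "last_login": date(2024, 4, 1)},
    {"username": "breyes",  "employee_id": "E1002", "enabled": True,  "last_login": date(2024, 3, 20)},
    {"username": "coduya",  "employee_id": "E1003", "enabled": True,  "last_login": date(2024, 4, 2)},
    {"username": "payroll", "employee_id": None,    "enabled": True,  "last_login": date(2024, 4, 2)},
    {"username": "svc_old", "employee_id": "E0999", "enabled": True,  "last_login": date(2023, 9, 1)},
    {"username": "jdoe",    "employee_id": "E1004", "enabled": False, "last_login": date(2023, 1, 5)},
]

AS_OF = date(2024, 4, 10)   # assumed review date for the constructed data


def find_access_exceptions(accounts, roster, as_of, grace_days=1, stale_days=90):
    """Return a list of (username, reason) for enabled accounts that fail the checks.

    grace_days: how long after termination an account may still be enabled
    before it counts as untimely removal (assumed policy value).
    stale_days: an enabled account unused this long is flagged for review.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already closed; nothing to flag
        user, emp = acct["username"], acct["employee_id"]

        if emp is None:
            findings.append((user, "not uniquely tied to one person (shared or generic account)"))
            continue
        if emp not in roster:
            findings.append((user, "enabled account with no matching HR record"))
            continue

        _, term_date = roster[emp]
        if term_date is not None and as_of > term_date + timedelta(days=grace_days):
            reason = f"still enabled {(as_of - term_date).days} days after termination on {term_date}"
            if acct["last_login"] > term_date:
                reason += f"; last login {acct['last_login']} was after termination"
            findings.append((user, reason))
            continue

        if (as_of - acct["last_login"]).days > stale_days:
            findings.append((user, f"no login since {acct['last_login']}; review whether still needed"))
    return findings


if __name__ == "__main__":
    for user, reason in find_access_exceptions(ACCOUNTS, HR_ROSTER, as_of=AS_OF):
        print(f"{user:10} {reason}")
```

On the constructed data the report lists three exceptions: `breyes`, whose account was still enabled and used after the termination date; `payroll`, a generic account that cannot be attributed to one person; and `svc_old`, an enabled account with no HR record at all. The login-after-termination detail is what an auditor would ask about first, because it shows the control failed in practice rather than just on paper.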

3. User Access Rights

User access rights (network, application, and database) should be granted on a need-to-know and need-to-do basis that preserves appropriate segregation of duties. Segregation of duties spreads the critical functions of a key process (authorization, recording, custody of assets, and reconciliation) across more than one person, so that no single person can both carry out and conceal an improper transaction. For example, in the payroll process the following tasks should all be assigned to different users within the IT structure:

  • Responsibilities and rights to set-up a new employee (including withholdings and direct deposit information),
  • Recording payroll data and processing the payroll,
  • Review and authorization of the payroll, and
  • Reconciling payroll accounts.

Segregating these types of rights reduces the risk of fraud being perpetrated through the organization’s payroll process.
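The payroll segregation above, as an added example that is not part of the original article: a check that resolves each user's effective duties from their role assignments (including roles nested inside other roles, which is where conflicts usually hide) and reports any pair of conflicting duties held by one person. The role catalogue, the user assignments and the rule that every pair of the four payroll duties conflicts are constructed assumptions for the illustration; the duty names are the four payroll steps listed in the text.

```python
"""Segregation-of-duties check over role assignments (added example).

Roles, assignments and the conflict matrix below are constructed for the
illustration; the four duties are the payroll steps listed in the text."""
from itertools import combinations

SETUP, PROCESS, APPROVE, RECONCILE = (
    "setup_employee", "process_payroll", "approve_payroll", "reconcile_payroll")

# Conflict matrix: every pair of these duties must sit with different people.
CONFLICTS = {frozenset(p) for p in combinations([SETUP, PROCESS, APPROVE, RECONCILE], 2)}

# Constructed role catalogue: role -> duties it grants directly, and roles it includes.
ROLES = {
    "HR_Onboarding":   {"duties": {SETUP},     "includes": set()},
    "Payroll_Clerk":   {"duties": {PROCESS},   "includes": set()},
    "Payroll_Manager": {"duties": {APPROVE},   "includes": {"Payroll_Clerk"}},
    "GL_Accountant":   {"duties": {RECONCILE}, "includes": set()},
    "Read_Only":       {"duties": set(),       "includes": set()},
}

# Constructed user -> roles assignments, as exported from the application.
ASSIGNMENTS = {
    "alice": {"HR_Onboarding"},
    "bob":   {"Payroll_Clerk"},
    "dana":  {"Payroll_Manager"},                  # inherits PROCESS through the nested role
    "erin":  {"GL_Accountant", "Read_Only"},
    "frank": {"HR_Onboarding", "GL_Accountant"},   # two roles that together conflict
}


def effective_duties(role, roles, _seen=None):
    """Return {duty: role_that_grants_it} for one role, following nested includes."""
    if _seen is None:
        _seen = set()
    if role in _seen:          # guard against cyclic role definitions
        return {}
    _seen.add(role)
    granted = {duty: role for duty in roles[role]["duties"]}
    for inner in roles[role]["includes"]:
        for duty, source in effective_duties(inner, roles, _seen).items():
            granted.setdefault(duty, source)
    return granted


def sod_violations(assignments, roles, conflicts):
    """Return {user: [(duty_a, granting_role_a, duty_b, granting_role_b), ...]}."""
    violations = {}
    for user, user_roles in assignments.items():
        granted = {}
        for role in user_roles:
            for duty, source in effective_duties(role, roles).items():
                granted.setdefault(duty, source)
        hits = []
        for pair in conflicts:
            if pair.issubset(granted):
                a, b = sorted(pair)
                hits.append((a, granted[a], b, granted[b]))
        if hits:
            violations[user] = sorted(hits)
    return violations


if __name__ == "__main__":
    for user, hits in sod_violations(ASSIGNMENTS, ROLES, CONFLICTS).items():
        for duty_a, role_a, duty_b, role_b in hits:
            print(f"{user}: {duty_a} (via {role_a}) conflicts with {duty_b} (via {role_b})")
```

Two users fail: `dana` holds approval directly and processing through the nested clerk role, and `frank` can both set up employees and reconcile the accounts. Reporting the granting role beside each duty matters because the fix is usually to change a role definition or a nesting, not just to strip one user.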

4. Access to Critical Data Folders

Access to critical data folders (outside of a database) should be properly protected and restricted, with write access limited to the people who maintain the files. Many organizations rely on user-developed applications, especially spreadsheets. These spreadsheets typically start out as lists or simple calculations for tracking information but can quickly grow into complex calculations supporting critical parts of business operations and key decisions. The risk lies in the fact that these user-developed spreadsheets are created outside of the control environment of the IT structure. They are subject to manual input and manipulation, which is difficult to audit and can lead to key decisions being made on the basis of erroneous data.

5. Authentication and Access

Organizations should have documented procedures, and should follow them, to maintain the effectiveness of authentication and access mechanisms (e.g. minimum password length, password history, password expiration, and lockout after repeated failed attempts). Treat a minimum of 8 alphanumeric characters as a floor rather than a target: length does more to resist guessing than character-set rules do, so longer passphrases should be encouraged, and privileged and remote access should not rely on a password alone. The harder a password is to guess, the longer it takes an attacker (or, more likely, an automated cracking program) to recover it.
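The mechanisms listed above, as an added example that is not part of the original article: a small account store that enforces minimum length, letter-and-digit composition, reuse of recent passwords, expiration, and lockout after repeated failures, with passwords kept only as salted PBKDF2 hashes. The policy values, the account and the password sequence in `demo()` are constructed assumptions; the minimum length is set above the article's 8-character floor, and the PBKDF2 round count is kept modest so the demonstration runs quickly.

```python
"""Password policy and lockout mechanics (added example).

POLICY values are assumed for the illustration; the article's 8-character
minimum is treated as a floor and a longer minimum is used here."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

POLICY = {
    "min_length": 12,          # assumed; the article's 8 is the floor, not the target
    "history": 5,              # reject any of the last 5 passwords
    "max_age_days": 90,        # assumed expiration
    "lockout_threshold": 5,    # failed attempts before lockout
    "lockout_minutes": 15,     # how long the lockout lasts
}
PBKDF2_ROUNDS = 100_000        # kept modest so the demo runs quickly


class Account:
    def __init__(self, username):
        self.username = username
        self.history = []          # (salt, digest) pairs, oldest first; last = current
        self.changed_at = None
        self.failed = 0
        self.locked_until = None


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(acct, new_password, policy, now):
    """Apply length, composition and history rules; store a fresh salted hash."""
    if len(new_password) < policy["min_length"]:
        return "too short"
    if not (any(c.isalpha() for c in new_password) and any(c.isdigit() for c in new_password)):
        return "needs letters and digits"
    for salt, digest in acct.history[-policy["history"]:]:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            return "reused"
    salt = os.urandom(16)
    acct.history.append((salt, _digest(new_password, salt)))
    acct.history = acct.history[-policy["history"]:]   # keep only what the rule needs
    acct.changed_at = now
    return "ok"


def authenticate(acct, password, policy, now):
    """Check lockout first, then the hash, then expiration; count failures."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not acct.history:
        return "no password set"
    salt, digest = acct.history[-1]
    if hmac.compare_digest(_digest(password, salt), digest):
        acct.failed, acct.locked_until = 0, None
        if now - acct.changed_at > timedelta(days=policy["max_age_days"]):
            return "expired"     # correct password, but it must be changed before use
        return "ok"
    acct.failed += 1
    if acct.failed >= policy["lockout_threshold"]:
        acct.failed = 0
        acct.locked_until = now + timedelta(minutes=policy["lockout_minutes"])
        return "locked"
    return "bad password"


def demo():
    """Walk one constructed account through the rules; returns the outcomes."""
    t0 = datetime(2024, 1, 2, 9, 0)
    acct = Account("jsmith")
    good = "Payroll-Spring-2024"
    return {
        "short": set_password(acct, "short1", POLICY, t0),
        "set": set_password(acct, good, POLICY, t0),
        "reuse": set_password(acct, good, POLICY, t0),
        "guesses": [authenticate(acct, "wrong-guess-01", POLICY, t0) for _ in range(5)],
        "during_lockout": authenticate(acct, good, POLICY, t0 + timedelta(minutes=1)),
        "after_lockout": authenticate(acct, good, POLICY, t0 + timedelta(minutes=16)),
        "after_90_days": authenticate(acct, good, POLICY, t0 + timedelta(days=91)),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:15} {result}")
```

Two details are worth noticing. The lockout check runs before any hashing, so an attacker who has triggered it gets no feedback at all, and the correct password is rejected during the lockout window just as a wrong one would be. The history rule works by re-hashing the candidate with each stored salt rather than keeping old passwords in any recoverable form.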

Finding Solutions

Understanding the fundamentals of user access and the role it plays in your IT environment, and more importantly the role it plays in your financial reporting, is vital to your business's success. For solutions to all of your auditing, financial reporting, or information technology needs, contact the CRI team.

