Author Archive

So Why Is It So Important for My Audit Client to Have User Security Groups?

As auditors, it is sometimes hard to see exactly how technology could impact our audit. All of this talk of user groups is difficult to link to our audit assertions. What is the potential impact on my audit? What we should be asking is, “How secure is the financial data that I’m relying on?” I mentioned in my earlier post that I have seen five cases of fraud over the last eight years, and each one had a shortfall in security controls as the root cause. More specifically, each case involved users who had been granted conflicting duties through their user security rights. This month we’ll cover the second of four topics:

  1. Password security
  2. User Security Groups
  3. Periodic User Reviews
  4. Administrator Access Rights

User Security Groups

With password parameters in place, we can now focus on whether or not a client is limiting what access a user has within the system.

  • Does the client set up security access based on the user’s job responsibilities? This is a critical area for the IT general controls. A common problem for clients is having users with security rights that create a segregation of duties conflict (e.g., a CFO who can enter journal entries, or an Accounts Payable user who can both create vendors and pay invoices). We expect to see these conflicts in smaller organizations, and we then have to look to other controls to mitigate them. These other controls are typically some type of manual review, which does not give us as much assurance. Whenever possible, look for the segregation to be enforced through the system security rights. It is much easier to audit and provides more assurance.
  • Has the client set up their users in groups? What do I mean by groups? When a user group is used, the group’s security rights can be adjusted once, and the change applies to every member of that group. This provides a much more efficient way of managing user rights, and if it is easier to maintain, it is more likely to be right. Many times a client’s initial response is yes when asked if they use user groups. Upon further investigation, though, it often becomes apparent that this is not the case. Many clients will set up a user by granting detailed, user-specific system access, also known as “cherry picking.” The problem with this approach is that any change in access must be made at the individual user level, one user at a time. Look for user groups. They are easier to audit, easier for the client to maintain, and make the client’s periodic user access reviews much easier.
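As an added example that is not from the post, here is a small Python script an auditor could run over a user, group and rights export to find segregation-of-duties conflicts like the ones named above and to flag rights assigned directly to a user rather than through a group. The conflict pairs, group names, user names and the export layout are all constructed assumptions; a real system’s export would need to be mapped into the same two dictionaries.

```python
# Added example (not from the original post): find segregation-of-duties conflicts
# and "cherry-picked" direct rights in a hypothetical user/group/rights export.
# Every user, group, right and conflict pair below is constructed sample data.
from collections import defaultdict

# Pairs of rights one person should not hold together (assumed conflict matrix,
# modelled on the conflicts the post names).
SOD_CONFLICTS = [
    ("CreateVendor", "PayInvoice"),      # create a vendor and then pay it
    ("EnterJournal", "ApproveJournal"),  # post a journal entry and approve it
]

# Constructed export: group -> rights granted by the group.
GROUP_RIGHTS = {
    "AP_Clerk":     {"EnterInvoice", "PayInvoice"},
    "Vendor_Maint": {"CreateVendor"},
    "GL_Entry":     {"EnterJournal"},
    "GL_Review":    {"ApproveJournal"},
}

# Constructed export: user -> group memberships and rights granted directly
# to the user (the "cherry picking" the post warns about).
USERS = {
    "alice": {"groups": {"AP_Clerk"},                 "direct": set()},
    "bob":   {"groups": {"AP_Clerk", "Vendor_Maint"}, "direct": set()},
    "carol": {"groups": {"GL_Entry"},                 "direct": {"ApproveJournal"}},
    "dave":  {"groups": set(),                        "direct": {"EnterInvoice", "PayInvoice", "CreateVendor"}},
}


def effective_rights(user, users=USERS, group_rights=GROUP_RIGHTS):
    """Return {right: {sources}} for a user, resolving group and direct grants."""
    sources = defaultdict(set)
    record = users[user]
    for group in record["groups"]:
        for right in group_rights.get(group, ()):
            sources[right].add(f"group:{group}")
    for right in record["direct"]:
        sources[right].add("direct")
    return dict(sources)


def sod_conflicts(user, users=USERS, group_rights=GROUP_RIGHTS, conflicts=SOD_CONFLICTS):
    """List the conflict pairs a user holds, with where each right came from."""
    rights = effective_rights(user, users, group_rights)
    found = []
    for a, b in conflicts:
        if a in rights and b in rights:
            found.append({a: sorted(rights[a]), b: sorted(rights[b])})
    return found


def direct_rights(user, users=USERS):
    """Rights assigned outside any group; these need user-level maintenance."""
    return sorted(users[user]["direct"])


def audit(users=USERS, group_rights=GROUP_RIGHTS, conflicts=SOD_CONFLICTS):
    """Per-user findings an auditor would follow up on."""
    return {
        user: {
            "conflicts": sod_conflicts(user, users, group_rights, conflicts),
            "direct_rights": direct_rights(user, users),
        }
        for user in sorted(users)
    }


if __name__ == "__main__":
    for user, findings in audit().items():
        print(user, findings)
```

Recording the source of each right is the useful part: bob’s conflict comes from two group memberships and is fixed by changing a group, while carol’s and dave’s come from direct grants that would have to be chased down user by user.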

Passwords provide assurance that the right people are logging into the systems. Security groups help provide assurance that those people are only able to perform the system functions we’d expect. These two areas are critical to securing the information in an organization’s financial systems.

Next time we’ll talk about periodic user reviews….

About the Author:

Tony F. Scott, CISA, is Founder & CEO of Technical Financial Solutions, LLC (www.TFSUS.com). TFS is a Georgia-based IT compliance audit firm with a national reach, serving clients across the United States. TFS specializes in IT general controls testing for Financial Statement audits as well as SAS70/SOCIII engagements. TFS also specializes in HIPAA security and HITECH Act security assessments, serving over 65 hospitals in the Southeast.

“Whatever you do, do it heartily, as to the Lord and not to men.” Colossians 3:23

What Does a Password Have to Do with My Audit?

As auditors, it is often difficult to see exactly how technology could impact our audit. All this talk of passwords, user setup and system security is difficult to link to our audit assertions. What is the potential impact on my audit? What we should be asking is, “How secure is the financial data that I’m relying on?” We’d like to think that everyone is always honest, but there are more financial pressures than ever in today’s economy, and we are all human. When security is not correct, it creates open doors to fraud. I have seen five cases of fraud over the last eight years, and each one had a shortfall in security controls as the root cause. Technically, greed was the root cause, but you know what I mean! So what can we do, and how do we communicate the need to close these “open doors” to the client? Here we cover the first of four topics:

  1. Password Security
  2. User Security Groups
  3. Periodic User Reviews
  4. Administrator Access Rights

Password Security

We need to cover the basic general IT controls during our audit. Let’s talk about one key area: password controls.

First, we need to test controls around user passwords and see that their password parameters are in line with common standards:

  • 6-8 character minimum password length – take a look at these statistics on how long it takes to hack a password, comparing one made up of lowercase letters only with one drawn from the full character set. The chart below shows the amount of time needed for a hacker to compromise a password with the stated attributes. I think the chart says it all!

    Password Length   All Characters    Only Lowercase
    3 characters      0.86 seconds      0.02 seconds
    4 characters      1.36 minutes      0.046 seconds
    5 characters      2.15 hours        11.9 seconds
    6 characters      8.51 days         5.15 minutes
    7 characters      2.21 years        2.23 hours
    8 characters      2.10 centuries    2.42 days

  • Complexity enabled – requiring passwords to contain upper- and lower-case letters, numbers and symbols significantly increases their strength. Additionally, using password logic such as taking the first letter of each word in a phrase and substituting symbols for certain letters makes a password very strong.
  • Password expiration every 60-90 days – password expiration is a passionately debated setting. Some will tell you that they would rather have a strong password that never expires, and some would say that they want to change it every 30 days. Somewhere in between is the more accepted answer. “Never expiring” settings increase the likelihood that others will obtain the password, whereas having the password expire too frequently only increases the likelihood that the password will be found on a sticky note under the keyboard! An expiration of 60-90 days serves as a solid password life.
  • 3-5 passwords remembered – the password history setting matters because, when you have to change your password, it prevents you from reusing the same one over and over.
  • 3-5 days minimum password age – a minimum-age setting prevents a user from changing the password 3-5 times in a row (the number prescribed in the previous bullet) just to get back to the original password.
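To put the parameters above into something testable, here is an added Python example (not from the post) that checks a hypothetical policy export against the ranges listed and computes the brute-force times behind the chart. The policy record layout, the sample policies, the 95-character set assumed for “All Characters” and the attacker rate of one million guesses per second are all assumptions; with that rate the formula reproduces the chart’s figures (the 4-character lowercase entry comes out at about 0.46 seconds).

```python
# Added example (not from the original post): check a password policy against the
# ranges the post recommends, and compute brute-force time by length and character
# set. The policy record layout, the sample policies and the guess rate are assumed.
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1_000_000   # assumed attacker rate; reproduces the post's chart
LOWERCASE = 26                   # a-z
ALL_CHARACTERS = 95              # printable ASCII, assumed for "All Characters"


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical policy export; max_age_days == 0 means passwords never expire."""
    min_length: int
    complexity: bool
    max_age_days: int
    history_count: int
    min_age_days: int


def evaluate(policy):
    """Return the list of findings where the policy falls outside the post's ranges."""
    findings = []
    if policy.min_length < 6:
        findings.append(f"minimum length {policy.min_length} is below 6-8 characters")
    if not policy.complexity:
        findings.append("complexity is not enabled")
    if policy.max_age_days == 0:
        findings.append("passwords never expire")
    elif not 60 <= policy.max_age_days <= 90:
        findings.append(f"expiration of {policy.max_age_days} days is outside 60-90")
    if policy.history_count < 3:
        findings.append(f"only {policy.history_count} passwords remembered (expect 3-5)")
    if policy.min_age_days < 3:
        findings.append(f"minimum age {policy.min_age_days} days allows cycling back (expect 3-5)")
    return findings


def keyspace(length, alphabet_size):
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length


def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace(length, alphabet_size) / rate


def human(seconds):
    """Format like the chart: largest unit that fits, two decimals."""
    units = [("centuries", 100 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def crack_table(lengths=range(3, 9), rate=GUESSES_PER_SECOND):
    """{length: (all-characters time, lowercase-only time)} as in the chart."""
    return {n: (human(seconds_to_exhaust(n, ALL_CHARACTERS, rate)),
                human(seconds_to_exhaust(n, LOWERCASE, rate))) for n in lengths}


if __name__ == "__main__":
    weak = PasswordPolicy(min_length=4, complexity=False, max_age_days=0,
                          history_count=0, min_age_days=0)   # constructed weak policy
    for finding in evaluate(weak):
        print("finding:", finding)
    for n, (all_chars, lower) in crack_table().items():
        print(f"{n} characters  {all_chars:>16}  {lower:>16}")
```

The chart is just alphabet_size ** length divided by a guess rate, so raising the rate (faster hardware, or an offline attack on a leaked hash store) scales every cell down by the same factor; length and character set are what the client controls, which is why the parameters above are the ones to test.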

The true point of a password is to ensure that the user logging in really is that user. If passwords are weak, it opens the door to co-workers processing transactions as other users, as well as to unauthorized users gaining access to the financial data we are relying on for our audit.

Next month we’ll talk about user security groups….
