So Why Is It So Important for My Audit Client to Have User Security Groups?

As auditors, it is sometimes hard to see exactly how technology could impact our audit. All of this talk of user groups is difficult to link to our audit assertions. What is the potential impact on my audit? What we should be asking is, “How secure is the financial data that I’m relying on?” I mentioned in my earlier post that I have seen five cases of fraud over the last eight years, and each one had a shortfall in security controls as the root cause. More specifically, each case involved users who had conflicting duties granted by their user security rights. This month we’ll cover the second of four topics:

  1. Password security
  2. User Security Groups
  3. Periodic User Reviews
  4. Administrator Access Rights

User Security Groups

With password parameters in place, we can now focus on whether or not a client is limiting what access a user has within the system.

  • Does the client set up security access based on the user’s job responsibilities? This is a critical area for the IT general controls. A common problem for clients is having users with security rights that create a segregation of duties conflict (e.g., CFOs who can enter journal entries, an Accounts Payable user who can create vendors and pay invoices). We expect to see these conflicts in smaller organizations, and we have to look to other controls to mitigate them. These other controls are typically some type of manual review, which does not give us as much assurance. Whenever possible, look for the segregation to be enforced through the system security rights. It is much easier to audit and provides more assurance.
  • Has the client set up their users in groups? What do I mean by groups? When a user group is used, the group’s security rights can be adjusted once, and the change applies to every member of that group. This provides a much more efficient way of managing user rights, and if it is easier to maintain, it is more likely to be right. Many times a client’s initial response is yes when asked if they use user groups. Upon further investigation, though, it often becomes apparent that this is not the case. Many clients will set up a user by granting detailed, specific system access directly to that user, also known as “cherry picking.” The problem with this approach is that any change in access must then be made at the individual user level, one user at a time. Look for user groups. They are easier to audit, easier for the client to maintain, and make the client’s periodic user access reviews much easier.
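
To make the two checks above concrete, here is an added example (not from the original post or from any client system) in Python: a small access model with constructed sample groups and users, a function that computes each user’s effective rights through group membership plus direct grants, a segregation-of-duties check using the two conflicts named above, and a flag for “cherry-picked” rights granted outside any group. All group names, user names and right names are made up for illustration.

```python
"""Effective-access, segregation-of-duties and cherry-picking check (constructed example)."""
from typing import Dict, FrozenSet, List, Set

# Constructed sample data: rights carried by each group.
GROUP_RIGHTS: Dict[str, Set[str]] = {
    "AP_Clerk": {"enter_invoice", "view_vendor"},
    "Vendor_Maintenance": {"create_vendor", "edit_vendor"},
    "Treasury": {"pay_invoice"},
    "GL_Reviewer": {"approve_journal_entry", "view_ledger"},
}

# Constructed sample users: group memberships plus any rights granted directly to the user.
USERS: Dict[str, Dict[str, object]] = {
    "alice": {"groups": ["AP_Clerk", "Vendor_Maintenance", "Treasury"], "direct": set()},
    "bob":   {"groups": ["GL_Reviewer"], "direct": {"enter_journal_entry"}},  # cherry-picked right
    "carol": {"groups": ["AP_Clerk"], "direct": set()},
}

# Pairs of rights one person should never hold together (the conflicts described in the post).
SOD_RULES: List[FrozenSet[str]] = [
    frozenset({"create_vendor", "pay_invoice"}),                # create a vendor and pay it
    frozenset({"enter_journal_entry", "approve_journal_entry"}),  # enter and approve own entries
]


def effective_rights(user: str) -> Set[str]:
    """Union of rights inherited via groups plus rights granted directly to the user."""
    rec = USERS[user]
    rights: Set[str] = set(rec["direct"])  # type: ignore[arg-type]
    for group in rec["groups"]:  # type: ignore[union-attr]
        rights |= GROUP_RIGHTS.get(group, set())
    return rights


def sod_conflicts(user: str) -> List[FrozenSet[str]]:
    """Every SoD rule whose rights are all present in the user's effective access."""
    rights = effective_rights(user)
    return [rule for rule in SOD_RULES if rule <= rights]


def cherry_picked(user: str) -> Set[str]:
    """Rights assigned directly rather than via a group; these escape group-level maintenance."""
    return set(USERS[user]["direct"])  # type: ignore[arg-type]


def audit_report() -> Dict[str, Dict[str, object]]:
    """One finding record per user, suitable for a periodic access review workpaper."""
    return {u: {"conflicts": sod_conflicts(u), "direct": sorted(cherry_picked(u))} for u in USERS}


if __name__ == "__main__":
    for user, finding in audit_report().items():
        print(user, finding)
```

Run against a real export, the same logic would flag alice for the vendor/payment conflict and bob for a journal-entry conflict created by a single directly granted right that no group review would catch.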

Passwords provide assurance that the right people are logging into the systems. Security groups help provide assurance that they are only able to perform the system functions we’d expect. These two areas are critical to security information in an organization’s financial systems.

Next time we’ll talk about periodic user reviews….

About the Author:

Tony F. Scott, CISA, is Founder & CEO of Technical Financial Solutions, LLC (www.TFSUS.com). TFS is a Georgia-based IT compliance audit firm with a national reach, serving clients across the United States. TFS specializes in IT general controls testing for Financial Statement audits as well as SAS70/SOCIII engagements. TFS also specializes in HIPAA security and HITECH Act security assessments, serving over 65 hospitals in the Southeast.

“Whatever you do, do it heartily, as to the Lord and not to men.” Colossians 3:23
