Access Management risks and controls
One of the biggest risks to the integrity of ERP systems is that users may be granted inappropriate access, which can lead to unauthorized activities. Whether they are innocent mistakes or fraudulent acts, they can seriously disrupt your operations and incur financial loss. They will also affect the accuracy of your financial statements, so auditors will certainly test your access controls.
Best practice is to only grant users access to the applications that they need to carry out their jobs (often referred to as ‘least privilege’ or ‘need to know’). The most efficient way to achieve this is to implement and enforce Role-Based Access Control with a well-designed security model.
Access management risks and controls, as part of your application, include:
Improper role design or provisioning
Roles should be aligned with business processes rather than specific users or jobs, as this will make it easier to ensure that appropriate access is granted to all users. Poorly designed roles may lead to access issues such as too much or too little access being granted. It will also make it more difficult to manage and report on Segregation of Duties (SoD).
Auditors may randomly test the access granted to users. For example, our consultant auditor has seen situations where users had been assigned ‘Inquiry’ roles. But when he looked closer, it turned out that the so-called Inquiry roles, whether by error or design, actually gave users Add, Change and Delete capabilities! Remember that auditors don’t take things at face value and they will check the details.
Privileged users (super users, power users) are particularly risky. Some users, such as IT administrators, may have full access to everything. At some organizations, the same person will also be the database administrator and operating system administrator, which increases the level of risk even further. In that scenario, the admins has the ability to lock anyone or everyone out of the system and effectively hold the company to ransom.
You need policies and procedures documenting how you manage privileged access and you need to monitor those users very closely.
In general it is good practice to avoid granting anyone full access to everything, but if you can’t avoid it you need to put compensating controls in place to monitor their activity.
IT users provisioned with access to sensitive business applications
As noted above, some IT users, such as system administrators, developers or support staff, do need wide-ranging access. For example they need to be able to manage security to applications and operations – but they shouldn’t need access to business transactional applications.
If support staff need access for trouble-shooting, it is possible to set up Firecall or Firefighter IDs, which can be used for a specific period of time before the password expires or the account is disabled. Transactions carried out during that period can be logged and signed off for monitoring purposes.
End users provisioned with access to IT applications
Some business users may need wide-ranging access to business applications, but they shouldn’t have access to system configuration options or IT applications, especially security and the ability to assign themselves different roles.
In some organizations (particularly smaller ones with fewer staff), controllers or high-level business executives may be granted access to manage security or participate in change management. In some circumstances this may be unavoidable, but it does introduce risk which needs to be mitigated with compensating controls.
Generic User IDs
For full accountability during your audit, discourage the use of shared accounts or generic user IDs, as you won’t be able to prove exactly who did what.
You need well-defined procedures to cover the entire user lifecycle and you should keep an audit trail of all activity.
This includes adding new users; modifying existing users (i.e. granting new access and removing redundant access when responsibilities change); disabling users when they are no longer active and terminating users (i.e. removing them permanently from the live system when appropriate).
User Provisioning processes should include controls to ensure that appropriate personnel request, approve and assign the access, and these tasks should be segregated to make sure that one person can’t complete the whole process.
During the audit, be prepared to produce evidence of your user administration controls. Your auditor may come to you with a sample selection of tickets and ask to see who requested, approved and assigned the access, so if you use an external ticketing system, it will help if you log ticket numbers within your ERP system.
You also need to beware of risk when granting additional access to existing users. The new access may not be risky in its own right, but in combination with access that the user already has, it might create SoD issues, particularly in a Multiple Roles environment. Your policies should include proactive controls to avoid creating SoD conflicts when new access is granted.
Periodic Access Review:
You should have a process in place to recertify access regularly, often known as a Periodic Access Review.
This process ensures that appropriate business managers review and verify their users’ access privileges and identify any changes that are needed, such as removing redundant access when responsibilities have changed.
Although it can be a tedious and cumbersome process, the review helps you to resolve risks associated with inappropriate access and, if well documented, to demonstrate SOX compliance, where relevant. It is well worth investing in a specialized tool which streamlines the process, provides meaningful information for business managers to review, and automatically logs all review activity.
As well as verifying that their users’ roles are appropriate for their jobs, managers should also check that the access granted within the roles is appropriate for the job function.
The review process can also provide a useful means of checking system integrity to help you keep your system clean and identify any gaps before the auditor finds them; e.g:
- Users with no roles
- Roles with no security records
- Enabled users with expired roles.
System configuration access:
Access to system configuration options and constants is particularly sensitive as this data affects the way that your system works.
You need controls to restrict access to the applications which allow users to set up or modify system configuration options and auditors may check who has access to these functions.
Any changes should be subject to change management procedures, with documented and segregated requests and authorization.
You should also monitor for changes to key configuration data and maintain a full audit trail of who changed what and when, with before and after values.
In the next blog, we will discuss Segregation of Duties controls and the important part they play in preventing fraud and error.
The organizational importance of IT continues to grow each year, and the importance of change management in IT systems continues to grow along with it. There is a substantial body of evidence that change management contributes critically to the implementation of efficient, effective and secure IT operations. Because every change in an IT system creates a potential consequence to the company’s operations, executives must understand how to impose, enforce, monitor and improve change management thoroughly. Research from the IT Process Institute has shown that organizations that manage their technology well perform substantially better than organizations that don’t.
Simply stated, all IT changes need to be authorized and tested, and unauthorized or untested changes need to be prohibited (i.e., changes to a company’s IT infrastructure are a significant source of risk for every business). To protect the corporate crown jewels, robust change management practices are critical. The need for a positive control environment within IT and an unforgiving attitude regarding unauthorized IT changes cannot be overstated.
Strong change management means planned system implementations, proven (read: tested) solutions, scheduled upgrade windows where recovery is facilitated if needed and much more. To manage technology changes well, a change management program needs to be formally introduced to the organization.
Implementing a change management program means assigning responsibility for the various change activities involved in implementing new technology solutions.
AUDITING TECHNOLOGY CHANGE PROCESSES
An audit of change management should review IT results to identify key improvement opportunities. Auditors need to perform the following tasks during change management program audits:
- Understand the change management processes and procedures.
- Identify and assess key controls within the change management processes that ensure that all changes are properly authorized and tested prior to implementation.
- Determine the quality of the information generated by the change management program and assess whether it is enough to manage the change management process.
- Assess change management performance metrics for their existence, effectiveness, monitoring activities and responses to any program deviations.
- Evaluate whether risk management controls are preventive, detective or corrective and if a good balance has been implemented.
- Define tests to confirm the operational effectiveness of change management activities, including management and staff interviews, documentation and report reviews, and data analyses.
- Recommend opportunities for the improvement of change management activities.
INDICATORS OF POOR CHANGE MANAGEMENT
Unauthorized changes: Anything above zero is unacceptable. Establishing a tone at the top that clearly communicates the company’s intolerance of unauthorized changes is fundamental to the long-term success of change management programs.
Unplanned outages: System outages should be scheduled (planned) to reduce their impact on the organization’s operations. Predetermined “change windows” are where production systems should be updated. Unplanned outages are caused by system problems and encourage a reactionary environment (that is, firefighting), which is not how you stay on top of internal control systems.
Low change success rate: Good change management involves good testing. If changes must be “backed out,” it is an indicator of poor testing that failed to catch problems in the early stages.
High number of emergency changes: Again, emergencies should be emergencies and happen infrequently. Poor planning of changes results in a high number of emergencies.
Delayed project implementations: Delays in project implementation are a sign of unrealistic plans or poor resourcing decisions. Good change management practices encourage good planning and more achievable plans over time, resulting in fewer delays and cancellations of implementations.
An audit of change management should review the above risk indicators as a good measure of the likelihood that controls are or are not effective. Auditing IT processes can be very productive. Good business results happen due to the quality of the processes used to produce them. Reviewing the policies and procedures and related processes that have been implemented will help determine if your IT investments will be productive and worthwhile. Also, discussing with IT management how they do their jobs—their IT change efforts—will be extremely productive and help answer the fundamental question: Are changes being implemented in a controlled or haphazard manner?
When I look at the work some managers have done to test (that is, prove) that a change is working, I want to see four fundamental testing techniques: functional testing, stress testing, logical testing and path testing. It has been my experience that if the above system testing isn’t done, verified and approved by some independent validation unit (quality control, internal audit, outside consultants, etc.), then we have a problem with way too many implementations.
Finally, a robust “release management” process, in addition to strong change management practices, should be the goal. Rigorous practices for building, testing and issuing IT changes have a broad impact on individual IT results and overall performance of an organization. Therefore, while implementing a comprehensive change management program is important, establishing a strong release management process is vital.