control, and governance
A Holistic Approach to Access Reviews
IT auditors are increasingly challenged to better assist their organization in managing risk.
Chong Ee, CGEIT
Director of Compliance and Accounting Process
In uncertain economic times, internal audit has come under tremendous pressure to do more with less. Arguably, nowhere is this felt more intensely than in the world of IT audits where technology changes continue unabated and new risks emerge, and IT auditors are increasingly challenged to better assist their organizations in managing risk. Doing so requires revisiting IT auditing basics with an eye towards seeing the forest for the trees so that weaknesses and gaps are appropriately diagnosed, prioritized, and remedied. Access reviews provide opportunities for IT auditors to dig deep and look beyond easy assumptions to provide tangible value to their organizations.
Access reviews have become synonymous with IT audits. Whether performed as part of an application, operating system, network, or database review, an audit of user access rights has traditionally been useful in surfacing areas where access security may be compromised. Rather than contend with a laundry list of access findings, a holistic approach calls for IT auditors to go a step further to piece individual findings together to form the big picture. One way is to plot user access along two axes:
“Varying Access Across Applications” (below) depicts varying user access, most of which centers around read-to-write access for one to several applications in the lower left quadrant. There are a few outliers, such as superuser access for one application in the upper left quadrant, as well as read-to-write access for multiple applications in the lower right quadrant. The upper right quadrant shows no users with superuser access in multiple applications. In terms of risk, the upper right quadrant requires the most scrutiny.
The next step is to overlay the segregation of duties and any associated compensating controls. ”Varying Roles in Procure-to-pay Process” (below) identifies different user groups: procurement with access to a procurement Web application; accounts payable with access to the procurement Web application and a corporate enterprise resource planning (ERP) application; management with read access to both applications, presumably as a way to monitor key changes; and administrators with administrative access to either application. Other areas to consider include the type of interface between the procurement and ERP applications and whether the applications are third-party developed, off-the-shelf, or developed in-house.
In reviewing susceptibility to fraud, ”Varying Roles in Procure-to-pay Process” shows that no single group of users has end-to-end access in the procure-to-pay process. There is little opportunity where a single business user can initiate a requisition, create a purchase order, process an invoice, and record accounts payable. Likewise, administrators have superuser access to either but not both the Web-based procurement application and corporate ERP application. This picture changes in ”Impact of Change on Existing Roles” (below) when an administrator leaves.
In this scenario, the likelihood of fraud increases as the remaining administrator has the ability to initiate, process, and complete a payable transaction end-to-end across procurement and ERP applications. However, management does have read access to both applications. In bringing this finding to management’s attention, the IT auditor may recommend piggybacking on existing compensating controls such as adding key administrator activities to management’s periodic review. Like a jigsaw puzzle, the visual mapping of user access is useful not only in capturing the “as-is” current state, but also in assessing the impact should any interlocking piece change. This same visual mapping can be applied to a single application, but this time having the horizontal axis represent various levels — application, operating system, and database.
”Varying Administrator Access Across Systems” (below) depicts a scenario where the same administrator has both application and database levels of superuser access for a single ERP application. Here, the effectiveness of management reviews of application audit trails is diluted as the same application administrator has the ability to perform changes on the back end. In understanding the overall risks, the IT auditor may wish to investigate the nature of database administrator activities. Are they routine maintenance tasks such as backup, or do they include changes to transaction or master data in tables? Does the database administrator use a generic powerful system administrator login or an individual login name? Can database administrator activity logs be written to a separate write-once location for periodic reviews? These are some questions that can help the IT auditor peel back the layers to help management better address and manage risk.
By focusing on interdependencies, a holistic audit approach is instrumental in identifying any significant breaks in security whenever people, processes, or systems change. Rather than list a litany of individual textbook flaws resulting from a less than idealized segregation of duties, a holistic approach in access reviews requires IT auditors to work harder to understand the true nature of user access mapped against an internal landscape of varying applications, operating systems, and databases. In an economic climate of scarce resources, an emphasis on vulnerabilities with pervasive impact can go a long way in establishing targeted controls that mitigate associated risks.
To comment on this article, e-mail the author at firstname.lastname@example.org.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.