Relying solely on SAP Access Control is like having a heavy...
ERP Audit: Access Management Risks and Controls
As part of the ERP audit process, your auditors will test the general controls in your ERP system. The objectives of General Computing Controls (GCC), also known as IT General Controls (ITGC) are to ensure:
- the proper development and implementation of applications
- the integrity of program and data files
- the integrity of computer operations.
Access Management Risks and Controls
One of the biggest risks to the integrity of ERP systems is that users may be granted inappropriate access, which can lead to unauthorized activities. Whether they are innocent mistakes or fraudulent acts, they can seriously disrupt your operations and incur financial loss. They will also affect the accuracy of your financial statements, so auditors will certainly test your access controls.
Best practice is to only grant users access to the applications that they need to carry out their jobs (often referred to as ‘least privilege’ or ‘need to know’). The most efficient way to achieve this is to implement and enforce Role-Based Access Control with a well-designed security model.
Access management risks and controls, as part of your erp audit reporting, include:
Improper Role Design or Provisioning
Roles should be aligned with business processes rather than specific users or jobs, as this will make it easier to ensure that appropriate access is granted to all users. Poorly designed roles may lead to access issues such as too much or too little access being granted. It will also make it more difficult to manage and report on Segregation of Duties (SoD).
Auditors may randomly test the access granted to users. For example, our consultant auditor has seen situations where users had been assigned ‘Inquiry’ roles. But when he looked closer, it turned out that the so-called Inquiry roles, whether by error or design, actually gave users Add, Change and Delete capabilities! Remember that auditors don’t take things at face value and they will check the details.
Privileged Access
Privileged users (super users, power users) are particularly risky. Some users, such as IT administrators or CNCs, may have full access to everything. At some organizations, the same person will also be the database administrator and operating system administrator, which increases the level of risk even further. In that scenario, the CNC has the ability to lock anyone or everyone out of the system and effectively hold the company to ransom.
You need policies and procedures documenting how you manage privileged access and you need to monitor those users very closely.
In general it is good practice to avoid granting anyone full access to everything, but if you can’t avoid it you need to put compensating controls in place to monitor their activity.
IT Users Provisioned with Access to Sensitive Business Applications
As noted above, some IT users, such as system administrators, developers or support staff, do need wide-ranging access. For example they need to be able to manage security to applications and operations – but they shouldn’t need access to business transactional applications.
If support staff need access for trouble-shooting, it is possible to set up Firecall or Firefighter IDs, which can be used for a specific period of time before the password expires or the account is disabled. Transactions carried out during that period can be logged and signed off for monitoring purposes.
End Users Provisioned with Access to IT applications
Some business users may need wide-ranging access to business applications, but they shouldn’t have access to system configuration options or IT applications, especially security and the ability to assign themselves different roles.
In some organizations (particularly smaller ones with fewer staff), controllers or high-level business executives may be granted access to manage security or participate in change management. In some circumstances this may be unavoidable, but it does introduce risk which needs to be mitigated with compensating controls.
Generic User IDs
For full accountability during your ERP audit, discourage the use of shared accounts or generic user IDs, as you won’t be able to prove exactly who did what.
User Administration
You need well-defined procedures to cover the entire user lifecycle and you should keep an audit trail of all activity.
This includes adding new users; modifying existing users (i.e. granting new access and removing redundant access when responsibilities change); disabling users when they are no longer active and terminating users (i.e. removing them permanently from the live system when appropriate).
User Provisioning processes should include controls to ensure that appropriate personnel request, approve and assign the access, and these tasks should be segregated to make sure that one person can’t complete the whole process.
During the ERP audit, be prepared to produce evidence of your user administration controls. Your auditor may come to you with a sample selection of tickets and ask to see who requested, approved and assigned the access, so if you use an external ticketing system, it will help if you log ticket numbers within your ERP system.
You also need to beware of risk when granting additional access to existing users. The new access may not be risky in its own right, but in combination with access that the user already has, it might create SoD issues, particularly in a Multiple Roles environment. Your policies should include proactive controls to avoid creating SoD conflicts when new access is granted.
Periodic Access Review
You should have a process in place to recertify access regularly, often known as a Periodic Access Review.
This process ensures that appropriate business managers review and verify their users’ access privileges and identify any changes that are needed, such as removing redundant access when responsibilities have changed.
Although it can be a tedious and cumbersome process, the review helps you to resolve risks associated with inappropriate access and, if well documented, to demonstrate SOX compliance, where relevant. It is well worth investing in a specialized tool which streamlines the process, provides meaningful information for business managers to review, and automatically logs all review activity.
As well as verifying that their users’ roles are appropriate for their jobs, managers should also check that the access granted within the roles is appropriate for the job function.
The review process can also provide a useful means of checking system integrity to help you keep your system clean and identify any gaps before the auditor finds them; e.g:
- Users with no roles
- Roles with no security records
- Enabled users with expired roles.
System Configuration Access
Access to system configuration options and constants is particularly sensitive as this data affects the way that your system works.
You need controls to restrict access to the applications which allow users to set up or modify system configuration options and auditors may check who has access to these functions.
Any changes should be subject to change management procedures, with documented and segregated requests and authorization.
You should also monitor for changes to key configuration data and maintain a full audit trail of who changed what and when, with before and after values.
Managing and controlling access is key to any successful ERP audit, regardless of the application. Pathlock offers a host of modules that enable you to not just control access at the log in stage but also at the page, field and transaction level. Learn how we can help you become audit ready with automated risk analysis, access reviews, and audit reporting.
In the next blog, we will discuss Segregation of Duties controls and the important part they play in preventing fraud and error.