Financial Statement Audits – IT Lessons Learned | Part III: Access, Passwords, Configuration, and Change Management

IT lessons
Share Button

In today’s world, it is imperative that confidential information does not end up in the wrong hands. Only authorized users should be able to view and change information. Strong passwords are an essential component of effectively restricting access to deter compromise attempts from internal and external actors. Considering the confidential nature of financial data and related information, adequate controls are needed for access including passwords, and changes to the financial system including hardware, software and the supporting database. After a productive audit season in the field, Aronson has compiled a list of tips to help companies create a roadmap to a stronger control environment.

Develop Identity and Access Management (IAM) policy and procedures. These documents provide guidance on how access is provisioned, maintained, and disabled/deleted for the financial system. The process should establish the appropriate request forms, approvals, access permissions granted on the principle of least privilege, and demonstrate the timeliness of activities through the access management lifecycle. Without the required governance, access may be unauthorized or excessive. The scope should include standard end user and privileged access across all layers of technology to include network, server, database, remote, and administrator access. Third-party users should be accounted for as well.

Conduct periodic reviews of access (also known as recertification). The recertification procedures clearly describe how the periodic review of users with access to the financial system is conducted and documented. Maintain documentation in a manner that clearly proves the procedures were followed from start to finish. Without recertification, users may retain access that is no longer appropriate for their job role and duties.

Establish and enforce password policies. Password policies establish password composition requirements and expiration frequency. Ensure that the relevant financial systems have password settings that are configured to comply with policy requirements. In some cases, there may be a primary financial system with other related systems involved in financial reporting. All relevant systems should reflect the policy requirements and best practices. Without these policies, passwords may lack the strength and complexity needed to deter compromise attempts.

Develop Configuration and Change Management (CM) policies and procedures. Financial systems should have standard CM processes in place. These processes should ensure change requests to systems, servers, and databases are documented, approved, tested, and deployed appropriately.  Ideally, changes should be tested in a test environment prior to migration to the production environment. Without appropriate governance, unauthorized changes can be implemented in the production system, which adversely impacts the integrity of the financial system(s) and the financial reporting process.

For more information and questions, please contact Natasha Barnes at or Payal Vadhani at

Read Part I: Strategy & IT Governance and Part II: Risk Management in our series.

About Natasha Barnes

Natasha Barnes has written 4 post in this blog.

Natasha Barnes is an IT risk and compliance professional with a focus on IT audit readiness and remediation. She has led large scale remediation efforts for federal clients responding to IT findings from Financial Statement Audits. On these engagements, Natasha became well known for her diplomatic efforts in facilitating discussions with stakeholders across IT and Financial departments. She established an understanding of complex technical issues with these functional team members and helped them to collaboratively execute remediation plans. She has also been involved with establishing and facilitating continuous monitoring programs, which contributed to the closure and severity reduction of several IT findings. In addition, Natasha has experience with security risk analysis, disaster planning, and project management. She holds Certified Associate in Project Management (CAPM) and Certified Information Systems Auditor (CISA) credentials. Natasha has led teams in executing Office of Management and Budget (OMB) A-123 compliance assessments and she has contributed to a Statement on Standards for Attestation Engagements (SSAE-16) engagement. She also led a third party system audit readiness assessment based on National Institute of Standards and Technology (NIST) 800-53 in anticipation of upcoming audit scrutiny. Natasha has developed and instructed trainings for her clients and colleagues on subjects related to Financial Statement Audit IT protocol, Federal Information Security Management Act (FISMA), Federal Information System Controls Audit Manual (FISCAM), NIST, and OMB A-123.

Comments are closed.

View Archives

Blog Authors

Latest Webinar Videos