In today’s world, it is imperative that confidential information does not end up in the wrong hands. Only authorized users should be able to view and change information. Strong passwords are an essential component of effectively restricting access and deterring compromise attempts from internal and external actors. Given the confidential nature of financial data and related information, adequate controls are needed over both access (including passwords) and changes to the financial system, including its hardware, software and supporting database. After a productive audit season in the field, Aronson has compiled a list of tips to help companies create a roadmap to a stronger control environment.
Develop Identity and Access Management (IAM) policy and procedures. These documents provide guidance on how access to the financial system is provisioned, maintained, and disabled or deleted. The process should establish the appropriate request forms and approvals, grant access permissions on the principle of least privilege, and demonstrate that each step of the access management lifecycle is completed in a timely manner. Without this governance, access may be unauthorized or excessive. The scope should include standard end-user and privileged access across all layers of technology, including network, server, database, remote, and administrator access. Third-party users should be accounted for as well.
Conduct periodic reviews of access (also known as recertification). Recertification procedures should clearly describe how the periodic review of users with access to the financial system is conducted and documented. Maintain documentation in a manner that clearly proves the procedures were followed from start to finish. Without recertification, users may retain access that is no longer appropriate for their job role and duties.
Establish and enforce password policies. Password policies establish password composition requirements and expiration frequency. Ensure that the relevant financial systems have password settings that are configured to comply with policy requirements. In some cases, there may be a primary financial system with other related systems involved in financial reporting. All relevant systems should reflect the policy requirements and best practices. Without these policies, passwords may lack the strength and complexity needed to deter compromise attempts.
Develop Configuration and Change Management (CM) policies and procedures. Financial systems should have standard CM processes in place. These processes should ensure change requests to systems, servers, and databases are documented, approved, tested, and deployed appropriately. Ideally, changes should be tested in a test environment prior to migration to the production environment. Without appropriate governance, unauthorized changes can be implemented in the production system, which adversely impacts the integrity of the financial system(s) and the financial reporting process.