The inability to track user access across a company's business systems can result in compliance violations at a minimum, and in elevated risk of fraud. Learn more about system security, access rights, and unintended violations by employees.
Published by Fastpath
How Safe is Your Company from Risk?
We are not talking about outside threats from cybercriminals or employees being fooled by phishing scams, but rather, from actions by your own employees.
Companies are using multiple business systems to help them with their operations, including Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Human Capital Management (HCM), Warehouse Management Systems (WMS), and more – some of which run in the cloud, others on premises – but all interconnected and sharing sensitive company information with the other business systems.
Whether your company is public and gets audited, or private and does not, you want to be able to answer these basic questions:
- Can you identify the access privileges every employee has into each of these systems?
- Do any of these individuals have access to multiple systems?
- What level of access do they possess in each system?
- Do you know if there is a Segregation of Duties conflict with any of these employees?
- Do you know if there are any legal or regulatory violations, such as Sarbanes-Oxley?
Even though most business systems provide security and configuration options, very few companies have a central group dedicated to monitoring and administrating the access roles, rights, and privileges for all of them—“global” monitoring, if you will—and even fewer do so with a unified view of user access rights across the various business systems.
The inability to track user access across the spectrum of your company’s business systems can result in compliance violations, fines, loss of data, fraud, and loss of funds.
One obvious example is a Segregation of Duties (SoD) violation, where one person can enter a new vendor in the system and also have the ability to pay that vendor for a fictitious invoice.
While these malicious acts do occur in business, most risk and compliance issues are the unintentional result of a lack of global oversight across the business systems.
Some examples of unintentional compliance violations include:
- A company acquires another company, and with it their ERP system. Several members of the Finance and IT teams need access rights in the acquired ERP system, in addition to the access they currently have in the parent company’s ERP. The company does not have a standard process in place that ensures these employees will be granted the same privileges into both systems. This can potentially lead to a compliance or SoD violation.
- An employee in Finance is granted the authority to issue payments. The employee is promoted into another department that has nothing to do with his or her prior job in Finance. If the company fails to revoke this employee’s privileges in the ERP system, there will always be the potential that this person can still issue company checks.
- A programmer is testing a new customization for the ERP system. As part of the test, the programmer uses breakpoints to view the state of the variables and make changes if necessary. After the testing is completed, the code is moved into production without removing the programmer's ability to stop the running application and change system variables. Perhaps without even knowing it, the programmer can now use this code to access sensitive company data and even falsify records, putting the company at tremendous risk.
- The company’s ERP system is printing invoices incorrectly. It’s a simple fix, but the person who usually handles it is on vacation. Another employee can fix it but lacks the access rights to make the change. The administrator grants emergency access to that employee, and the problem is fixed. However, that employee’s access is never changed back, because there was never a record that the access was granted in the first place, and there was no subsequent review of everyone’s access privileges.
In each of these examples (and there are many more), there was no malicious intent. Yet, in each situation, the company was put at risk. Ultimately, intent is not the issue; the issue is that the violations existed in the first place.
The Need for Cross Application Controls
Companies must be able to balance the need to give an employee the access rights they require to perform their job against the need to ensure they comply with security-related rules and regulations. This starts with a central source of controls to enforce access roles and security rights for users across all business systems, including:
- Operational controls over business processes, application configurations and parameters, user access, SoD, and analytics
- Application security controls for authentication, user roles and privilege definitions, user management, and data security
- Governance and risk management to ensure audit compliance and reporting
A central source of access controls across all systems companywide makes it easy for the organization to quickly identify where access violations exist, take steps to mitigate the problems, and provide audit reports to help manage potential access control issues in the future.
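The cross-application check described above, as an added example that is not Fastpath's code: each system's roles are mapped onto a common capability vocabulary, an SoD rule set is evaluated over every user's combined capabilities (so the create-vendor / pay-vendor conflict from earlier is caught even when the two rights live in different ERPs), and time-boxed emergency grants that were never revoked are reported. System names, roles, users and dates are constructed sample data.

```python
from collections import defaultdict

# Constructed mapping: which capability each (system, role) grants.
# Roles differ per system; capabilities are the shared vocabulary the SoD rules use.
ROLE_CAPABILITIES = {
    ("erp_parent", "AP_Clerk"): {"create_vendor"},
    ("erp_parent", "Treasury"): {"issue_payment"},
    ("erp_acquired", "Payables"): {"create_vendor", "approve_payment"},
    ("crm", "Sales"): {"edit_customer"},
}

# SoD rule set: capability pairs one person must never hold together,
# regardless of which system grants each half.
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("create_vendor", "issue_payment"),
]

# Constructed entitlement records: (user, system, role, expiry as ISO date or None).
ENTITLEMENTS = [
    ("alice", "erp_parent", "AP_Clerk", None),
    ("alice", "erp_acquired", "Payables", None),      # conflict spans two ERPs
    ("bob", "erp_parent", "Treasury", None),
    ("bob", "crm", "Sales", None),
    ("carol", "erp_parent", "AP_Clerk", "2023-01-31"),  # emergency grant never revoked
]


def capabilities_by_user(entitlements):
    """Collapse per-system roles into {user: {(system, capability), ...}}."""
    caps = defaultdict(set)
    for user, system, role, _expires in entitlements:
        for cap in ROLE_CAPABILITIES.get((system, role), ()):
            caps[user].add((system, cap))
    return caps


def find_sod_conflicts(entitlements):
    """Return (user, cap_a, cap_b, systems) for every rule a user violates."""
    conflicts = []
    for user, held in sorted(capabilities_by_user(entitlements).items()):
        names = {cap for _, cap in held}
        for a, b in SOD_RULES:
            if a in names and b in names:
                systems = sorted({s for s, cap in held if cap in (a, b)})
                conflicts.append((user, a, b, systems))
    return conflicts


def find_expired_grants(entitlements, as_of):
    """Grants whose expiry (ISO date string) has passed but are still present."""
    return [(u, s, r) for u, s, r, exp in entitlements if exp and exp < as_of]
```

Running the two checks over the sample data flags alice's cross-system conflict and carol's stale emergency access, which is the "global" view the text says most companies lack.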
Ultimately, controls are important for all companies, public or private, big or small, regardless of industry. You can learn more about how to keep your company safe with our series of educational on-demand webinars, which can be found at GRCDays.com.
About Fastpath, Inc.
Founded in 2004, Fastpath is a Gold Certified Microsoft Partner with deep expertise in audit, security, and compliance, with multiple Certified Internal Auditors and Certified Information Systems Auditors on the team. Fastpath Assure® is a cloud-based audit platform that can track, review, approve and mitigate access risks across multiple systems from a single dashboard. The platform comes with a pre-configured segregation of duties rule set specific to each business system and works across a variety of ERP/CRM/HRM and other systems, including Microsoft Dynamics, NetSuite, SAP, Oracle EBS, Oracle Cloud, Sage Intacct, Salesforce, JD Edwards, PeopleSoft, FinancialForce, Zendesk, Jira, Workiva, Workday, Coupa, ServiceNow, Acumatica, as well as custom applications. With over 1,100 customers in over 30 countries, Fastpath supports small to enterprise-sized organizations and their risk management efforts.