UNCW MSA 516 - What Every IT Auditor Should Know About Access Controls
What Every IT Auditor Should Know About Access Controls
By Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
Volume 4, 2008

Contents:
Authorization vs. Authentication
Measuring the Level of Risk
Measuring the Strength of Controls
Test of Controls
Conclusion
Endnotes

One of the more pervasive concerns of IT audits, whether associated with financial audits or not, is the risk associated with IT general controls, such as access control. The increased usage of databases, the growth of access points on networks (especially remote connectivity) and wireless technologies have dramatically increased the risk associated with networks and access control. Once a person has gained access to a system, that person could potentially access data, financial reporting data, applications (e.g., journal entry software) and other high-risk functions. While each entity must be analyzed according to its individual characteristics, virtually all entities subject to audits have some risk associated with access control.

The most basic principle in assessing the sufficiency of access control is to verify the alignment of the level of protection (sophistication) of access controls with the level of risk; that is, the more risk, the stronger the controls should be. It is becoming increasingly necessary to test more IT controls due to Sarbanes-Oxley requirements, the American Institute of Certified Public Accountants (AICPA)'s Risk Suite requirements and increased reliance on IT controls. This article demonstrates one methodology to assess the appropriateness of access controls: assess the risk, evaluate the controls, and test the access controls.

Authorization vs. Authentication

The first area of understanding regarding access controls is the difference between authorization controls and authentication controls.

Authorization controls basically provide the functionality to verify that a certain combination of ID and password has been granted authorization to access the network. Hopefully, that ID/password also has been granted access to a limited number of files, applications or data, with appropriate access rights (read/write permission), via some network technology. Authorization is the cornerstone of access controls, and absolutely necessary, but it should not be the only access control, except in the most basic of systems and circumstances (e.g., small companies, simple systems or low-risk situations). The key to the authorization aspect of access control is whether or not the entity employs best practices for password policy.

Authentication is the second aspect, and the more powerful one in terms of mitigating risk. Authentication verifies that the login (ID/password) belongs to the person who is attempting to gain the access, i.e., that users are who they say they are. Some examples include swipe cards, smart cards, USB devices, temporary PINs, specific and private information, and biometrics. There are various ways to implement a control with this objective, but there are times (e.g., higher risk) when the IT auditor would want to verify that some control for authentication exists.

Measuring the Level of Risk

Most of the auditing profession today, regardless of the type of audit, uses a risk-based or top-down approach to the audit. The IT auditor will want to assess the level of risk associated with access controls, and the IT auditor working on a financial audit will probably limit the evaluation to risks of material misstatement, financial reporting and financial data associated with unauthorized access. That level of risk is escalated by a variety of circumstances.

One of the issues is the size of the system(s) under review. Size is measured by the sheer number of workstations, servers and network components. Typically, smaller systems are found in smaller entities. Smaller entities have fewer resources for segregation of duties and IT staff. Usually this inherent constraint has a negative impact on the strength of the system of internal controls, especially automated or IT-dependent controls. Therefore, the smaller the size, the more likely the IT auditor would assess access control risk at a higher level. That is not to say that large, complex systems, such as enterprise resource planning (ERP), do not have inherent risks as well—some most certainly do. But the risk associated with large ERP systems is more a function of complexity than size (number of users).

Complexity, or sophistication, of the systems under review is correlated to risk—the more complex, the more risk, generally speaking. If all of the systems are on the same platform, the risk is lower than if there are multiple systems, especially those affecting financial reporting and data, on different platforms. For instance, in frauds of the past, it is a common factor that fraudsters who have the authority will deliberately use different systems for different aspects of the accounting functions and financial reporting, including pulling data off the various systems into a spreadsheet and producing financial reports from offline spreadsheets in a smoke-filled back room. Thus, generally speaking, the more systems in use, and the more disparate the platforms being used, the greater the risk assessed by the IT auditor. Access control across disparate systems is usually difficult to administer.

If the entity has access to the source code, modifies code or generates code, then the access control risk is probably higher. Any time people can affect the code being generated, there is a relatively high risk of error (which can be mitigated), and usually a moderate risk of fraudulent or malicious code. Therefore, if an entity has its own in-house programmers, the risk is generally higher than for one that uses strictly commercial off-the-shelf (COTS) software. Access controls can be thwarted by malicious code.

Other issues relate to specific types of technologies or system architectures that inherently have higher risks. Some of them include wireless technologies, access to the Internet (i.e., the number of access points), shared files and databases, remote access, outsourcing of critical applications or system functions, and changes to infrastructure. These technologies or situations generally complicate the ability of the entity to adequately manage access control.

The outcome of this evaluation process is some level of risk associated with
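The article's core rule is that the strength of access controls must be aligned with the assessed level of risk, with authorization (ID/password policy) alone acceptable only in low-risk circumstances and an authentication control expected as risk rises. The following Python is an added example, not part of the article: it encodes the risk-escalating circumstances the article lists, scores an entity, and flags the gap between the controls the risk level demands and the controls the entity has. The factor weights, the score thresholds and the control names are assumptions chosen for illustration.

```python
"""Risk-to-control alignment check for access controls (added example).

Weights and thresholds below are assumptions, not figures from the article.
"""
from dataclasses import dataclass, field

# Circumstances the article names as escalating access-control risk (assumed weights).
RISK_FACTORS = {
    "small_entity": 2,           # few resources for segregation of duties / IT staff
    "disparate_platforms": 2,    # multiple systems and platforms affecting reporting
    "in_house_code": 2,          # entity writes, modifies or generates code
    "wireless": 1,
    "internet_access_points": 1,
    "shared_files_or_db": 1,
    "remote_access": 1,
    "outsourced_critical_apps": 1,
    "infrastructure_changes": 1,
}

# Authentication mechanisms the article gives as examples (assumed identifiers).
AUTHENTICATION_CONTROLS = {"swipe_card", "smart_card", "usb_token",
                           "temporary_pin", "private_info", "biometrics"}

@dataclass
class Entity:
    name: str
    factors: set = field(default_factory=set)   # subset of RISK_FACTORS keys
    controls: set = field(default_factory=set)  # "password_policy" and/or auth controls

def risk_score(entity):
    unknown = entity.factors - set(RISK_FACTORS)
    if unknown:
        raise ValueError(f"unknown risk factor(s): {sorted(unknown)}")
    return sum(RISK_FACTORS[f] for f in entity.factors)

def risk_level(score):
    # Assumed thresholds mapping the score to the auditor's assessed level.
    return "low" if score <= 2 else "moderate" if score <= 5 else "high"

def required_controls(level):
    # Authorization is always necessary; authentication is expected above low risk.
    return {"password_policy"} if level == "low" else {"password_policy", "authentication"}

def assess(entity):
    """Return the assessed level and any control gap versus what that level demands."""
    level = risk_level(risk_score(entity))
    present = {"password_policy"} & entity.controls
    if entity.controls & AUTHENTICATION_CONTROLS:
        present.add("authentication")
    gaps = required_controls(level) - present
    return {"level": level, "gaps": sorted(gaps), "aligned": not gaps}
```

For an entity with few staff, in-house programmers and remote access but only a password policy, `assess` reports a moderate risk level with an "authentication" gap; the same entity with a smart-card control is reported as aligned.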