Some of the key requirements for successfully managing information technology (IT) user access are outlined in this article.
Does Milton still have access to your accounting system?
Many of us remember Milton Waddams as the guy with the red Swingline stapler in the 1999 film Office Space. Over Milton’s career at Initech, he was moved from desk to desk until his final stop, a cozy cubicle in the basement. When his employer hired “efficiency advisors” to review the company’s operations, it was discovered that Milton was not even an official employee: due to “a glitch in the payroll system”, he never stopped receiving paychecks after he was laid off. In the audit world, this problem corresponds to a number of scenarios in which a terminated employee still has access to any of the following: (a) financial software; (b) the student information system; (c) the banking system; or (d) VPN/remote access applications.
Some of the key requirements for successfully managing information technology (IT) user access are as follows:
- Change management policy should be established.
- Users should have the minimum privileges necessary to fulfill their roles and responsibilities.
- Requests for changes to users’ access should be formally documented and approved.
- System administrator accounts should be limited and granted only to select individuals in the IT department.
- If possible, user access should be set to expire automatically at a pre-set date (e.g., for temporary employees) or after a period of inactivity.
- Access rights should be immediately disabled when the employee is terminated.
- Access rights should be immediately modified when an employee changes position.
- Inventory of user access rights should be reviewed periodically for excess privileges or dormant accounts.
What Do You Mean by a Glitch in the Accounting System?
Consider the user access that enforces separation of duties between the payroll and human resources (HR) departments: an individual in the payroll department should not have access to create an employee or revise employee salary information. Let’s say a payroll clerk is awarded a job in the HR department. The HR department notifies IT of the change, and the new access rights are added. However, no review for excessive privileges is performed, and the ability to process payroll checks is never removed. This opens up a world of possibilities for the guy with the red Swingline stapler.
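The periodic review called for in the checklist above, applied to the payroll-to-HR scenario just described, as an added example that is not part of the original article. It reconciles a constructed HR roster against a constructed list of application accounts and reports the findings an auditor would look for: terminated employees with live accounts, orphan and dormant accounts, accounts past their expiry date, administrator roles held outside IT, roles that exceed what the holder’s department needs, and the payroll/HR separation-of-duties conflict. The role catalogue, department-to-role mapping, 90-day dormancy threshold, review date and every name and date are assumptions made for the example.

```python
"""Periodic user-access review (added example; not the article's own code).

Reconciles a constructed HR roster against constructed application accounts.
Roles, departments, thresholds and dates are all assumed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 90                 # assumed inactivity threshold for "dormant"
REVIEW_DATE = date(2024, 6, 30)   # constructed "today" so the run is deterministic

# Assumed mapping of what each department legitimately needs.
ALLOWED_ROLES = {
    "payroll": {"payroll.process_checks", "payroll.view"},
    "hr": {"hr.create_employee", "hr.edit_salary", "payroll.view"},
    "it": {"sysadmin"},
    "finance": {"gl.post_entries", "payroll.view"},
}
# Assumed separation-of-duties rule: nobody may both pay employees and
# create them or change their salary.
SOD_CONFLICTS = [
    ({"payroll.process_checks"}, {"hr.create_employee", "hr.edit_salary"}),
]


@dataclass
class Employee:
    emp_id: str
    name: str
    department: str
    terminated_on: date | None = None


@dataclass
class Account:
    username: str
    emp_id: str | None          # None: no HR record is linked to this login
    roles: set[str]
    last_login: date | None
    enabled: bool = True
    expires_on: date | None = None


# Constructed sample data (the Office Space names are used only as labels).
HR_ROSTER = [
    Employee("E001", "Peter Gibbons", "it"),
    Employee("E002", "Milton Waddams", "finance", terminated_on=date(2024, 1, 15)),
    Employee("E003", "Nina", "hr"),          # former payroll clerk, now in HR
    Employee("E004", "Bill Lumbergh", "finance"),
    Employee("E005", "Temp Worker", "payroll"),
]
ACCOUNTS = [
    Account("pgibbons", "E001", {"sysadmin"}, date(2024, 6, 28)),
    Account("mwaddams", "E002", {"gl.post_entries", "payroll.view"}, date(2024, 6, 20)),
    Account("nina", "E003", {"hr.create_employee", "hr.edit_salary",
                             "payroll.process_checks"}, date(2024, 6, 29)),
    Account("blumbergh", "E004", {"gl.post_entries", "sysadmin"}, date(2024, 2, 1)),
    Account("svc_legacy", None, {"payroll.view"}, None),
    Account("temp1", "E005", {"payroll.view"}, date(2024, 6, 1),
            expires_on=date(2024, 5, 31)),
]


def review_access(roster, accounts, today=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return a sorted list of (username, finding) tuples for enabled accounts."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                          # already disabled: out of scope
        emp = by_id.get(acct.emp_id)
        if emp is None:
            findings.append((acct.username, "orphan: no matching HR record"))
            continue
        if emp.terminated_on is not None and emp.terminated_on <= today:
            findings.append((acct.username, "terminated employee still enabled"))
        if acct.expires_on is not None and acct.expires_on < today:
            findings.append((acct.username, "past expiry date but still enabled"))
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append((acct.username, "dormant: no login within threshold"))
        if "sysadmin" in acct.roles and emp.department != "it":
            findings.append((acct.username, "admin role outside IT"))
        for role in sorted(acct.roles - ALLOWED_ROLES.get(emp.department, set())):
            findings.append((acct.username, f"excess privilege for {emp.department}: {role}"))
        for left, right in SOD_CONFLICTS:
            if acct.roles & left and acct.roles & right:
                findings.append((acct.username, "separation-of-duties conflict: payroll vs HR"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, ACCOUNTS):
        print(f"{user:12} {finding}")
```

Run on the constructed data, the review flags Milton’s still-enabled account, Nina’s leftover payroll privilege (both as excess for HR and as a separation-of-duties conflict), a dormant finance account holding an admin role, an orphan service login, and a temp account past its expiry date; the IT administrator’s own account produces no finding. Feeding it a real export from HR and from each application (financial, student information, banking, VPN) is the mechanical part; agreeing on the ALLOWED_ROLES table with each department head is where the actual review happens.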
Did You Get the Memo?
First, review all current user access rights to ensure each employee’s privileges are appropriate. Next, review compliance with the key requirements above. Lastly, review the process of communicating employment changes between the HR and IT departments. Department heads should be in the workflow to review and approve user access for all position changes in their respective departments. The communication of employment changes should be seamless, so that there are no gaps between access rights and actual job duties, and terminations should be communicated immediately. If your software does not provide the ability to create this type of workflow and/or maintain an audit trail of this activity, you may want to consider developing a separate form (e.g., a User Access Request Form) that captures the approval of the department head or other authorized employee.
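The request-and-approval workflow described above, modelled in code as an added example that is not part of the original article. A change to access rights is recorded as a request, can only be approved by the head of the department that owns the role (never by the requester or the subject), is applied only after approval, and every step is written to an append-only audit trail; a termination is applied immediately with no approval step, as the text requires. The department heads, user names, role names and the rule that the owning department’s head is the approver are assumptions for the example.

```python
"""User Access Request workflow (added example; not the article's own code).

Department heads, role names and the approver rule are assumed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed org chart: the employee who heads each department.
DEPARTMENT_HEADS = {"payroll": "bill.lumbergh", "hr": "dom.portwood", "it": "peter.gibbons"}


class WorkflowError(Exception):
    """Raised when a step violates the workflow rules."""


@dataclass
class AccessRequest:
    request_id: str
    subject: str                 # user whose access changes
    department: str              # department that owns the requested role
    action: str                  # "grant", "revoke" or "terminate"
    role: str | None
    requested_by: str
    status: str = "pending"
    approved_by: str | None = None


@dataclass
class AccessSystem:
    roles: dict[str, set[str]] = field(default_factory=dict)     # user -> roles
    disabled: set[str] = field(default_factory=set)
    audit_log: list[dict] = field(default_factory=list)         # append-only
    requests: dict[str, AccessRequest] = field(default_factory=dict)

    def _audit(self, actor: str, event: str, **details) -> None:
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "actor": actor, "event": event, **details})

    def submit(self, req: AccessRequest) -> None:
        self.requests[req.request_id] = req
        self._audit(req.requested_by, "submitted", request_id=req.request_id,
                    subject=req.subject, action=req.action, role=req.role)
        if req.action == "terminate":
            # Terminations take effect immediately: all roles go, no approval wait.
            req.status = "applied"
            self.disabled.add(req.subject)
            self.roles.pop(req.subject, None)
            self._audit(req.requested_by, "terminated", subject=req.subject)

    def approve(self, request_id: str, approver: str) -> None:
        req = self.requests[request_id]
        if req.status != "pending":
            raise WorkflowError(f"{request_id} is {req.status}, not pending")
        if approver in (req.requested_by, req.subject):
            raise WorkflowError("requester or subject cannot approve their own request")
        if DEPARTMENT_HEADS.get(req.department) != approver:
            raise WorkflowError(f"{approver} is not the head of {req.department}")
        req.status, req.approved_by = "approved", approver
        self._audit(approver, "approved", request_id=request_id)

    def apply(self, request_id: str, admin: str) -> None:
        req = self.requests[request_id]
        if req.status != "approved":
            raise WorkflowError(f"{request_id} must be approved before it is applied")
        if req.subject in self.disabled:
            raise WorkflowError(f"{req.subject} is terminated; reinstatement needs a new record")
        user_roles = self.roles.setdefault(req.subject, set())
        if req.action == "grant":
            user_roles.add(req.role)
        elif req.action == "revoke":
            user_roles.discard(req.role)
        req.status = "applied"
        self._audit(admin, "applied", request_id=request_id,
                    subject=req.subject, roles=sorted(user_roles))


def position_change_demo() -> AccessSystem:
    """Payroll clerk moves to HR: the HR grant and the payroll revoke are each
    approved by the owning department head; a termination is applied at once."""
    acl = AccessSystem(roles={"nina": {"payroll.process_checks"}})
    acl.submit(AccessRequest("R1", "nina", "hr", "grant", "hr.edit_salary", requested_by="hr.assistant"))
    acl.approve("R1", "dom.portwood")
    acl.apply("R1", "it.admin")
    acl.submit(AccessRequest("R2", "nina", "payroll", "revoke", "payroll.process_checks", requested_by="hr.assistant"))
    acl.approve("R2", "bill.lumbergh")
    acl.apply("R2", "it.admin")
    acl.submit(AccessRequest("R3", "milton", "finance", "terminate", None, requested_by="hr.assistant"))
    return acl


if __name__ == "__main__":
    for entry in position_change_demo().audit_log:
        print(entry)
```

The point of the design is that the revoke of the old payroll privilege is a first-class request in the same workflow as the new HR grant, so the position change cannot complete with the clerk still able to process checks; the audit trail then gives the reviewer in the previous example the evidence of who approved what and when.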
You Know What Would Be Great?
Finally, it would be really great if you could just review your procedures for managing IT user access. If you could also ensure all employees’ current access rights are appropriate, that would be great. You don’t want any problems leading to a fire you can’t put out.