Auditors, as part of the audit of ERP applications, examine the general controls in your ERP system. General Computing Controls (GCC), also called IT General Controls (ITGC), aim to ensure the integrity of computer operations, the correct development and implementation of applications, and the integrity of programs and data files.
Risks and Controls Associated with Access Management
One of the greatest threats to the security of ERP applications is a flawed access policy under which users are granted inappropriate access, which can lead to unauthorized activity. This can have a significant impact on data protection and could result in financial loss. Auditors will certainly test management control over the access policy.
The best practice is to allow users access only to the applications they need to do their jobs (also known as ‘least privilege’ or ‘need to know’); role-based access control with a well-designed security model can help you achieve that.
Risks and controls pertaining to access management, as part of your ERP audit reporting, include:
An Inappropriate Role Design or Provisioning
Roles should be associated with business processes rather than with individual users or jobs, as this will make it easier to ensure that all users are given requisite access. Improper role design also makes SAP Segregation of Duties (SoD) challenging to implement.
Privileged users are particularly risky. Some users, like CNCs or IT administrators, may have complete access to everything. In a situation where the same person is both the database administrator and the operating system administrator, that CNC could lock everyone else out of the system and essentially hold the business to ransom. You should have policies and procedures that document privileged access management, and you should monitor those users very closely.
End Users with Access to IT Applications
Some business users will need broad access to business applications. Still, they should not have access to system configuration options and IT applications, particularly security and the ability to assign different roles to themselves.
Using Generic User IDs
Discourage the use of shared accounts or generic user IDs; they prevent actions from being attributed to an individual and undermine transparency during the audit.
To cover the entire user lifecycle, you need well-defined procedures, and you should maintain an audit trail of all activities. The lifecycle involves creating new users, modifying existing users, and disabling and removing users who are no longer with the organization.
User provisioning procedures should have management control to ensure that the access is required, approved, and delegated by appropriate staff. Specific roles within the process should be separated so that no one person can complete the entire process.
You may be asked by the auditor to provide proof of your user administration controls during the audit. If you use an external ticketing system, logging ticket numbers within your ERP system can help.
You need to be aware of the possible risks when granting existing users additional access. Your access policy should provide proactive management control so that granting new access does not create SoD conflicts.
Periodic Access Review
You should have a mechanism in place to recertify access annually. This process is called Periodic Access Review. It ensures that responsible business managers review and validate the access rights of their users and identify any changes that might be required.
The analysis will help you overcome the risks associated with unauthorized access and, if well documented, demonstrate compliance with SOX, where necessary.
The review process may also provide a valuable way of tracking system integrity to help keep the system clean and find any loopholes that might exist.
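The two controls above, the proactive SoD check on a provisioning request and the periodic access review, as an added Python example that is not code from the article; the user IDs, role names, conflict matrix and privileged-role list are all constructed and hypothetical.

```python
from itertools import combinations

# Constructed sample data (hypothetical role names): roles each user holds.
USER_ROLES = {
    "alice": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "bob": {"AP_INVOICE_ENTRY"},
    "carol": {"VENDOR_MASTER_MAINT"},
    "SHARED_WH01": {"GOODS_RECEIPT"},          # generic/shared ID
    "dba_admin": {"SYS_CONFIG", "USER_ADMIN"},  # privileged user
}

# Constructed SoD rule set: role pairs one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
    frozenset({"VENDOR_MASTER_MAINT", "AP_PAYMENT_RELEASE"}),
    frozenset({"SYS_CONFIG", "USER_ADMIN"}),
}

# Roles whose holders the review must call out as privileged (hypothetical).
PRIVILEGED_ROLES = {"SYS_CONFIG", "USER_ADMIN"}

def sod_conflicts(roles):
    """Return the set of conflicting role pairs present in one role set."""
    return {frozenset(pair) for pair in combinations(sorted(roles), 2)
            if frozenset(pair) in SOD_CONFLICTS}

def check_grant(user_roles, user, new_role):
    """Proactive control for a provisioning request: simulate granting
    new_role and return only the SoD conflicts the grant would introduce."""
    current = user_roles.get(user, set())
    return sod_conflicts(current | {new_role}) - sod_conflicts(current)

def review_report(user_roles, privileged_roles=PRIVILEGED_ROLES,
                  generic_prefix="SHARED_"):
    """Periodic access review: per-user findings a business manager must
    confirm or revoke (generic IDs, privileged access, existing SoD conflicts)."""
    report = {}
    for user, roles in sorted(user_roles.items()):
        findings = []
        if user.startswith(generic_prefix):
            findings.append("generic/shared ID")
        privileged = roles & privileged_roles
        if privileged:
            findings.append("privileged access: " + ", ".join(sorted(privileged)))
        for pair in sorted(sod_conflicts(roles), key=sorted):
            findings.append("SoD conflict: " + " + ".join(sorted(pair)))
        report[user] = findings
    return report
```

A grant that `check_grant` flags should be held for approval rather than applied, and the `review_report` output is what a business manager signs off on during recertification.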
System Configuration Access
Access to system configuration options is highly critical, as it determines how the system operates. You need controls that limit access to the applications that allow users to set up or alter the system's configuration options.
All changes should go through the change management process and be documented appropriately. You should also track changes to crucial configuration data and keep a full audit trail of all changes.