What Every IT Auditor Should Know About Access Controls
By Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
Volume 4, 2008
One of the more pervasive concerns of IT audits, whether associated with financial audits or not, is the risk associated with IT general controls, such as access control. The increased usage of databases, the growth of access points on networks (especially remote connectivity) and wireless technologies have increased dramatically the risk associated with networks and access control. Once a person has gained access to a system, that person could potentially access data, financial reporting data, applications (e.g., journal entry software) and other high-risk functions. While each entity must be analyzed according to its individual characteristics, virtually all entities subject to audits have some risk associated with access control.
The most basic principle in assessing the sufficiency of access control is to verify the alignment of the level of protection (sophistication) of access controls with the level of risk; that is, the more risk, the stronger the controls should be. It is becoming increasingly necessary to test more IT controls due to Sarbanes-Oxley requirements, the American Institute of Certified Public Accountants (AICPA)'s Risk Suite requirements and increased reliance on IT controls. This article demonstrates one methodology to assess the appropriateness of access controls using risk assessment, evaluation of the access controls in place, and tests of those access controls.
Authorization vs. Authentication
The first area of understanding regarding access controls is the difference between authorization controls and authentication controls. Authorization controls basically provide the functionality to verify that a certain combination of ID and password has been granted authorization to access the network. Hopefully, that ID/password also has been granted access to a limited number of files, applications, or data and appropriate access rights (read/write permission) via some network technology. Authorization is the cornerstone of access controls, and absolutely necessary, but it should not be the only access control, except in the most basic of systems and circumstances (e.g., small companies, simple systems or low-risk situations). The key to the authorization aspect of access control is whether or not the entity employs best practices for password policy.
Authentication becomes the second aspect, and more powerful in terms of mitigating risk. Authentication verifies that the login (ID/password) belongs to the person who is attempting to gain the access, i.e., users are who they say they are. Some examples include swipe cards, smart cards, USB devices, temporary PINs, specific and private information, and biometrics. There are various ways to implement a control with this objective, but there are times that the IT auditor would want to verify that some control for authentication exists (e.g., higher risk).
Measuring the Level of Risk
Most of the auditing profession today, regardless of the type of audit, uses a risk-based or top-down approach to the audit. The IT auditor will want to assess the level of risk associated with access controls, and the IT auditor working on a financial audit will probably limit the evaluation to risks associated with material misstatements, financial reporting, and financial data associated with risks of unauthorized access. That level of risk is escalated by a variety of circumstances.
One of the issues is the size of the system(s) under review. Size is measured by the sheer number of workstations, servers and network components. Typically, smaller systems are found in smaller entities. Smaller entities have fewer resources for segregation of duties and IT staff. Usually this inherent constraint has a negative impact on the strength of the system of internal controls, especially automated or IT-dependent controls. Therefore, the smaller the size, the more likely the IT auditor would assess access control risk at a higher level. That is not to say that large, complex systems, such as enterprise resource planning (ERP), do not have inherent risks as well—some most certainly do. But the risk associated with large ERP systems is more a function of complexity than size (number of users).
Complexity, or sophistication, of the systems under review is correlated to risk—the more complex, the more risk, generally speaking. If all of the systems are the same platform, the risk is lower than if there are multiple systems, especially those affecting financial reporting and data, and different platforms. For instance, in frauds of the past, it is a common factor that fraudsters who have the authority will deliberately use different systems for different aspects of the accounting functions and financial reporting, including pulling data off the various systems into a spreadsheet and producing financial reports from offline spreadsheets in a smoke-filled back room. Thus, generally speaking, the more systems in use, and the more disparate platforms being used, the greater the risk assessed by the IT auditor. Access control across disparate systems is usually difficult to administer.
If the entity has access to the source code, modifies code or generates code, then the access control risk is probably higher. Anytime people can affect the code being generated, there is a relatively high risk of error (which can be mitigated), and usually a moderate risk of fraudulent or malicious code. Therefore, if an entity has its own in-house programmers, the risk is generally higher than one that uses strictly commercial off-the-shelf (COTS) software. Access controls can be thwarted by malicious code.
Other issues relate to specific types of technologies or system architectures that inherently have higher risks. Some of them include wireless technologies, access to the Internet (i.e., the number of access points), shared files and databases, remote access, outsourcing of critical applications or system functions, and changes to infrastructure. These technologies or situations generally complicate the ability of the entity to adequately manage access control.
One way to accomplish that objective is to have a second login control with a different ID and password for the more sensitive access (e.g., network access is the first level of access, but a second ID and password are required to gain access to the payroll application software). Another way to accomplish that objective is to add something other than a login, e.g., a smart card, temporary PIN or biometric fingerprint.
The common framework for multifaceted access controls is something you know (e.g., ID and password, mother's maiden name, personal facts), something you have (e.g., smart card, temporary PIN) or something you are (i.e., biometric). Obviously, these controls are listed in order of strength or design effectiveness.
Thus, a bank that is assessed with a high level of risk associated with access control, because of online banking risks, and that requires a login (ID and password) and mother's maiden name for secure login does not employ a level of effectiveness sufficient for a high level of risk associated with online banking; that is, the fit is not appropriate. That level of effectiveness is most likely low to medium at best. But the bank that requires two questions on personal information not easily obtained from Internet search engines or other sources has stronger access control, even though the bank uses only the first level of multifaceted controls.
The stronger, more effective, approach is to add a second level of access control associated with the second level of multifaceted controls (e.g., temporary PIN sent via preestablished e-mail account), or even the third level: a biometric control.
The same would be true for a high level of risk associated with remote access and/or wireless access. A temporary PIN provided via a pager device or a smart card would strengthen the access controls to more appropriately fit the level of risk. For a high level of risk, the most effective multifaceted control is a biometric. For example, using a virtual private network for remote access is an effective control for the communications during the online session. But, how does the entity know users are who they say they are? How does the entity authenticate the user?
Therefore, using multifaceted password controls is not the same as having a sufficient authentication control. Many entities will use the private information of a user (college roommate, favorite "fill in the blank," etc.) as a substitute for authentication, and it may serve adequately as authentication. Likewise, the something the user has may be a surrogate for authentication, but it could be lost or stolen. A biometric is clearly the most effective way to authenticate the user, but not the only way.
Thus, IT auditors use these steps and information to seek alignment between the level of risk and the level of effectiveness of access control in their evaluation and audit procedures.
Test of Controls
The IT auditor should be able to develop appropriate audit objectives based on the assessed level of risk, best practices and the principle of alignment. For example, does the entity sufficiently control unauthorized access of high-risk (sensitive) information, data and/or systems?
Next is the matter of how to execute, but execution is more complicated than it sounds. Often access controls and password policy are so spread out in the network system and software that there is no easy way to gather the appropriate information. However, sometimes it is possible to gather it fairly efficiently.
One way to illustrate the step of developing audit procedures is to use the access control information from risk assessments and best practices and assume the entity is using Microsoft Windows Server and Active Directory. The IT auditor can access the network server and conduct some quick and effective tests against the evaluation process and results. Using a utility tool known as DumpSec, the IT auditor can print out users and their access rights, something that is more cumbersome without DumpSec. The DumpSec tool gathers the users and permissions and creates a table of access from which the auditor can assess the effectiveness associated with such areas as "need to know," admin access and terminated employees (see numbers 4-6 in figure 1).
For this platform, the IT auditor would also want to dump permissions for shared folders. For instance, if the entity compiles data into a spreadsheet and manipulates them to generate financial reports, the folder containing those files should be restricted to a limited number of authorized employees and certainly not accessible by anyone in the entity. Sharing permissions would allow the IT auditor to evaluate quickly the effectiveness of existing access controls over those sensitive (i.e., high-risk) files.
Also associated with this platform is the ability to review password policies that were established by IT staff. That information can be compared to the best practices in figure 1 to evaluate the number of best practices being employed. That information can be accessed through the "admin" utility and "Permissions for Shares" function.
Perhaps one additional test would be to see if the IT auditor can log onto the network server using one of the default logins, such as (ID) admin and (password) blank.^1 This login is normally considered a high-risk access control because of the global access to permissions and the network. The IT auditor wants to gain some assurance that this login is strong and certainly not a default ID/password, which hackers and crackers know and use to carry out malicious activities.
The results of these tests are fairly easy to gather and evaluate and should enable the IT auditor to do a valid assessment of the effectiveness of access controls.
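The evidence the tests above gather (password policy, admin access, dormant or passwordless accounts, and share permissions on the folder holding reporting spreadsheets) can also be pulled with the ActiveDirectory and SmbShare PowerShell modules on a current Windows domain. This is an added example, not code from the article or from DumpSec; the share name, the approved group, and the thresholds it tests against are assumptions an auditor would replace with the entity's own policy.

```powershell
# Added audit-evidence script (not from the article). Assumes a domain-joined host
# with the ActiveDirectory and SmbShare modules and a read-only audit account.
Import-Module ActiveDirectory
Import-Module SmbShare

$SensitiveShare = 'FinanceReports'                # assumed share holding reporting spreadsheets
$AllowedGroups  = @('CORP\FinanceReporting')      # assumed "need to know" group (DOMAIN\Group form)
$StaleDays      = 90                              # assumed inactivity threshold for possible leavers

# 1. Password policy compared with commonly cited best practices (thresholds are assumptions)
$pol = Get-ADDefaultDomainPasswordPolicy
$policyFindings = @(
  [pscustomobject]@{ Check = 'MinPasswordLength >= 8';      Pass = ($pol.MinPasswordLength -ge 8) }
  [pscustomobject]@{ Check = 'ComplexityEnabled';           Pass = $pol.ComplexityEnabled }
  [pscustomobject]@{ Check = 'MaxPasswordAge 1..90 days';   Pass = ($pol.MaxPasswordAge.Days -ge 1 -and $pol.MaxPasswordAge.Days -le 90) }
  [pscustomobject]@{ Check = 'LockoutThreshold > 0';        Pass = ($pol.LockoutThreshold -gt 0) }
  [pscustomobject]@{ Check = 'PasswordHistoryCount >= 12';  Pass = ($pol.PasswordHistoryCount -ge 12) }
)

# 2. Admin access: every user who, directly or via nesting, holds Domain Admins rights
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
  Where-Object { $_.objectClass -eq 'user' } |
  Get-ADUser -Properties Enabled, LastLogonDate |
  Select-Object SamAccountName, Enabled, LastLogonDate

# 3. Terminated employees: enabled accounts with no logon inside the threshold
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
  Where-Object { $_.Enabled } |
  Select-Object SamAccountName, LastLogonDate

# 3b. Default/weak logins: accounts whose userAccountControl has PASSWD_NOTREQD (0x20),
#     i.e. a blank password is permitted; these should be empty on a hardened domain
$noPassword = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=32)' |
  Select-Object SamAccountName, Enabled

# 4. Need to know: Allow entries on the sensitive share granted outside the approved group
#    (catches Everyone, Authenticated Users, Domain Users, or individual accounts)
$shareFindings = Get-SmbShareAccess -Name $SensitiveShare |
  Where-Object { $_.AccessControlType -eq 'Allow' -and ($AllowedGroups -notcontains $_.AccountName) } |
  Select-Object AccountName, AccessRight

'--- Password policy ---';           $policyFindings | Format-Table -AutoSize
'--- Domain Admins (recursive) ---'; $admins         | Format-Table -AutoSize
"--- Enabled, inactive > $StaleDays days ---"; $stale | Format-Table -AutoSize
'--- Password not required ---';     $noPassword     | Format-Table -AutoSize
"--- Grants on $SensitiveShare outside approved group ---"; $shareFindings | Format-Table -AutoSize
```

Each of the five tables maps to one of the tests in the text: an empty "password not required" table and an empty share-grants table are the expected result; any row is an exception to document and follow up with the control owner.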
Conclusion
Like most of the audit procedures of today's audit world, IT audit procedures are risk-based, and IT auditors are assessing the appropriate level and scope of controls associated with the residual risks. Access control is one of the more common areas of IT audit concern. This article shows the basics of assessing the level of risk, assessing the effectiveness of controls, and verifying the level and scope of controls and their