Hi all
I am having a debate in the workplace at the moment regarding access to an organisation's finance system. I recently carried out an audit in an organisation and the Senior Finance Assistant was in charge of modifying access to the system, so they would add/delete or modify users and set permissions. I raised an observation stating the organisation should investigate the use of audit trails in the Finance system to ensure any changes to the system are logged and monitored. However, I have been asked to raise a recommendation stating that the IT department should be controlling the access, not the Finance assistant. I disagree with this as I do not believe the IT department should have any access to the organisation's financial data, never mind having full access! Due to the size of the organisation I wasn't sure who would suit best to have administrative access and felt the Finance assistant was appropriate as long as there was a way of monitoring any changes.
Has anyone any thoughts on what the process should be?
Any suggestions much appreciated
Replies
For security purposes I would say no. A question arises when someone in your position is seeking access to secure data. Your job should be to ensure that the system is not compromised.
Thank you all for your replies. The financial software is a cloud-based solution and the support and any changes to the software back-end are provided by the vendor. So at the moment the IT department for this client do not support or get involved with this software. I think from the above suggestions I will be raising the recommendation that any changes to system access must be approved at 2 levels at least and this should be documented as part of their financial policy/regulations. Also state that the client should contact their financial software vendor to ensure the audit function on the software is enabled and enquire whether alerts can be set up. So my observation has now been changed to a recommendation and I now believe I am on the right track here and have enough back-up if questioned. As I am still very much a novice at this audit game, the help of clear professionals is very much appreciated, thank you all for your time.
Your suggestion would involve necessary IT expertise to accomplish. Because a Finance Assistant is an administrative function, it is doubtful he can perform the technical service of an IT specialist. Because both are necessary functions in a corporation, it's a no-brainer that a compromise is necessary to advance this important security protocol and system modification. Many corporations have qualified security access overlaps permitting necessary division interaction, without which it would be impossible to serve company policies. These overlaps involve shared access during which each division closely monitors the actions of others needing access to their work to do their jobs. Each person signs a confidentiality agreement as a condition of their employment. Silo syndrome is not conducive to good business and must be rooted out to avoid damage to corporate harmony between divisions. Cooperative interaction makes it work.
This is an issue common in most companies. You have a Silo between finance and IT. This is one of the many silos in a typical organization.
My recent book entitled "Competitive Advantage: Linked Management Systems" presents the value of removing the silos in an organization.
I believe IT should have access in conjunction with finance (i.e., working together). IT should have the expertise to effectively analyze the data and should work with Finance to interpret the results. One of the reasons for having an IT organization is to analyze data.
I'll be happy to discuss this further. Sandford Liebesman, ASQ Fellow
Any changes to the system should have at least two levels of approval (CFO should be final).
If lower level than the CFO, the CFO should get a notice from the systems of any changes made to the financial system.
Really important for control. I also agree this is NOT an IT function.
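One way to turn the two-level approval and CFO-notification rule described above into a check over the finance system's audit-trail export, as an added example that is not part of this thread (the JSON-lines layout, the field names and the `cfo` account id are assumptions; the log lines are constructed):

```python
import json

# Constructed sample export of the finance system's audit trail (not real data).
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-01T09:12:00Z", "actor": "fin.assistant", "action": "user_add", "target": "j.smith", "approvers": ["fin.manager", "cfo"]}
{"ts": "2024-03-01T10:05:00Z", "actor": "fin.assistant", "action": "permission_change", "target": "j.smith", "detail": "role=AP_CLERK->AP_APPROVER", "approvers": ["fin.manager"]}
{"ts": "2024-03-02T08:30:00Z", "actor": "fin.assistant", "action": "user_delete", "target": "old.user", "approvers": ["fin.assistant", "fin.manager"]}
{"ts": "2024-03-02T11:45:00Z", "actor": "fin.assistant", "action": "permission_change", "target": "fin.assistant", "detail": "role=ADMIN->ADMIN+PAYMENT_RELEASE", "approvers": ["fin.manager", "ap.lead"], "cfo_notified": true}
"""

ACCESS_CHANGE_ACTIONS = {"user_add", "user_delete", "permission_change"}
FINAL_APPROVER = "cfo"   # assumed account id of the CFO in the audit trail
MIN_APPROVERS = 2        # "at least two levels of approval"


def check_access_change(entry):
    """Return the list of control failures for one audit-trail entry (empty if it passes)."""
    findings = []
    if entry.get("action") not in ACCESS_CHANGE_ACTIONS:
        return findings  # only user add/delete/permission changes are in scope
    actor = entry["actor"]
    approvers = set(entry.get("approvers", []))
    # Approving your own change is not an independent level of approval.
    if actor in approvers:
        findings.append("actor approved own change")
        approvers.discard(actor)
    if len(approvers) < MIN_APPROVERS:
        findings.append(f"fewer than {MIN_APPROVERS} independent approvers")
    # CFO must either be the final approver or at least be notified of the change.
    if FINAL_APPROVER not in approvers and not entry.get("cfo_notified", False):
        findings.append("CFO neither approved nor notified")
    if entry["target"] == actor:
        findings.append("administrator changed own access")
    return findings


def review_audit_log(text):
    """Parse a JSON-lines export and return (ts, action, target, findings) for failing entries."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        findings = check_access_change(entry)
        if findings:
            report.append((entry["ts"], entry["action"], entry["target"], findings))
    return report


if __name__ == "__main__":
    for ts, action, target, findings in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{ts} {action} {target}: {'; '.join(findings)}")
```

The entries it flags are the ones a senior manager should see: the single-approver role change, the deletion the assistant approved themselves, and the assistant widening their own access.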
This sounds like a policy that either is not understood or needs to be created on software and IT segregation of duties.
Ricky
I am with you on this. Not an IT function to set access protocols however there should be checks and balances and one individual should not have the ability to make changes to critical systems in an organisation without some form of oversight. This is a clear separation of duties issue and should be treated as such. Either an alert or audit trail should be generated that is disseminated to a senior manager who understands the implications of any change.
Doug
Suggestion: The CFO should be the ultimate approval authority with the Finance Assistant acting as administrator. IT should be utilized in their capacity as a provider of services and not an administrator for the finance function.