Appropriate access to finance system?

Hi all

I am having a debate in the workplace at the moment regarding access to an organisations finance system. I recently carried out an audit in an organisation and the Senior Finance Assistant was in charge of modifying access to the system so they would add/delete or modify users and set permissions. I raised an observation stating the organisation should investigate the use of audit trails in the Finance system to ensure any changes to system are logged and monitored. However I have been asked to raise a recommendation stating that the IT department should be controlling the access, not the Finance assistant. I disagree with this as I do not believe the IT department should have any access to the organisations financial data never mind having full access! Due to the size of the organisation I wasn't sure who would suit best to have administrative access and felt the Finance assistant was appropriate as long as there was a way of monitoring any changes..

Has anyone any thoughts on what the process should be?

Any suggestions much appreciated

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

Votes: 0
Email me when people reply –

Replies

  • For security purposes I would say no.  A question arises when someone in your position is seeking access to secure data. Your job should be to insure that the system is not compromised.

  • I agree with the contributions made by various members. Just want to add that request for access has to be a collaborative effort of the finance function and the IT unit. Request need to come from say the the finance unit, approved by appropriate high level officer, before access is granted by IT Unit. Even like in the case of your client, it's only the vendor that grant such access, that request needs to come from the IT Unit to the vendor. IT's involvement is necessary because of the technical expertise required, and for proper segregation of dutied (to forestall management override of controls ). Also IT will be more disposed to maintain and monitor the access log, while the finance assistant will focus on his core function, which is to maintain proper financial records.
  • Thank you all for your replies. The financial software is a cloud based solution and the support and any changes to the software back-end is provided by the vendor. So at the moment the IT department for this client do not support or get involved with this software. I think from above suggestions I will be raising the recommendation that any changes to system access must be approved at 2 levels at least and this should be documented as part of their financial policy/regulations. Also state that the client should contact their financial software vendor to ensure the audit function on the software is enabled and enquire whether alerts can be set up. So my observation has now been changed to a recommendation and I now believe I am on the right track here and have enough back-up if questioned. As I am still very much a novice at this audit game, the help of clear professionals is very much appreciated, thank you all for your time.

  • Your suggestion would involve necessary IT expertise to accomplish. Because a Finance Assistant is an administrative function, it is doubtful he can perform the technical service of an IT specialist. Because both are necessary functions in a corporation, its a no-brainer that a compromise is necessary to advance this important security protocol and system modification. Many corporations have qualified security access overlaps permitting necessary division interaction without which it would be impossible to serve company policies. These overlaps involve shared access during which each division closely monitors the actions of others needing access to their work do their jobs. Each person signs a confidentiality agreement as a condition of their employment. Silo syndrome is not conducive to good business and must be rooted out to avoid damage to corporate harmony between divisions. Cooperative interaction makes it work.

  • This is an issue common in most companies. You have a Silo between finance and IT. This one of the many silos in a typical organization. 

    My recent book entitled "Competitive Advantage: Linked Management Systems" presents the value of removing the silos in an organization.

    I believe IT should have access in conjunction with finance (ie, working together). IT should have the expertise to effectively analyze the data

    and should work with Finance to interpret the results. One of the reason for having an IT organization is to analyze data. 

    I'll be happy to discuss this further.   Sandford Liebesman, ASQ Fellow

  • Any changes to the system should have at least two levels of approval (CFO should be final).

    If lower level than the CFO, the CFO should get a notice from the systems of any changes made to the financial system.

    Really important for control.  I also agree this is NOT an IT function.

  • This sounds like a policy either is not understood or needs to be created on software and IT segregation of duties.

  • Ricky

    I am with you on this. Not an IT function to set access protocols however there should be checks and balances and one individual should not have the ability to make changes to critical systems in an organisation without some form of oversight. This is a clear separation of duties issue and should be treated as such. Either an alert or audit trail should be generated that is disseminated to a senior manager who understands the implications of any change.

     

    Doug

  • Suggestion:  The CFO should be the ultimate approval authority with the Finance Assistant acting as administrator.  IT should be utilzed in their capacity as a provider of services and not an adminstrator for the finance function.

This reply was deleted.

Introducing the Global Risk Series - Book 1 Risk Management How Tos

Dear GlobalRisk Community member, Our community’s mission is to foster business, networking and educational explorations among members. Learn from some of the top experts in the industry as they clearly explain how to approach the most important Risk management concepts. Check out their expert tips and use the link at the end of each article to navigate back to the website to leave your comment or ask a question.   Some of the topics include: How do you Explain Risk Appetite?  How to Prepare a…

Read more…
16 Replies · Reply by GlobalRiskCommunity Mar 21
Views: 1108

[Free COVID-19 Framework] What's the path to recovery look like?

We created a free presentation (attached), which discusses both global and organizational impacts of the COVID-19 pandemic, along with critical actions organizations should take immediately. This presentation introduces a framework that helps regions and organizations navigate a path to recovery via 9 potential scenarios. These scenarios capture outcomes related to GDP impact, public health response, and economic policies. The presentation also breaks down 6 immediate and critical actions…

Read more…
4 Replies · Reply by Steve Diaz Jul 8, 2023
Views: 236

If risk management is about decision making, are current risk management solutions irrelevant?

Now that the updated COSO and ISO risk management standards emphasize a connection to enterprise objectives and decision making, does this mean ERM and GRC solutions focused on risk registers and regulatory compliance are missing the true value of risk management?Will current risk management solutions evolve to integrate more decision support functionality or will standalone prescriptive analytics and other technology solutions take a more prominent role in enabling risk-informed…

Read more…
3 Replies
Views: 163

A question related to classification of instruments between trading and banking book.

We have an interesting question from one of our members.       "We usually perform OTC FX transactions with clients backed-to-back on the market (with Banks). Now we are going to perform a FX swap (i.e. Spot + forward) JPY/EUR for the Bank account for 1 week at the longest. The purpose is to get EUR place @ CB for LCR compliance purpose (no trading purposes). Bank's Management think that this should be considered as a trading position and therefore be classified within the Bank's trading book.…

Read more…
5 Replies · Reply by Prisha Singh Dec 26, 2023
Views: 372

Plunging oil prices: curse or blessing in disguise?

The recent sudden crash of oil prices has had a major impact on the world economy, leading to many troubled faces in the international arena. The Russians fear the effects of yet another powerful hit on their economy, Venezuela seems to be considering default and the Americans are weary of the consequences for its young and emerging shale oil industry. And then you have the Middle East, where the smallest match is enough to ignite the largest fire. But are these worries really justified or…

Read more…
1 Reply
Views: 106

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!

lead