Segregation of Duties: Security Administration 518

  • Our Finance Dept. is currently performing the security administration role for our ERP system. As an auditor, I’m not comfortable with this, but we agreed that they could set it up this way as long as the individuals in this role did not have any day-to-day operational accounting responsibilities. Just wanted to get some other opinions on whether this would be viewed as an internal control weakness under SOX.

  • A security administrator is:
    Setting user clearances.
    Setting initial password.
    Setting other security characteristics for new users.
    Changing security profiles for existing users.
    Setting/changing file sensitivity labels.
    Setting security characteristics of devices and communications channels.
    Reviewing audit data
    If the finance Dept. is currently performing the security administration role for your ERP system, you do not have proper segragation of duties.
    It is true that many companies have no proper separation of duties and responsibilities.

  • The internal control weakness would emerge if whoever was performing the administration of the application also was a user of the application.
    If they did not enter data, make production data changes or even ran reports from the system, there is no weakness.
    If all they did was provide security administration within the application as lekatis stated there would not be an SoD issue. The administration doesn’t have to be in IT, or another department within the business. Look at any controls where the administrator cannot add/change/delete any production data within the app.
    Is there a reporting system within the app that shows the data changes made and who made them? The security administrator just needs to prove they have a valid request for those users making changes to actually have access within the app.

  • As an auditor, I’m not comfortable with this
    Then why did you allow it?
    If you are unsure, do a segregation of duties matrix. And, ensure that the people performing the security administration duties are not subordinate to those with day-to-day operational accounting responsibilities and do not have day-to-day operational accounting responsibilities themselves.

Log in to reply