Super User Controls and Application Control Testing.

  • We have just been told by our external auditors that because we do not have sufficient controls surrounding our super user / administrator accounts, all application control testing performed prior to implementing such controls is not usable - we are a 9/30 YE with approx 90% of our application control testing complete. Can anyone share some arguing points we could use? Any ideas would be greatly appreciated. HELP…

  • Although I am more into the Business Controls aspect of SOX, let me try to air my thoughts on this.
    Controls surrounding super user / administrator would be one set of application controls. There would be other key application controls over and above these. If you have performed the testing of the other key application controls, I do not think the auditors are justified in saying the testing is not usable.
    The lack of adequate controls surrounding super users would most likely be a design-level deficiency that is to be remediated and retested.
    You could argue that, just because there is a design deficiency around one of the significant controls does not mean that all the other key application controls are irrelevant. Consequently, the argument that the testing relating to the other key application controls is not usable is not justified at all.
    I do not claim to be an expert on IT controls. Any comments from people having greater knowledge on this subject would be appreciated.

  • You should consider exactly what superuser or administrator status allows people to access or do in your set-up. In some cases, these could enable the individuals concerned to make changes to applications or your infrastructure. This in turn could invalidate your change control. If you don’t have strong change control, this makes the rest of your testing invalid, as you can’t prove what you’ve tested.

  • I understand why they are saying it, and I have to agree to some point
    What the auditors are saying is that
    Between the testing of the application and restricting the administrator account, someone might have put a backdoor or something into one of the applications. That is why they want it retested, to make sure this has not happened.
    To look at it another way:
    You reconcile the authorisation list against signature on invoices.
    That turns out fine.
    Next you check when the authorisation list was updated.
    Obs… 5 years ago - people have quit, changed position / department / etc. - Failed.
    How can you be sure that the first check you did against the 5-year-old list is actually OK?
    You can’t without retesting.
    (Yes, I know - you first check the age of the authorisation list, but then it does not illustrate my example 😉 )

  • The auditor should be looking at this deficiency in light of the results of the application controls tests conducted for the remaining applications and also of the business processes. If all the deficiencies together prove to lead to a material weakness, then the auditor is correct in his judgement. To illustrate, the super user can create other users in the application. There is a formal user management process and, as a part of that process, someone from operations signs off on the active user list and the access granted to users after a predefined time. Additionally, the logs of modifications made to user access are also regularly reviewed. If the auditor found these 2 controls working, then he/she cannot make this call. Controls need not always have to be preventive.
    Hope this helps.
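The two detective controls described in the post above (a periodic sign-off on the active user list, plus review of the user-access modification log) and the "how old is the authorisation list" check from the earlier reply can be automated as a reconciliation. The script below is an added example, not code from the thread or from any particular product: the user list, the signed-off list, the approved change tickets and the access log are all constructed sample data, and the field names and the 90-day review period are assumptions. It rolls approved, post-sign-off changes forward onto the signed-off list, then flags any active account or role the sign-off and approved changes do not support, any log entry with no approved ticket, and a sign-off that is older than the review period.

```python
"""Detective controls over a super user who can create and modify accounts.

Added example with constructed data (not from the thread). Given:
  1. the application's current active user list,
  2. the user list the business owner signed off at the last review,
  3. the application's user-access modification log, and
  4. the set of approved change tickets,
report (a) active accounts or roles the sign-off plus approved changes do not
support, (b) log entries with no approved ticket, and (c) a stale sign-off.
"""
from datetime import date

# ---- constructed sample data (assumed field names) -------------------------
ACTIVE_USERS = {
    "jsmith": {"role": "AP_CLERK"},
    "mjones": {"role": "AP_APPROVER"},  # role changed under an approved ticket
    "sysadmin": {"role": "ADMIN"},
    "tmp_admin": {"role": "ADMIN"},     # created by the super user, never approved
}

SIGNED_OFF = {
    "signed_on": date(2007, 3, 31),
    "users": {"jsmith": "AP_CLERK", "mjones": "AP_CLERK", "sysadmin": "ADMIN"},
}

APPROVED_TICKETS = {"CHG-1041"}

ACCESS_LOG = [
    {"when": date(2007, 5, 2), "actor": "sysadmin", "action": "ROLE_CHANGE",
     "target": "mjones", "new_role": "AP_APPROVER", "ticket": "CHG-1041"},
    {"when": date(2007, 6, 14), "actor": "sysadmin", "action": "CREATE",
     "target": "tmp_admin", "new_role": "ADMIN", "ticket": None},
]

# Assumed review period: the sign-off must be refreshed at least this often.
MAX_SIGNOFF_AGE_DAYS = 90


def stale_signoff(signed_on, as_of, max_age_days=MAX_SIGNOFF_AGE_DAYS):
    """True when the last sign-off is older than the review period."""
    return (as_of - signed_on).days > max_age_days


def expected_state(signed_off, log, approved_tickets):
    """Roll approved changes made after the sign-off onto the signed-off list.

    Only entries that are both later than the sign-off and backed by an
    approved ticket count; everything else is left for the log review.
    """
    expected = dict(signed_off["users"])
    for entry in sorted(log, key=lambda e: e["when"]):
        if entry["when"] <= signed_off["signed_on"]:
            continue
        if entry["ticket"] not in approved_tickets:
            continue
        if entry["action"] in ("CREATE", "ROLE_CHANGE"):
            expected[entry["target"]] = entry["new_role"]
        elif entry["action"] == "DISABLE":
            expected.pop(entry["target"], None)
    return expected


def reconcile_users(active, expected):
    """Differences between what is active now and what the review supports."""
    findings = []
    for user, attrs in active.items():
        if user not in expected:
            findings.append((user, "active but not on signed-off list"))
        elif expected[user] != attrs["role"]:
            findings.append((user, f"role {attrs['role']} not supported by "
                                   f"sign-off or approved changes"))
    for user in expected.keys() - active.keys():
        findings.append((user, "signed off but no longer active"))
    return sorted(findings)


def unsupported_log_entries(log, approved_tickets):
    """Access modifications with no approved change ticket behind them."""
    return [e for e in log if e["ticket"] not in approved_tickets]


def review(active, signed_off, log, approved_tickets, as_of):
    """Run all three checks and return the findings for the reviewer."""
    expected = expected_state(signed_off, log, approved_tickets)
    return {
        "stale_signoff": stale_signoff(signed_off["signed_on"], as_of),
        "user_findings": reconcile_users(active, expected),
        "unticketed_changes": unsupported_log_entries(log, approved_tickets),
    }


if __name__ == "__main__":
    for key, value in review(ACTIVE_USERS, SIGNED_OFF, ACCESS_LOG,
                             APPROVED_TICKETS, date(2007, 9, 30)).items():
        print(key, value)
```

On the sample data the mjones role change is accepted because the log ties it to an approved ticket, tmp_admin is flagged twice (active without sign-off, and created without a ticket), and the March sign-off is reported stale at a 9/30 review date. The two controls reinforce each other: the sign-off alone would flag the approved mjones change as an exception, while the log review alone would not show that tmp_admin is still active.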
