Super User Controls and Application Control Testing
kipper last edited by
We have just been told by our external auditors that because we do not have sufficient controls surrounding our super user / administrator accounts, all application control testing performed prior to implementing such controls is not usable. We are a 9/30 YE with approx. 90% of our application control testing complete. Can anyone share some arguing points we could use?
Any ideas would be greatly appreciated. HELP…
Arun70 last edited by
Although I am more into the Business Controls aspect of SOX, let me try to air my thoughts on this.
Controls surrounding super user / administrator would be one set of application controls. There would be other key application controls over and above these. If you have performed the testing of the other key application controls, I do not think the auditors are justified in saying the testing is not usable.
The lack of adequate controls surrounding super users would most likely be a design-level deficiency that is to be remediated and retested.
You could argue that, just because there is a design deficiency around one of the significant controls does not mean that all the other key application controls are irrelevant. Consequently, the argument that the testing relating to the other key application controls is not usable is not justified at all.
I do not claim to be an expert on IT controls. Any comments from people having greater knowledge on this subject would be appreciated.
CoolCat last edited by
You should consider exactly what superuser or administrator status allows people to access or do in your set-up. In some cases, these could enable the individuals concerned to make changes to applications or your infrastructure. This in turn could invalidate your change control. If you don't have strong change control, this makes the rest of your testing invalid, as you can't prove what you've tested.
IrquiM last edited by
I understand why they are saying it, and I have to agree to some point.
What the auditors are saying is that between the testing of the application and restricting the administrator account, someone might have put a backdoor or something into one of the applications. That is why they want it retested, to make sure this has not happened.
To look at it another way:
You reconcile the authorisation list against signature on invoices.
That turns out fine.
Next you check when the authorisation list was updated.
Obs… 5 years ago - people have quit, changed position / department / etc. - Failed.
How can you be sure that the first check you did against the 5-year-old list is actually OK?
You can't without retesting.
(Yes, I know - you first check the age of the authorisation list, but then it does not illustrate my example.)
viky2cool last edited by
The auditor should be looking at this deficiency in light of the results of the application controls testing conducted for the remaining applications and also of the business processes. If all the deficiencies together prove to lead to a material weakness, then the auditor is correct in his judgement. To illustrate: the super user can create other users in the application. There is a formal user management process and, as part of that process, someone from operations signs off on the active user list and the access granted to users after a predefined time. Additionally, the logs of modifications made to user access are also regularly reviewed. If the auditor found these 2 controls working, then he/she cannot make this call. Controls do not always have to be preventive.
Hope this helps.