Who is responsible for Finance System users and passwords?

  • Our IT department has been told by auditors that the control of users and passwords within the financial systems should be carried out by IT staff and not finance staff, quoting that SOX good practice requires it.
    As a company we follow BS7799 controls and therefore segregate duties between IT and finance, i.e. IT are network administrators and are capable of deleting logs, and so would be a risk if they were also administrators within the financial application and able to cover their tracks.
    I am not up to speed with SOX requirements. Could someone please verify whether this is indeed best practice according to SOX?

  • It is the same segregation of duties that has prompted your auditor to suggest that control of user names and passwords should sit with IT. In general, IT is responsible for administration, and one of the activities of administration is user access management. Typically, finance would define the roles that are required within your finance application, and IT would create the roles. Finance would nominate the users who should have access to the application and the role they should be assigned; IT would create the users. Taking this logic further, IT would be restricted to user provisioning and management only, while finance would be responsible for entering transactions and reviewing the logs. Thus no one person has complete control of the system, because IT cannot do transactions and finance can only do transactions using the user ID created by IT.
    In your environment, finance is responsible for the user names and passwords and also for reviewing the logs. This is a conflict, as a user ID can be created, transactions executed, and logs modified to reflect an inappropriate picture.
    Hope this helps.

