Controller and full Admin access 2174

  • Hi everyone -
    I have a situation where a controller wants to have full access (i.e Admin access and group) in an ERP system (MFG/PRO-QAD). I will advise against it but was curious to know if anyone has encountered similar situation and what you’ve done to address it?
    We probably can restrict the different menus to make sure the controller doesn’t have administrative functions (add users/privileges, etc) but I am still uncomfortable that she will have other accounting functions that would allow her to do things without going through some kind of SOD.
    Am I wrong to feel uncomfortable about this??
    Any input you may have to share will be greatly appreciated.

  • You are not off base here at all. Will your controller tell you why she wants/needs full access? There may be other ways to get her the information that she needs. Do you have a small accounting shop such that your controller routinely makes entries into your financial accounting system?
    If she is granted full access, then I would identify compensating controls to review any transactions recorded by her in order to help ensure against fraud.
    SOD guidelines are just that - guidelines. In cases where there is inadequate SOD, you identify compensating controls. There are occasionally valid reasons for access that violates SOD conventions.
    I would also suggest discussing this with your external auditor.

  • Heard of something called ‘need to know’ basis?
    I guess your controller needs to know something about this. We did face this situation and what we did was to revoke/ deny the access.
    you can think of suggesting that as well

  • Agree with the others.
    I would feel very uncomfortable with the controller having this level of access.
    Potentially the controller could be regarded as the application owner but even then should not have admin access.

  • Agree with all these good comments 🙂
    – Maybe ‘read only’ access could be granted based on needs
    – Should not have ‘write’, ‘delete’, ‘create’, etc., capabilities inherient with FULL ADMIN access from a network security standpoint
    – Also, the same applies to application security, so that there are as few folks as possible who can perform start-to-finish transactions in an unchecked manner
    – This ain’t about trust, as most incidents in IT are a result of ERRORS and not fraud
    – I’m sure both internal and external auditors would object
    I feel the best solution is to interview the controller and make sure she has the right level security needed - balancing this with SOX management control requirements, so that the auditors won’t bring this up as ‘audit comments’. If there’s truly a need for some management of the application , maybe the comptroller can delegate these to one who has the proper authority so that ‘checks and balances’ are maintained.

  • Many thanks to your responses. I really appreciate that. I didn’t think I was off base for feeling uncomfortable and you all have helped supported that.
    I did ask IT to review what the controller’s requirements and assess what the needs are. Based on that, we’ll give her the access she requires but not full Admin access, since the Admin group has access to EVERYTHING (all the menus, files, etc).
    Thanks again for your input…

  • I would also be uncomfortable giving ‘full access’ within the ERP functionality to anyone. You would run into a number of SOD issues if the controller has access to (say) enter invoices, approve payments and post journals. That’s creating an environment that would allow both the execution and cover-up of fraud.

Log in to reply