Making auditors happy: Business software security and controls

auditing-security-governance-controlsHave you heard the phrase “risk is the new black”? It refers to the fact that what people thought was safe has now changed radically. As a result, organizations are now expected to provide investors, customers and regulators verifiable assurance that there are the necessary controls to manage risk, by ensuring segregation of duties, integrity of operations and auditability.

It is becoming increasingly common to hear auditors ask about:

  • Oversight and control over transactions and operations
  • Monitoring and documentation of information flows and business transactions
  • Detection and prevention of accidental, and purposeful, changes that would increase risk and compromise business operations.

Before you ask your auditors to do a governance, risk and compliance assessment for your business you should consider whether your software system has addressed some key security issues:

  1. Access
  2. Control
  3. Monitoring
  4. Auditing

Access
This is a standard tool for software that includes logins and passwords and should give you access security for various levels within the application. These levels are, from widest to most detailed:

  1. The system
  2. Company
  3. Program
  4. Transactions
  5. Activity
  6. Field

This means that a user’s access can be limited down to a fine level – not just to a program, but also to details of the data, such as specific warehouses, and branches.

Control
Your software system should be configured to suit your organization’s control requirements. These controls enable business to ensure a much greater level of accountability, to promote segregation of duties, and tom implement traceability of activities throughout the system.

Operator control enables security to be managed at the individual level. Operators can be put into groups and sub-groups to align security administration to organizational division, such as departments and teams.

You can streamline controls further with role-based security. A default organogram provides a starting point for role management which can then be customized for different hierarchies.

Business processes can be defined against a general ledger code to ensure the code is used for appropriate transactions only.

Electronic signatures (e-signatures) secure transactions by authenticating the operator that performs specific transactions. E-signatures also provide traceability of who performed a transaction and when.

Monitoring
Monitoring can be done via:

  • Event logging and management
  • Triggers and alerts
  • Role conflicts

These can be automated to provide continuous controls monitoring.

Events refer to activities on the system, whereas triggers and alerts can be applied in a client user environment. This functionality enables the identification of abnormal events which may potentially point to fraudulent activity.

Auditing
Does your system have a logging and recording facility which tracks when programs are accessed, and when changes are made to critical data, such as master file, company setup and operator information?

You don’t have to be a big or well established business to need good security and control. But you need to have a level of organizational maturity to effectively implement a proper governance and controls regime. The test is whether your auditors are happy that the necessary controls and standards are in place.

Have you asked your auditors to do a governance, risk and compliance assessment yet?

Be Sociable, Share!
This entry was posted in Business Software, Governance and Compliance, security and tagged , , , by Simon Griffiths. Bookmark the permalink.

About Simon Griffiths

My role at SYSPRO is Product and Industry Marketing Consultant, working in their Corporate Services division. I joined the company in 2007 after having interrupted a previous spell with SYSPRO to sell other ERP software. After completing a Masters degree in Climatology at University of the Witwatersrand in Johannesburg, my first job involved working on a mini-computer where I was taught programming by an ex-NASA engineer. In 1995 I spent some time in Silicon Valley where I got my first experience in high-tech marketing and soon after that entered the field of Enterprise Resource Planning (ERP). With over 20 years in enterprise IT, I have worked in programming, database management, project management, consulting, marketing and sales.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>