Application Security

Application security is a technical audit that is worth doing. It is essential for the department head, as application stakeholder or data owner, to know exactly what access the application security administrator has actually implemented at the application level for each of his employees. This knowledge enables the data owner to rely on the integrity of the data that is created and manipulated by the application.

For most applications, the security reporting functionality is far from robust. The reports that the data owner is likely to get state only the access provided to groups defined in the application, followed by listings of the employees who are members of these groups. While on the surface this appears adequate, often there is no way of knowing that a particular employee has been given additional access, above and beyond the group access, that may conflict with the necessary separation of duties. When this occurs, the likelihood of fraud is substantially increased, which puts greater pressure on compensating, detective controls and their review process.

Over time, the access assignments tend to be “grandfathered” to new employees. The risk is that a new employee will discover that they can perform both accounts receivable and accounts payable transactions, for instance, with little likelihood of immediate managerial discovery. Ultimately the detective controls, by way of activity reconciliations, would uncover discrepancies, but only after a lengthy forensic effort. This risk can be eliminated with rigorous application security reviews, strong application security administration and monitoring procedures.

At the application security level, it does not matter whether we are reviewing the security of an SAP, Great Plains or custom application. Ultimately the separation of duties will stipulate the functionality within a particular application that must be separated or not permitted at certain levels of responsibility. Each application has a security module where the application security administrator must select ‘permit’ or ‘deny’ access for a person or group for the stipulated function or command. These selections can number in the hundreds for a single application, which can make them difficult to summarize and communicate to the data owner. A detailed application security review will confirm the process and identify any access assignments that are contrary to policy and may in fact permit fraudulent transaction activity.

Typically, the best approach to application security is to first perform a separation of duties analysis to identify those commands and functions which need to be distributed across employees and perhaps different departments to ensure the likelihood of fraud is reduced to acceptable levels. For example, this is why when you open a new bank account, the Customer Service Representative (CSR) actually performs the new account transactions, but has to have the teller enter the initial deposit information into the new account. Bank management has separated these functions as they do not want the teller to be able to create new accounts, nor permit the CSR to perform deposit and withdrawal transactions.
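The review described above can be sketched in code. The following is an added example, not part of the original page or any product's own tooling: it merges group access with individual grants into each employee's effective access, then checks it against separation-of-duties rules. The user names, group names, function names and rules are constructed for illustration, based on the bank scenario above.

```python
# Constructed sample data: all names and rules below are illustrative assumptions.
GROUP_GRANTS = {"csr": {"open_account"},
                "teller": {"post_deposit", "post_withdrawal"}}
GROUP_MEMBERS = {"csr": {"alice", "carol"}, "teller": {"bob"}}
# Individual grants made outside any group; a group-level report omits these.
DIRECT_GRANTS = {"carol": {"post_deposit"}}
# Separation-of-duties rules: no single user may hold both functions of a pair.
SOD_RULES = [("open_account", "post_deposit"),
             ("open_account", "post_withdrawal")]


def effective_access(group_grants, group_members, direct_grants):
    """Return {user: {function: {sources}}} combining group and direct grants."""
    access = {}
    for group, members in group_members.items():
        for user in members:
            for fn in group_grants.get(group, ()):
                access.setdefault(user, {}).setdefault(fn, set()).add(f"group:{group}")
    for user, fns in direct_grants.items():
        for fn in fns:
            access.setdefault(user, {}).setdefault(fn, set()).add("direct")
    return access


def group_only_view(group_grants, group_members):
    """Access as a group-level report shows it: direct grants are ignored."""
    return effective_access(group_grants, group_members, {})


def sod_conflicts(access, rules):
    """Return (user, fn_a, fn_b, sources_a, sources_b) for every violated rule."""
    findings = []
    for user in sorted(access):
        held = access[user]
        for a, b in rules:
            if a in held and b in held:
                findings.append((user, a, b, sorted(held[a]), sorted(held[b])))
    return findings


if __name__ == "__main__":
    full = effective_access(GROUP_GRANTS, GROUP_MEMBERS, DIRECT_GRANTS)
    print("group-only report:",
          sod_conflicts(group_only_view(GROUP_GRANTS, GROUP_MEMBERS), SOD_RULES))
    print("effective access: ", sod_conflicts(full, SOD_RULES))
```

Recording the source of each permission (group or direct) lets the reviewer tell the data owner which specific assignment must be removed to clear a conflict.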

Since application security administration is only as good as the change controls that confirm the authorization, implementation and monitoring of security assignments, the application security review is usually performed after the IT General Controls review (of which change management is part) has been completed, and the change management process has been confirmed as functioning and reliable.

For more information on how FDC Associates can be your IT Audit and Governance Solutions provider, complete an Information Request or Contact Us.