During my time as an auditor, I have had the privilege of working with many clients of all shapes and sizes. As clients prepare for an audit, especially a first-time audit, I often get asked for recommendations on how to help ensure a successful audit outcome. One of the most crucial areas related to security is access controls, since access-related issues can impact pretty much all the other controls in an audit.
I’ve participated in multiple audits where missing or ineffective access controls negatively impacted my clients. Sometimes, these control issues resulted in undesirable or qualified audit opinions. On other occasions, significantly more substantive work needed to be performed to gain sufficient audit assurance. Ultimately, these situations resulted in increased costs and stress for the clients. The motivation for this post is to share three basic principles and how they can be applied to different kinds of access controls to help avoid these situations.
Three Basic Principles for Audit Success
Although this list isn't exhaustive, the following three general principles help make an audit successful.
Principle #1: Documentation
Auditors rely on the availability of sufficient documentation to demonstrate the design and operating effectiveness of controls. Although other methods such as inquiry can sometimes be used, ultimately it is documentation that allows auditors to come to a conclusion about the effectiveness of controls. For example, user access reviews should be fully documented, including which applications were included, the detailed list of users and privileges reviewed, and any changes that needed to be made.
Principle #2: Authorization
Depending on the control, auditors often look for justification as to why actions were taken. In the context of access controls, this often comes in the form of authorization or approvals. A common example would be explicit, documented approval for new or additional user access.
Principle #3: Timeliness
The timeliness of taking necessary actions is something auditors evaluate. Just as the frequency of controls varies, what is considered timely will vary from control to control. One of the most impactful applications of timeliness is removing access when someone departs an organization.
Avoiding the Pitfalls Related to Access Controls
Having presented these principles, I will next list major access-related controls and common mistakes auditors often encounter for each. Check out our blog on access control management to learn more about the different types of access controls.
Onboarding
Onboarding includes the activities required to vet, hire, and grant sufficient access to new hires.
- Documentation mistakes:
  - Failure to document access requests.
  - Failure to document other onboarding activities (e.g. background checks, interview notes).
- Authorization mistakes:
  - Lack of access approvals.
- Timeliness mistakes:
  - Insufficient or incomplete hiring activities (e.g. missing policy acknowledgments, not providing required onboarding training).
- Other mistakes:
  - Inconsistency in applying relevant controls depending on employee type (e.g. employee vs. intern vs. contractor).
Access Changes
When users change roles within an organization, their access will often need to be adjusted.
- Documentation mistakes:
  - Failure to document access modification requests.
- Authorization mistakes:
  - Lack of access approvals.
- Timeliness mistakes:
  - Adding new access but failing to remove access that's no longer required.
- Other mistakes:
  - Segregation of duties issues, particularly if new access is granted but old access is not removed.
Offboarding
Offboarding controls deal with the activities taken to remove access for people who leave an organization.
- Documentation mistakes:
  - Failure to record the departure in the HR system.
- Timeliness mistakes:
  - Failure to communicate the departure so offboarding activities can take place.
  - Failure to fully remove access.
  - Failure to remove access in a timely manner.
Access Reviews
Periodic user access reviews should be performed to help ensure existing access is appropriate and to compensate for failures in the controls above.
- Documentation mistakes:
  - Failure to perform and document the review.
  - Not including all in-scope applications and supporting systems in the review.
  - Failure to document the changes that need to be made.
- Authorization mistakes:
  - Having the review performed by someone who lacks the knowledge to determine whether access is appropriate or what the various roles within an application mean.
- Timeliness mistakes:
  - Not performing the review according to the frequency specified in the control (e.g. annual, quarterly, etc.).
  - Failure to make changes in a timely manner.
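As an added example (not from the original post), here is a small reconciliation script that performs the kind of user access review described above: it compares an application's access export against the HR roster and flags departed users whose access survived past an assumed removal SLA, users who kept old-role entitlements after a role change, the resulting segregation-of-duties conflict, and accounts with no HR owner. The roster, access export, role baseline, three-day SLA and review date are all constructed sample data.

```python
from datetime import date

REMOVAL_SLA_DAYS = 3                 # assumed policy: access removed within 3 days of departure
REVIEW_DATE = date(2024, 3, 15)      # constructed cut-off date for this review

# Constructed HR roster: user -> (HR status, current role, termination date).
HR = {
    "alice": ("active", "ap_clerk", None),
    "bob":   ("active", "ap_manager", None),              # moved up from ap_clerk
    "carol": ("terminated", "ap_clerk", date(2024, 3, 1)),
    "dave":  ("terminated", "ap_clerk", date(2024, 3, 14)),
}
# Constructed application access export: user -> granted entitlements.
APP_ACCESS = {
    "alice": {"ap_read", "invoice_entry"},
    "bob":   {"ap_read", "invoice_entry", "invoice_approve"},  # old clerk access kept
    "carol": {"ap_read"},                                       # departed, still enabled
    "dave":  {"ap_read"},                                       # departed yesterday
    "svc_legacy": {"ap_read"},                                  # nobody in HR owns it
}
# Assumed role-to-entitlement baseline agreed with the application owner.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"ap_read", "invoice_entry"},
    "ap_manager": {"ap_read", "invoice_approve"},
}
# Assumed toxic combination: one person both enters and approves invoices.
SOD_CONFLICTS = [({"invoice_entry", "invoice_approve"}, "enter+approve invoices")]

def review_access(hr, app_access, role_entitlements, review_date):
    """Return (user, finding, detail) tuples the reviewer must document and act on."""
    findings = []
    for user, ents in sorted(app_access.items()):
        if user not in hr:                    # account with no HR owner
            findings.append((user, "no_hr_record", sorted(ents)))
            continue
        status, role, left = hr[user]
        if status == "terminated":            # offboarding failure: access not removed
            days = (review_date - left).days
            kind = "terminated_overdue" if days > REMOVAL_SLA_DAYS else "terminated_within_sla"
            findings.append((user, kind, f"{days}d since departure"))
            continue
        excess = ents - role_entitlements.get(role, set())
        if excess:                            # role changed, old access not removed
            findings.append((user, "excess_for_role", sorted(excess)))
        for combo, label in SOD_CONFLICTS:
            if combo <= ents:                 # segregation-of-duties conflict
                findings.append((user, "sod_conflict", label))
    return findings
```

Each finding is the documentation the review needs anyway: which user, which issue, and what must change, ready to be attached to the review record with the approver's sign-off.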
Conclusion
I hope that the simple principles I shared will resonate with the readers of this post and give them an understanding of how they can improve their processes in preparation for an audit. Even more, it is my hope that by sharing some of the common mistakes I see they’ll be better equipped to avoid these pitfalls.
If you have any questions or concerns about potential access control issues, or would like to learn more about the many audit services we provide, please reach out to our team of professionals at Linford & Co.
Tim Nackos joined Linford & Company, LLP in 2022. The first 5 years of his career were spent at the “Big Four” firms EY and KPMG providing IT assurance and advisory services. He also spent 10 years at two large financial institutions primarily in internal audit performing data analytics. Tim is a certified public accountant (CPA) in the state of Utah and is a certified information systems auditor (CISA). He holds both a Master of Accountancy and a Bachelor of Science degree in Accounting from Brigham Young University.