
What Every IT Auditor Should Know About Access Controls

By Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
Volume 4, 2008

One of the more pervasive concerns of IT audits, whether or not they are associated with financial audits, is the risk associated with IT general controls such as access control. The increased use of databases, the growth in the number of access points on networks (especially remote connectivity) and wireless technologies have dramatically increased the risk associated with networks and access control. Once a person has gained access to a system, that person could potentially reach financial data, financial reporting data, applications (e.g., journal entry software) and other high-risk functions. While each entity must be analyzed according to its individual characteristics, virtually all entities subject to audit have some risk associated with access control.

The most basic principle in assessing the sufficiency of access control is to verify that the level of protection (sophistication) of the access controls is aligned with the level of risk; that is, the more risk, the stronger the controls should be. It is becoming increasingly necessary to test more IT controls because of Sarbanes-Oxley requirements, the American Institute of Certified Public Accountants (AICPA) risk assessment standards (the "Risk Suite") and increased reliance on IT controls. This article demonstrates one methodology for judging the appropriateness of access controls: assess the level of risk, evaluate the strength of the controls in place, and test those controls.

Authorization vs. Authentication

The first area of understanding regarding access controls is the difference between authentication and authorization. Authentication verifies that the person presenting a login is who that login claims to be, i.e., that users are who they say they are. The ID and password pair is the most basic authentication control, and the key question about it is whether the entity employs best practices for password policy. Authorization is what the system does once a user is authenticated: it determines which files, applications and data that identity may reach and with what rights (read/write permission), usually through group membership and permissions set in the network operating system. Both are necessary. A login with an ID and password is the cornerstone of access control, but it should not be the only access control, except in the most basic of systems and circumstances (e.g., small companies, simple systems or low-risk situations).

Stronger authentication, which adds a second factor beyond the password, is the more powerful of the two in terms of mitigating risk, because a password on its own can be guessed, shared or stolen without the account owner's knowledge. Examples of additional factors include swipe cards, smart cards, USB tokens, temporary (one-time) PINs and biometrics; answers to specific and private questions are also used, although they are the same kind of factor as the password (something the user knows). There are various ways to implement a control with this objective, and at higher levels of risk the IT auditor will want to verify that some control beyond the password exists.

Measuring the Level of Risk

Most of the auditing profession today, regardless of the type of audit, uses a risk-based or top-down approach to the audit. The IT auditor will want to assess the level of risk associated with access controls; the IT auditor working on a financial audit will probably limit the evaluation to the risk of material misstatement, i.e., to the financial reporting processes and financial data that unauthorized access could affect. That level of risk is escalated by a variety of circumstances.

One of the issues is the size of the system(s) under review. Size is measured by the sheer number of workstations, servers and network components. Typically, smaller systems are found in smaller entities. Smaller entities have fewer resources for segregation of duties and IT staff. Usually this inherent constraint has a negative impact on the strength of the system of internal controls, especially automated or IT-dependent controls. Therefore, the smaller the size, the more likely the IT auditor would assess access control risk at a higher level. That is not to say that large, complex systems, such as enterprise resource planning (ERP), do not have inherent risks as well—some most certainly do. But the risk associated with large ERP systems is more a function of complexity than size (number of users).

Complexity, or sophistication, of the systems under review is correlated with risk: the more complex, the more risk, generally speaking. If all of the systems run on the same platform, the risk is lower than if there are multiple systems, especially ones affecting financial reporting and data, on different platforms. For instance, a common factor in past frauds is that a fraudster with the necessary authority deliberately uses different systems for different parts of the accounting and financial reporting process, including pulling data off the various systems into a spreadsheet and producing the financial reports from offline spreadsheets in a smoke-filled back room. Thus, generally speaking, the more systems in use, and the more disparate the platforms, the greater the risk assessed by the IT auditor. Access control across disparate systems is usually difficult to administer consistently, and a spreadsheet pulled off a controlled system inherits none of that system's controls.

If the entity has access to the source code, modifies code or generates code, then the access control risk is probably higher. Any time people can affect the code being run, there is a relatively high risk of error (which can be mitigated by testing and change control) and usually a moderate risk of fraudulent or malicious code. Therefore, if an entity has its own in-house programmers, the risk is generally higher than for one that uses strictly commercial off-the-shelf (COTS) software. Access controls are enforced by software, so whoever can change that software can thwart them; developer access to production code and data is therefore itself an access control question.

Other issues relate to specific types of technologies or system architectures that inherently have higher risks. Some of them include wireless technologies, access to the Internet (i.e., the number of access points), shared files and databases, remote access, outsourcing of critical applications or system functions, and changes to infrastructure. These technologies or situations generally complicate the ability of the entity to adequately manage access control.

The outcome of this evaluation process is some level of risk associated with the access controls. Generally speaking, IT auditors like to simplify the assessed risk level as low, medium or high.

Measuring the Strength of Controls

The IT auditor needs to assess the ability of the access controls to mitigate any risk above a certain level. The controls should be based on the level of risk/sophistication of the system; that is, the greater the risk, the stronger the controls should be. The IT auditor needs to be careful not to oversimplify the audit procedures, i.e., to simply verify that a login is required for network access without regard to the overall risk.

Figure 1 (generally accepted best practices and metrics for password policy; not reproduced on this page)

One common way of developing an effective IT audit procedure is to compare best practices for the object being audited against the practices actually employed. For example, what are the best practices for access control and passwords? The IT auditor can use those best practices to evaluate the effectiveness of access controls at the level of the login, and passwords in particular. Figure 1 provides some of the generally accepted best practices for password policy, and for each a metric that is generally considered the best way to set that aspect of the policy (these are not absolutes). This list of best practices and metrics gives the IT auditor a road map for assessing the strength of the entity's password-policy practices.

If the risk is low, the IT auditor probably has a limited scope and a small number of audit procedures for evaluating the effectiveness of the controls. For instance, the IT auditor could attempt a login to some critical application or the network server and verify that the login process is at least working, i.e., that a wrong password is rejected. The access control itself needs to "fit" the circumstances of low risk; that is, a strong password and the relevant password policies (see figure 1, numbers 1 and 6) would probably be enough to mitigate a low level of risk.

If the risk is medium, however, a strong password alone is not sufficient to mitigate the risk. For instance, if the entity is a financial institution with online access to financial accounts, the level of access control risk is probably medium or high because of threats such as identity theft. If an entity allows remote access for its employees, the same result is likely: medium or high risk for access control. At levels above low, the entity should employ multifaceted (multifactor) controls, i.e., combine another access control with the password policy and controls shown in numbers 1-6 in figure 1 (a single-factor login).

One way to accomplish that objective is a second login with a different ID and password for the more sensitive access (e.g., network access is the first level, but a second ID and password are required to open the payroll application). Note that a second password narrows who is authorized for the sensitive application, but it is the same kind of factor as the first one and can be captured or guessed the same way. The other way, which adds a genuinely different factor, is to require something other than a password, e.g., a smart card, a temporary PIN or a biometric such as a fingerprint.

The common framework for multifaceted access controls is something you know (e.g., ID and password, mother's maiden name, personal facts), something you have (e.g., a smart card, or the registered device to which a temporary PIN is sent) and something you are (i.e., a biometric). Each kind of factor has its own failure mode: something you know can be guessed or discovered, something you have can be lost or stolen, and a biometric can be spoofed and cannot be replaced once its template is compromised. The strength of multifactor authentication comes from combining factors of different kinds, so that an attacker must defeat more than one of them; stacking several controls of the same kind (a password plus personal questions) adds far less.

Thus, a bank that is assessed at a high level of risk associated with access control, because of online banking, and that requires only a login (ID and password) plus the customer's mother's maiden name does not employ a level of effectiveness sufficient for that risk; the fit is not appropriate. Mother's maiden name is often a matter of public record, so the effective level is low to medium at best. A bank that instead requires two questions on personal information not easily obtained from Internet search engines or other sources has somewhat stronger access control, even though it still relies only on the first kind of factor (things the customer knows).

The stronger, more effective approach is to add a control of the second kind (e.g., a temporary PIN sent to a preestablished channel; a registered phone or hardware token is preferable to an e-mail account, since a mailbox is itself usually protected only by another password) or of the third kind, a biometric.

The same holds for a high level of risk associated with remote access and/or wireless access. A temporary PIN delivered to a pager or similar device, or a smart card, would strengthen the access controls to fit the level of risk more appropriately; a biometric can add a third kind of factor where the risk justifies its cost and its own weaknesses are managed. For example, using a virtual private network (VPN) for remote access is an effective control for protecting the communications during the online session. But how does the entity know users are who they say they are? How does the entity authenticate the user before the tunnel is established?

Therefore, stacking several knowledge-based controls (a password plus personal questions) is not the same as having sufficient authentication for a high-risk system. Many entities use private information about the user (college roommate, favorite "fill in the blank," etc.) as a second control, and it may serve adequately at moderate risk. Likewise, something the user has is a stronger second factor, although it can be lost or stolen, which is why it should be paired with the password rather than replace it. A biometric is an effective way to authenticate the user, but it is not the only way and not a substitute for the other factors: a fingerprint cannot be changed if its stored template is compromised, and every biometric system has a nonzero false-acceptance rate.

Thus, IT auditors use these steps and information to seek alignment between the level of risk and the level of effectiveness of access control in their evaluation and audit procedures.

Test of Controls

The IT auditor should be able to develop appropriate audit objectives based on the assessed level of risk, best practices and the principle of alignment. For example, does the entity sufficiently control unauthorized access of high-risk (sensitive) information, data and/or systems?

Next is the matter of how to execute, but execution is more complicated than it sounds. Often access controls and password policy are so spread out in the network system and software that there is no easy way to gather the appropriate information. However, sometimes it is possible to gather it fairly efficiently.

One way to illustrate the step of developing audit procedures is to use the access control information from the risk assessment and the best practices, and assume the entity is running Microsoft Windows Server with Active Directory. The IT auditor can connect to the domain and conduct some quick and effective tests against the evaluation process and results. Using a utility such as SomarSoft's DumpSec (or the equivalent queries from the PowerShell ActiveDirectory module on current versions of Windows), the IT auditor can print out users and their access rights, something far more cumbersome to gather by hand. The tool enumerates users, groups and permissions into a table from which the auditor can assess effectiveness in such areas as "need to know," admin access and terminated employees (see numbers 4-6 in figure 1).

For this platform, the IT auditor would also want to dump the permissions on shared folders. For instance, if the entity compiles data into a spreadsheet and manipulates it to generate financial reports, the folder containing those files should be restricted to a limited number of authorized employees and certainly not accessible to everyone in the entity. Both the share-level permissions and the NTFS permissions on the folder matter; the effective right is the more restrictive of the two, so the auditor should look at both. The dumped permissions let the IT auditor evaluate quickly the effectiveness of existing access controls over those sensitive (i.e., high-risk) files.

Also associated with this platform is the ability to review the password policy established by IT staff. That policy (minimum length, complexity, maximum age, history and lockout) is set in the domain's group policy (by default, the Default Domain Policy); it can be displayed with "net accounts /domain" at a command prompt or viewed in the Group Policy Management console, and then compared with the best practices in figure 1 to evaluate how many of them are employed. Where fine-grained password policies are in use (Windows Server 2008 and later), a group of users may be subject to a different policy than the domain default, so those should be reviewed as well.

Perhaps one additional test would be to see whether the IT auditor can log on to the network server with a default login, such as a vendor's default ID (e.g., admin or administrator) with a blank or well-known password.1 Such a login is considered a high-risk access control because of the global access it grants to permissions and the network. The IT auditor wants to gain some assurance that the built-in administrator account has a strong, nondefault password (and, ideally, has been renamed and is used only when named administrative accounts will not do), because default credentials are published and are among the first things attackers try. Two cautions apply: attempting logins is an active test and should be covered by the written audit authorization, and the auditor should check the account lockout threshold first so that the test does not lock out a production account.
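The following PowerShell script is an added example, not code from the original article or from DumpSec, of how the tests described above (admin access and need to know, terminated employees still enabled, the domain password policy, the built-in Administrator account, and share and NTFS permissions on a sensitive folder) can be gathered read-only on a current Active Directory domain. It assumes the RSAT ActiveDirectory module on a domain-joined workstation with read access to the domain; the file server and share (FILESRV01, Finance), the privileged group list and every numeric threshold are assumptions that stand in for the entity's values and the figure 1 metrics, which this page does not reproduce.

```powershell
# Added example, not code from the article or from DumpSec: read-only
# Active Directory access-control checks an IT auditor can run from a
# domain-joined workstation with the RSAT ActiveDirectory module installed.
# Every threshold, group and path below is an assumption; replace them with
# the entity's own values and the figure 1 metrics.
Import-Module ActiveDirectory

$MinPasswordLength  = 8        # assumed thresholds standing in for figure 1
$MaxPasswordAgeDays = 90
$MinHistoryCount    = 5
$StaleDays          = 90       # enabled accounts idle longer than this
$PrivilegedGroups   = 'Domain Admins', 'Enterprise Admins', 'Administrators'   # Enterprise Admins exists only in the forest root domain
$SensitivePaths     = '\\FILESRV01\Finance'   # assumed share holding the reporting spreadsheets
$BroadPrincipals    = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

$domain   = Get-ADDomain
$findings = New-Object System.Collections.Generic.List[string]
$BroadPrincipals += "$($domain.NetBIOSName)\Domain Users"

# 1. Domain password policy versus the thresholds (figure 1). Fine-grained
#    policies can override the default for particular groups, so list them too.
$pol    = Get-ADDefaultDomainPasswordPolicy
$maxAge = $pol.MaxPasswordAge.TotalDays   # 0 (or a huge value) means the password never expires
if ($pol.MinPasswordLength -lt $MinPasswordLength)     { $findings.Add("Minimum password length is $($pol.MinPasswordLength)") }
if (-not $pol.ComplexityEnabled)                       { $findings.Add('Password complexity is not enforced') }
if ($maxAge -le 0 -or $maxAge -gt $MaxPasswordAgeDays) { $findings.Add("Maximum password age is $maxAge days") }
if ($pol.PasswordHistoryCount -lt $MinHistoryCount)    { $findings.Add("Password history keeps only $($pol.PasswordHistoryCount) passwords") }
if ($pol.LockoutThreshold -eq 0)                       { $findings.Add('Account lockout is disabled') }
$fgpp = Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo

# 2. Admin access and need to know: every user in a privileged group,
#    with nested groups expanded.
$admins = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet |
        Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}

# 3. Terminated or dormant employees still enabled, and accounts exempt from
#    password expiry. LastLogonDate derives from lastLogonTimestamp, which is
#    replicated with up to 14 days of lag, so treat it as approximate.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale  = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, PasswordNeverExpires

# 4. The built-in Administrator account (RID 500) is the "default login" worth
#    checking. It cannot be deleted, so look at whether it was renamed and when
#    its password was last set. This is read-only; guessing its password is an
#    active test that needs written authorization and a look at lockout first.
$builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties PasswordLastSet, LastLogonDate
if ($builtin.SamAccountName -eq 'Administrator') { $findings.Add('Built-in Administrator account still has its default name') }
if (-not $builtin.PasswordLastSet -or $builtin.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
    $findings.Add("Built-in Administrator password last set: $($builtin.PasswordLastSet)")
}

# 5. Share-level and NTFS permissions on the sensitive folder. The effective
#    right is the more restrictive of the two, but both should be limited,
#    so a broad write grant at either level is reported.
$acl = foreach ($path in $SensitivePaths) {
    $server, $share = ($path -split '\\')[2, 3]
    Get-SmbShareAccess -CimSession $server -Name $share |
        Select-Object @{n = 'Path'; e = { $path }}, @{n = 'Level'; e = { 'Share' }},
                      AccountName, AccessControlType, @{n = 'Right'; e = { $_.AccessRight.ToString() }}
    (Get-Acl -Path $path).Access |
        Select-Object @{n = 'Path'; e = { $path }}, @{n = 'Level'; e = { 'NTFS' }},
                      @{n = 'AccountName'; e = { $_.IdentityReference.Value }}, AccessControlType,
                      @{n = 'Right'; e = { $_.FileSystemRights.ToString() }}
}
foreach ($a in $acl | Where-Object { $BroadPrincipals -contains $_.AccountName -and
                                     $_.AccessControlType -eq 'Allow' -and
                                     $_.Right -match 'Write|Modify|Full|Change' }) {
    $findings.Add("$($a.Level) permission on $($a.Path) grants $($a.AccountName) $($a.Right)")
}

# Workpaper output: one CSV per test and the consolidated findings list.
$admins | Export-Csv -NoTypeInformation -Path .\admin-access.csv
$stale  | Export-Csv -NoTypeInformation -Path .\stale-accounts.csv
$acl    | Export-Csv -NoTypeInformation -Path .\share-permissions.csv
$fgpp   | Export-Csv -NoTypeInformation -Path .\fine-grained-policies.csv
$findings
```

Run it from an account that can read the domain and the file server; nothing in it changes a setting. The CSV files are the equivalent of the DumpSec tables and go into the workpapers, while the findings list holds only the items that miss the assumed thresholds, which the auditor should map back to the actual figure 1 metrics before reporting.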

The results of these tests are fairly easy to gather and evaluate and should enable the IT auditor to do a valid assessment of the effectiveness of access controls.

Conclusion

Like most of the audit procedures of today's audit world, IT audit procedures are risk-based, and IT auditors are assessing the appropriate level and scope of controls associated with the residual risks. Access control is one of the more common areas of IT audit concern. This article shows the basics of assessing the level of risk, assessing the effectiveness of controls, and verifying the level and scope of controls and their effectiveness as to whether they are adequate for the risks associated with access control (fit or alignment).

There are some simple tests of controls that an IT auditor can conduct to gain a reasonable and basic understanding of the nature of an entity's access controls and password policies. While there are many more issues and concerns with IT audits, these are meant to illustrate some of the common concerns and how to test them at a basic level. Most assuredly, this methodology could be effective for small to midsized businesses, but might be woefully weak for larger entities. However, these represent a good start for any size business.

Endnotes

1 One can find these defaults by searching for "default logins" in search engines such as Google. They include IDs such as admin and administrator combined with a blank password or with passwords such as admin, administrator or password, among others.

Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
is an associate professor of information systems at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting information systems (IS) using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeast US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications, including the Information Systems Control Journal.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.



© 2008 ISACA All rights reserved.