P. 136

Logical Security Applications

cash function (e.g., on two separate floors in the same building); but, logically, they could both have
access to the bank reconciliation and cash management systems.

Concepts

The following are some concepts internal auditors should be aware of while considering security at
the application layer:

Authentication

Authentication of an application usually occurs using single sign-on (SSO) or by the application
itself. Using SSO or similar relies on the network password features. Logging in without SSO requires
use of the application-specific password features. Application-specific passwords:

• Are usually contained within the general configuration settings of the application.
• May not be as robust as those within the network.
• Are set as closely as possible to the organization’s policy.

Typically, the application password table is encrypted using one-way encryption, and access to the
application password table is restricted.

Access Capability

User access capability is usually assigned by role. A role is a set of functions or activities that are
grouped together for a specific activity. For example, the general ledger accountant’s role would
allow input of journal entries, creation of trial balances, and other financial reports; however, it may
not allow entry of invoices, which is part of the accounts payable clerk role.

Role-based security is an efficient method to assign user access. For example, all accountants could be
assigned to one role. Sometimes, a user may require additional access capability beyond a role. For
example, the accounting supervisor is assigned the accountant’s role, but may require access to
additional functionality, such as the capability to review and approve others’ journal entries.
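As an added example (not part of the course text): roles modelled as sets of functions, a user's effective access as the union of role functions plus individually granted capabilities (the supervisor case above), and an audit check that lists users whose effective logical access combines duties that should be separated. The role names, users and conflict pairs are constructed for illustration.

```python
# Added example, not from the course text: role-based access plus an audit check
# over effective access. Roles, users and conflict pairs are constructed.
from dataclasses import dataclass, field

# Roles as sets of functions, following the section's examples.
ROLES = {
    "general_ledger_accountant": {"input_journal_entry", "create_trial_balance", "run_financial_report"},
    "accounts_payable_clerk": {"enter_invoice"},
    "cashier": {"cash_management"},
    "reconciler": {"bank_reconciliation"},
}

# Constructed segregation-of-duties pairs; a real engagement uses the organisation's own matrix.
# The second pair is a finding to follow up (does the application block self-approval?), not a defect.
SOD_CONFLICTS = [
    ("cash_management", "bank_reconciliation"),
    ("input_journal_entry", "approve_journal_entry"),
]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    extra: set = field(default_factory=set)  # capabilities granted beyond any role


def effective_access(user, roles=ROLES):
    """Union of every assigned role's functions plus individually granted capabilities."""
    access = set(user.extra)
    for role in user.roles:
        access |= roles[role]
    return access


def is_authorized(user, function, roles=ROLES):
    return function in effective_access(user, roles)


def sod_violations(users, conflicts=SOD_CONFLICTS, roles=ROLES):
    """Return (user, a, b) for each user whose effective access holds both sides of a conflict."""
    findings = []
    for user in users:
        access = effective_access(user, roles)
        findings += [(user.name, a, b) for a, b in conflicts if a in access and b in access]
    return findings


USERS = [  # constructed sample population
    User("alice", {"general_ledger_accountant"}),
    User("bob", {"accounts_payable_clerk"}),
    User("carol", {"general_ledger_accountant"}, {"approve_journal_entry"}),  # supervisor
    User("dave", {"cashier", "reconciler"}),  # separate desks, but the same logical access
]
```

Run `sod_violations(USERS)` to get the review list; physical separation (the two floors in the opening paragraph) does not appear in it, only what the application actually grants.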

Global Settings

Global settings are overall settings that set the global functionality of a system. They are usually
one-time set-up features and are not changed later. Global settings typically take the form of a
parameter with a yes or no flag.

Examples include features that:

• Allow debit transactions to equal credit transactions upon entry.
• Require the master general ledger (GL) account to equal the subsidiary ledger (i.e., fixed assets,
  accounts receivable, or accounts payable [AP])



            Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.