
Logical Security Applications

            •  Be aware that these reports may show the user and an assigned role but not any additional
               access capability granted directly to the user outside that role. In this case, the auditor should
               suggest report enhancements so the report shows effective access rather than role membership alone.
            •  A person in the business area who is knowledgeable about the system and its functions should
               review these reports.
            •  The report could be separated by business function (accounts payable (AP), accounts receivable
               (AR), general ledger (GL), and fixed assets).
            •  Reviewers are trained on the manner in which such reviews are to be performed.
                    o  If audit trails exist, users' activity within the application could also be reviewed. Such a
                        review is only as good as the audit trails the application actually records.
                    o  Activity of users with privileged access capability is a primary area for evaluation.
                    o  Unauthorized changes to system resources, such as configuration parameters, should be
                        reviewed.

            Terminated Accounts Are Disabled in a Timely Manner

            Processes exist to ensure terminated user accounts are disabled in a timely manner. If SSO is
            enabled, disabling the network ID should prevent use of a still-active application account, because
            the application no longer accepts a login without the network credential. However, procedures should
            also exist to ensure that the application accounts themselves are disabled in a timely manner; an
            account that is merely dormant remains a standing entitlement until it is removed. For example, an
            organization uses SSO for a GL application. The user's network account is disabled, thereby
            prohibiting him or her from logging into the GL application. The organization then has a procedure to
            perform clean-up actions, disabling application accounts within 30 days of user termination.

            Disabling an individual's network access does not guarantee all access is disabled. Accounts that
            authenticate independently of the network ID, such as web, mobile, voice-enabled, smart technology,
            and emergency accounts, and any web applications reachable from outside the organization with their
            own credentials, are not affected when the network account is disabled. All of these accounts must be
            identified and manually disabled or terminated.

            Auditing Application-Layer Security

            The steps taken to audit application-layer security are:

            Test to ensure password features comply with organizational policy.

            Obtain a report of overall application configuration parameters and test to ensure the settings
            associated with security are reasonable.

            Obtain a report of users' access capabilities and test to ensure they are appropriate.
            •  The internal auditor should request the current employee add/transfer/termination report from
               human resources (HR).
            •  The internal auditor should select a sample of users from the HR report and
               compare them to the user access capability report.
            •  The internal auditor should write an observation if:
                    o  New users do not have the access stated in their access request form.



            Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.