The Vital Role of User Access Controls in Combatting Accounting Fraud


In this era of constant phishing attempts and cyber-attacks, it’s critically important to revisit and strengthen your organization’s user access controls in your accounting system. Many organizations have numerous users set up in their accounting software, many of whom have far more access than they need. Some merely need read-only access, while others may only need access to a specific subsidiary subledger. Just about every accounting package can limit and define the type of access each user has based on that user’s unique login.
Think about the new senior salesperson who was hired and was provided a login to view sales information. He hasn’t been with the company long enough to know that the email he just clicked on wasn’t actually from the controller or finance department, and suddenly his computer is compromised, along with his saved password that logs him into the accounting software. The hacker now has access to banking information and can redirect outgoing electronic payments scheduled to be released.
Or think about your accounts payable clerk who received an email from someone posing as her CFO to set up a new vendor for payment. The vendor is a common one in her industry, so she expects it will be approved when the check is printed and signed. However, the checks slip through the review process because the fraudulent email is presented as supporting documentation when they are signed.
These examples are just two of the ways attackers have been successful. User access controls are critically important for several reasons:
When looking at the user access controls for your organization, think back to the basic rules of segregation of duties to separate individuals involved and responsible for:
Each accounting system provides slightly different options, although just about every system will allow you to define which areas of the accounting system a user may access (banking, accounts receivable, accounts payable, vendor database, general ledger, sales, etc.) as well as the level of access (read-only, posting, approving). New employees will be hired and granted access, but remember that the responsibilities of current employees also evolve over time. Therefore, the best practice is to perform a review of the extent of access per user at least annually. Most accounting systems can print a detailed report describing the level of access for every user, and the first time this detailed review is performed, it’s often shocking to find out how many individuals have full administrative access. The administrator setup generally has access to everything; therefore, admin access should be restricted most tightly, granted only to users who absolutely need it, and is often limited to designated IT individuals.
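As an added example (not from the original article), the following script performs the kind of review described above: it reads a per-user access report in an assumed CSV layout and flags full administrative access held outside IT, as well as a few assumed segregation-of-duties conflicts such as the vendor-setup-plus-payment-approval combination from the accounts payable scenario.

```python
import csv
import io

# Constructed sample of a per-user access report, in the shape most accounting
# systems can export: one row per user/area, level is read-only, posting,
# approving, or admin (column names are assumed).
SAMPLE_REPORT = """\
user,role,area,level
jsmith,sales,sales,read-only
apclerk,accounts payable,vendor database,posting
apclerk,accounts payable,accounts payable,approving
controller,finance,general ledger,posting
controller,finance,accounts payable,approving
itadmin,it,*,admin
mjones,sales,*,admin
"""

# Assumed segregation-of-duties rules: one user holding both sides of a pair
# could set up and pay a fictitious vendor, or post and release funds unchecked.
SOD_CONFLICTS = [
    (("vendor database", "posting"), ("accounts payable", "approving")),
    (("accounts payable", "posting"), ("banking", "approving")),
]

# Assumed: only these roles are expected to hold full administrative access.
ADMIN_ROLES = {"it"}


def load_access(report_text):
    """Return {user: {"role": str, "grants": set of (area, level)}}."""
    users = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        entry = users.setdefault(row["user"], {"role": row["role"], "grants": set()})
        entry["grants"].add((row["area"], row["level"]))
    return users


def review_access(report_text):
    """Flag admin access outside ADMIN_ROLES and toxic duty combinations."""
    findings = []
    for user, info in load_access(report_text).items():
        grants = info["grants"]
        if ("*", "admin") in grants and info["role"] not in ADMIN_ROLES:
            findings.append((user, "full admin access outside IT"))
        for first, second in SOD_CONFLICTS:
            if first in grants and second in grants:
                findings.append((user, f"SoD conflict: {first[0]}/{first[1]} + {second[0]}/{second[1]}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in review_access(SAMPLE_REPORT):
        print(f"{user}: {issue}")
```

Running it against the sample report flags the salesperson who was given admin access and the AP clerk who can both create vendors and approve payments; the controller's general ledger posting plus AP approval is not in the assumed rule set and therefore passes.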
Simply documenting the access rights of each individual will quickly bring to light any potential weaknesses, will ultimately promote a solid control environment throughout the organization, and can help prevent small problems from becoming enormous challenges.