In this day of constant phishing attempts and cyber-attacks, it’s critically important to revisit and strengthen your organization’s user access controls in your accounting system. Many organizations have numerous users set up in their accounting software, and many of those users have far more access than their job requires. Some merely need read-only access, while others may only need access to a specific subsidiary subledger. Just about every accounting package can limit and define the type of access each user has based on that user’s unique login.
Think about the new senior salesperson who was hired and was provided a login to view sales information. He hasn’t been with the company long enough to know that the email he just clicked on wasn’t actually from the controller or finance department, and suddenly his computer is compromised, along with his saved password that logs him into the accounting software. The hacker now has access to banking information and can redirect outgoing electronic payments scheduled to be released.
Or think about your accounts payable clerk who received an email from someone posing as her CFO to set up a new vendor for payment. The vendor is a common one in her industry, so she expects it will be approved when the check is printed and signed. However, the checks slip through the review process due to the supporting fraudulent email provided when the checks are signed.
These examples are just two ways hackers have been successful. User access controls are critically important for several reasons:
- Preventing Fraud – Controls limit what an outside attacker can do with a compromised login, and they also remove opportunities for internal users to misuse the system.
- Data Integrity – By limiting editing access, you also maintain the accuracy and reliability of financial information.
- Confidentiality – Certain sensitive information should be limited based upon the credentials of the user and limited to specified stakeholders.
- Audit Trail – Access controls provide an audit trail of who accesses what information, as well as when, to review suspicious activity.
- Operational Efficiency – Proper controls streamline operations by ensuring that users have access only to the information needed for their roles, which both reduces errors and improves overall workflow.
When looking at the user access controls for your organization, think back to the basic rules of segregation of duties, which separate the individuals responsible for each of the following:
- Approval of invoices should be performed by an individual in the department responsible for the receipt of goods/services. He generally would have read-only access to the system in order to review invoices and approve the setup of new vendors but with no ability to process payments himself.
- Processing of the invoice is then ideally performed by a second individual who is responsible for proper coding of the expense when the payment (either check or electronic payment) is initiated. This user would have rights in the accounting system only to enter previously established and approved vendors and should not be able to set up new vendors in the system.
- Authorization of the payment (such as check signing and approving electronic payments) is performed by a third individual who was not involved in the initial invoice/vendor approval or payment process. This user generally would also have read-only access as she is not initiating or entering transactions into the accounting system, but only approving the final disbursements of funds.
Each accounting system provides slightly different options, although just about every system will allow you to define which areas of the accounting system you want a user to access (banking, accounts receivable, accounts payable, vendor database, general ledger, sales, etc.) as well as the level of access (read-only, posting, approving). New employees will be hired and granted access, but remember that the responsibilities of current employees also evolve over time. Therefore, the best practice is to perform a review of the extent of access per user at least annually. Most accounting systems can print a detailed report describing the level of access for every user, and the first time this detailed review is performed, it’s often shocking to find out how many individuals have full administrative access. The administrator setup generally has access to everything; therefore, admin access should be the most tightly restricted, granted only to users who absolutely need it, and is often limited to designated IT staff.
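The segregation-of-duties rules above and the annual access review can be turned into a repeatable check. The following is an added example, not code from the article or from any accounting vendor: it reads a constructed user-access export (the CSV layout, module names, role names and user names are all assumptions for illustration), compares each login against the role it is supposed to hold, flags full administrative access, and flags logins whose combined rights violate the three-person approve/process/authorize split described in the list.

```python
"""
Access review over a constructed accounting-system user-access export.
Assumptions: the export is CSV with columns user,module,level; levels are the
article's read-only / posting / approving tiers plus an 'admin' tier that
grants everything; a module of '*' means all modules.
"""
from collections import defaultdict

# Constructed sample export (not a real vendor report).
SAMPLE_REPORT = """\
user,module,level
jdoe,vendors,posting
jdoe,accounts_payable,posting
asmith,accounts_payable,read-only
asmith,vendors,approving
bcfo,banking,approving
bcfo,accounts_payable,read-only
itadmin,*,admin
salesnew,banking,posting
salesnew,sales,read-only
"""

# Approved rights per role, modelled on the three roles in the article.
# Role names are hypothetical.
ROLE_TEMPLATES = {
    "invoice_approver":   {("accounts_payable", "read-only"), ("vendors", "approving")},
    "ap_processor":       {("accounts_payable", "posting")},
    "payment_authorizer": {("banking", "approving"), ("accounts_payable", "read-only")},
    "sales":              {("sales", "read-only")},
    "it_admin":           {("*", "admin")},
}

# Which role each login is supposed to hold (constructed HR/role register).
ASSIGNED_ROLE = {
    "jdoe": "ap_processor",
    "asmith": "invoice_approver",
    "bcfo": "payment_authorizer",
    "salesnew": "sales",
    "itadmin": "it_admin",
}

# Combinations of rights that should never sit with a single login.
SOD_RULES = [
    ("creates vendors and initiates payments",
     {("vendors", "posting"), ("accounts_payable", "posting")}),
    ("enters payments and approves disbursements",
     {("accounts_payable", "posting"), ("banking", "approving")}),
    ("approves vendor setup and approves payments",
     {("vendors", "approving"), ("banking", "approving")}),
]


def parse_report(text):
    """Return {user: {(module, level), ...}} from the CSV export."""
    perms = defaultdict(set)
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    for line in lines[1:]:
        fields = dict(zip(header, line.split(",")))
        perms[fields["user"]].add((fields["module"], fields["level"]))
    return perms


def review_access(perms, assigned_role):
    """Return a list of (user, finding) pairs for the reviewer to act on."""
    findings = []
    for user, user_perms in sorted(perms.items()):
        role = assigned_role.get(user)
        if role is None:
            findings.append((user, "no assigned role on record"))
        else:
            # Anything beyond the approved template is excess privilege.
            excess = user_perms - ROLE_TEMPLATES[role]
            for module, level in sorted(excess):
                findings.append((user, f"access beyond role {role}: {module}/{level}"))
        if any(level == "admin" for _, level in user_perms):
            # Admin implies every module at every level; report it once and
            # skip the SoD rules, which it would trip by definition.
            findings.append((user, "full administrative access"))
            continue
        for description, conflict in SOD_RULES:
            if conflict <= user_perms:  # user holds every right in the conflict set
                findings.append((user, "SoD conflict: " + description))
    return findings


def run_review(report=SAMPLE_REPORT, roles=ASSIGNED_ROLE):
    return review_access(parse_report(report), roles)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:10} {finding}")
```

On the sample data the invoice approver and payment authorizer come back clean, the AP processor is flagged both for excess vendor-creation rights and for the resulting vendor/payment conflict, the new salesperson is flagged for posting rights in banking that the sales role does not include, and the IT login is listed as a full administrator to be confirmed against the designated-admin list. In practice the export, role register and role templates would be read from files rather than embedded.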
Simply documenting the access rights held by each individual will quickly bring any potential weaknesses to light, will promote a solid control environment throughout the organization, and can help prevent small problems from becoming enormous challenges.