Technology may be key to user access audits that safeguard government systems.
Leveraging technology can enable small, municipal governments to provide assurance around complex user access management systems.
By Logan Wamsley, Mar 20, 2025

As cyber threats become more advanced and dangerous, measures to protect organizations’ assets must keep pace. In the physical world, organizations secure physical assets by locking doors and safes. To protect digital assets, businesses must adopt digital equivalents — a practice known as user access management (UAM).
“If you’re not setting things up properly regarding who your system users are, what data and assets they have access to, and what approvals they need to access them, there is potential for something catastrophic to happen,” says Matthew Ragaglia, program auditor for the City of College Station, Texas.
While this is a concern for any organization, the large scale of even basic UAM systems makes this risk particularly difficult for public sector organizations to manage, especially small municipal governments. Understanding the complexities of access management, having a clear strategy, and leveraging technology tools can enable small public sector audit functions to provide more comprehensive coverage of today’s UAM systems.
Ty Elliott, CAE for the City of College Station, identifies four main categories of challenges internal audit functions face when auditing complex UAM systems:
According to Elliott, internal auditors traditionally would use a piecemeal approach to a UAM audit that relied on obtaining documentation or assurance from the IT function, rather than conducting a thorough, independent review. In some cases, auditors could also examine user privileges as a part of another audit, such as an accounts payable audit.
Auditing segregation of duties was a particular problem. Elliott explains that most systems did not incorporate segregation of duties in the past. “For example, if I were auditing a purchasing process, I would ask questions like who has access to the check printing machine, who has access to invoice forms, and who has access to the check signer,” he says. “These were all physical items people had, and all duties could be segregated through maybe one process control and two physical controls.”
This approach is too limited in scope to match the complexity of today’s public sector systems. “A lot of small audit functions in local governments and political subdivisions would struggle with this kind of audit because it’s a very complicated thing to do,” Ragaglia says. “There are so many permissions — thousands of them — and often when you turn one off, it turns on a whole range of other things.”
Making matters worse, many small public sector organizations do not have anyone who understands how these interconnections are set up and what controls are in place. “It’s not just the risk of fraud that’s high, but also the risk of someone being able to cover it up without being caught,” Elliott says. “It’s a big risk everywhere, but it is especially true for the government.”
For all the headwinds resource-strapped internal audit teams face, the good news is that the marketplace is aware of the challenges and there are resources available just waiting to be leveraged — if the audit function knows where to look.
For example, facing UAM auditing challenges, the City of College Station internal audit team pursued a strategy that relied on close collaboration between the city’s IT department and ThirdLine, a risk management and fraud detection software solution designed for government organizations.
“We kind of spawned out of internal audit functions on the public sector side, where a few of us on the team were making analytics specifically for different governments,” says Sam Gallaher, head of Data Science at ThirdLine. “It fills that gap of risk assessment where an audit shop might be doing some really great performance audits and contract compliance, but they don't have a good sense of what's happening in the enterprise resource planning system itself.”
Tools such as this can increase the scope of a UAM audit without the function drastically altering its strategic approach or straining its resources. Without these tools, it is difficult to do a roles and permissions test, Gallaher says. “They either have to write their own code to pull all these spreadsheets, or they do it by hand and they spend a good month or two,” he explains.
Using the software, the City of College Station’s audit function could evaluate user privileges across all departments. It could also identify potential segregation of duties conflicts that do not align with the chosen framework, such as ISACA’s COBIT 2019 Framework: Governance and Management Objectives or the U.S. National Institute of Standards and Technology’s Cybersecurity Framework 2.0. Additionally, the software could rank potential risks by their severity.
Key issues uncovered, Elliott says, included terminated employees who still retained access and multiple users with super-user privileges. In one unique case, their audit discovered that multiple payroll processing employees had super-user privileges, including the ability to create employee records, modify salaries, enter timesheets, and generate payroll.
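The kind of roles and permissions test described above can be sketched in a few lines of Python. This is an added example, not ThirdLine's or the City of College Station's code; the CSV layouts, user names, permission names, the two-or-more-duties rule, and the severity weights are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports (not real data): HR roster and ERP access list.
HR_CSV = """user,status
alice,active
bob,terminated
carol,active
dave,active
"""
ACCESS_CSV = """user,permission
alice,create_employee
alice,modify_salary
alice,enter_timesheet
alice,generate_payroll
bob,enter_timesheet
carol,superuser
dave,superuser
"""

# Assumed rule: a user holding two or more of these payroll duties is a conflict.
PAYROLL_DUTIES = {"create_employee", "modify_salary", "enter_timesheet", "generate_payroll"}
SEVERITY = {"terminated_with_access": 3, "sod_conflict": 2, "superuser": 1}  # assumed weights

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(hr_rows, access_rows):
    status = {r["user"]: r["status"] for r in hr_rows}
    perms = {}
    for r in access_rows:
        perms.setdefault(r["user"], set()).add(r["permission"])
    findings = []
    for user, held in sorted(perms.items()):
        # Accounts missing from the HR roster are treated like terminated ones.
        if status.get(user, "terminated") != "active":
            findings.append((user, "terminated_with_access", sorted(held)))
        overlap = held & PAYROLL_DUTIES
        if len(overlap) >= 2:
            findings.append((user, "sod_conflict", sorted(overlap)))
        if "superuser" in held:
            findings.append((user, "superuser", ["superuser"]))
    # Highest severity first, then user name for a stable report order.
    findings.sort(key=lambda f: (-SEVERITY[f[1]], f[0]))
    return findings

if __name__ == "__main__":
    for user, kind, detail in audit(load(HR_CSV), load(ACCESS_CSV)):
        print(f"{SEVERITY[kind]} {kind:24} {user:6} {', '.join(detail)}")
```

In practice the two inputs would be the HR system's employee roster and the ERP system's user-permission export, and the conflict rules would come from the audit function's chosen framework.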
Training is essential for internal auditors to use software effectively for UAM audits, and some audit functions may need support from vendors to get started. “It’s a high labor, intensive effort, but the reward is worth it because user access is such a high-risk area,” Ragaglia says.
The City of College Station’s experience using technology for UAM audits shows how exploring innovative options can elevate a public sector audit function’s performance to meet today’s risks.