Is Your Company Slacking When It Comes To IT General Controls?
IT General Controls (ITGC) have become an increasingly important part of financial audits in recent years, driven by the growing reliance on technology in financial reporting processes and by recent changes in audit standards. In performing ITGC reviews, GBQ’s business technology solutions team identified several recurring weaknesses where improvements would reduce enterprise risk. The key trends observed across all industries are summarized below.
- The principle of least privilege is not being followed.
- User account reviews are not regularly performed.
- Strong password policies and multi-factor authentication are not in place.
- Change management processes are not in place.
- Disaster recovery planning and testing are not performed.
- Backup and recovery needs for financial applications are not well understood.
To narrow that list further, this article focuses on two topics that together cover the six bullet points above: People Management and Data Management.
People Management
Our business technology solutions team found that very few organizations perform regular account reviews for their local networks or financial applications. Combined with the expansive use of privileged accounts and weak password policies, this produces a significant risk in the event of an account takeover: a stale, over-privileged account protected only by a password gives an attacker broad access that nobody is watching for.
To mitigate these risks, organizations should take the following actions:
- Implement a policy to review user accounts every quarter, covering both network and financial application accounts. This ensures that access levels remain appropriate and that inactive accounts are promptly disabled, reducing the potential for unauthorized access.
- Enforce the principle of least privilege by ensuring users have only the minimum access necessary to perform their duties. This limits the potential damage that can be done if an account is compromised.
- Develop and mandate the use of strong passwords. Require passwords of at least 12 characters that are unique to each system, screen new passwords against lists of known-breached passwords, and rotate credentials when there is evidence of compromise rather than on a fixed schedule (current NIST SP 800-63B guidance advises against mandatory periodic changes, which push users toward predictable variations of the old password). Password managers help users create and store strong, unique passwords securely.
- Require multi-factor authentication for all accounts, and prefer phishing-resistant methods (such as FIDO2 security keys) for privileged access. MFA provides an additional layer of security, making it more difficult for attackers to gain access even if they have a user’s password.
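The quarterly account review described above is easy to describe and easy to skip, so the following is an added example (not code from the original article or from GBQ) of what the review actually checks. It runs over a constructed CSV export of accounts; the column names, the privileged group names (`Domain Admins`, `ERP_Admins`) and the 90-day inactivity threshold are assumptions to be mapped onto your own directory or ERP export. It flags enabled accounts nobody has used, privileged accounts without MFA, and disabled accounts that still hold privileged group memberships (re-enabling such an account silently restores admin rights).

```python
"""Quarterly user account review over a constructed directory export."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data). Column names and group names
# are assumptions for this example; map them to your own directory/ERP export.
SAMPLE_EXPORT = """username,enabled,last_logon,groups,mfa_enrolled
jdoe,true,2024-05-28,Finance_Users,true
asmith,true,2024-01-03,Finance_Users;ERP_Admins,false
svc_backup,true,2024-05-30,Domain Admins,false
bjones,false,2023-11-15,ERP_Admins,true
kwong,true,2024-05-29,Finance_Users,true
"""

# Assumed privileged group names; adjust to the environment under review.
PRIVILEGED_GROUPS = {"Domain Admins", "ERP_Admins"}
INACTIVE_DAYS = 90  # review threshold for enabled accounts with no logon


def parse_export(text):
    """Turn a CSV export into typed account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": date.fromisoformat(row["last_logon"]),
            "groups": {g for g in row["groups"].split(";") if g},
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
        })
    return accounts


def review_accounts(accounts, as_of, inactive_days=INACTIVE_DAYS,
                    privileged_groups=PRIVILEGED_GROUPS):
    """Return (username, finding_code, detail) tuples for the reviewer."""
    cutoff = as_of - timedelta(days=inactive_days)
    findings = []
    for acct in accounts:
        priv = acct["groups"] & privileged_groups
        # Enabled accounts nobody has used: candidates for disablement.
        if acct["enabled"] and acct["last_logon"] < cutoff:
            findings.append((acct["username"], "INACTIVE",
                             f"enabled, no logon since {acct['last_logon']}"))
        # Privileged access protected only by a password.
        if priv and not acct["mfa_enrolled"]:
            findings.append((acct["username"], "PRIV_NO_MFA",
                             f"in {sorted(priv)} without MFA"))
        # Disabled accounts still carrying privileged group memberships:
        # re-enabling the account silently restores admin rights.
        if priv and not acct["enabled"]:
            findings.append((acct["username"], "DISABLED_PRIV",
                             f"disabled but still in {sorted(priv)}"))
    return findings


def run_review(export_text, as_of_iso):
    """Convenience wrapper: parse the export and review it as of a date."""
    return review_accounts(parse_export(export_text), date.fromisoformat(as_of_iso))


def summarize(findings):
    """Count findings per code, e.g. for a review sign-off sheet."""
    counts = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_review(SAMPLE_EXPORT, "2024-06-01")
    for user, code, detail in results:
        print(f"{code:14} {user:12} {detail}")
    print(summarize(results))
```

Each finding should map to an action with an owner (disable, remove from group, enroll in MFA) and be signed off; the summary counts give the auditor evidence that the review happened and what it found.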
Data Management
A lack of documented change management procedures, disaster recovery planning, and understanding of backup and recovery procedures for financial applications were identified in many ITGC walkthroughs. Outages, corrupt updates, or similar incidents could cause unforeseen downtime for financial applications and could result in the loss of data.
To mitigate these risks, organizations should take the following actions:
- Change Management Processes: Establish and maintain robust change management processes. Document, test, and approve all changes to systems and applications before they reach production, so that an update cannot introduce new vulnerabilities or break financial processing unnoticed.
- Disaster Recovery Planning and Testing: Develop comprehensive disaster recovery plans and test them regularly. Define recovery time and recovery point objectives (RTO/RPO) for each critical financial application, and ensure that backup and recovery procedures are well-understood and proven through actual restore tests, not just backup job logs, to minimize downtime and data loss in the event of an incident.
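A backup that has never been restored is an assumption, not a control. The following is an added example (not code from the original article or from GBQ) of a restore drill for a small financial database, using SQLite as a stand-in for a real ERP database. It takes an online backup, restores it to a fresh location, verifies integrity and a content fingerprint (row count and balance) against the source, and checks the restore time against an assumed RTO. The sample journal rows, the `journal` table, and the 5-second RTO are constructed for this example; a `corrupt_backup` switch shows that a drill must fail loudly when the copy is unusable.

```python
"""Backup-and-restore drill for a small financial database (SQLite stand-in)."""
import os
import shutil
import sqlite3
import tempfile
import time


def create_sample_ledger(path):
    """Constructed sample journal (not real financial data)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE journal (id INTEGER PRIMARY KEY, account TEXT, amount_cents INTEGER)")
    conn.executemany(
        "INSERT INTO journal (account, amount_cents) VALUES (?, ?)",
        [("1000-Cash", 125000), ("4000-Revenue", -125000),
         ("2000-AP", 4200), ("5000-Expense", -4200)],
    )
    conn.commit()
    conn.close()


def ledger_fingerprint(path):
    """Row count and balance, used to compare source and restored copies."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute(
            "SELECT COUNT(*), COALESCE(SUM(amount_cents), 0) FROM journal").fetchone()
    finally:
        conn.close()


def take_backup(src_path, backup_path):
    """Online, transactionally consistent copy via SQLite's backup API."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(backup_path)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()


def restore_test(backup_path, restore_path, expected_fingerprint, rto_seconds):
    """Restore the backup to a fresh location and verify it is usable.

    'passed' is True only if the file is intact, its content matches the
    source fingerprint, and the restore finished within the RTO.
    """
    start = time.monotonic()
    shutil.copyfile(backup_path, restore_path)  # the "restore" step
    result = {"integrity": None, "fingerprint": None, "elapsed_s": None, "passed": False}
    conn = sqlite3.connect(restore_path)
    try:
        result["integrity"] = conn.execute("PRAGMA integrity_check").fetchone()[0]
        result["fingerprint"] = conn.execute(
            "SELECT COUNT(*), COALESCE(SUM(amount_cents), 0) FROM journal").fetchone()
    except sqlite3.DatabaseError as exc:
        # A corrupt or non-database file surfaces here; record it, don't hide it.
        result["integrity"] = f"error: {exc}"
    finally:
        conn.close()
    result["elapsed_s"] = time.monotonic() - start
    result["passed"] = (result["integrity"] == "ok"
                        and result["fingerprint"] == expected_fingerprint
                        and result["elapsed_s"] <= rto_seconds)
    return result


def run_drill(rto_seconds=5.0, corrupt_backup=False):
    """End-to-end drill in a temp directory; corrupt_backup simulates a bad copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "ledger.db")
        bak = os.path.join(tmp, "ledger.bak")
        restored = os.path.join(tmp, "ledger.restored.db")
        create_sample_ledger(src)
        expected = ledger_fingerprint(src)
        take_backup(src, bak)
        if corrupt_backup:
            # Overwrite the backup with garbage: the drill must catch this.
            with open(bak, "wb") as f:
                f.write(b"not a database" * 64)
        return restore_test(bak, restored, expected, rto_seconds)


if __name__ == "__main__":
    print("good backup:", run_drill())
    print("corrupt backup:", run_drill(corrupt_backup=True))
```

In a real environment the fingerprint would be a set of control totals the finance team already reconciles (trial balance, row counts per ledger), and the drill result, including elapsed time versus RTO, is the evidence to keep for the auditor.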
By implementing these actions, organizations can significantly reduce their enterprise risk and enhance the security of their IT environments.
Address Your Weaknesses To Embrace IT Strength
Addressing these weaknesses is crucial for enhancing the security of ERP systems. Organizations should prioritize regular account reviews, limit administrative privileges, enforce strong password policies, and ensure a thorough understanding of backup and recovery procedures. By doing so, they can significantly reduce the risk of security breaches and ensure the integrity and availability of their ERP systems.
Contact GBQ’s business technology solutions team to learn how we can help empower the growth of your organization through ERP selection, security control reviews, and workshops to develop change management, business continuity, and disaster recovery programs.
By John Stuart, manager, business technology solutions