Making auditors happy: Business software security and controls

Have you heard the phrase “risk is the new black”? It captures the fact that what people once thought was safe has changed radically. As a result, organizations are now expected to give investors, customers and regulators verifiable assurance that the controls needed to manage risk are in place: segregation of duties, integrity of operations and auditability.

It is becoming increasingly common to hear auditors ask about:

  • Oversight and control over transactions and operations
  • Monitoring and documentation of information flows and business transactions
  • Detection and prevention of accidental and deliberate changes that would increase risk or compromise business operations.

Before you ask your auditors to perform a governance, risk and compliance assessment of your business, consider whether your software system addresses four key security issues:

  1. Access
  2. Control
  3. Monitoring
  4. Auditing

Access control is a standard feature of any software that has logins and passwords, and it should let you secure access at several levels within the application. From widest to most detailed, these levels are:

  1. The system
  2. Company
  3. Program
  4. Transactions
  5. Activity
  6. Field

This means an operator’s access can be limited to a fine level: not just to a program, but to specific data within it, such as particular warehouses and branches. The useful test is not whether such restrictions are available but whether they are actually configured, with each operator granted only what their job requires.
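The following is an added example of how a hierarchical, default-deny access check over those six levels can be expressed and tested. It is not code from the original post or from any vendor’s product: the level names come from the post, but the rule format, the operator names, the company and program codes and the warehouse codes are constructed for illustration.

```python
# Added example (not the original post's code, nor any vendor's implementation):
# a hierarchical, default-deny access check with data-level scoping.
# The six levels come from the post; the rule format, operator names,
# company/program codes and warehouse codes below are constructed.

LEVELS = ("system", "company", "program", "transaction", "activity", "field")

# Rules are keyed by a path prefix over the levels above. The longest matching
# prefix decides; with no matching prefix at all, access is denied.
OPERATORS = {
    "clerk": {
        "rules": {
            ("ERP", "ACME", "INVENTORY"): "allow",
            ("ERP", "ACME", "INVENTORY", "stock_adjust", "post"): "deny",
            ("ERP", "ACME", "INVENTORY", "stock_adjust", "view", "unit_cost"): "deny",
        },
        "warehouses": {"WH01", "WH02"},   # data-level restriction
    },
    "supervisor": {
        "rules": {("ERP", "ACME"): "allow"},
        "warehouses": None,               # None means no warehouse restriction
    },
}


def check_access(operator, path, warehouse=None):
    """Return (allowed, reason) for an access path such as
    ("ERP", "ACME", "INVENTORY", "stock_adjust", "post")."""
    if len(path) > len(LEVELS):
        raise ValueError("path has more components than there are levels")
    profile = OPERATORS[operator]
    # Walk from the most specific prefix to the widest; the first rule found wins,
    # so a field- or activity-level deny overrides a program-level allow.
    for n in range(len(path), 0, -1):
        prefix = tuple(path[:n])
        decision = profile["rules"].get(prefix)
        if decision is not None:
            if decision == "deny":
                return False, f"denied at {LEVELS[n - 1]} {'/'.join(prefix)}"
            break
    else:
        return False, "no matching rule (default deny)"
    # An allow still has to pass the data-level (warehouse) scope.
    scope = profile["warehouses"]
    if warehouse is not None and scope is not None and warehouse not in scope:
        return False, f"warehouse {warehouse} outside operator scope"
    return True, f"allowed at {LEVELS[n - 1]} {'/'.join(prefix)}"


if __name__ == "__main__":
    view = ("ERP", "ACME", "INVENTORY", "stock_adjust", "view")
    post = ("ERP", "ACME", "INVENTORY", "stock_adjust", "post")
    for op, p, wh in [("clerk", view, "WH01"), ("clerk", post, "WH01"),
                      ("clerk", view, "WH09"), ("supervisor", post, "WH09")]:
        print(op, p[-1], wh, check_access(op, p, wh))
```

The two design choices worth copying are the default deny when no rule matches (an operator with no rule for another company gets nothing there, even though they hold a program-level allow elsewhere) and the separate data scope, which is applied after the hierarchical decision so a permitted transaction is still refused for a warehouse outside the operator’s remit.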

Your software system should be configured to suit your organization’s control requirements. These controls give the business a much greater level of accountability, promote segregation of duties, and make activities traceable throughout the system.

Operator control lets security be managed at the individual level. Operators can be placed in groups and sub-groups so that security administration mirrors organizational divisions such as departments and teams.

You can streamline controls further with role-based security. A default organogram provides a starting point for role management and can then be customized to fit different hierarchies.

Business processes can be defined against a general ledger code so that the code is used only for the transactions appropriate to it.

Electronic signatures (e-signatures) secure transactions by authenticating the operator who performs specific transactions, and they record who performed a transaction and when. They only give that assurance if the operator has to re-authenticate at the point of the transaction rather than the system simply relying on the existing login session, so check how the signature is captured.

Monitoring can be done via:

  • Event logging and management
  • Triggers and alerts
  • Role conflict detection

These can be automated to provide continuous controls monitoring.

Events are the activities the system records; triggers and alerts are rules applied to those events that notify a user when a defined condition is met. Together they let you identify abnormal events that may point to fraudulent activity, such as one operator both raising and approving the same transaction.
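As an added example of continuous controls monitoring (not code from the original post or from any vendor), the script below runs the three checks listed above over constructed data: a static role-conflict check against a segregation-of-duties policy, a transaction-level trigger for an operator approving a document they created, and a trigger for changes to critical master data outside business hours. The role names, program names, the key=value log format and the log lines themselves are all constructed for this illustration.

```python
# Added example (not the original post's code, nor any vendor's implementation):
# continuous controls monitoring over a constructed role table and event log.
from datetime import datetime

# Segregation-of-duties policy: role pairs one operator may not hold together.
# Constructed for this example; a real policy comes from the control framework.
SOD_CONFLICTS = {
    frozenset({"supplier_maintain", "payment_approve"}),
    frozenset({"po_create", "po_approve"}),
    frozenset({"operator_admin", "gl_post"}),
}

# Programs whose data counts as critical master data (hypothetical names).
CRITICAL_PROGRAMS = {"OPERATOR_MAINT", "COMPANY_SETUP", "SUPPLIER_MASTER"}

# Constructed operator-to-role assignments.
ASSIGNMENTS = {
    "jsmith": ["po_create", "po_approve", "gl_post"],
    "mlee": ["supplier_maintain"],
    "admin1": ["operator_admin", "gl_post"],
}

# Constructed event log lines in a simple key=value format.
EVENT_LOG = """\
2024-03-04T09:12:33 operator=jsmith program=PURORDER action=create document=PO1001
2024-03-04T09:15:02 operator=jsmith program=PURORDER action=approve document=PO1001
2024-03-04T10:01:45 operator=mlee program=PURORDER action=create document=PO1002
2024-03-04T11:20:09 operator=jsmith program=PURORDER action=approve document=PO1002
2024-03-04T23:41:17 operator=admin1 program=OPERATOR_MAINT action=change document=jsmith
2024-03-05T08:05:00 operator=admin1 program=OPERATOR_MAINT action=change document=mlee
""".splitlines()


def parse_event(line):
    """Parse one log line into a dict; the timestamp becomes a datetime under 'time'."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def role_conflicts(assignments):
    """Static check: operators holding both roles of any conflicting pair."""
    hits = []
    for operator, roles in assignments.items():
        held = set(roles)
        for pair in SOD_CONFLICTS:
            if pair <= held:
                hits.append((operator, *sorted(pair)))
    return sorted(hits)


def self_approvals(events):
    """Transaction check: the same operator created and approved one document."""
    creators = {}
    for e in events:
        if e["action"] == "create":
            creators[e["document"]] = e["operator"]
    return [
        (e["operator"], e["document"])
        for e in events
        if e["action"] == "approve" and creators.get(e["document"]) == e["operator"]
    ]


def out_of_hours_master_changes(events, start_hour=7, end_hour=19):
    """Trigger: a change to critical master data outside business hours."""
    return [
        (e["operator"], e["program"], e["time"].isoformat())
        for e in events
        if e["program"] in CRITICAL_PROGRAMS
        and e["action"] == "change"
        and not (start_hour <= e["time"].hour < end_hour)
    ]


def run_monitoring():
    """Run all checks and return the findings keyed by check name."""
    events = [parse_event(line) for line in EVENT_LOG]
    return {
        "role_conflicts": role_conflicts(ASSIGNMENTS),
        "self_approvals": self_approvals(events),
        "out_of_hours": out_of_hours_master_changes(events),
    }


if __name__ == "__main__":
    for check, findings in run_monitoring().items():
        print(check)
        for finding in findings:
            print("  ALERT", finding)
```

Note that the transaction-level check still fires for jsmith even though the role-conflict check would already have flagged the assignment: role conflicts catch the standing condition, while the event-based trigger catches the moment it is exercised, which is what an auditor will ask you to evidence.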

Does your system have a logging facility that records when programs are accessed and when critical data is changed, such as master files, company setup and operator information? Those logs are what your auditors will ask for, so they need to be retained and protected from modification by the very operators whose actions they record.

You don’t have to be a big or well-established business to need good security and control, but you do need a level of organizational maturity to implement a proper governance and controls regime effectively. The test is whether your auditors are satisfied that the necessary controls and standards are in place.

Have you asked your auditors to do a governance, risk and compliance assessment yet?

SYSPRO blog gives you weekly industry insights supplied by experts.