I’ve been involved in a number of debates lately regarding whether auditors should have READ access to IT systems and data. Surprisingly, I’ve found that there appears to be very little middle ground – auditors either get READ access to whatever they request or get no access at all.
At one company, I had READ access to help desk ticketing systems, financials, human resources, Bindview, the timecard system, and so on.
Having access to Bindview allowed me to run my own reports on Windows and Unix systems (user lists, hardware configuration, patch status, permissions on directories/folders/files, etc.). In the help desk system, I could locate my own tickets and determine whether the appropriate user account approvals were granted.
But having access to HR was most helpful, as I could look up employees and determine when they were hired, terminated, and the like. And since I had READ access to the ERP databases, I could write my own queries and pull whatever data I needed.
Begging Like a Dog
In other companies, I was forced to depend on IT for everything. I felt like a hungry dog begging for a dry bone.
This often results in extra time and wasted effort for auditors and IT, which are supposed to be on the same team.
In my opinion, having READ access is better. After all, the audit charter usually stipulates that auditors can access all the data and systems anyway. My challengers often say that I should not have access to any data unless I have a “need to know.”
I’ll admit that I don’t always have a need to know, as I don’t audit every system or database every month, and you can get the data from IT. However, I believe the benefits outlined below for giving auditors READ access make the decision much easier for management.
Why Auditors Need Access to Systems
– Saves audit and IT time and effort, and speeds up the audit. A big money-saver and IT loves it!
– Strengthens audit independence as IT is not relied on for the data, which IT can alter before providing it (Excel spreadsheet, anyone?).
– Helps auditors better understand the IT environment and how IT handles the data, especially if auditors use the same tools that IT uses (like Bindview, Help Desk software, etc.).
– Helps auditors discover data that IT would never have given them (heh, heh) or perhaps is not aware of!
– Keeps investigations confidential. No one can tip off the department or staff being investigated.
– Allows auditors to do continuous auditing and monitoring. In this case, ongoing access is needed because data is obtained on a regular basis. Queries should be vetted by DBAs prior to implementation, and all changes to queries should be vetted before they are used. In the case of sensitive data access, a generic ID/system account for which the auditor does not have the password can be used.
The one downside I ran into is that auditors can accidentally overtax the system due to inexperience, such as creating a Cartesian join in one of their SQL queries. That’s a case where even READ access can cause problems. DBAs usually take access away from such auditors or insist they get training. Overall, this type of issue is fairly rare.
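As an added example (not from the original post), the following PostgreSQL statements show the accidental Cartesian join described above next to the intended query, and a read-only audit role with a server-enforced statement timeout that limits the damage a runaway query can do. The `hr` schema, its tables, the `erp` database and the role names are assumptions for illustration.

```sql
-- Added example; assumes PostgreSQL and a hypothetical hr schema with
-- employees(employee_id, department_id, hire_date, termination_date)
-- and departments(department_id, department_name).

-- 1. The accidental Cartesian join: no join predicate, so every employee
--    row is paired with every department row (rows_e * rows_d). This is the
--    kind of runaway query that overtaxes a production system.
SELECT e.employee_id, e.hire_date, d.department_name
FROM   hr.employees e, hr.departments d;

-- 2. The intended query: the join condition restricts the result to
--    matching rows, and the WHERE clause narrows it to active employees.
SELECT e.employee_id, e.hire_date, d.department_name
FROM   hr.employees e
JOIN   hr.departments d ON d.department_id = e.department_id
WHERE  e.termination_date IS NULL;

-- 3. How a DBA can vet a query before it is scheduled: EXPLAIN shows the
--    planner's estimated row count without executing the query, so a
--    Cartesian product stands out as a huge estimate on a Nested Loop.
EXPLAIN SELECT e.employee_id, d.department_name
FROM   hr.employees e, hr.departments d;

-- 4. A least-privilege audit role: SELECT only, read-only transactions,
--    and a statement timeout so a bad query is cancelled by the server
--    instead of running until someone notices.
CREATE ROLE audit_ro NOLOGIN;
GRANT CONNECT ON DATABASE erp TO audit_ro;
GRANT USAGE ON SCHEMA hr TO audit_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA hr TO audit_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA hr GRANT SELECT ON TABLES TO audit_ro;
ALTER ROLE audit_ro SET default_transaction_read_only = on;
ALTER ROLE audit_ro SET statement_timeout = '60s';

-- 5. The generic account the post suggests for sensitive data: the DBA
--    sets the password, and the account inherits the same limits.
CREATE ROLE audit_svc LOGIN PASSWORD '<set-by-dba>' IN ROLE audit_ro;
```

The timeout value is a placeholder; the right limit depends on how long legitimate audit queries are expected to run on that system.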
What do you think? Leave me a Comment.