- Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
- What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
- Consider the list of financial and accounting controls. Rank them. Which do you believe is the most important, the least? Why?
- You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
Brou Marie Joelle Alexandra Adje says
2)What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
In a business, usually only one current posting period is kept open for a financial year to enter transactions related to that month, all other posting periods being closed (in general, the individual posting periods correspond to a calendar month). This is to prevent wrong posting to a particular month.
Mansi Paun says
Rightly said, Alexandra. Besides preventing wrong posting to a particular month, it also reduces the opportunity of committing fraud by posting sales data to the wrong month. One could commit fraud by overstating sales in one month to meet monthly targets. Tax fraud could also be committed by posting accounting information to the wrong month.
Priya Prasad Pataskar says
Good points, Alexandra and Mansi. From an SAP point of view, multiple periods can be kept open for posting. However, to prevent fraud it is recommended that only one posting period be open. Special periods are thus provided for closing postings during the period-end closing.
Posting periods can be bound by company codes that can determine which companies are open for posting in a specific posting period. In SAP, opening and closing of posting periods can be differentiated by account type. By doing this a posting can be bound to certain accounts. These various controls ensure preventing frauds related to posting.
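As an added illustration (not SAP code and not part of anyone's post), the following model shows the two-level posting period check Priya describes, open ranges per company code and per account type, together with the prior-period review Abhay mentions later in the thread. Period numbering, the four special periods and the sample entries are assumptions:

```python
"""Constructed model of posting-period control (added example, not SAP code).

Simplifications assumed here: one period per calendar month, a calendar
fiscal year, and four special periods (13-16) used only for year-end closing.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple, Union

REGULAR_PERIODS = 12
SPECIAL_PERIODS = 4

Period = Tuple[int, int]          # (fiscal year, period number)


@dataclass(frozen=True)
class OpenRange:
    """One row of the open-period table for a company code."""
    account_type: str             # '+' = all types; 'S' G/L, 'D' customer, 'K' vendor, 'A' asset
    first: Period
    last: Period


class PostingPeriodControl:
    def __init__(self) -> None:
        self.table: Dict[str, List[OpenRange]] = {}   # company code -> open ranges

    def open_range(self, company_code: str, account_type: str,
                   first: Period, last: Period) -> None:
        self.table.setdefault(company_code, []).append(
            OpenRange(account_type, first, last))

    @staticmethod
    def period_for(posting_date: date, special_period: Optional[int] = None) -> Period:
        """Derive the posting period; special periods only exist at year end."""
        if special_period is None:
            return (posting_date.year, posting_date.month)
        if posting_date.month != REGULAR_PERIODS:
            raise ValueError("special periods are only for year-end postings")
        if not 1 <= special_period <= SPECIAL_PERIODS:
            raise ValueError(f"special period must be 1..{SPECIAL_PERIODS}")
        return (posting_date.year, REGULAR_PERIODS + special_period)

    def _is_open(self, company_code: str, account_type: str, period: Period):
        rows = [r for r in self.table.get(company_code, [])
                if r.account_type == account_type]
        if not rows:
            return None                 # no row at all for this account type
        return any(r.first <= period <= r.last for r in rows)

    def check(self, company_code: str, account_type: str,
              posting_date: Union[date, str], special_period: Optional[int] = None):
        """Return (allowed, reason). The '+' row must be open, and if a row for
        the specific account type exists it must be open too."""
        if isinstance(posting_date, str):
            posting_date = date.fromisoformat(posting_date)
        period = self.period_for(posting_date, special_period)
        label = f"{period[0]}/{period[1]:02d}"
        if not self._is_open(company_code, "+", period):
            return False, f"period {label} is closed for company code {company_code}"
        if self._is_open(company_code, account_type, period) is False:
            return False, f"period {label} is closed for account type {account_type}"
        return True, f"period {label} open"


def prior_period_postings(postings, current_period: Period) -> List[str]:
    """Review control: documents posted into a period before the current one,
    i.e. the entries that need a documented business justification."""
    return [p["doc"] for p in postings if p["period"] < current_period]


if __name__ == "__main__":
    ctl = PostingPeriodControl()
    ctl.open_range("1000", "+", (2024, 3), (2024, 3))   # only the current month open
    ctl.open_range("1000", "S", (2024, 3), (2024, 3))
    print(ctl.check("1000", "S", "2024-03-15"))          # allowed
    print(ctl.check("1000", "S", "2024-02-10"))          # rejected: prior period closed
```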
Mansi Paun says
Priya, thanks for sharing the information about special posting periods. You’re right when you say that specific posting periods can be mapped company-wise and they help prevent fraud. I’m reminded of an example from my previous company where earlier, employees were allowed to claim expenses occurring in any month at any time in that fiscal year. Many of the employees would keep procrastinating claiming expenses till the last month in the year, so during year-end closing the accounts payable team was always overworked. Often the employees wouldn’t have the receipts as the expenses had occurred many months back, and so an exception process would be triggered. This led to an opportunity of committing fraud whereby the employee could claim higher expenses and get them approved by a manager. Eventually, the company changed its policy to have expenses claimed within 3 months of occurring. The process not only became more streamlined as it gave a true picture of quarterly expenses, but it also made the accounts payable team more efficient and able to handle year-end closing.
Abhay V Kshirsagar says
Just to add another risk related to posting period, there have been incidents in my company where amounts were posted before the period that led to financial irregularities, which is a risk.
I think it was important to monitor and review the general ledger for any prior period postings. If there was any entry discovered, it was important to confirm that the transaction had valid business justification to it.
Sean Patrick Walsh says
1. Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
Not necessarily. I think businesses focus more on network security than they do on software security controls like those in SAP. I think the bigger scare for a business contemporarily is a network intrusion risk than an internal employee risk. I think businesses fear the damage done by a reputation loss and the associated revenue loss associated with a hack than they do with internal fraud. Also, internal fraud, unless required by law in specific types of fraud in certain industries, is not mandated to be disclosed to the public, so a business could suffer fraud but not necessarily lose any reputation or revenues from customers.
Brou Marie Joelle Alexandra Adje says
I definitely agree with you, Sean, about the fact that business focuses more on network security. And that is totally understandable because now more than ever, businesses depend on their network for their most important business operations, such as communication, inventory, and trading with partners. An insider fraud can be hidden, but a network breach? Not so easy. Depending on the type of business, damage to a business’s reputation can be very costly and hard to repair.
Magaly Perez says
Hey Sean,
I answered similarly to you but I never even thought about it from that perspective of disclosure of fraud and the laws associated with it. I still agree with the way I answered the question but I definitely valued that approach of thinking based off the risk acceptance view of a company. Great insight!
Said Ouedraogo says
Sean,
You are absolutely right about that. However, I think businesses should also focus on their security protocols in programs like SAP because the biggest threat to a company is its employees. In fact, employees can take advantage of the system if the company does not have the right security protocols. When you think about it, the majority of breaches/frauds came from employees (Wells Fargo, Enron, Worldcom…)
Yu Ming Keung says
Said, I definitely agree with you; companies without the right protocol tend to knowingly allow their employees to commit fraud. It is one of the biggest risks that could result in a loss of the company’s reputation. I would say that companies that are the victims of a hack suffer less reputation loss and the public will forgive them, whereas when they commit fraud like Wells Fargo, the trust has been damaged and it will take so long to rebuild the public trust and reputation. Hence, having the right protocol can mitigate the internal risks.
Joshua Tarlow says
Couldn’t agree with your comment more. Breaches do lead to reputation damage, but fraud and wrongdoing by a company will inflict much more damage to a company than an external data breach. As noted above, Wells Fargo was impacted by their employees and clearly lacked proper controls. They will likely suffer far greater damage than had it been a data breach.
Yulun Song says
That is true, Sean! Software security is one of the many different security controls. Other controls are also important, like physical controls, employee internal controls, etc., so businesses should not focus on administrators as the only standard.
Wenlin Zhou says
Of course, I agree with you. Businesses focus more on network security than they do on software security controls like those in SAP. The biggest threat to a company is its employees in the internal control. What’s more, I think the internal control can strengthen the network security. Internal controls should not be thought of as “static.” They are a dynamic and fluid set of tools which evolve over time as the business, technology and fraud environment changes in response to competition, industry practices, legislation, regulation and current economic conditions.
Priya Prasad Pataskar says
I think companies focus on both. Since network security and frauds are spoken about more and get quick media attention, they are more focused on. The constantly growing network-related frauds tend to get more attention from the security team. In my opinion, if the members of the security team are focused on network security and giving it more importance, that is absolutely fair. In the same way, team members of SAP security and SAP modules would be focused on securing internal controls.
To conclude, if each team in a company is well focused on the job they are doing, they can strike a good balance between internal and external security.
Deepali Kochhar says
Very well pointed out, Priya. This is where segregation of duties comes into play. It is necessary to focus on both aspects and give attention to internal as well as external frauds. Companies are constantly evolving in terms of managing internal and external threats, especially for systems like SAP which have all of their financial data, and are managing this by segregating the duties of the system administrator both to manage the external network as well as to manage securing internal controls. Therefore the role of system administrators is not confined to just managing the frauds occurring through the external network.
Fangzhou Hou says
I agree with you, Sean, that it really depends on the specific scenario. Different-size companies may have different choices. For example, for newly started companies, investment in improving entire network security may be too expensive and negatively affect the financial statements. In this case, focusing on key programs like SAP may maximize the protection of key information assets and minimize the cost.
Sean Patrick Walsh says
4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
I have seen these problems when I was in the military. We had controls for access to bases, buildings, and individual spaces before even getting to individual system security controls. Once you eventually got to a specific system you had to insert your “smart card” into the system’s keyboard and then type in your PIN, or you had to know your login name and password in lieu of using your “smart card.” Once logged into a system, a user had to have login IDs and passwords for access to various programs, documents, folders, other networks, etc. If remembering all those different login IDs and passwords wasn’t difficult enough, the passwords were required to be changed about every 60-90 days. When creating a new password there were minimum lengths, character diversity minimums, and your last 5 to 10 passwords could not be used depending upon the specific password being changed. It was very cumbersome to try and remember all your login IDs and passwords, or find a way to write them down without them being easily linked to one another if they were ever found.
Aside from logins and passwords, many systems required approval from supervising personnel before something important could happen. For example, say a piece of equipment was damaged and needed a replacement part. Well, you would have to log into the program to write the job up and order the part(s). After that you would have to wait on your supervisors at various levels to “sign off” on the job and parts needed, and then you would have to wait on the department responsible to approve and issue the part(s) if available, or order the parts from another location. This added a lot of steps to doing something as basic as replacing a toner cartridge in an office printer.
Brou Marie Joelle Alexandra Adje says
Wow! I would be very annoyed with all these protocols. But when you think about it, security goes with complexity. However, I think at a certain level of complexity people will start disregarding the official policy entirely and make the system more vulnerable.
Thanks for sharing, Sean.
Said Ouedraogo says
Alex,
I couldn’t agree more that security goes with complexity. How do we balance user convenience and security? In Sean’s case, I think those controls are necessary because of the nature of his job. The military handles sensitive information and Top Secret projects, so it then makes sense for them to implement complex security systems.
Joshua Tarlow says
Definitely can relate to some of the systems I worked with while I was in the military. I remember when I was deployed there were some computers that had login information taped onto them in plain sight. Definitely not proper security protocol, but I just assumed that someone had given up or didn’t care.
Magaly Perez says
1. protocols in programs like SAP, rather than look for security in the entire network? Explain
I would like to believe that most businesses do not rely too much on administrators to configure their security protocols in a program, like SAP, rather than look for security in the entire network. I would think that businesses, whether they be big or small, focus on their network security controls because their data and their company solely rely on the security of their network and its functionality. I think the software security controls, like SAP, are bought based on their reputation and effectiveness across all boards. Their security infrastructure as a whole is more critical to their company, I believe; without having a secure network infrastructure they are undermining their business. Conversely, I think software security is important, but looking at it from a business owner/administrator I would be more concerned with the internal risk of an unsecure network and the breeding grounds of fraud within the company, as well as hacking via network injection, malware, ransomware, etc. Subsequently, I think administrators look for software like SAP or Oracle that have great brands and security controls in place to make sure their data is secure, but also focus more on their entire security network infrastructure because it’s the direct product of their businesses.
Magaly Perez says
Oops: must have not copied the whole question >>>>>> here is the whole question prompt: Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
Brou Marie Joelle Alexandra Adje says
Both software and networks present risks and have the potential for malicious hackers to gain access to sensitive information inside the network or inside software that has access to the network.
You mentioned that “whether they are big or small they should focus on network security.” That’s right. However, I think that small businesses are most likely at the top of a hacker’s list because they have more exposure (like relying on at least one staff member, who may have limited knowledge when it comes to cyber security threats, to manage their network’s security) and are easily prone to phishing attacks.
Plus, large businesses can survive a security breach because they have the resources to fix the problem, which is not always the case for small businesses.
Magaly Perez says
Yeah, I think they both present risk and I never said they didn’t. However, I think the network security controls are the first priority for all businesses, whether they are big or small, because that is their means of business. But yes, I agree with you, Alex! Thanks for your input.
Sean Patrick Walsh says
I agree that network security is more critical too. First, SAP is a software package, and an intruder would more than likely have to gain access to the network, or a node on the network if the attacker is internal, in order to exploit a vulnerability in SAP. So if network security is the primary focus then SAP security is a residual benefit to the network security as the primary concern. Second, any access to SAP over the web should be easy to secure through an encrypted portal, which would again put the focus on the network’s security.
Wenlin Zhou says
I agree with you. The network security is more important. By increasing network security, you decrease the chance of privacy spoofing, identity or information theft and so on. Piracy is a big concern to enterprises that are victims of its effects. Anything from software, music and movies to books, games, etc. are stolen and copied because security is breached by malicious individuals. Because hacker tools have become more and more sophisticated, super-intelligence is no longer a requirement to hack someone’s computer or server. Of course, there are individuals that have developed sophisticated skills and know how to breach into a user’s privacy in several ways, but these types of individuals are less common than in the past. Today, most malicious users do not possess a high level of programming skills and instead make use of tools available on the Internet. There are several stages that an attacker has to pass through to successfully carry out an attack.
Ming Hu says
Nice post. No one would deny the importance of software security, but when it comes to the business perspective, we focus not only on software security, but also on hardware security and infrastructure security, and look for security in the entire network. Especially considering that the frequency and sophistication of cyber threats are at an all-time high in today’s business environment, how to address security risks from the entire network, not just software, should be a company’s first priority.
Brou Marie Joelle Alexandra Adje says
You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
The company I worked at forced us to change our password to access several online systems each month. Passwords had to be at least 8 characters long and include a special character, number, lowercase letter, and uppercase letter. The fact that I had to change my passwords every month was very annoying. I could not remember that type of password when it changed so frequently, so I had workarounds. Since each program forced a password reset at different intervals, I just synced all my passwords to be the same and reset them all on the schedule of the program that forced the most frequent password change. Now how secure was that? My point is that complex policies ultimately can lead to a security breach.
Magaly Perez says
Alex,
At the Philadelphia DA’s Office we had the same protocol; however, I noticed that this resulted in employees actually writing their passwords down and keeping them on their desk because they would always forget what their password was. Definitely not secure.
Priya Prasad Pataskar says
I have been through the same. I had in fact audited a team who used to have 120 applications, and security policies made them change passwords every 15 days. Now that is a serious issue. Password management tools are an option, but that software is at risk too.
I came across many articles which speak about passwordless security and I stand with them. Having login screens to enter username and password is also another page for hackers to try SQL injections and CSS attacks. Instead, all applications can aim at using one-time password generators and send one-time login details to accounts you have linked them with, e.g. SMS, email.
This system is not yet foolproof and has its own share of problems. Like, what if an account is hacked and that is the account where the one-time password is generated?
In short, security is not easy and users have to be patient to follow security policies. However, one who neglects security policy is definitely not in a good place.
Paul Linkchorst says
Hey everyone,
I will throw in my two cents on this subject. As much as people want to bash password complexities, I honestly think that having complex password requirements is not too big of a hassle, but that people make it harder than it has to be. Half the case is remembering passwords, and if you create the password to be memorable then it isn’t a problem. For myself, I have always been a big proponent of the acronym style. For example, a phrase that I can remember is “I am a student in the ITACS program”. I then take this phrase and put it into a password by taking the first letter of each word in the sentence. Therefore my password can become something like this: IAAsitip16. This password will likely meet complexity requirements, and after 7-8 times entering the password I can normally enter it pretty quickly. Likewise, this makes it harder to pinpoint the password in cases where the passwords are not encrypted.
Magaly Perez says
4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
At the DA’s Office we had a protocol that passwords had to be changed very often. I believe it was about 6 times every 4 months, which was in direct correlation to the databases my unit had to use. However, I noticed that this resulted in employees actually writing their passwords down and keeping them on their desk because they would always forget what their password was. We had 6 databases and internet access which you needed passwords to use. Yet, I worked for the charging unit which was open 24 hours and people worked on a rotating shift schedule; as you can imagine, the IT people weren’t there to assist when someone would be locked out, which made it even more cumbersome and dysfunctional, ultimately leading to people getting locked out and being unable to access the database needed to do work. This also led to employees sharing credentials, which is a big NO NO! Thankfully, I had never been locked out, but the databases we used were very important, such as the FBI National Crime Information Center databases to complete background checks. Personally, I wouldn’t share my credentials because, come on, who would risk it? But believe me, people actually shared them.
Deepali Kochhar says
A similar case occurred in my organisation. There were people from the infrastructure team who never used to lock their system while leaving the desk for some temporary period of time. This came to the notice of the information security team and they were warned. Still they found it complex to lock the system every time they left the desk. Because of this, the next time an incident was raised against this activity, which I believe was correct. Therefore, just as not sharing passwords is important, locking the system while leaving the desk is also very important and is a part of maintaining the system security in the organization.
Said Ouedraogo says
1. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
I think the main reason is to avoid fraud/error and facilitate accounts reconciliation at the end of the month or year. Each organization follows a specific fiscal year variant. For example, Temple University’s fiscal year goes from July to June with 4 additional special periods. From July to June, a period is open every month and transactions made in a specific month are recorded to that month. Once a period has been closed there is no possibility to post in that period. This way every transaction is recorded/posted in the month (period) it has occurred.
Sean Patrick Walsh says
I agree with your assessment. I would also describe the fraud potential: allowing users to access other posting periods would allow them to conduct “financial engineering” in their system, which is moving costs and revenues to periods that they aren’t supposed to be recognized in for reasons of manipulating revenues. Only allowing the current posting period to be open helps mitigate that risk, at least at the base user input level.
Said Ouedraogo says
Exactly Sean! Plus, the auditors can go back to closed period to review postings. In that way, they don’t have to wait until the end of the year. Where I work, I have to combine all accounts in a single doc after each closing. It allows auditors to review the accounts and see if there are any discrepancies.
Binu Anna Eapen says
Well put, Said. By closing the previous posting period you are forcing the people who are entering the data to be responsible for the data entry, and it also ensures that no changes can be made to the previous postings. This way, even if there are any discrepancies, they will be easily identified and corrections can be made by the authorized person. This provides accuracy and also ensures that the transactions are recorded completely to avoid these errors.
Yu Ming Keung says
I have never thought that changes can only be made by the authorized person. I would describe that one posting period is the first layer of security and the authorized user to make corrections is the second layer of security. Companies need to have a clear protocol for how the changes and corrections can be made in SAP to avoid fraud.
Said Ouedraogo says
Yu Ming,
In fact, changes can be made after the period has been closed. Generally, only the business manager has this privilege. When this person makes a change to a closed period, he/she has to provide backup documentation detailing why he/she has made the changes.
Deepali Kochhar says
Said, it is not the case that once a period has been closed there is no possibility to post in that period. It is a very common practice to keep the prior period open to allow period-end adjustments along with the current posting period, and with that there is no restriction on the number of posting periods which can simultaneously run. It is just a practice to keep one open at a time in order to avoid frauds and human error.
Binu Anna Eapen says
3. Consider the list of financial and accounting controls. Rank them. Which do you believe is the most important, the least? Why?
Some of the controls for financial accounting are mentioned below:
1. System and authorization procedures should be in place to provide accounting control over revenue, expenses, assets/liabilities. Only the authorized person should be able to create, modify/change/edit and close/delete any records/transactions.
2. Segregation of functional responsibilities to create accountability for a system of checks and balances.
3. Completeness check: every transaction has to be accurate, timely and complete.
4. Controls should be in compliance with the federal, state and local laws and regulations affecting the operations.
5. Proper approval procedures should be in place.
6. Reconciliation procedures should be in place, to compare two sets of records which relate to the same transaction and verify if there are any differences.
Authorization control is the most important, and only authorized persons should have access to make any modification to any system. We can achieve this with proper segregation of duties and by setting up processes to be followed. I also think completeness control is as important. Every transaction is properly recorded and on time. This increases reliability and reduces the chances of error, both human and fraud.
Sean Patrick Walsh says
I agree that Authorization Control is the most important control too. You can have all the other controls in place that you listed, but without proper authorization controls in place none of those other controls will matter. If the wrong people are authorized to create, alter, and/or delete some type of transaction when they should not be, then they can cause some serious problems for the business either on purpose or inadvertently. By making sure only the correct people have the authorization in place to do specific things in SAP/ERP, the other controls can be effective, but without authorization controls the other controls are aesthetic at best.
Yu Ming Keung says
I also agree that authorization control is the most important control too, because authorization is the process of enforcing policies by determining what types or qualities of activities, resources, or services a user is permitted. Other controls will be meaningless if unauthorized users are able to access the system to create/alter transactions to commit fraudulent activities. Usually, authorization occurs within the context of authentication, which is a way of identifying a user, typically by verifying a valid user name and password before access is granted.
Said Ouedraogo says
Binu,
I strongly agree with you. It’s all about who has access to what and when. Where I work, I am in charge of doing monthly reconciliations. I reconcile what we have in the system (IBM Cognos), deposit logs, and receipt book. The process is simple. The front desk receives the check from the customer, issues a receipt to the customer and records the amount in the deposit log. Then, the person at the front desk deposits the check at the accounting department who posts the transaction in the system. Imagine I was the one having all those privileges. It would have been really easy for me in this case to commit fraud.
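As an added example (not from any post here and not a product's code), the receipt-to-posting process Said describes can be checked in two ways: statically, for users who hold conflicting duties, and dynamically, over an activity log, for the same person performing conflicting steps on one receipt, plus the three-way monthly reconciliation. Duty names, the conflict matrix, and the sample data are all constructed:

```python
"""Segregation-of-duties and reconciliation checks for a cash-receipt process.

Added example; duty names, conflict pairs and sample data are constructed,
not taken from any system or from the thread.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Pairs of duties that must never sit with one person: whoever receives the
# check must not post it, and whoever posts must not reconcile.
CONFLICTING_DUTIES: Set[frozenset] = {
    frozenset({"receive_payment", "post_transaction"}),
    frozenset({"post_transaction", "reconcile"}),
    frozenset({"receive_payment", "reconcile"}),
}


def role_conflicts(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Static check: which users are *assigned* two duties that conflict."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    for user, duties in assignments.items():
        pairs = [tuple(sorted(p)) for p in combinations(sorted(duties), 2)
                 if frozenset(p) in CONFLICTING_DUTIES]
        if pairs:
            found[user] = pairs
    return found


def activity_conflicts(log: Iterable[dict]) -> List[dict]:
    """Dynamic check: the same user *performed* conflicting duties on the
    same receipt, whatever roles were formally assigned."""
    by_receipt: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for event in log:
        by_receipt[event["receipt"]][event["user"]].add(event["duty"])
    hits = []
    for receipt, users in by_receipt.items():
        for user, duties in users.items():
            for a, b in combinations(sorted(duties), 2):
                if frozenset({a, b}) in CONFLICTING_DUTIES:
                    hits.append({"receipt": receipt, "user": user, "duties": (a, b)})
    return hits


def three_way_mismatches(system: Dict[str, int], deposit_log: Dict[str, int],
                         receipt_book: Dict[str, int]) -> List[str]:
    """Monthly reconciliation: every receipt number must appear with the same
    amount in the system, the deposit log and the receipt book."""
    keys = set(system) | set(deposit_log) | set(receipt_book)
    return sorted(k for k in keys
                  if not (system.get(k) == deposit_log.get(k) == receipt_book.get(k)))


# Constructed sample data.
SAMPLE_ASSIGNMENTS = {
    "front_desk": {"receive_payment"},
    "ap_clerk": {"post_transaction"},
    "controller": {"reconcile"},
    "temp_hire": {"receive_payment", "post_transaction"},   # SoD conflict
}
SAMPLE_LOG = [
    {"receipt": "R-1001", "user": "front_desk", "duty": "receive_payment"},
    {"receipt": "R-1001", "user": "ap_clerk", "duty": "post_transaction"},
    {"receipt": "R-1002", "user": "ap_clerk", "duty": "receive_payment"},  # covered the desk
    {"receipt": "R-1002", "user": "ap_clerk", "duty": "post_transaction"},
]

if __name__ == "__main__":
    print(role_conflicts(SAMPLE_ASSIGNMENTS))
    print(activity_conflicts(SAMPLE_LOG))
    print(three_way_mismatches({"R-1001": 500, "R-1002": 250},
                               {"R-1001": 500, "R-1002": 520},
                               {"R-1001": 500, "R-1002": 250}))
```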
Wenlin Zhou says
I agree with you. Authorization Control is the most important. The main reason is that authorization is the basis by which the authority to complete the various stages of a transaction is delegated. These stages include the processes of Recording (initiate, submit, process), Approving (pre-approval, post-entry review), and Reconciling. All transactions and activities should be carried out and approved by employees acting within their range of knowledge and proper span of control. Proper authorization practices serve as a proactive approach for preventing invalid transactions from occurring. For example, the level of authority should be documented. Documented authority creates an expectation of responsibility and accountability. Authority to perform a particular action may come in hard copy documents or system-generated authority (example: ASTRA access system).
Ming Hu says
I agree with you that authorization is the most important one. Authorization makes sure that only authorized user has the proper permission to access a particular file or perform a particular action so as to reduce unauthorized access to a large extent, and then greatly mitigate the potential risks.
Yu Ming Keung says
2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
In general, the individual posting periods correspond to a calendar month and usually, at any one time, only one posting period may be open. The main reason for having one posting period open at a time for real time postings is to prevent fraud by prohibiting authorized users from accessing other/previous periods to make changes. Any changes/corrections to be made have to be posted to the special additional posting periods at the end of the year during year-end closing. That way it can mitigate the risk of fraud.
Yulun Song says
Agreed that one posting period opens at one time. If open at many different times, many unauthorized people may think this is an opportunity to gain access to make changes. So having one posting period open at one time is really important to mitigate the risk of fraud.
Vu Do says
Hm, good point, Yu Ming. I did not think about people not being able to access the statements that were posted for the previous period to commit fraud. That is a good reason for having one posting period quarterly to prevent anyone from making changes. This will prevent people from cooking the books and provide a safeguard for the company. Everything published quarterly is usually provided to the public so everyone can see how that company did that quarter. So anything unusual will get discovered; once it’s published, that’s it.
Yu Ming Keung says
4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
The company I used to work for is a small real estate company and I did not see high system security taking place in the company. However, we had to change the passwords of our computer systems and email every six months, but most employees wrote down the password on a post-it note. All passwords were required to have at least 8 characters including upper and lowercase letters and numbers, but names or previous passwords were not allowed. My coworkers found it kind of annoying because they could never remember the passwords. All passwords also had to be saved in an Excel spreadsheet on a server so that other employees were able to see them. I am not sure these password policies are common in small companies, but I believe the system security was not adequate to protect the data and OS.
Yulun Song says
That is true Yu Ming. It also happened at my previous company. People type all account numbers and passwords, print them out and post them on the wall so that they can see them easily. However, many co-workers can also see the passwords and may take them down and do fraudulent acts. I think this is so common for all companies: too many accounts, too many passwords, and no one can remember that many. I hope technology companies can develop software or someone can create a way to memorize all the different accounts and passwords.
Wen Ting Lu says
Hi, Yulun
You are right that we have so many accounts for school, work, and personal use. It's difficult for us to memorize all those passwords. Most of the time, people will choose to use the same password for all their accounts, which is not a good way to secure their sensitive information. There is actually a way to save your passwords for the accounts that you have. The company I am working for uses LastPass, a password management service which stores encrypted passwords in private accounts. You only have to remember one master password for the LastPass account and the rest of your passwords are locked up in your LastPass vault. It's very convenient and secure to manage your passwords.
Brou Marie Joelle Alexandra Adje says
This makes me think about a company I worked for; we also had a spreadsheet with different account passwords that we commonly used on an everyday basis. The only difference is that the spreadsheet was password protected. But still not the most secure thing to do. Why? For the simple reason that Excel passwords can easily be cracked (no matter which version you use). Excel uses a very weak form of encryption that can easily be broken using dictionary attacks.
Binu Anna Eapen says
Yeah I totally agree with you Alexandra. How safe is it to have a single password protecting software that protects all passwords? If the attacker has just to break a single password to obtain every other detail of a person, is it not risky? Obviously it is convenient, but can you imagine the amount of information that could be lost if this system was hacked.
Priya Prasad Pataskar says
Binu, I would say having a password management tool is better than having similar passwords for all accounts. It is a fact that people will use similar passwords or phrases or the same passwords for various applications, making it easy for hackers to guess credentials for all accounts.
In comparison, a password management tool would use high-level encryption. They would not only encrypt passwords but also the usernames. For example, KeePass. It supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. SHA-256 is used as the password hash for the password for the tool itself. As of now no attacks have been able to crack SHA-256. Additionally, you can lock the database to the operating system account to ensure it can be opened only by the same person who created it.
Mansi Paun says
You highlighted a good point, Yu Ming. Password policies are often seen as cumbersome to follow by the employees. In my experience, I find that smaller companies see computer security to be cumbersome for reasons like increased cost, lost time and reduced productivity. They often do not give it due importance and even employees have a similar attitude towards security.
Deepali Kochhar says
Definitely Mansi. In a similar way, the banking industry uses 2-factor authentication, which on one side is complex for the users but on the other side is very important to protect customers from criminals gaining access to a user's private data such as personal and financial details. So such policies are very important to follow even if they seem to be complex.
Fangzhou Hou says
Thanks for sharing your experience Yu-Ming. I totally agree with you that password policies are very important in access control. From my previous experience in a bank, the employees only have three chances to input the password. After three consecutive wrong passwords, the account will be locked. To help employees remember their password, the IT department set a hint for when an employee inputs the wrong password. Employees can edit the hint, and when they input the wrong password, the hint they previously set can help them remember the correct password.
Joshua Tarlow says
You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
One example that comes to mind is the Veterans Administration. I am currently using the GI Bill to finish graduate school so I need the VA to certify my credits at the start of each semester. Unsurprisingly it doesn’t have the best or most accessible website. The password requirements are probably the most cumbersome for me, although they are definitely designed to be secure. The website does not allow any password to contain an actual word, so it has to be completely random. While this does make for a more secure password, it becomes much more difficult to remember. Combined with upper/lower case, numbers, and special characters there is very little to use to help remember. I definitely think that strong passwords are important, but a balance is important because if it is too hard then people will be tempted to write down the password.
Brou Marie Joelle Alexandra Adje says
Indeed Joshua, strong passwords can be very cumbersome and when you think about it, how many accounts do we all have online? Can you imagine creating a strong password like that for each of them? There is absolutely no way, even with only 10 accounts, you can create passwords that are strong, unique and memorable. Maybe the safe thing to do is having some sort of password management system.
Yu Ming Keung says
Hi Alex,
I strongly agree with you, especially if the password is generated randomly by the system; you have no way to remember the password. The safe thing to do is to write it down and not lose it. And we even forget the normal passwords we created sometimes unless we use the same one for all accounts. I know there are some password management apps offered on smartphones; maybe that is a good option to solve the issue.
Joshua Tarlow says
I’m not sure I could remember one randomly generated password. As you noted 10 is impossible and most recommend not to use the same password more than once. I thought about using a password manager but haven’t gotten around to researching it yet. In my opinion, passwords are terrible for these reasons. Makes sense why many tech companies are trying to move away from passwords to biometrics.
Wen Ting Lu says
Hi, Joshua
Changing from traditional passwords to biometrics is very interesting, and it’s become popular especially in the banking industry. Traditional passwords are either too cumbersome or no longer secure due to the growing number of data breaches. Some of the nation’s largest banks are increasingly using fingerprints, facial scans and other types of biometrics to safeguard accounts. However, biometrics is costly and it’s not acquired by everyone. For example, according to the article: “Wells Fargo is offering eye scans only to select corporate customers, for whom the stakes are arguably higher because there is potentially much money involved.”
The point I am trying to make is that biometrics is a better way to secure information; however, it might not be the best option because it can be very costly. Also, it might become a challenge for people who are not tech savvy to adapt to it from traditional passwords.
Source:
http://www.newsobserver.com/news/business/article85582757.html#storylink=cpy
Sean Patrick Walsh says
I know exactly what you’re talking about. I never understood why stringent password requirements and policies existed for certain systems. For instance, in the Navy we had Navy Knowledge Online (NKO), and I believe you used AKO if I remember correctly, for online training courses that were required semi-annually and annually. There was no real PII or any financial data in the system at all, but when it came to securing it with a password you had to create a very unique one with all sorts of criteria. On top of that, you had to change the password pretty frequently as well. I never understood why the policy was so strict when there was really nothing an intruder could get of consequential value if they were able to enter the system with your login ID or through some other security vulnerability. I’m pretty sure it was literally a lot of “red tape” to protect nothing at all.
Joshua Tarlow says
Definitely AKO, and a huge hassle. I remember that I was one of the few that had access to the computers at our unit because the certifications took so long to get, and then you had to find the one person at brigade who could authorize access. It always seemed to use a lot of effort on things of less importance and not those that really need it. Not sure what your experience was with SSNs, but the Army used to use them liberally. I remember that they were always on sign-in sheets for mandatory training; I even think one was for operation security, ironically. Once something becomes too complex, then fewer people lose it, which was my experience.
Sean Patrick Walsh says
I’ll do you one better. When I was a prison guard at the prison in Guantanamo Bay, we didn’t wear name tapes on our uniforms. Instead we were issued a number so that the detainees did not know our names, because somehow even there they had contact with the outside world and could visit harm on our families if they knew who we were. Well, at the beginning of our shifts we held musters and they would check our names off on a sheet of paper with our names and the name tag numbers associated with our names on it. Don’t you know somebody lost one of those sheets in the prison yard one day. Unbelievable how insecure security is at various places and times in the military.
Joshua Tarlow says
Can’t say I’m surprised at all. I remember when I was deployed, I heard from some of those stationed at Bagram that they had to use their SSN when doing laundry, which involved taking it to a service on the base run by local or third-party nationals. I didn’t experience that myself since we had a facility on our base and I could do it myself, but it didn’t surprise me at all when I heard.
Your example with the name tape does bring to mind so many examples and memories. Always so much effort only to undermine it so quickly.
Binu Anna Eapen says
Nice point Joshua. To add an example, in the firm I worked for earlier, a particular team was supporting a different company, and that company had created accounts for these employees and had given them the hiring status of contractors.
Now as a contractor:
1. the account would expire in 90 days and needed to be extended, with approval from their onsite manager, before the completion of 90 days
2. the password had to be changed every 90 days, the user could not use any of the last 10 passwords, and it needed to be 8 characters with a mix of alphanumeric characters and special characters.
3. the account would be locked after 3 unsuccessful attempts.
4. the account would be disabled after 180 days of non-usage.
The basic issue was that these employees worked only for a short time, and only during the busy season in the financial audit period or taxation periods, and most often did not need to log in, which made it easier for people to forget the password. This resulted in a large number of requests being raised for password changes, account unlocks and account extension/enabling issues at the start of every busy season.
I understand this complicated life both for employees and IT people, but I also feel it was required to prevent unauthorized access to the system. And the company was aware of this and was ready to take up this challenge rather than put their information at risk.
Paul Linkchorst says
Hi Binu,
You provided a really good example of some of the frustrations by users in regards to access and password security policies. What would you suggest that they do differently or do you think that the process should remain the same? In your example, I think it would be easier to give them a temporary password that expires in 3-4 months. Once expired, the system admin or the individual granting access can verify and make sure that the accounts are disabled until next busy season. Depending on the type of access management software that the organization uses, the system admin or another individual can reset all the passwords back to default and require a password change upon sign in. This way it doesn’t bog down the process for individuals calling to have their accounts unlocked and it reduces the frustration of the contractors.
Binu Anna Eapen says
Good suggestions Paul.
But in this case I do not think that would be applicable for the following reasons:
1. Not all teams/projects work in the same period. That would mean the system admin will have to identify which team or which project requires what account for how much time. I do not think that this would come under the role of an AD admin. And even if the project lead or team lead sends the list of users every time a new project starts that will complicate the process and we will not be able to define processes for different teams- like TAX, Audit which have different timelines and increasing number of employees.
2. Temporary password provided for 3-4 months: How will the admin know when to set up the temporary password? In this case possibly, once the account expires, it could automatically set the password to a temporary password. But if it's a password that everyone is aware of, will that not increase the risk of potential fraud? Do you mean to set a temporary password unique for each employee? Again this increases the work of the AD admin if he has to track each user in the company. And also remember it is not advisable to use the same password again.
3. Disabling/Enabling an account is not the decision made by the AD team alone. The HR would have to approve to re-enable the account after making the changes in SAP. Disabling account is same as telling the user is no longer working for the client.
I think the process set up was able to eliminate the risks posed. To be frank, I was involved in setting up this process. We did have multiple discussions back and forth with the client, but I think they did have a good point 🙂
Ming Hu says
Thanks for sharing. Password management is very important for both users and companies to keep security. I totally agree with you that user experience should be adequately cared for, because too strict a regulation is very annoying. Besides, like you said, the password is too hard to remember so we have to write it down in some cases, and that's a definite vulnerability.
Yulun Song says
1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
I think most companies focus on security in the entire network rather than only relying on administrators to configure the security protocols in programs like SAP. For a company's security, it is true that software security is crucial for them and they also focus on that. However, other security areas are also important parts for all companies, like network security, physical security, software security, cyber-security, internal security, etc. Many companies outsource security so that they can focus more on internal and physical security within the company. So SAP is not the only focus for companies.
Yulun Song says
3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
1) Separation of duties: it involves splitting responsibility for bookkeeping, deposits, reporting and auditing. Less chance of fraudulent acts happens if further duties are separated.
2) Access controls: controlling access to different parts of an accounting or finance system via passwords, lockouts and electronic access logs can keep unauthorized users out of the system.
3) Physical audits: include hand-counting cash and any physical assets tracked in the accounting or finance system, such as inventory, materials and tools.
4) Documentation: standardizing documents used for financial transactions, such as invoices, internal materials requests, inventory receipts and travel expense reports, can help to maintain consistency in record keeping over time.
5) Trial balances: using a double-entry accounting system adds reliability by ensuring that the books are always balanced.
6) Approval authority: requiring specific managers to authorize certain types of transactions can add a layer of responsibility to accounting records by providing that transactions have been seen, analyzed and approved by appropriate authorities.
http://smallbusiness.chron.com/seven-internal-control-procedures-accounting-76070.html
Yu Ming Keung says
1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
I believe most businesses rely too much on technology to look for security in the entire network rather than relying on administrators to configure the security protocols. And there are still some giant companies who do not care about the security protocols. Without the proper security protocols, I believe an organization won't be able to guide its employees to behave properly. Take Wells Fargo as an example: they opened millions of fake bank and credit card accounts for customers over the past five years. Wells Fargo said it has fired 5,300 employees in relation to the scam. I think that no employee wants to commit those crimes, but they were forced by the manager to do so to make its report look good. With that being said, if an efficient protocol was in place, it would restrict most employees from committing the fraud. Security for the entire network is as important as the protocols to prevent data breaches, so companies should also put more resources into their security systems to secure clients' personal data.
Wenlin Zhou says
What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
You define posting periods in your fiscal year variants. You can open and close these posting periods for posting. As many periods as you require can be open for posting simultaneously. Usually, only the current posting period is open for posting, all other posting periods are closed. At the end of this posting period, the period is closed, and the next posting period is opened. During period-end closing, special periods can be open for closing postings.
For postings from Controlling (CO) to Financial Accounting (FI), you can define a separate period interval. You can use this period interval to be able to make CO-FI postings to Financial Accounting using real-time integration during period closing, for example. This period is not valid for any other postings; such postings are checked using other period intervals.
You can differentiate the opening and closing of posting periods by account type. This means that, for a specific posting period, it is possible for postings to customer accounts to be permitted and for postings to vendor accounts to be prohibited.
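A simplified model of the posting-period control described above (one current period open, special periods for closing, a separate CO-to-FI interval, and opening/closing differentiated by account type), written as an added example; it is not SAP code, and the variant, company codes and document below are constructed. It assumes one posting period variant per company code and treats the "+" (all account types) row as the outer limit that an account-type row can only narrow.

```python
"""Simplified posting-period check modelled on the SAP description above.
Assumptions (not SAP's actual implementation): one variant per company code,
the '+' row is the outer limit and an account-type row narrows it, and
CO->FI real-time postings are checked only against their own interval."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Account-type codes follow the SAP FI convention:
# '+' all types, 'D' customers, 'K' vendors, 'S' G/L accounts, 'A' assets, 'M' materials
ALL = "+"


@dataclass(frozen=True)
class Period:
    year: int
    period: int  # 1..12 normal periods, 13..16 special periods used at year-end closing

    def key(self):
        return (self.year, self.period)


@dataclass(frozen=True)
class Interval:
    lo: Period
    hi: Period

    def contains(self, p: Period) -> bool:
        return self.lo.key() <= p.key() <= self.hi.key()


@dataclass
class PeriodVariant:
    """Open intervals per account type (normal and special) plus the CO->FI interval."""
    normal: Dict[str, Interval] = field(default_factory=dict)
    special: Dict[str, Interval] = field(default_factory=dict)
    cofi: Optional[Interval] = None

    def open_for(self, account_type: str, p: Period) -> bool:
        def row_open(acct: str) -> bool:
            rows = [iv for iv in (self.normal.get(acct), self.special.get(acct)) if iv]
            return any(iv.contains(p) for iv in rows)

        if not row_open(ALL):          # '+' row closed: nobody posts to this period
            return False
        if account_type in self.normal or account_type in self.special:
            return row_open(account_type)  # account-type row narrows the '+' row
        return True


@dataclass(frozen=True)
class LineItem:
    account_type: str
    amount: float


def check_posting(variants: Dict[str, PeriodVariant], company_code: str,
                  period: Period, items: List[LineItem], source: str = "FI") -> List[str]:
    """Return a list of error strings; an empty list means the document may be posted."""
    variant = variants.get(company_code)
    if variant is None:
        return [f"no posting period variant assigned to company code {company_code}"]
    tag = f"{period.year}/{period.period:02d}"
    if source == "CO":  # real-time CO->FI integration uses its own interval only
        if variant.cofi and variant.cofi.contains(period):
            return []
        return [f"CO->FI period {tag} not open for company code {company_code}"]
    errors = []
    for item in items:  # every line item must hit an open period for its account type
        if not variant.open_for(item.account_type, period):
            errors.append(f"period {tag} closed for account type {item.account_type} "
                          f"in company code {company_code}")
    return errors


def demo_variants() -> Dict[str, PeriodVariant]:
    """Constructed sample: company code 1000 has only 2016/11 open for everyone,
    vendor (K) postings are allowed only in 2016/10 (so effectively blocked),
    special periods 13-16 are open for closing postings, and CO->FI may still
    post to October while month-end closing runs."""
    nov = Interval(Period(2016, 11), Period(2016, 11))
    v = PeriodVariant(
        normal={ALL: nov, "K": Interval(Period(2016, 10), Period(2016, 10))},
        special={ALL: Interval(Period(2016, 13), Period(2016, 16))},
        cofi=Interval(Period(2016, 10), Period(2016, 11)),
    )
    return {"1000": v}


if __name__ == "__main__":
    vs = demo_variants()
    cust = [LineItem("D", 500.0), LineItem("S", -500.0)]
    vend = [LineItem("K", -200.0), LineItem("S", 200.0)]
    print(check_posting(vs, "1000", Period(2016, 11), cust))   # [] -> allowed
    print(check_posting(vs, "1000", Period(2016, 11), vend))   # vendor line rejected
    print(check_posting(vs, "1000", Period(2016, 10), cust))   # previous month closed
    print(check_posting(vs, "1000", Period(2016, 13), cust))   # special period open
    print(check_posting(vs, "1000", Period(2016, 10), [], source="CO"))  # CO->FI allowed
```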
Wenlin Zhou says
Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
Internal control is a process — effected by plan management and other personnel, and those charged with governance, and designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting.
Your plan’s policies, procedures, organizational design and physical security all are part of the internal control process. The following are some general characteristics of satisfactory plan internal control over financial reporting:
1. Policies and procedures that provide for appropriate segregation of duties to reduce the likelihood that deliberate fraud can occur
2. Personnel qualified to perform their assigned responsibilities
3. Sound practices to be followed by personnel in performing their duties and functions
4. A system that ensures proper authorization and recordation procedures for financial transactions
The critical issue is that the plan’s internal control policies and procedures must be in place, performed by duly authorized plan personnel, or their designee who is capable of performing the control activities. Furthermore, plan management must accept responsibility for designing, implementing and maintaining internal control. For example, the plan can use its plan auditor to assist in identifying adjusting entries and drafting the financial statements and related disclosures. But to have effective controls to prevent, detect and correct misstatements in the financial statements, the plan must designate an employee to oversee the service who understands the benefit plan industry, understands how accounting entries affect the plan’s financial statements, is capable of making management decisions related to the monthly and year-end closing activities, and approves and accepts full responsibility for the plan auditor’s work product.
Mansi Paun says
1. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
Ans: In my view, the financial and accounting controls can be ranked as below in decreasing order of importance (most important ranked first):
• Approval Authority
• Completeness
• Accuracy
• Access Controls
• Separation of Duties
• Reconciliations
• Trial Balances
• Documentation
• Physical Audits
I rank Approval Authority as the most important as without the transactions being authorized by the right personnel, they signal failure of control even if the transactions are correct and complete. At the same time, incorrect Approval Authority could also give way to fraud being committed. I would rank Physical Audits as the least important as if the other controls are already in place, Physical audit would be more of a check to confirm that the transaction information and accounting is done correctly. There wouldn’t be far-reaching implications if Physical audit weren’t taking place but all other controls were already in place.
Mansi Paun says
Sorry, this is the answer to Q.3.
Deepali Kochhar says
Mansi,
This is a great answer. I would say segregation of duties should be ranked top most. It is very important to first assign right duties to right person and define the organisational chart before the approval authority works on the approval process. It is very important to approve right kind of roles for the right person in order to manage fraud.
Mansi Paun says
Very valid point, Deepali – however I thought that segregation of duties may not always be possible and that there could be compensatory controls implemented in that scenario. But even before the segregation of duties can be carried out, ensuring that the right personnel are the approval authorities should be paramount. Of course practically, authorizations and segregation of duties go hand in hand and authorizations can be provided once duties are established. If you look at individual transactions though, if they aren’t approved by the right authority, it is an outright control failure even if the transaction is accurate and complete.
Paul Linkchorst says
Hi Deepali and Mansi,
I felt that access controls should be the most important in terms of financial and accounting controls. I agree with you Deepali that segregation of duties is extremely important, however, the reason why I ranked access controls over it is because without proper access controls in today’s world, then you can’t effectively segregate duties within an accounting information system.
To go off of Mansi’s comment, you state that approval authorities should be the most important. In my experience, many transactions within a company don’t need to be approved by higher management, it is only those big ticket transactions that occur or a miscellaneous adjusting entry that actually need to be approved before processing. Therefore, I would see this control as lower on the pole since it doesn’t affect every transaction. Do you have a different experience where transactions are usually approved more often?
Ming Hu says
Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
I don’t believe so yet. Compared to the configuration of software security protocols, which could be seen as a part of software security controls, the entire network's security is a more complex project for a business to mainly focus on, and in today’s business environment, it is becoming increasingly complex, as new Internet threats appear daily or even hourly. More than ever, good network security is vital to businesses of all sizes to protect the confidentiality, integrity and availability of your network and data, and to protect your business from today’s sophisticated Internet threats, not just from the software side.
Fred Zajac says
1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
I believe business leaders do rely too much on administrators to configure security protocols, rather than practice over all security.
The reason I believe this is because many business leaders are not technology professionals. They don’t know about the vulnerabilities until they are informed by the IT professionals or they hear about it on the news. I doubt you will see many CFOs reading about current IT control best practices unless it is given to them by someone. The problem is, many business leaders are not passionate about IT, or even know about the different kinds of network security. They think everything must have been caused by a virus, installed randomly by an external source. The business leaders are focused on increasing revenue and/or reducing expenses. They don’t understand that security in the entire network is similar to everyday safety activities. To fix this, security in the entire network has to become the company culture.
Annamarie Filippone says
Fred, this is a great point. Despite the obvious importance of security, many of today’s business leaders still view it as a drain on resources. As you mentioned, increasing revenue and cutting costs is their focus, and this can lead to poor security decisions that may cost them more in the long run. Security is the responsibility of everyone within the organization, not just IT. I feel that, unfortunately, many organizations must learn this the hard way (through data breaches or other harmful incidents), before they make changes.
Fred Zajac says
2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
The relevance of only being able to have one posting period open at a time for real-time postings is that real-time postings are happening at that moment in time. The posting period open should be the current period, so it would be relevant to only have the current posting period open for real-time postings.
By only having the current period open for real-time postings, the opportunities for fraud are reduced by eliminating the integrity vulnerability. Having the ability to post real-time transactions in other periods would allow for a misrepresentation of the financial statements.
Fred Zajac says
3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
It is difficult to rank the importance of each control because they are all important based on what the control is controlling… Hope that isn’t confusing. Anyway, my ranking is based on what a small company, with limited resources should implement first, or most important.
1. Authorizations & Access Protection
This is generally set up by user and/or department to segregate duties throughout the company.
2. IT General Controls
This could be switched with Access Protection because policies will be implemented to allow access to the ERP application and/or the add-on functions (apps, data, etc.)
3. Automated Testing and Monitoring of business processes, Key Performance Indicators, etc.
The controls should be monitored to determine if they are improving or worsening the business process. If it isn’t helping, things need to be changed.
4. Entity Level Controls
The integrity of the financial statements and management assertions should be accurate. Entity controls are internal controls used for each entity of the business to ensure accurate completion.
5. Manual & Semi-Automated Business Process Controls
Ensuring the process is done correctly by a human and a system will allow for a hands-on review.
6. Automated Business Process Controls
This could also be very important for a large company, who has many customers or many steps in the business process. But from an importance point of view, you could always use Manual. It would take longer.
Fred Zajac says
4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
My experience with computer systems security is switching from a local presence to a remote presence, for some of the reasons you mention. As long as you handle the due diligence and proper vendor vetting, you will find the security on the system is much more robust than anything most companies can build, manage, and maintain on their own. The costs, securities, and accessibility offered for “cloud” users makes moving many aspects of the computer system out of the office.
However, bureaucracy at the top will always be present with a local or remote computer system. The most difficult thing to do is convincing a successful leader there is a better strategy than the one that made them successful. Many times you can show them why the system will benefit the company, but if you don’t have the camaraderie with the decision maker, you may have to wait for funding while the decision maker's weekend friend moves forward with their project.
Seunghyun (Daniel) Min says
Q4: You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
In my past experience in the Korean Army, I was in the Signal Corpsman unit. Since we dealt with a lot of confidential information within the Army, it was very cumbersome and difficult to access the computer systems. We had multiple layers of authentication to log in to the computer system and changed the passwords 2 times a week. And the Army tried not to rotate the passwords, so we always ended up memorizing new random ones. Just one problem I experienced with the multiple layers of authentication was that it took much longer to get into the computer. So when a senior manager wanted to get some data from our team, and it was urgent, it somehow slowed down our reporting system.
Paul Linkchorst says
Hi Daniel,
I have never heard of someone having to change their passwords 2 times a week. That seems really excessive! I wonder how much protection the Korean Army thought they had by changing the password that often instead of once a week or even once every two weeks. It’s like having 3 locks on your front door. Sure they all do a good job at protecting you, but does the third one add that much more protection than having two? I am a firm believer in everything in moderation and the same goes for security.
Paul Linkchorst says
1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
Based on my experiences with internships and in the ITACS program, it seems that a lot of the focus on security protocols is not within programs such as SAP but more on network security. I suppose one of the reasons why many focus on network security is due to the fact that SAP, or ERPs in general, are more buried within the network. When I say this, I mean that those who interact with the SAP system are usually members of the organization, not outside vendors or customers. Therefore, if an individual is looking to gain unauthorized access, they will need to gain access to the network first and then gain access to the application. With that being said, the security protocols that SAP offers are relatively robust, and security professionals can take advantage of that to properly identify and authenticate users of the SAP system, which acts as a security feature within the organization and a second layer of defense in the entire network.
Paul Linkchorst says
2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
From an accounting perspective, having multiple periods throughout the year is a way to help prevent inappropriate management assertions such as completeness and cutoff. For example, if a business has monthly accounting periods, as in it “closes its books” every month, then you don’t want members of the accounting department to accidentally book an entry into the following month. This control likely serves two purposes. One, it works as a manual entry control, which can work as a validity check or reasonableness test that prevents employees from non-maliciously creating transactions in the wrong posting period. Two, it works as a control that prevents individuals from maliciously posting transactions into the wrong posting period. While I do believe this control mainly serves to prevent human error, I do think it can serve both purposes.
Paul Linkchorst says
3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
After doing a quick Google search, I came across seven internal controls over finance/accounting. It seems that this is a list of very broad control categories; however, I have ranked them in order of most important to least important.
1. Access controls: This control focuses on limiting who can access what within an accounting system. Without this control, users can access different areas of the financial system which causes a segregation of duties issue, which could potentially lead to fraudulent activities. Therefore, in order to have proper segregation of duties these controls need to function properly.
2. Separation of Duties: This control focuses on separating responsibilities among different members of the accounting process in order to reduce the risk of fraudulent activities and decrease potential human error. I rated this after access controls because even though you properly segregate duties, if you can’t enforce it then they are not properly segregated.
3. Reconciliations: This control works as a reconciliation against other account balances. In an accounting system, reconciliations can be performed as a check to make sure that data entered into the system is appropriate and are using the correct balance. This is one of the more important controls because it makes sure that balances are correct and that before going forward, one can verify that balances reconcile and everything ties out.
4. Trial Balances: A trial balance works much like a reconciliation, except that it makes sure that all the debits and credits match each other, as they are supposed to. Likewise, trial balances are used to compile financial statements at year end or when audited. This is important from a financial standpoint since it more or less makes sure the accounts have been properly recorded throughout the year.
5. Documentation: According to the website, this control works by standardizing all documentation so that it fits a certain form and look, such as invoices, purchase orders, etc. By doing this, it has the potential to reduce human error when inputting data into the accounting system, reduce confusion about the purpose of documents, and also help during an audit.
6. Approval authority: This control works by having a manager or superior approve a transaction or record before it can be processed. In the case of large transactions, this can serve as a way to make sure that the right personnel have responsibility over transactions. The reason why I put this lower on importance is because it should only affect big transactions and not control the majority of a company’s transactions.
7. Physical Audits: This control is a physical audit such as counting inventory or money. The reason why I rated this last is because it is only detective in nature. Since it only verifies that a correct counting was made, I would much rather have a preventative control in place than one that is detective.
List from: http://smallbusiness.chron.com/seven-internal-control-procedures-accounting-76070.html
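The ranking above puts access controls and separation of duties at the top because one enforces the other: a role assignment that gives one person both sides of a transaction is exactly what an access control should catch. As an added illustration (this is not code from the thread, from the course, or from SAP; the role names, permissions, users and conflict rules are all constructed), here is a small segregation-of-duties conflict check of the kind a security team runs against role assignments, with a second function that evaluates an access request before it is approved. The rules are written against permissions rather than role names, so renaming or nesting roles cannot hide a conflict.

```python
"""Added example: a segregation-of-duties (SoD) conflict check over role assignments.
Everything here is constructed for illustration; it is not SAP's authorization model
or the course's own code."""
from typing import Dict, List, Set, Tuple

# Constructed: role -> the permissions (activities) it grants
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"post_vendor_invoice", "display_vendor"},
    "AP_PAYMENT_RUN": {"execute_payment_run"},
    "VENDOR_MASTER": {"create_vendor", "change_vendor"},
    "PURCHASER": {"create_purchase_order"},
    "GOODS_RECEIPT": {"post_goods_receipt"},
    "PERIOD_CONTROL": {"open_close_posting_period"},
    "GL_ACCOUNTANT": {"post_gl_document"},
    "DISPLAY_ONLY": {"display_vendor", "display_gl"},
}

# Constructed: SoD rules, each a pair of permissions one person must never hold together.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "vendor master vs. vendor invoices": ("create_vendor", "post_vendor_invoice"),
    "vendor master vs. payment run": ("create_vendor", "execute_payment_run"),
    "purchase order vs. goods receipt": ("create_purchase_order", "post_goods_receipt"),
    "period control vs. G/L posting": ("open_close_posting_period", "post_gl_document"),
}

# Constructed: user -> assigned roles
USERS: Dict[str, List[str]] = {
    "jdoe": ["AP_CLERK", "VENDOR_MASTER"],          # can create a fictitious vendor and invoice it
    "asmith": ["PURCHASER", "DISPLAY_ONLY"],
    "intern1": ["DISPLAY_ONLY"],
    "ctrl01": ["PERIOD_CONTROL", "GL_ACCOUNTANT"],  # can reopen a closed month and post into it
    "bjones": ["PURCHASER", "GOODS_RECEIPT"],
}


def effective_permissions(user: str, users=USERS, roles=ROLES) -> Set[str]:
    """Union of permissions over all of the user's roles (an undefined role is an error, not ignored)."""
    perms: Set[str] = set()
    for role in users[user]:
        if role not in roles:
            raise KeyError(f"user {user} holds undefined role {role}")
        perms |= roles[role]
    return perms


def find_sod_violations(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Return (user, rule, roles_granting_a, roles_granting_b) for every rule a user trips.
    Naming the granting roles lets an approver fix the assignment instead of just flagging it."""
    violations = []
    for user in sorted(users):
        perms = effective_permissions(user, users, roles)
        for rule, (a, b) in rules.items():
            if a in perms and b in perms:
                via_a = sorted(r for r in users[user] if a in roles[r])
                via_b = sorted(r for r in users[user] if b in roles[r])
                violations.append((user, rule, via_a, via_b))
    return violations


def new_conflicts_if_granted(user: str, new_role: str, users=USERS, roles=ROLES, rules=SOD_RULES):
    """Preventive use: evaluate an access request before approval and report only the
    conflicts the extra role would introduce (pre-existing conflicts are a separate finding)."""
    trial = dict(users)
    trial[user] = list(users.get(user, [])) + [new_role]
    before = {(u, rule) for u, rule, _, _ in find_sod_violations(users, roles, rules)}
    after = {(u, rule) for u, rule, _, _ in find_sod_violations(trial, roles, rules)}
    return sorted(rule for u, rule in after - before if u == user)


if __name__ == "__main__":
    for user, rule, via_a, via_b in find_sod_violations():
        print(f"SoD violation: {user}: {rule} (via {via_a} and {via_b})")
    print("asmith + GOODS_RECEIPT ->", new_conflicts_if_granted("asmith", "GOODS_RECEIPT"))
    print("intern1 + AP_CLERK ->", new_conflicts_if_granted("intern1", "AP_CLERK"))
```

Running it flags jdoe (vendor master plus vendor invoices), bjones (purchase order plus goods receipt) and ctrl01 (period control plus G/L posting), and shows that granting GOODS_RECEIPT to asmith would create a new conflict while granting AP_CLERK to intern1 would not.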
Paul Linkchorst says
4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
Yes, I have in multiple organizations. Security by its very nature seems to be bureaucratic, since it oftentimes consists of a higher-level employee limiting what you can and cannot access. Since most of my recent work experiences have been internships, I by default am usually given limited access to systems and files. In order to gain access, I generally had to submit a ticket where a supervisor and a manager both had to sign off that the access I was requesting was appropriate. While this can be considered a good thing from a security standpoint, from a user standpoint it can be frustrating, as you have to request authorizations to certain files/applications, which can take a while and end up increasing one’s idle time. But as I stated earlier, system security is cumbersome by its very nature, since it often comes at the expense of efficiency. A user might complain that having to sign on to their computer in the morning is a hassle or that connecting to a VPN to share documents is a waste of time. However, these simple authentication controls require relatively little time but can significantly protect an organization from unauthorized users. I think the major reason why system security seems cumbersome, difficult, and bureaucratic is that users don’t understand the full purpose of each action.
Abhay V Kshirsagar says
Paul,
I absolutely agree.
In one of my internships, I occasionally customized the ERP tabs as requests from departments came in. My primary job as an intern was related to the database and not system development. But every time a customization request came in, it used to take at least 24 hours for me to be granted the required privileges for the job. It was cumbersome because often small changes needed to be done immediately, and I found myself stuck with something that wasn’t in my control.
Abhay V Kshirsagar says
Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
From my experience, the COO focused more on security protocols than on the security of the enterprise network. Throughout different projects, I noticed how vigilant the whole department was when it came to application security. Protocols were clearly defined for incidents like phishing and malware. Strong password policies were strictly followed.
Operational security protocols were also deployed, for instance, tools like round-the-clock monitoring and they had a dedicated tenured security team to ensure that security remained strong.
On the other hand, I observed that the organization had physical security controls missing. The card-reader at the entrance was out of order and the replacement took more than a month. It was a huge exposure since all the ports on the network can be used to infiltrate and compromise the entire network. In another instance, the contract with Managed Service Provider also had loopholes.
Priya Prasad Pataskar says
1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
I believe the company as a whole and the board might be more concerned with and focused on overall security in the network. From the ERP perspective, the ERP managers would focus more on internal controls. I think that earlier, when ERP software was still in the making and evolving, overall security was not the priority. However, now ERP tools like SAP have come a long way and are integrated with web-based tools and technologies for security. The requirement for security is also increasing with the increased use of mobile phones, cloud storage, and distributed networks, and with cyber attacks on the rise. Including a high level of security in a complex ERP system becomes cumbersome.
Overall security must be thought about when the ERP is installed. Internal controls may change with the business, and ERP managers will update them when required; if they are not implemented, the system will show errors soon. This is not the same with overall security. The data integrity, availability, and confidentiality aspects must be based on the security considerations and planning done at the initial design stage.
Abhay V Kshirsagar says
Priya,
I absolutely agree with you. Just like PCs, ERP applications were developed to process data and help companies manage their business processes efficiently. As you rightly pointed out, the contexts in which the technology is consumed have increased, and so have the tools.
For example, various ERPs have mobile apps, and my company made sure that our sales team had them on their company-issued devices. As the convenience increased, so did the exposure to different threats. My company then also had to include some changes in its user access control policy, ensuring timely changes in the security protocols of the NetSuite ERP.
Deepali Kochhar says
Q 2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
A Posting Period Variant is useful in opening or closing finance posting periods across many Company Codes at one time. You define a posting period variant and assign it to various Company Codes.
SAP provides a feature to open multiple posting periods simultaneously and has no restriction on the number of posting periods.
Generally, a business keeps only the current posting period open in a financial year for customers and vendors to enter transactions related to that month, and all other posting periods are kept closed, since otherwise it becomes difficult to book revenue and cost in the correct period, which can lead to inaccurate entries, possibly due to human error.
Sometimes prior period is open to allow period-end adjustments.
This allows to manage multiple company codes through a single posting period and hence managing fraud.
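Several answers in this thread describe the same control from different angles: a posting period variant assigned to one or more company codes, open periods that can differ by account type, and special periods reserved for closing entries. As an added illustration (not SAP code and not from any post here; the variant tables, company codes, dates and document numbers are constructed, and it assumes a fiscal year equal to the calendar year), here is a small posting gate that rejects any document whose posting date falls outside the open periods for its company code and account type. That rejection is the mechanism that stops an entry landing in a closed month, whether by mistake or on purpose.

```python
"""Added example: a posting-period gate modelled on SAP's posting period variant.
Not SAP code; table layouts, names and dates are constructed for illustration."""
from datetime import date
from typing import Optional, Tuple

# Constructed: posting period variant -> account type -> list of open (from, to) ranges.
# Periods are (fiscal_year, period) tuples; 1-12 are calendar months (assumption: fiscal
# year = calendar year), 13-16 are special periods used only for closing entries.
# "+" is the default row for all account types; a specific account type overrides it.
POSTING_PERIOD_VARIANTS = {
    "0001": {
        "+": [((2016, 10), (2016, 10))],                                # only the current month
        "S": [((2016, 10), (2016, 10)), ((2016, 13), (2016, 16))],      # G/L may also post closing entries
    },
    "0002": {
        "+": [((2016, 9), (2016, 10))],  # this variant keeps the prior month open for adjustments
    },
}
# Constructed: company code -> variant (one variant can serve many company codes)
COMPANY_CODE_TO_VARIANT = {"1000": "0001", "2000": "0001", "3000": "0002"}

ACCOUNT_TYPES = {"A": "assets", "D": "customers", "K": "vendors", "M": "materials", "S": "G/L"}


def fiscal_period(posting_date: date, special_period: Optional[int] = None) -> Tuple[int, int]:
    """Derive (fiscal year, period) from the posting date; special periods 13-16 are explicit."""
    if special_period is not None:
        if not 13 <= special_period <= 16:
            raise ValueError("special period must be 13..16")
        return (posting_date.year, special_period)
    return (posting_date.year, posting_date.month)


def check_posting(company_code: str, account_type: str, posting_date: date,
                  special_period: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). A document is rejected unless its period is open for that
    company code and account type; this is what keeps postings out of a closed month."""
    if account_type not in ACCOUNT_TYPES:
        return False, f"unknown account type {account_type!r}"
    variant_id = COMPANY_CODE_TO_VARIANT.get(company_code)
    if variant_id is None:
        return False, f"company code {company_code} has no posting period variant"
    variant = POSTING_PERIOD_VARIANTS[variant_id]
    # special periods belong to the last month of the fiscal year only
    if special_period is not None and posting_date.month != 12:
        return False, "special periods require a posting date in the last month of the fiscal year"
    target = fiscal_period(posting_date, special_period)
    open_ranges = variant.get(account_type, variant["+"])
    label = f"period {target[1]}/{target[0]} for {ACCOUNT_TYPES[account_type]} in variant {variant_id}"
    for low, high in open_ranges:
        if low <= target <= high:
            return True, label + " is open"
    return False, label + " is closed"


def process_batch(documents):
    """Apply the gate to (doc_no, company_code, account_type, posting_date[, special_period]) tuples."""
    results = {}
    for doc in documents:
        doc_no, company_code, account_type, posting_date = doc[:4]
        special = doc[4] if len(doc) > 4 else None
        results[doc_no] = check_posting(company_code, account_type, posting_date, special)
    return results


# Constructed sample batch: the current period for variant 0001 is October 2016.
SAMPLE_DOCUMENTS = [
    ("4900001", "1000", "D", date(2016, 10, 14)),      # customer invoice in the open month
    ("4900002", "1000", "K", date(2016, 9, 30)),       # vendor invoice back-dated into a closed month
    ("4900003", "1000", "D", date(2016, 11, 2)),       # revenue pushed forward into next month
    ("4900004", "3000", "S", date(2016, 9, 28)),       # company 3000 still has September open
    ("4900005", "1000", "S", date(2016, 12, 31), 13),  # G/L closing entry in special period 13
    ("4900006", "1000", "D", date(2016, 12, 31), 13),  # customer accounts cannot use special periods here
]

if __name__ == "__main__":
    for doc_no, (ok, why) in process_batch(SAMPLE_DOCUMENTS).items():
        print(f"{doc_no}: {'posted' if ok else 'REJECTED'} - {why}")
```

Of the six constructed documents only 4900001, 4900004 and 4900005 are accepted; the back-dated vendor invoice, the forward-dated revenue and the customer posting into a special period are all rejected with the reason recorded, which is the audit trail an auditor would ask for.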
Seunghyun (Daniel) Min says
Q1: Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
With respect to this question, I would say yes and no. I think it really depends on what you do or who you are in your organization. Over the summer, I worked for Fox Information Technology, Temple University, as a Technology Consultant. When I was an employee there, I was always discussing security issues or any suspicious activities on our web with a network specialist or managers who were the System Administrators. I was heavily relying on them because they were the only key to helping me secure or configure the computer systems that I was working on. At the same time, I was also a student at Temple University. As a student, my concerns in terms of security were how Temple can protect my credentials, personal data, or financial information – TU Pay – from any kind of incident related to outside intruders. That is, does Temple have an indestructible security process in their network system so that when a hacker tries to compromise the data, Temple can fight back to secure their students’/faculty’s/staff’s information?
Binu Anna Eapen says
I agree that administrators will have a better idea about the security protocols and will be able to suggest better solutions, as they are the ones who directly work with and handle day-to-day issues. Normally it is the practice that the technician/administrator will study the issue and the number of occurrences and suggest a resolution, but the decision for change is not made by the administrator. Normally the change management team gets involved and checks, approves, and verifies before any major change is made in the network.
Seunghyun (Daniel) Min says
Q2: What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
One of the main reasons for only being able to have one posting period open at a time for real-time postings is to prevent users from entering wrong information into the wrong posting period. As we have talked about human error many times already in class, the best way to preclude human error from happening is to make the process automated. Because only one posting period is open at a time, users are prevented from jumping around to other posting periods. It really helps the system record correct data into the right sections.
Seunghyun (Daniel) Min says
Q3: Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
1. Separation of Duties
Separation of duties involves splitting responsibility for bookkeeping, deposits, reporting and auditing. The further duties are separated, the less chance any single employee has of committing fraudulent acts. For small businesses with only a few accounting employees, sharing responsibilities between two or more people or requiring critical tasks to be reviewed by co-workers can serve the same purpose.
2. Access Controls
Controlling access to different parts of an accounting system via passwords, lockouts and electronic access logs can keep unauthorized users out of the system while providing a way to audit the usage of the system to identify the source of errors or discrepancies. Robust access tracking can also serve to deter attempts at fraudulent access in the first place.
3. Physical Audits
Physical audits include hand-counting cash and any physical assets tracked in the accounting system, such as inventory, materials and tools. Physical counting can reveal well-hidden discrepancies in account balances by bypassing electronic records altogether. Counting cash in sales outlets can be done daily or even several times per day. Larger projects, such as hand counting inventory, should be performed less frequently, perhaps on an annual or quarterly basis.
4. Documentation
Standardizing documents used for financial transactions, such as invoices, internal materials requests, inventory receipts and travel expense reports, can help to maintain consistency in record keeping over time. Using standard document formats can make it easier to review past records when searching for the source of a discrepancy in the system. A lack of standardization can cause items to be overlooked or misinterpreted in such a review.
5. Trial Balances
Using a double-entry accounting system adds reliability by ensuring that the books are always balanced. Even so, it is still possible for errors to bring a double-entry system out of balance at any given time. Calculating daily or weekly trial balances can provide regular insight into the state of the system, allowing you to discover and investigate discrepancies as early as possible.
6. Reconciliations
Occasional accounting reconciliations can ensure that balances in your accounting system match up with balances in accounts held by other entities, including banks, suppliers and credit customers. For example, a bank reconciliation involves comparing cash balances and records of deposits and receipts between your accounting system and bank statements. Differences between these types of complementary accounts can reveal errors or discrepancies in your own accounts, or the errors may originate with the other entities.
7. Approval Authority
Requiring specific managers to authorize certain types of transactions can add a layer of responsibility to accounting records by proving that transactions have been seen, analyzed and approved by appropriate authorities. Requiring approval for large payments and expenses can prevent unscrupulous employees from making large fraudulent transactions with company funds, for example.
Source: http://smallbusiness.chron.com/seven-internal-control-procedures-accounting-76070.html
All of the 7 accounting controls above are imperative to preclude any financial incidents. Among those 7 controls, I think the Separation of Duties is the most important; on the other hand, Trial Balances is the least important control. Separation of Duties is very important because it is one of the most basic, critical controls to prevent an organization from internal fraud. As opposed to it, Trial Balances is the least important because nowadays most companies are trying to transform their accounting systems to become more automated. That is, there will be fewer errors in the financial documents since more transactions are going to be made automatically.
Abhay V Kshirsagar says
Dan,
I believe that the authorization control is the most important one of all. For instance, in the context of the principle of least privilege, think about a company where a salesperson has access to the HR system data. That salesperson doesn’t need that access in order to finish his/her job, resulting in a violation of the principle of least privilege. Over-privileged users can be victims of a spear-phishing or email phishing attack and can open an email they are not supposed to, which can put the entire organization at risk.
So, even if you have other controls in place, without a sophisticated authorization control, everything will go in vain. If an attacker/fraudster gets privileges to change or delete data or transactions, or to download information, this can compromise all the aspects of confidentiality, integrity, and availability. Thus, I feel that if the principle of least privilege is correctly followed for configuring systems, defining permissions for different accounts, and really planning the application security, we can certainly take away some of the options that attackers may use against us, and hence the authorization control becomes the most important control.
Vu Do says
4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
While working as an Associate Application Developer for Highmark BlueCross BlueShield, I was given a laptop with which I was able to access the company system remotely from any location as long as I had Wi-Fi access. I also would need a key fob with a code that changes every time I click it, to enter along with my password. If the number was not entered within the 30-second time limit, then I would have to click it again and re-do it with the new number. It was a security procedure for the company, so I understood why it was there, but 30 seconds to enter it was a little bit much. I was the only one with access to the key fob, and I also had to enter my login password, which I was required to change every 3 months. So it was a lot to remember for the steps to log in to their system remotely. And on top of that, if the requirements were not in my user access account, then I would not be able to log in and would have to wait for the request to go through the chain of approval before I would gain access.
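The fob described above is a one-time-password token, and the 30-second limit is a property of how the server checks the code rather than an arbitrary annoyance. As an added illustration (standard library only; not Highmark's, any vendor's, or the course's implementation, and the 20-byte key is the published test key from RFC 4226 and RFC 6238, not a real secret), here is the server side of both token styles: time-based TOTP, where a code is only valid for its 30-second slot plus a small drift window, and event-based HOTP, where the counter advances on each button press and the server never moves backwards, so a code that was seen once cannot be replayed.

```python
"""Added example: how a one-time-password fob and its server-side check work (RFC 4226 HOTP
and RFC 6238 TOTP). Standard library only; an illustration, not any vendor's implementation.
The 20-byte key below is the test key from the RFCs, not a real secret."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

RFC_TEST_KEY = b"12345678901234567890"  # shared secret; in practice provisioned into fob and server


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second slots."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                window: int = 1, digits: int = 6) -> Tuple[bool, Optional[int]]:
    """Accept the current slot plus `window` slots either side; that absorbs clock drift and the
    time it takes to type the code. With 30-second steps and window=1 a code is good for roughly
    30-90 seconds after it appears, never longer."""
    slot = int(at_time) // step
    for candidate in range(slot - window, slot + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):  # constant-time compare
            return True, candidate
    return False, None


class HotpVerifier:
    """Server side of an event-based fob (counter advances on every button press). Keeps the next
    expected counter and looks ahead a few presses in case the user clicked without logging in;
    it never moves backwards, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, next_counter: int = 0, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.next_counter = next_counter
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, code: str) -> bool:
        for candidate in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.next_counter = candidate + 1  # resynchronise and burn every earlier counter
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC_TEST_KEY, now)
    print("current TOTP:", code,
          "accepted now:", verify_totp(RFC_TEST_KEY, code, now)[0],
          "accepted 2 minutes later:", verify_totp(RFC_TEST_KEY, code, now + 120)[0])
    fob = HotpVerifier(RFC_TEST_KEY)
    first = hotp(RFC_TEST_KEY, 0)
    print("fob code", first, "first use:", fob.verify(first), "replay:", fob.verify(first))
```

The RFC test vectors (HOTP counter 0 gives 755224; 8-digit TOTP at Unix time 59 gives 94287082) are a quick way to confirm an implementation before trusting it, and the replay check is the part most home-grown verifiers forget.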
Abhay V Kshirsagar says
Vu,
I can certainly relate to this. In my case, the authorization request sometimes took more than three days. On one hand, I had a pile of customization requests growing and on the other hand, I was waiting to get the authorization.
Annamarie Filippone says
Q1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain.
No I think that most businesses understand the importance of security both for an entire network and within specific programs like SAP. Each comes with its own set of vulnerabilities and relying too much on the protocols of one leaves the other at great risk. If administrators relied solely on the security of SAP, it could open the network to attackers, which could cause serious harm to the organization in a variety of ways.
Annamarie Filippone says
Q2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
Having only one posting period open at a time helps prevent things being posted to the wrong period. This is sometimes done fraudulently, by shifting revenues or expenses to manipulate records. But it can also be a case of human error, someone manually entering the wrong period by mistake.
Annamarie Filippone says
Q4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain.
Like many others, I think one of the most “cumbersome” security processes that I’ve experienced has revolved around passwords. At some of my previous jobs, frequent required password changes have led to unsafe practices for the sake of convenience. One of the most glaring problems was people putting their password on post-it notes by their desk after giving up on attempting to remember it. In addition, many people cycled through passwords, using the same three or four. Again, this made things easier for the individuals but was definitely not proper protocol.
Jianhui Chen says
Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
I believe businesses should focus more on the security in programs like SAP, as programs like SAP store and process all this financial data, which means that you need to control it.
Nowadays, many companies face the threat from insiders. For example, Wells Fargo’s employees, to meet sales targets, opened bank and credit card accounts in customers’ names without their authentication. Obviously, the employees exploited the vulnerabilities of their organization’s program without enough security protocols.
Victoria A. Johnson says
Jianhui,
Wells Fargo is a great example of what happens when security protocols are not effectively in place. This lack of security was carried on for too long even though high-level management “believed” they had a handle on the situation. When situations like these are left unchecked and not handled promptly, it only creates more of a snowball effect, which never ends well for the reputation of senior-level management and the company as a whole.
Vu Do says
1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
No, since businesses use programs like SAP to administer most of their daily operations, from placing orders, making sales, checking inventory, etc. SAP is such an important tool for a business that their focus should be on it, since if it gets compromised then many issues can arise. Attackers can get into their SAP databases and mess up orders, which could cost them business. But they also need to focus on other security protocols within their organization, or else they leave it vulnerable to an attack. SAP is the database system used, but there are desktops that have it installed, so those must be protected also.
Victoria A. Johnson says
Great post Vu. I agree that users need to be protected from whatever device they are using to access the SAP database.
Vu Do says
2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
The posting period is for the quarter that the company is in, and it separates it from the rest of the year. The advantage is being able to see the results of how the company did at that time and compare it to the other quarters. It also helps to detect fraud if there is anything unusual in one period versus another. For example, seeing revenue at a consistent amount for two quarters and then, in the next, seeing it spike up tremendously with no sales being made. With it being separated, it would be easier to detect fraud and investigate.
Wen Ting Lu says
1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
I don’t think businesses rely too much on administrators to configure the security protocols in programs like SAP. I think businesses should focus on security in the entire network. Computer networks have grown rapidly. If businesses do not take network security seriously, there could be major consequences, such as loss of privacy, theft of information, and even legal liability. One of the reasons why network security is important is because it protects the company’s assets, which are hardware and software. If the entire network is not secured, then there is no point in businesses relying on administrators to configure the security protocols in programs like SAP, because these software programs could be easily attacked.
There are four goals of network security that all business should have:
1. Integrity: The assurance that the information is trustworthy and accurate.
2. Confidentiality: Ensuring that only authorized individuals have access to the resources being exchanged.
3. Availability: Guaranteeing the information system’s proper operation.
4. Authentication: Ensuring that only authorized individuals have access to the resources.
Victoria A. Johnson says
What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
The relevance of only being able to have one posting period open at a time is because typically these postings happen in a calendar month requiring only one posting open at that time. This is important because it helps to prevent fraud from occurring and it assists in prohibiting unauthorized individuals from having access to other posting periods. Typically, changes will require postings during the end of year closing which is a great way to reduce the risk of fraud.
Victoria A. Johnson says
Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
Considering the list of financial and accounting controls, I believe one of the most important controls is authorization control.
Authorization controls are important from a financial standpoint because they are a proactive measure that prevents invalid transactions from happening. Documenting authorization creates responsibility and accountability, which helps to clearly identify which individuals have authority to initiate, submit, reconcile, view, and approve certain transactions. In case anything goes wrong, this is an important control to have in place.
Wen Ting Lu says
2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
You can open as many posting periods as you want in SAP. Generally, for a business, only the current posting period is kept open for a fiscal year to enter transactions related to that period. The relevance of only being able to have one posting period open at a time for real-time postings is to prevent entries being recorded in the wrong period. For example, if expenses or revenue are posted in the wrong posting period, then it will affect the company’s financial statements, which will provide management and investors inaccurate financial information to make decisions based on the company’s performance. Also, it prevents fraudulent activities from happening; it prohibits authorized users from having access to make any changes in other periods. Adjusting entries should be recorded at the end of an accounting period to alter the ending balances in various general ledger accounts. These adjustments are made to more closely align the reported results and financial position of a business.
Fangzhou Hou says
1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
In my point of view, it depends on the specific scenario. Indeed, the security of the entire network of the organization is very important; however, to improve the security level of the entire network, a huge amount of investment in IT infrastructure like firewalls and other hardware is required. If the company is a major public company with valuable information assets, of course, the security of the entire network is very important to prevent the information assets from being damaged by cyber-attacks. However, if it’s a small company or a newly started business, a huge investment in the entire network may negatively affect the financial statements of the company. In this scenario, focusing on securing the key programs like SAP can maximize the protection of the information assets of the newly started company with minimized cost.
Fangzhou Hou says
3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
Financial and accounting controls are listed as follow:
1. Segregation of duties: Splitting responsibilities for bookkeeping, deposits, reporting and auditing to different person or departments to avoid one single employee handles all key accounting processes.
2. Access Authority: Only authorized users are allowed to access to the systems. The access controls usually involve setting passwords, lockouts and electronic access logs.
3. Approval Authority: Large payments or other sensitive financial actions require approval from the management level.
4. Physical Auditing: To mitigate the risk of potential fraud, physical audits like checking the inventory, materials, and tools are required.
The most important control is the segregation of duties, because if all key accounting procedures are handled by only one person without others’ supervision, then if accounting fraud occurred, management may not find out, and it would damage the assets of the company. The physical control is also important, but compared with the other controls it is less important, because physical auditing is a secondary control to ensure the assets’ security even after the primary controls have failed.
Wen Ting Lu says
4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
Passwords are one of the major system security concerns that we all have, no matter whether it is for work, school, or personal use. As students, Temple requests us to change our passwords every six months. For security purposes, the password cannot be one reused from previous terms, and it must have eight characters with at least one capital letter and a number. Oftentimes, we cannot remember our password, so we have to write it down somewhere, which is not a good way to do it.
In the company I work for, we have a common password to log in to our computers. My work relies heavily on email and CRM, and each employee has his or her own account and password. I have seen my co-workers write their login information on sticky notes posted on the laptop screen. Because we are a CPA accounting firm, we have lots of clients’ sensitive information such as SSNs, bank information, their login information for government sites, etc. Therefore, securing passwords is very important. This year we started using a password management service called LastPass, which stores encrypted passwords in private accounts. It’s very convenient and secure for managing all the passwords we have for different accounts. You only have to remember one master password for the LastPass account, and the rest of your passwords are locked up in your LastPass vault. Nothing is 100% secure; however, I think LastPass is more secure than recording all the passwords in an Excel sheet or writing them down somewhere.
Jaspreet K. Badesha says
2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
Each company can decide how many posting periods they want to keep open at a time. However, most companies choose to keep one open at a time so that account postings are posted to the correct month and there is less chance of error or fraud. Once a period is closed, changes are generally not made; therefore there are controls set in place to ensure that the full and correct data are inputted at the right time (before the posting period for those transactions closes).
Ming Hu says
What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
Posting periods are defined in the fiscal year; they allow you to post and make changes to documents only in a specific period in a company. Usually the current posting period is open and all other periods are closed; at the end of a period, it is closed and the next period is opened. This kind of control prevents documents from being posted to a wrong posting period.
Wen Ting Lu says
Just to add, it also limits users from making changes in other posting periods, to prevent them from committing fraudulent acts.
Jaspreet K. Badesha says
4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain
The most cumbersome experience I’ve had at both school and all of my jobs was changing my passwords frequently, not being allowed to reuse previous passwords, and being forced to make them complex. This is definitely needed for security systems; however, it is an annoyance. This is definitely hard, especially when you are not supposed to store your password or write it down.
Wen Ting Lu says
Hi Jaspreet,
I agree with you that having to remember different passwords for the multiple accounts we have is annoying. However, we cannot be careless, because system security is very important. There are still people who lack awareness of how serious leaked passwords and account information are. If you use very simple passwords or reuse the same password, you will put yourself at risk, because once your password gets hacked, the hacker will test the same password on your different accounts to get your PII.
Jaspreet K. Badesha says
1. Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
No, I think a lot of businesses do rely on the configurations of security protocols, but those can get compromised, so they have realistic measures or proactive staff who continually check for other threats. Being proactive and having security protocols definitely gives businesses full security on their systems. For example, in my company the directors and managers, along with IT personnel, ensure that the system has manual checks and protocols so we do not lose revenue.
Jianhui Chen says
2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
You define posting periods in your fiscal year variants. You can open and close these posting periods for posting. As many periods as you require can be open for posting simultaneously.
Usually, however, it works like this: when you post a transaction for a particular month, e.g. June, then the posting period is open for June only, and the past and future periods are closed. Likewise, when June ends, the system will automatically open the posting period for July and June will be closed. This is how it functions.
Firstly, it can prevent some human error, as the closed period would not allow entries.
Secondly, it can help the company comply with regulation, as SOX says a company should be responsible for the information it reports.
Wen Ting Lu says
Absolutely, it’s important for companies to comply with regulation. You are right that having one posting period open at a time for real time postings reduces human error from recording to a different posting period. In addition, it prevents fraudulent activities from happening; it prohibits authorized users from having access to make any changes in other periods.
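The single-open-period control described in the two comments above, as an added toy model (not SAP code and not from any commenter): a period is (fiscal year, month), only the current period accepts postings, a period-end roll-over closes it and opens the next, and a document in a closed period can no longer be amended. Document IDs, dates and amounts are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date
# Added example, not SAP code: a period is (fiscal year, month); only the current one is open.
@dataclass
class Document:
    doc_id: str
    posting_date: date
    amount: float
@dataclass
class PostingPeriodControl:
    open_period: tuple                               # (year, month) currently open for posting
    ledger: dict = field(default_factory=dict)
    rejections: list = field(default_factory=list)   # audit trail of blocked attempts

    def is_open(self, d: date) -> bool:
        return (d.year, d.month) == self.open_period

    def post(self, doc: Document) -> bool:
        """New documents are accepted only when dated inside the open period."""
        if not self.is_open(doc.posting_date):
            self.rejections.append(("post", doc.doc_id, doc.posting_date))
            return False
        self.ledger[doc.doc_id] = doc
        return True

    def amend(self, doc_id: str, new_amount: float) -> bool:
        """Changes are bound to the document's own period: a closed period is immutable."""
        doc = self.ledger.get(doc_id)
        if doc is None or not self.is_open(doc.posting_date):
            self.rejections.append(("amend", doc_id, None if doc is None else doc.posting_date))
            return False
        self.ledger[doc_id] = Document(doc_id, doc.posting_date, new_amount)
        return True

    def roll_over(self) -> tuple:
        """Period-end: close the open period and open the next one (June -> July)."""
        year, month = self.open_period
        self.open_period = (year + 1, 1) if month == 12 else (year, month + 1)
        return self.open_period

def run_demo() -> dict:
    ctl = PostingPeriodControl(open_period=(2024, 6))   # constructed sample: June 2024 is open
    r = {"june_ok": ctl.post(Document("D1", date(2024, 6, 15), 1000.0)),
         "may_backdated": ctl.post(Document("D2", date(2024, 5, 30), 500.0)),  # closed: blocked
         "july_early": ctl.post(Document("D3", date(2024, 7, 1), 700.0))}     # not open yet: blocked
    r["after_rollover"] = ctl.roll_over()                                      # (2024, 7)
    r["july_ok"] = ctl.post(Document("D3", date(2024, 7, 1), 700.0))
    r["overstate_june"] = ctl.amend("D1", 9000.0)                             # June closed: blocked
    r["rejections"] = len(ctl.rejections)
    return r
```

The `rejections` list is the detective side of the same control: every blocked backdated posting or attempted change to a closed period is left as evidence for review.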
Paul M. Dooley says
Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain.
In my experience most of the security efforts have been very much an across-the-board effort. In order to truly enhance your security posture, it would be wise to look at the environment holistically from each layer, and in order to do that you would need to put just as much emphasis on the individual application security protocols/controls as you would on the rest of the network.
Paul M. Dooley says
What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
They only allow one posting period to be open at a time for real time postings in order to prevent fraud and eliminate false reporting. As we know, financial statements need to be audited for compliance purposes. This prevents people from going back to closed periods and adjusting the numbers, which would be tempting to do for a number of reasons, specifically the fraud and reporting issues stated above.
Paul M. Dooley says
Consider the list of financial and accounting controls. Rank them. Which do you believe is the most important, the least? Why?
1. Access Controls
2. Documentation
3. Segregation of Duties
4. Approval Authority
5. Physical Audits
6. Trial Balances
Ultimately, access control would be the most important from my perspective because it is the first line of defense in protecting the confidentiality and integrity of the sensitive accounting information. In a close second I put segregation of duties. These two controls go hand in hand, with the ultimate goal of protecting very sensitive data by only giving people access to the information they need to perform their job functions, but also of eliminating the opportunity element that occurs in cases of fraud.
Paul M. Dooley says
You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain.
In my most recent experience, most applications I’ve had to use for work were web applications, and the security actually wasn’t too overbearing from what I can recall. The biggest challenge for me was getting access to the numerous systems that were available. We were a growth-by-acquisition company, so the portfolio expanded by acquiring a completely new company and bringing their systems along for the administration of the tools. Once I had access, though, from my memory it was pretty smooth sailing. The most painful part of the process was gaining access approval and waiting for the necessary approvals to go through. I have a feeling I may be in the minority on this question though, haha.
Wen Ting Lu says
3. Consider the list of financial and accounting controls. Rank them. Which do you believe is the most important, the least? Why?
I found seven accounting and financial control procedures after Google research. Below is the list of the seven controls; I would rank them from most important to least important.
1. Access Controls
2. Separation of Duties
3. Reconciliations
4. Documentation
5. Trial Balance
6. Approval Authority
7. Physical Audits
I believe access controls are the most important of the seven control procedures. This control limits which users can have access within an accounting system. It’s a preventive control that mitigates the risk of fraudulent activities. Separation of duties is also important because an organization must split responsibilities among employees to reduce the chance of committing fraudulent acts. For example, the person responsible for invoicing should not be the same person who collects the payment. The least important control is physical audits; it’s a detective control. Physical counts of money or inventory can be very time consuming; I think it will work more effectively for smaller companies. In my opinion, it’s essential to have preventive controls in place because it is always good to try to prevent something bad from happening.
Source: http://smallbusiness.chron.com/seven-internal-control-procedures-accounting-76070.html