BOL Conferences
#715630 - 04/12/07 06:50 PM Technology Personnel and Information Security
Kimm, New Poster, joined Dec 2006, 1 post
I am the auditor of a small bank (114M) with individuals often working in several areas. While performing routine procedures for user access I have identified what appears to be some issues. An IT employee who has full access to the Bank's systems has set up another user account for themselves. Permissions have been set at the teller level. Daily reports for user listings have been turned off without management authorization, so my ability to review this aspect has been eliminated. The Information Security Officer is not aware of this additional user. I have monitored the activity of this individual for several months.
On a recent report I noted that this individual has attempted to access areas within the core banking system that are out of her area. While access has been denied, I am still concerned as to the motive. This individual also works closely with our head bookkeeper (who also has complete access to the system as well as the ability to process transactions). I don't believe there is a fraud issue at this time, but I would like to be able to legitimately express concern for the internal controls. Can someone please clarify and cite references for the clarification of the roles of IT personnel and their unlimited access? I would like to address this with management, but since we are a small bank some things are viewed as personal and recommendations are ignored. I feel this is too important to ignore but would like to be able to justify my reporting.
(This individual is a personal friend of the President (plays cards with him and wife weekly) and friends with two board members.) Another reason for needing concrete references. Please help!

eBanking / Technology
#715657 - 04/12/07 07:11 PM Re: Technology Personnel and Information Security Kimm
MikeJ, Member, joined Nov 2002, 76 posts, MA
Kimm, have you asked the IT Administrator the purpose of the additional user as well as the reason behind reports being turned off? You are an auditor and certainly have the right (and I assume the responsibility) to know the reasons...It may be something very simple and legit. I would think that would be a good first step anyway....
_________________________
Expressions posted here are not necessarily those of my employer(s).

#715904 - 04/13/07 12:40 PM Re: Technology Personnel and Information Security MikeJ
hobot, Gold Star, joined Dec 2002, 437 posts
I agree with MikeJ, and understand your concern. Separation of duties and powers and dual control procedures are standard in any bank for fraud and basic security detection/prevention under safety and soundness and as an auditor, I think that is a clear method for your inquiry.

I believe there are numerous "best practices" in the IT world (Including but not limited to the GLB Safeguard standards) that also indicate certain separations, as well as GLB itself (limiting information to employees who have a need to know). Arguably, even in a small environment, if that person is not the administrator and otherwise does not need access, s/he shouldn't have it.

Good luck!

#719120 - 04/20/07 02:27 AM Re: Technology Personnel and Information Security hobot
Greg-O, New Poster, joined Aug 2003, 8 posts
I would look in the FFIEC guidelines; I found this part pretty quick in the workpapers @ http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

Some potential problems exist around objective 7, well, you look for yourself. I see potential issues for the time when you come under an audit or exam, as these are the specific documents they use, and you should feel free to cite them with the powers that be because it's no secret what they will be looking for. (Had an examiner tell me that one time while we were taking an IT beating lol)

I understand how your situation can be uncomfortable, but in your role as the auditor you cannot let the situation of a small institution compromise your objectivity as the institution's auditor. Best of luck!

#719323 - 04/20/07 03:07 PM Re: Technology Personnel and Information Security Greg-O
Dazed and Confused, Gold Star, joined Feb 2006, 250 posts, Big XII South
Sounds like the problem is the IT employee's lack of skill at playing cards.

But seriously, review the FFIEC weblink previously provided and go to the Information Security booklet (you will find "concrete" guidelines). There are several problems with the scenario you provided. First of all, no one should have the unilateral authority to create a user account on the core system (especially without the Information Security Officer's knowledge). All core system users and their access permissions should be supported by a "system access" form (or something similar) that checks off each user's authorized access permissions --- which in your bank's case --- should be periodically reviewed and approved by a management-level committee (such as an IT Committee). Also, why does the head bookkeeper have full access permissions to the core system? With this scenario, it appears that the head bookkeeper has the "opportunity" to perpetrate fraud and conceal it as well. You may be relying on "after-the-fact" controls such as maintenance log reviews, etc. to keep everybody honest --- but why rely on those back-end controls when you can take care of things on the front-end (i.e., reduce the head bookkeeper's access permissions accordingly)? And lastly, if I understand you correctly, it appears that an "audit logging" feature has been disabled? ("daily reports for user listings") This appears to be a significant problem as well; why would someone want to disable a security logging feature unless he/she wants to hide something? Collectively, given your scenario, this does not pass the smell test.

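One way to carry out the periodic access review this post describes, as an added example that is not code from the thread or from any bank's core system: it reconciles a constructed live user listing against an approved-access register built from signed "system access" forms, finds business days with no daily user-listing report on file, and counts access-denied events per user. All usernames, roles, dates and log lines are constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta
# Constructed register built from signed system-access forms: user -> approved role.
APPROVED = {"jsmith": "teller", "bkeeper": "bookkeeper", "itadmin": "sysadmin"}
# Constructed live user listing from the core system: user -> (role, created by).
CORE_USERS = {
    "jsmith": ("teller", "itadmin"),
    "bkeeper": ("full_access", "itadmin"),  # live role broader than the approved one
    "itadmin": ("sysadmin", "vendor"),
    "itadmin2": ("teller", "itadmin"),      # second account, no approved form on file
}
# Constructed audit-log lines: "date user action target result".
AUDIT_LOG = """2007-04-02 itadmin2 OPEN gl_adjustments DENIED
2007-04-02 jsmith OPEN teller_window ALLOWED
2007-04-03 itadmin2 OPEN wire_transfer DENIED
2007-04-03 bkeeper POST gl_adjustments ALLOWED"""

def reconcile_accounts(approved, core_users):
    """Flag accounts with no approved form, or whose live role differs from it."""
    findings = []
    for user, (role, created_by) in core_users.items():
        if user not in approved:
            findings.append((user, f"no approved access form (created by {created_by})"))
        elif approved[user] != role:
            findings.append((user, f"live role {role} differs from approved {approved[user]}"))
    return findings

def missing_report_days(report_dates, start, end):
    """Business days in [start, end] with no daily user-listing report on file."""
    have, day, gaps = set(report_dates), start, []
    while day <= end:
        if day.weekday() < 5 and day not in have:  # Mon-Fri only
            gaps.append(day)
        day += timedelta(days=1)
    return gaps

def denied_attempts(log_text):
    """Count DENIED events per user so repeated probing outside a role stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4] == "DENIED":
            counts[parts[1]] += 1
    return dict(counts)

def run_review(report_dates=(date(2007, 4, 2), date(2007, 4, 4))):
    """All three checks over the constructed data for the business week of 2-6 April 2007."""
    gaps = missing_report_days(report_dates, date(2007, 4, 2), date(2007, 4, 6))
    return {"accounts": reconcile_accounts(APPROVED, CORE_USERS), "denied": denied_attempts(AUDIT_LOG),
            "report_gaps": [d.isoformat() for d in gaps]}
```

A run of consecutive report gaps is the signature of the daily listing having been switched off, which is worth raising with the Information Security Officer before any conclusion is drawn about the accounts themselves.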