#1969374 - 10/14/14 11:00 PM Security Access
Compliance Audit
100 Club
Joined: Mar 2005
Posts: 200
I am the internal auditor for a small community Bank. We have centralized the system maintenance and verification functions, but our Bank management still feels that department managers need full access to add and/or maintain customer files. For example, our CFO manages our investment/securities area and has codes to add, change, or delete any file on the system, and our Operations Manager has similar authority levels. I understand that limited staff in most areas of the Bank sometimes makes it difficult to maintain a good separation of duties, but it seems very risky to allow all of that access to managers. Does anyone else have this issue?

#1969391 - 10/15/14 12:50 PM Re: Security Access Compliance Audit
osucpa
Diamond Poster
Joined: May 2011
Posts: 1,400
In the investment area, are you saying your investment portfolio is on your bank's system, not administered by a third party? Either way, it appears your CFO controls the entire investment process.

#1969461 - 10/15/14 03:30 PM Re: Security Access Compliance Audit
RR Jen
Power Poster
RR Jen
Joined: May 2003
Posts: 3,759
Running and riding everywhere ...
If they want that access, I'd recommend some mitigating controls. Is there another department/person that reviews file maintenance?
_________________________
I don't need any more negativity in my life...be positive and helpful people or I will kick you in the shins!!!

#1969508 - 10/15/14 04:30 PM Re: Security Access RR Jen
Compliance Audit
100 Club
Joined: Mar 2005
Posts: 200
Yes, the file maintenance is verified independently.

#1969513 - 10/15/14 04:40 PM Re: Security Access Compliance Audit
RR Jen
Power Poster
RR Jen
Joined: May 2003
Posts: 3,759
Running and riding everywhere ...
Do I like it? No. Is there a weakness regarding the controls? Sure. If management (and the audit committee) is willing to accept that risk, I'd probably not choose to die on that hill. But I would be sure it was noted in an audit report with an appropriate management response!

We are choosing to go the opposite way now and pulling maintenance capabilities from several upper managers. They are kicking and screaming, but at $450 million in assets, 12 locations and 180ish employees, they can deal with it.
Last edited by RR Jen; 10/15/14 04:41 PM. Reason: to add the CYA sentence of noting it in a report
_________________________
I don't need any more negativity in my life...be positive and helpful people or I will kick you in the shins!!!

#1969609 - 10/15/14 07:37 PM Re: Security Access Compliance Audit
EdOils
Platinum Poster
EdOils
Joined: Jan 2004
Posts: 553
Louisiana
There is no one answer that will fit every institution. Having worked in several institutions from $35MM to 1B, what worked for one would not work for the other.

I guess I'm a little confused by your question. Do the dept heads have change rights to everything in the system or just their department? Can the CFO change loan info or just the investments? I would want him/her to only have change rights to what is needed.

As for him/her having change rights, I'm not against it, but with some provisions. 1) It is truly a small department. 2) There is an independent review process (it sounds like there is). 3) The changes are made as a result of a backup process only (for example, a dept of 2 where 1 employee is out sick).

The question is: can he/she control a process from A to Z? If so, that is OK as long as there is an independent review process immediately following (not annually, for example). After testing the review process, is it effective? If so, then you are fine. If not, then you have a problem.

Hope this helps!
_________________________
You gain education by reading the fine print. You gain experience by not.

#1969625 - 10/15/14 07:57 PM Re: Security Access Compliance Audit
DerrickAuditor
Member
Joined: Mar 2008
Posts: 91
USA
We thankfully rarely do this, but when segregation of duties is seriously lacking and/or control weaknesses are not adequately mitigated due to management's decision, we document a memo explaining the weakness and the risk of what could go wrong and ask the CEO and audit committee chair to sign off.
