User Access Controls protect access to automated financial systems. These controls restrict access to authorized users only, and only to the functions those users need to perform their jobs. Effective user access control practices help to mitigate the risk to a nonprofit organization of unauthorized or fraudulent activity.
User Access Controls include assigning:
Login Rights: designate who is authorized to log onto a system and how they log on.
Permission Rights: designate which functions each user may perform within the system, for example, input, edit, delete or view only.
Best Practices For User Access Controls
NEW USER AUTHORIZATION
Prior to granting access to a new user, proper authorization should be provided to the system administrator. For example, a user access request should be submitted by an authorized approver.
USER TERMINATIONS
System access for terminated employees and other users should be promptly revoked upon their termination. A formal process should be implemented for notification of terminated users to the system administrator. This process should be included in an exit checklist for terminated users.
ASSIGNING PERMISSION RIGHTS
Assigning permission rights based on roles ensures that all users who are assigned a particular role are given the same permissions appropriate to their role.
REVIEW AND UPDATE USER ACCESS
Periodic review and update of users who have access to the systems and their permissions should be undertaken to identify terminated employees whose access was not removed and to reflect changes in permissions due to changes in an employee’s role. These changes should not be implemented by the system administrator without proper authorization.
MAINTAINING INTERNAL CONTROLS
Internal controls such as segregation of duties and supervisory approvals should be maintained when assigning permissions. For example, no one person should be able to input, edit and approve their own transactions in the system. Maintaining these controls will mitigate the risk of unauthorized or fraudulent activity.
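The periodic review and the segregation-of-duties check described above can be run as a reconciliation of the system's user list against HR records and role definitions. The sketch below is an added example, not part of the original article; the role names, field names, users and the reading of the segregation rule (approve combined with input or edit) are assumptions made for illustration.

```python
# Constructed sample data; role names, field names and users are hypothetical.
ROLE_PERMISSIONS = {
    "ap_clerk": {"input", "edit", "view"},
    "approver": {"approve", "view"},
    "auditor": {"view"},
}
HR_ROSTER = {  # user -> (employment status, current job role)
    "alice": ("active", "ap_clerk"),
    "bob": ("terminated", "approver"),
    "carol": ("active", "auditor"),
    "dave": ("active", "approver"),
}
ACCOUNTS = [  # export of the financial system's user list
    {"user": "alice", "enabled": True, "role": "ap_clerk", "perms": {"input", "edit", "view"}},
    {"user": "bob", "enabled": True, "role": "approver", "perms": {"approve", "view"}},
    {"user": "carol", "enabled": True, "role": "ap_clerk", "perms": {"input", "edit", "view"}},
    {"user": "dave", "enabled": True, "role": "approver", "perms": {"approve", "view", "input"}},
    {"user": "erin", "enabled": True, "role": "auditor", "perms": {"view"}},
]


def review_access(accounts, hr_roster, role_permissions):
    """Return sorted (user, finding) pairs for a reviewer to act on."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts grant no access
        user, perms = acct["user"], acct["perms"]
        if user not in hr_roster:
            findings.append((user, "no HR record"))
            continue
        status, hr_role = hr_roster[user]
        if status == "terminated":
            findings.append((user, "terminated but still enabled"))
            continue
        if acct["role"] != hr_role:
            findings.append((user, "role differs from HR record"))
        extra = perms - role_permissions.get(acct["role"], set())
        if extra:
            findings.append((user, "permissions beyond role: " + ", ".join(sorted(extra))))
        # Segregation of duties, read here as: approve plus input or edit.
        if "approve" in perms and perms & {"input", "edit"}:
            findings.append((user, "segregation-of-duties conflict"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR_ROSTER, ROLE_PERMISSIONS):
        print(f"{user}: {finding}")
```

The output is a worklist for the authorized approver; the script changes no access itself, so corrections still go through the authorization step described above.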
Roberta Katz Consulting can assist your organization in identifying and evaluating your fraud risks and provide guidance and tools that have proven to be effective in managing the risk. Schedule a complimentary consultation today!