Pub. 7 2016 Issue 1
www.wvbankers.org 14 West Virginia Banker

Importance, Issues Encountered, Monitoring and Compensating Controls
By Chris Joseph, CPA, CISA, CRISC, CITP, Arnett Carbis Toothman LLP

Data security breaches continue to garner headlines, and criminals continue to engage in targeted activities to steal millions of dollars in unauthorized funds. Banks and other financial institutions must heed the warnings of recent cases addressing the issue, as well as the statutory framework that explains who is responsible for resulting losses.

Introduction.

The continued and increased use of information technology to process customer and accounting transactions has placed an increased importance on the logical access control features of the various solutions utilized by financial institutions. As reliance on information technology continues to increase, internal auditors, external auditors and regulatory examiners place a greater emphasis on logical access controls. This article focuses on the logical access controls of a financial institution: challenges, mitigating controls, and best practices.

What is Logical Access.

Logical access is a feature of software applications that allows senior management to both provide and limit access authorities to personnel in order to perform assigned job duties and responsibilities.

Why do auditors and Regulatory Examiners focus on logical access controls?

When utilizing a computer system to process significant transactions, it is important that logical access assigned to financial institution personnel promote an adequate segregation of duties. For example, loan processing personnel may commonly have new loan and file maintenance authority. However, a loan officer ideally should not have the ability to add a new loan or conduct file maintenance on the lending system, since loan officers typically approve new loans and file maintenance requests.

Logical access, or access privileges, should also apply to an organization's network operating systems and other operating systems utilized by the financial institution, as well as databases and other production tools (not just the core processing system).

Why is Logical Access Important.

When conducting audits, we have operated under the "presumption of authority" guidelines. In many cases, employees may not have the authority to process certain transactions per policy, but the logical access assigned to them grants them that authority. If an employee has the logical access authority to perform the function, then the employee presumably has the authority to conduct those functions regardless of the written policy. In these cases, the financial institution would have a segregation of duties issue resulting from the logical access assigned.

The inappropriate access assigned can occur for several reasons, some planned and some inadvertent. For example, an employee may have new job duties and responsibilities resulting from a promotion, but the logical access assigned was not changed accordingly. In other cases, an employee may have the same primary responsibilities but has experienced subtle changes that result in inappropriate logical access being assigned. An inadvertent change could result from updates to the core processing system that resulted in logical access issues. In some cases, the employee(s) in question may serve as backup personnel in order to provide timely customer service. Regardless of the reason for the potential segregation of duties exception, the financial institution should monitor and review activity for appropriateness and adequacy.

Best Practices.

Certain best practices can assist a financial institution with mitigating the risk of the logical access assigned:

• Effective Logical Access Administrative Procedures – Formal logical access administrative procedures can assist senior management with ensuring policies and procedures are being followed. The procedures should include the use of formal add, change and employee separation forms or processes. For example, when a new employee begins employment, a formal communication should be provided to the logical access security administrator(s) that communicates the name of the employee, title, required access and approval of the access requested. The logical access administrator will review the form and provide the logical access privileges after reviewing the request form. If the logical access security administrator questions the access requested, a procedure for communicating their questions and concerns should exist to address any issues prior to providing
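The segregation-of-duties review described above, under "Why is Logical Access Important," can be scripted against a user-access export from the core system. The following is an added example, not code from the article or the author's firm; the role policy, entitlement names, toxic pairs and user list are all constructed assumptions, and the script applies both the "presumption of authority" rule (access held but not granted to the role is a finding) and the loan officer example (approval authority combined with add or file-maintenance authority).

```python
"""Segregation-of-duties review of assigned logical access (added example).
Check 1, "presumption of authority": an entitlement actually held that the role
policy does not grant is a finding, whatever the written policy says.
Check 2, toxic combinations: approval authority together with the matching
add or file-maintenance authority defeats segregation of duties.
Roles, entitlement names and users below are constructed sample data."""
from collections import defaultdict

# Constructed role policy: entitlements each job title should hold.
ROLE_POLICY = {
    "loan processor": {"LOAN_ADD", "LOAN_FILE_MAINT"},
    "loan officer": {"LOAN_APPROVE", "FILE_MAINT_APPROVE"},
    "security admin": {"USER_ADMIN"},
}
# Constructed toxic pairs: one person could both initiate and approve.
TOXIC_PAIRS = [
    ("LOAN_APPROVE", "LOAN_ADD"),
    ("FILE_MAINT_APPROVE", "LOAN_FILE_MAINT"),
]
# Constructed user-access export (user, title, entitlement), as a core
# system security report might list it.
ACCESS_EXPORT = [
    ("jdoe", "loan processor", "LOAN_ADD"),
    ("jdoe", "loan processor", "LOAN_FILE_MAINT"),
    ("asmith", "loan officer", "LOAN_APPROVE"),
    ("asmith", "loan officer", "LOAN_ADD"),  # left over from promotion
    ("asmith", "loan officer", "FILE_MAINT_APPROVE"),
    ("bkim", "security admin", "USER_ADMIN"),
]

def review_access(export, policy=ROLE_POLICY, toxic=TOXIC_PAIRS):
    """Return sorted (user, finding) tuples; an empty list means no exceptions."""
    held, title_of = defaultdict(set), {}
    for user, title, ent in export:
        held[user].add(ent)
        title_of[user] = title
    findings = []
    for user, ents in held.items():
        allowed = policy.get(title_of[user], set())  # unknown title: nothing allowed
        for ent in sorted(ents - allowed):
            findings.append((user, f"{ent} not granted to role '{title_of[user]}'"))
        for a, b in toxic:
            if a in ents and b in ents:
                findings.append((user, f"SoD conflict: {a} with {b}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in review_access(ACCESS_EXPORT):
        print(f"{user}: {finding}")
```

Run against the sample export, the script reports only the promoted loan officer who kept LOAN_ADD, both as access outside the role and as an approve/add conflict; a clean export returns an empty list.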