Implement A Security Audit to Prevent Fraud

February 11, 2025


In today's fraud landscape, keeping your organization's sensitive vendor and customer data out of reach of unauthorized users is critical. Implementing a security audit built around least privileged access is an essential strategy for protecting sensitive information and preventing both internal and external fraud.

What is Least Privileged Access and Why It Matters

Least Privileged Access (LPA) is a security principle under which users, applications, and systems are granted only the minimum level of access (permissions) necessary to perform the tasks assigned by their job function. This approach minimizes the risk of unauthorized access to sensitive data and reduces the potential impact of breaches or insider threats.

This concept is critical in both accounts payable and accounts receivable because it means fewer team members who can be socially engineered into revealing or changing sensitive vendor or customer information simply because they happen to have access to view or edit that data. It also prevents would-be internal fraudsters from adding fraudulent vendors or customers, changing payment information to divert vendor payments, or changing shipping addresses to divert customer product deliveries.

How To Implement a Security Audit

A security audit serves as a preventive measure to identify and resolve potential vulnerabilities within your systems that house sensitive data. Using the vendor master file as an example, here is a five-step process to implement a security audit.

Step 1: Identify Security Roles with Access to Your Vendor Record

The first step in a security audit is to identify all the security roles that have access to your vendor data. This includes understanding what each role can view and edit. Typically, roles with vendor data access might include:

  • Vendor Management Roles: Adding, changing, and viewing sensitive vendor data.
  • Procurement Roles: Viewing non-sensitive vendor data needed for purchase orders.
  • Accounts Payable Roles: Viewing non-sensitive vendor data required for posting invoices to the right vendor.
  • Internal Team Members: Viewing non-sensitive information.

IT or system security teams might need to generate reports to provide a comprehensive list of roles and their access levels. This should give you insight into any special access granted to a role that is not typical for that role.

Lesson Learned: As a Sr. Accounts Payable Manager, I was two years into my role when I discovered via a security audit that the Procurement Role in our ERP had an extra edit function added – those with that role could edit the contact information screen of the vendor master file. The original purpose was to give the procurement team access to quickly update the email address needed for automated purchase orders. The problem was that this was also the screen that we used to update contact information to confirm remittance changes, an internal control. That means that anyone with this role could be socially engineered into changing contact information to that of a fraudster!

Step 2: Match Security Roles to Positions Based on Tasks

Next, align security roles with specific positions within your organization. This ensures that employees have the appropriate access based on their job responsibilities. For example:

  • Vendor Manager: Approval, confidential data access, and searches.
  • Procurement Manager: Viewing and searching vendor data.
  • AP Specialist: Viewing and searching vendor data.

This alignment helps in maintaining a clear structure and prevents unauthorized access to sensitive data.

Step 3: Review of Security Roles by Position and Employee

Review the security roles assigned to each position and employee. Consider the following questions during your review:

  • Has the employee left the company or changed positions?
  • Is the current security role appropriate for the employee's responsibilities?
  • Do they need access to sensitive vendor data, or can it be masked?
  • Will removing access reduce internal/external fraud risk?
  • Does the security role create a segregation of duties issue?

This step is crucial in ensuring that only necessary personnel have access to sensitive information.

Step 4: Update Security Roles/Access and Team Members Assigned to Roles

Based on the findings from your review, update the security roles and access levels assigned to each team member. This might involve:

  • Removing access for terminated or transferred employees.
  • Adjusting access levels to fit the current role's requirements.
  • Ensuring that no single employee can create a vendor, generate a purchase order, create an invoice, and process a payment. Add compensating controls if segregation of duties cannot be avoided.

Make sure to document these changes and communicate them to your IT/security team for implementation.

Step 5: Implement a Recurring Security Role/Access Audit

Finally, establish a routine for conducting security role/access audits. This can be on a monthly or quarterly basis. Assign a team member to:

  • Review security role/access reports regularly.
  • Remove access for terminated or transferred employees promptly.
  • Verify that no changes have occurred without proper authorization.
  • Submit necessary changes to IT/security.

This ongoing process ensures that your vendor data remains secure and that your organization stays vigilant against potential internal and external fraud threats.
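As an added example (not from the article or any particular ERP), here is a Python script that runs the Step 1, 3 and 4 checks over a constructed role/access report: permissions a role carries beyond its documented baseline (the Lesson Learned case), roles assigned beyond what a position needs, terminated users who still hold access, and the vendor/PO/invoice/payment segregation-of-duties chain. All role, permission, position and user names are made up.

```python
from collections import defaultdict
# Constructed sample data (not from the article): what each ERP security role
# can actually do on the vendor record, versus the documented baseline (Step 1).
ROLE_PERMS = {
    "Vendor Management": {"vendor.create", "vendor.edit", "vendor.view_sensitive"},
    "Procurement": {"vendor.view", "po.create", "vendor.edit_contact"},  # undocumented edit right
    "Accounts Payable": {"vendor.view", "invoice.create", "payment.process"},
}
BASELINE_PERMS = {
    "Vendor Management": {"vendor.create", "vendor.edit", "vendor.view_sensitive"},
    "Procurement": {"vendor.view", "po.create"},
    "Accounts Payable": {"vendor.view", "invoice.create", "payment.process"},
}
# Step 2: the roles each position is supposed to hold (constructed baseline).
POSITION_ROLES = {
    "Vendor Manager": {"Vendor Management"},
    "Procurement Manager": {"Procurement"},
    "AP Specialist": {"Accounts Payable"},
}
# Step 4: no single person may hold this entire chain of permissions.
SOD_CHAIN = {"vendor.create", "po.create", "invoice.create", "payment.process"}
# Constructed user report as HR/IT might export it: (user, position, status, roles).
USERS = [
    ("alice", "Vendor Manager", "active", ["Vendor Management"]),
    ("bob", "Procurement Manager", "active", ["Procurement"]),
    ("carol", "AP Specialist", "terminated", ["Accounts Payable"]),
    ("dave", "AP Specialist", "active",
     ["Vendor Management", "Procurement", "Accounts Payable"]),
]

def role_drift(role_perms=ROLE_PERMS, baseline=BASELINE_PERMS):
    """Step 1: permissions each role carries beyond its documented baseline."""
    return {r: sorted(p - baseline.get(r, set()))
            for r, p in role_perms.items() if p - baseline.get(r, set())}

def user_findings(users=USERS, role_perms=ROLE_PERMS):
    """Steps 3-4: per-user findings an auditor would submit to IT/security."""
    findings = defaultdict(list)
    for user, position, status, roles in users:
        perms = set().union(*(role_perms[r] for r in roles))  # effective access
        if status != "active":
            findings[user].append(f"remove all access: user is {status}")
        if extra := set(roles) - POSITION_ROLES.get(position, set()):
            findings[user].append(f"roles beyond position {position!r}: {sorted(extra)}")
        if SOD_CHAIN <= perms:
            findings[user].append("segregation of duties: can create vendor, PO, invoice and payment")
    return dict(findings)

if __name__ == "__main__":
    print(role_drift()); print(user_findings())
```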

Conclusion

Implementing a security audit and the concept of least privileged access is a vital part of fraud prevention. By following these five steps, your organization can reduce the potential for both internal and external fraud by protecting sensitive data in your systems from unauthorized access.
