Part 1

I wrote an article called “Why Access Controls Must Be Tested for All In-Scope Systems,” and the feedback has been shocking. I have a decent network of auditors throughout external audit firms who regularly comment “off the record” when I am drafting or have published something. Honestly, I didn’t think the article was that revolutionary, however I am now realizing otherwise based on the feedback I heard. Publishing that article has uncovered a systemic issue in the internal and external audit industries I didn’t know existed.

One of the reasons I wrote the prior article: Why Access Controls Must Be Tested for All In-Scope Systems was to stress how important it is to verify control performers do not have access to the underlying activities they oversee in the execution of the control. As it stands, this critical verification process goes unperformed. The ramifications of such an oversight are massive.

Why was Sarbanes Oxley (SOX) implemented? One of the main reasons SOX was implemented was to have controls in place to make sure management was not overriding controls. What is one way management can override controls? They can enter or maintain data that doesn’t get caught during the performance of a control.

What happens if management has access to the ability they are overseeing in the control? Management can override the control and then the data they enter or maintain may not be caught by someone else.

A recent example we have of this is FTX. Sam Bankman Fried (SBF) was the Founder and CEO of FTX and had access to crypto wallets. This gave him the ability to move billions of dollars without anyone knowing it. Why did the CEO of FTX have such powerful access and how did this not get caught during an audit?

While the specifics of the FTX case are unknown, I think it’s worthwhile to consider what controls could have prevented this loss in the first place.

SBF as CEO should never have had access to any highly privileged system accounts. He should have been a part of the execution of the control. Given his technical expertise he probably should have been the Control Reviewer overseeing those who have access to “keys to the kingdom” accounts.

Let’s assume he was part of the operation of the control. This would mean he was asked to opine on the appropriateness of his own access. FTX gives me one recent example of why the lack of Control Performer independence testing is a systemic issue in the internal and external audit industries.

What did the internal and external auditors likely miss in the FTX audit? If SBF was the final Control Reviewer, he would have been the one to sign off on the effectiveness of the control. The external auditors should have verified that SBF as Control Reviewer did not have access to enter or maintain accounts with access to the wallets. If they had they would have identified SBF HAD THE ABILITY to override the controls with his current access.

I could go down further into this rabbit hole and talk about system or generic accounts that could have been used. Or password controls. Or SignOn login monitoring. There are a myriad of routes potentially producing the same result.

However, to keep us on track I will make this blanket statement:

“Control performers should NOT have access to the activities they are responsible for signing off on. The controls they assert are in place when they certify their controls are effective at the end of the audit.”

Here are three truths every auditor should know:

1. The job of management is to make sure anyone performing a control cannot override the control. This includes themselves and all others that are involved in executing and reviewing the control.
2. The job of the Internal Auditor is to make sure management has done number 1.
3. The job of the External Auditor is to make sure management has also done number 1.

So, what led to Sarbanes Oxley’s passage in Congress in 2002?  It was a series of frauds and business failures primarily due to management overriding controls.

Am I confident this issue has been solved? NO WAY! The opposite is most likely true.

I am convinced that auditors are NOT routinely testing whether the Control Performer has access to the activities they are overseeing because it takes a level of cooperation between the financial auditors and the IT auditors that we rarely, if ever, see.

Here are the steps that would need to be in place for this type of testing to take place by external auditors:

1. The financial audit team needs to identify that controls implemented by management they would be relying on in their audit.
2. The RACM would most likely identify a job title rather than a person that is part of the control performance. Management would need to identify who is(are) the control performer(s) and financial audit team would need to verify that is consistent with their testing.
3. The IT team would need to identify the logins for the control performer(s) in each of the in-scope systems.
4. A full sensitive access analysis assessment process would need to be executed. This would consist of full details of all users, including all Control Performers and their access via assigned roles. There would need to be logical understanding and technical confirmation that the scan is complete and accurate.
5. Once established that the assessment is complete and accurate, the activities that a Control Performer can perform (transactions, master data, and configurations) would need to be compared to the control activities and control description to see if their access impairs their independence.

Why I am skeptical this is being done is because:

1. This requires the use of access control software or a point-in-time assessment for all in-scope systems.
2. This requires the risk content being used in the access control software for this assessment to be complete and accurate as well. We rarely, if ever, see the large risk advisory firms that do this type of work having an extensive library of sensitive access risks.
3. I have yet to see an IT audit team or financial audit team do this during an audit.

To see my case for this issue elaborated in more detail, read: Lack of Software to Test Access Controls is Systemic and why It Matters.

Subscribe to our newsletter and receive our featured article a week in advance!