
Solihull Metropolitan Borough Council

September 2015

IT Audit Findings Report

© 2015 Grant Thornton UK LLP | September 2015 1

Version: Responses v6.0 SMBC Management Response July 2015

Financial Year: 2014/2015

Key to assessment of internal control deficiencies

Material weakness - risk of material misstatement

Significant deficiency - risk of significant misstatement

Deficiency - risk of inconsequential misstatement


Introduction

The recommendations of the external auditors have been reviewed by relevant SMBC managers and a solutions schedule is set out below. The delivery of the completion dates will be monitored by internal audit.

Control | Title | Auditors' risk assessment | SMBC solution effort/complexity assessment | Scheduled completion date
--- | --- | --- | --- | ---
1 | Oracle EBS user management and governance (Controls 1 – 7) | Significant | Multiple responses; see controls 2 – 7 | Multiple dates for controls 2 – 7; see below
2 | Excessive number of system administrators in Oracle EBS | Significant | High | December 2015
3 | Users self-assigning responsibilities in Oracle EBS | Significant | High | December 2015
4 | Excessive privileges assigned to generic accounts in Oracle EBS | Significant | Medium | October 2015
5 | Audit logging is not fully enabled and configured in Oracle EBS | Significant | Medium | October 2015
6 | Users with 'processes tab' functionality in Oracle EBS | Deficiency | Low | 31 July 2015
7 | Users with inappropriate access to elevated accounts | Deficiency | Low | 31 August 2015
8 | Weak Northgate logical access controls | Deficiency | Low | DONE
9 | Weak Oracle EBS logical access controls | Deficiency | Low | DONE
10 | Users without password expiration date | Deficiency | Low | 31 July 2015
11 | Access rights and responsibilities assigned are not periodically reviewed (Oracle EBS) | Deficiency | High | December 2015
12a | Removal of leavers user access rights | Deficiency | Medium | Short term fix: October 2015
12b | Removal of leavers user access rights | Deficiency | Medium | Medium term fix: December 2015
12c | Removal of leavers user access rights | Deficiency | High | Long term fix: to be prioritised and scheduled


Issue 1: Oracle EBS user management and governance

Issue and risk

We observe that there is no clear separation between users responsible for business functions and users with access to IT functions and utilities. There is no evidence that an effective role based access control (RBAC) process is in place, nor is there evidence that segregation of duties is properly managed within the application.

This weakness manifests itself with IT users having the ability to create and post financial transactions and business users having access to certain system administration functions. We also noted that certain users have the ability to increase their own level of systems access and may have done so without requiring authorisation from an appropriate person.

In complex Enterprise Resource Planning (ERP) systems such as Oracle EBS, the assignment of user privileges must be carefully considered to avoid excessive access and the potential lack of segregation of duties that can follow as a result. We noted, for example, that IT users were regularly using the SYSADMIN default account, which has full system access.

The potential for certain users to change their own access without authorisation is a clear violation of best practice, undermines information governance principles and is likely to increase the level of incompatible duties, as well as increasing the possibility of users incorrectly posting financial entries due to unfamiliarity with the application's functionality.

The lack of control over information governance, excessive access and segregation of duties conflicts can increase the risk of fraudulent activity and lead to unreliable financial reporting. We also note that it is possible that existing management controls may not be sufficient to compensate where those risks are not fully understood.

Recommendation

Solihull MBC IT Security Policy provides a framework to manage user access. Management should consider how to enforce this at all levels of the organisation, including those staff managing the IT environment and applications.

The following principles should be considered:

- enforcing appropriate authorisation of role and responsibility changes
- restricting System Administrator privileges to only those that need them based on operational requirements (see Issue 2)
- removing full System Administrator responsibility from created roles that do not require this level of access and restricting access to only those functions that the role requires (see Issue 2)
- eliminating self-assignment of responsibilities (see Issue 3)
- reinstating SYSADMIN privileges to its 'out of the box' role (see Issue 4)
- removing access to the processes tab in all cases (see Issue 6)
- creating responsibilities specific to roles based on the 'least privilege' principle and removing multiple accounts for individual users (see Issue 7)

Assessing the appropriateness of the above measures would benefit from further analysis of segregation of duties conflicts, and this should be conducted as soon as possible.

Management response: We acknowledge the points made and agree, except for “IT users were regularly using the SYSADMIN default account”. This is not a regular occurrence and it is only used for scheduling required concurrent processes. For this issue – and for all other issues in this report as indicated – solutions to these controls are scheduled as below.

Issue 2: Excessive number of system administrators in Oracle EBS

Issue and risk

There are 43 accounts within the system that have the ability to perform system administrator functions. Not all of these users are members of the IT function.

Of these:

- 16 users have the 'System Administrator' responsibility assigned to them
- 27 users have been assigned 'View Users', 'Password reset' or 'Purchasing User Details'; these responsibilities are seen as a 'backdoor' which allows individuals to create new users, reset passwords and assign privileges (including their own). This is not a standard Oracle process, nor is it seen as maintaining best practice.

Users within Oracle EBS are considered to have system administrator abilities if they can access the forms that allow the creation or modification of user accounts or the resetting of passwords.

Recommendation

Management should consider:

- restricting System Administrator privileges to only those that need them based on operational requirements
- creating responsibilities specific to roles based on the 'least privilege' principle

Management response: We believe that some of the numbers are not quite right, but the principle of the concern is sound. We will revise and update both IT and financial operations access.

Action: This work requires review, discussion and documentation of requirements and access with users, as well as ensuring good documentation and processes are in place to maintain the security control. This will be completed by December 2015.

Issue 3: Users self-assigning responsibilities in Oracle EBS

Issue and risk

We identified that in the period under review there have been 14 instances where users have assigned additional access rights to themselves in the production environment. These users are not all located within the Oracle EBS support functions. When users have done this they have not end-dated the responsibility and therefore retain access to it permanently.

Information governance is undermined by such actions. Users should not be permitted to assign themselves additional responsibilities, especially where there is no evidence of monitoring user activity.

Recommendation

Staff should be prohibited by policy from self-assigning additional functionality. In instances where support staff require additional functionality, for example when resolving an emergency, this should be supported by after-the-fact documentation and authorisation. Where administrative staff require additional functionality this should be formally authorised and approved, with the responsibility end-dated accordingly.

An audit log monitoring process should be established to identify occasions when users have self-assigned privileges.

Management response: We consider that the actions identified to resolve control 2 will also resolve control 3. This is therefore also scheduled to complete for December 2015.
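The detection that Issues 2 and 3 ask for can be run over an export of responsibility assignments. The Python below is an added example written for this page, not the auditors' or the Council's code: it takes a constructed extract whose field names are an assumption modelled on the columns of Oracle EBS's FND_USER_RESP_GROUPS_DIRECT table, treats a grant as self-assigned when the grantee's own account created or last updated it, and separates grants that were end-dated (the emergency-fix case the recommendation permits, which still needs after-the-fact authorisation) from those retained permanently. All users, responsibilities and dates are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

AS_OF = date(2015, 3, 31)   # review date (assumption)

# Field names are an assumption modelled on FND_USER_RESP_GROUPS_DIRECT.
@dataclass(frozen=True)
class RespAssignment:
    user_id: int
    user_name: str
    responsibility: str
    start_date: date
    end_date: Optional[date]   # None: the responsibility was never end-dated
    created_by: int            # user_id of the account that granted it
    last_updated_by: int       # user_id of the account that last changed it

# Constructed extract for the example.
SAMPLE_ASSIGNMENTS: List[RespAssignment] = [
    # granted by an administrator (user_id 5) and left open: not a self-assignment
    RespAssignment(101, "JSMITH", "Payables Manager", date(2014, 4, 1), None, 5, 5),
    # developer granted System Administrator to their own account and never end-dated it
    RespAssignment(102, "ADEV1", "System Administrator", date(2014, 6, 10), None, 102, 102),
    # support analyst self-assigned during an incident and end-dated it the next day
    RespAssignment(103, "HSUPPORT", "Application Developer", date(2015, 1, 5), date(2015, 1, 6), 103, 103),
    # granted by an administrator, but last modified (re-opened) by the user themselves
    RespAssignment(104, "BCLERK", "General Ledger Super User", date(2014, 9, 2), None, 5, 104),
    # seeded account whose grant was created by the installation (user_id 0)
    RespAssignment(105, "SYSADMIN", "System Administrator", date(2010, 1, 1), None, 0, 0),
]

def is_self_assigned(a: RespAssignment) -> bool:
    """True when the grantee's own account created or last modified the grant."""
    return a.user_id in (a.created_by, a.last_updated_by)

def is_active(a: RespAssignment, as_of: date) -> bool:
    """A grant is active while it has no end date or its end date is still in the future."""
    return a.end_date is None or a.end_date > as_of

def find_self_assignments(rows: List[RespAssignment], as_of: date = AS_OF) -> List[dict]:
    """Every self-assigned responsibility, noting whether it is still active.
    A reviewer would expect each one to be matched to an approved change record."""
    return [
        {"user": a.user_name, "responsibility": a.responsibility,
         "still_active": is_active(a, as_of)}
        for a in rows if is_self_assigned(a)
    ]

def users_retaining_self_assigned_access(rows: List[RespAssignment], as_of: date = AS_OF) -> List[str]:
    """The subset that matters most: self-assignments that were never end-dated."""
    return sorted(f["user"] for f in find_self_assignments(rows, as_of) if f["still_active"])

if __name__ == "__main__":
    for finding in find_self_assignments(SAMPLE_ASSIGNMENTS):
        print(finding)
    print("retained:", users_retaining_self_assigned_access(SAMPLE_ASSIGNMENTS))
```

Checking both created_by and last_updated_by matters: a grant an administrator originally made can be re-opened by the user removing its end date, and an audit that only looks at who created the row misses that case.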


Issue 4: Excessive privileges assigned to generic accounts in Oracle EBS

Issue and risk

There are 41 additional responsibilities assigned to the SYSADMIN account. A number of these are default, unsegregated responsibilities that Oracle EBS is provided with (see Issue 6). We also identified that one individual user has four system administration accounts. This violates the principle of accountability and is indicative of poor management processes.

The highest level account in Oracle EBS is the SYSADMIN account. This ships with the application and cannot be locked or disabled, as it is required to perform maintenance tasks and upgrades.

Best practice is that this account should only be used when required and, as such, it should not have any responsibilities assigned to it other than the default 'System Administrator'. As a generic account this presents a risk that users can access the account and use it to perform inappropriate or fraudulent transactions without any accountability.

These responsibilities could allow users to perform end-to-end transactions and/or modify standing data, enabling fraud to be committed without detection.

Recommendation

Management should consider:

- restoring the SYSADMIN account to its original settings
- establishing audit logging on the SYSADMIN account to identify any changes to it
- where additional responsibilities are required for a specific reason, supporting them with an authorised change request and end-dating them

Management response: Generic Sys Admin has the ability to do more than is necessary, and scheduled jobs (like PO workflow and CRM Calendars) use this level of privilege. The pre-requisite to restoring SYSADMIN to its original settings is to remove sys admin from scheduled jobs. We expect to complete this for October 2015.


Issue 5: Audit logging is not fully enabled and configured in Oracle EBS

Issue and risk

We note that some auditing processes and alerts have been created and enabled. However, these have not been fully configured and updated, and can be easily bypassed by other users with elevated privileges.

By default, Oracle EBS automatically records the user and time that a financial or system record was created and last updated. It does not record what was changed, nor detail all changes between the point of creation and the last update.

There is a risk that inappropriate or unauthorised activity within a high risk area of the application is not detected in a timely fashion. A user could disguise fraudulent activity by making a change, waiting for the change to be processed and then changing the record back to its original state; the only record of change would be the most recent.

Recommendation

Management should implement the audit logging of key areas of the system on a risk-based approach. These logs should be secured against unauthorised access and retained for a sufficient period. A procedure should be introduced to ensure that audit logs of high-risk areas are subject to periodic review by a user independent of the function. To aid management, a list of best practice forms/functions on which to consider enabling audit logs is provided below:

Area | Forms/functions
--- | ---
Application controls | Journal Sources, Journal Authorisation Limits, Approval Groups, Adjustment Approval Limits (AR), Receivables Activities (AR), Line Types (PO), Document Types (PO), Approval Groups (PO), Approval Group Assignments (PO), Approval Group Hierarchies (PO), Tolerances, Item Master Setups, Item Categories
Affect business processes | Profile Options, Descriptive Flexfields, Key Flexfields, Value Set Changes
Development | Concurrent Programs, Executables, Functions, SQL Forms
Security | Menus, Roles, Responsibilities, Request Groups, Security Profiles, SQL forms such as Dynamic Trigger Maintenance, Define Profile Options, Alerts, Collection Plans
Fraud related | Suppliers, Remit-To Addresses, Locations, Bank Accounts

Management response: Internal Audit have agreed to do the periodic review of audit trails. Internal Audit will liaise with IT and agree which fields to audit track by October 2015. Agreed audit tracking to be switched on shortly afterwards.

Issue 6: Users with 'processes tab' functionality in Oracle EBS

Issue and risk

There are an excessive number of users that have access to the 'processes tab' in Oracle EBS at Solihull MBC.

The 'processes tab' (also known as 'AZN menus') is a known security risk present within Oracle EBS. It is used by system developers during the implementation stage to easily configure business workflows and should not be enabled within the production environment. The processes tab displays workflows diagrammatically; however, it also enables the related functions to be performed, bypassing the responsibilities allocated to a user. For example, a user with the out of the box responsibility 'Payables Manager' can view the accounts payable workflow on the processes tab. This will also enable the user to perform any of these stages, such as making a payment.

Of particular risk is the 'Application Developer' responsibility, which allows full access to most business processes within Oracle EBS. Users are able to have unsegregated access to whole processes that system administrators and management are not aware of. There is a risk of users being able to perform end-to-end transactions that could be used to commit fraudulent activity. The risk of such changes not being detected is increased by the absence of effective audit logging.

Recommendation

A review should be undertaken to identify all responsibilities in use that could be exploited using the processes tab functionality. These can be identified by reviewing responsibilities for menus that include the string %AZN%. Exclusions should then be used to ensure that no responsibilities in use have access to these menus.

To aid management, the following responsibilities are in use that are either default responsibilities, or direct copies of them.

Responsibility | No. of users
--- | ---
Application Developer | 11
ACA General Ledger Super User | 7
ACA Payables Manager | 4
ACA Purchasing Super User | 9
ACA iProcurement | 4
GX General Ledger Super User | 3
GX Payables Manager | 3
GX Purchasing Super User | 6
GX iProcurement | 1
General Ledger Super User | 5
LDC Payables Manager | 3
LDC Purchasing Superuser | 9
Payables Manager | 7
Purchasing Super User | 12
RESPONSIBILITY_NAME | 1
Receivables Manager | 12
SCH General Ledger Super User | 5

Management response: This functionality is not used in SMBC, so can simply be switched off. Completion scheduled for August 2015.
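An added example, not drawn from the report or from Oracle, of the %AZN% review the recommendation describes: each responsibility points at a root menu, menus nest sub-menus, and a responsibility exposes the processes tab if any menu reachable from its root (after applying the responsibility's menu exclusions) has AZN in its name. The data shape is an assumption modelled on an extract of the FND_MENUS / FND_MENU_ENTRIES tables; every menu name, responsibility name and exclusion below is constructed. The walk keeps a visited set so a menu that references itself, or is shared by several branches, is not traversed twice.

```python
from typing import Dict, List, Set, Tuple

# Constructed menu tree: menu name -> names of its sub-menus (assumed extract shape).
MENU_TREE: Dict[str, List[str]] = {
    "PAY_MGR_ROOT": ["PAY_INVOICES", "PAY_PAYMENTS", "PAY_AZN_WORKFLOW"],
    "PAY_INVOICES": [],
    "PAY_PAYMENTS": [],
    "PAY_AZN_WORKFLOW": ["PAY_AZN_WORKFLOW"],    # self-reference, exercises the loop guard
    "GL_SU_ROOT": ["GL_JOURNALS", "GL_SETUP"],
    "GL_JOURNALS": [],
    "GL_SETUP": ["GL_AZN_PROCESS"],              # AZN menu nested two levels down
    "GL_AZN_PROCESS": [],
    "AR_MGR_ROOT": ["AR_RECEIPTS"],
    "AR_RECEIPTS": [],
}

# Constructed responsibilities: name -> (root menu, excluded menu names).
RESPONSIBILITIES: Dict[str, Tuple[str, Set[str]]] = {
    "Payables Manager": ("PAY_MGR_ROOT", set()),
    "General Ledger Super User": ("GL_SU_ROOT", set()),
    "General Ledger Super User (with exclusion)": ("GL_SU_ROOT", {"GL_AZN_PROCESS"}),
    "Receivables Manager": ("AR_MGR_ROOT", set()),
}

def reachable_menus(root: str, exclusions: Set[str],
                    tree: Dict[str, List[str]] = MENU_TREE) -> Set[str]:
    """All menus reachable from root, skipping excluded menus and their subtrees."""
    seen: Set[str] = set()
    stack = [root]
    while stack:
        menu = stack.pop()
        if menu in seen or menu in exclusions:
            continue
        seen.add(menu)
        stack.extend(tree.get(menu, []))
    return seen

def azn_menus_for(resp: str) -> List[str]:
    """Menus matching the %AZN% pattern that a responsibility can still reach."""
    root, exclusions = RESPONSIBILITIES[resp]
    return sorted(m for m in reachable_menus(root, exclusions) if "AZN" in m.upper())

def responsibilities_exposing_azn() -> Dict[str, List[str]]:
    """Responsibilities that need an exclusion (or removal), with the offending menus."""
    exposed: Dict[str, List[str]] = {}
    for resp in RESPONSIBILITIES:
        hits = azn_menus_for(resp)
        if hits:
            exposed[resp] = hits
    return exposed

if __name__ == "__main__":
    for resp, menus in responsibilities_exposing_azn().items():
        print(f"{resp}: {', '.join(menus)}")
```

The "with exclusion" copy of the ledger responsibility shows the fix the recommendation proposes: the same root menu with the AZN entry excluded no longer appears in the findings, so the review can be re-run after each change to confirm the exposure is closed.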

Issue 7: Users with inappropriate access to elevated accounts

Issue and risk

A responsibility for second-line Oracle EBS support staff to enable password resets has been created and is provided to 24 users.

A weakness of Oracle EBS's password management controls is that the password of any account can be changed. There is no process whereby new passwords are automatically emailed to the user; the system administrator is only required to type a new one in.

There is therefore a risk that these 24 users could hijack privileged accounts, for example those shipped with the application or those of system administrators, by changing their passwords. These users could perform inappropriate or fraudulent transactions whilst covering their tracks by using another's account. This risk is compounded by the absence of pro-active monitoring of audit logs.

Recommendation

Management should consider:

- restricting the number of staff with this level of responsibility
- enabling logging of this activity and independently monitoring it regularly (see Issue 5)

Management response: We will remove password reset access privileges from the ICT service desk for both SMBC and Lichfield District Council (for whom we run a shared service). This will have the added efficiency benefit of driving more password resets to self service.

Issue 8: Weak Northgate logical access controls

Issue and risk

The password settings for users with the 'First Default' profile are inadequate, as passwords must only be a minimum of three characters long.

The 'First Default' profile is allocated to system administrators of the Northgate application. Users with this profile have access to all system administration functionality, including creating users and modifying access rights or system parameters.

These users have the most privileged level of access within the system, so strong logical access controls are necessary to adequately reduce the risk of unauthorised access being obtained through password guessing or brute force attacks. Such unauthorised access could lead to fraudulent activity or individuals having inappropriate access to information.

Recommendation

Passwords for all profiles within Northgate should be set to a minimum of eight characters.

Management response: Done

Issue 9: Weak Oracle EBS logical access controls

Issue and risk

The following weaknesses are in the system password settings for the Oracle EBS application:

- passwords are only required to be a minimum of six characters
- users are not prevented from recycling a password they have used within the previous year

Weak logical access controls increase the risk of unauthorised access being obtained through the guessing of passwords or brute force cracking.

Recommendation

The Oracle EBS logical access controls should be strengthened in line with best practice:

- passwords should be required to be at least eight characters long
- users should be prevented from re-using a password they have used within the previous 180 days

Management response: Done

Issue 10: Users without password expiration date

Issue and risk

There are 70 accounts that have no password expiry date value against them. These accounts are all generic accounts and are not linked to named individuals. Two have significant business process privileges assigned to them and have not changed their password since 2011.

We also note that at least one generic Oracle EBS account still has its default password and no password expiry set.

We note that the majority of users have an expiry set to 90 days. However, accounts that have passwords that do not expire become vulnerable to being disclosed over time and can therefore provide access to the system and data.

Passwords which either do not expire or which are not changed frequently represent a high risk that they will be enumerated and disclosed to unauthorised users. Where this applies to a generic account, access to it and subsequent activities may not be monitored or identified, which could undermine security settings within the system.

Recommendation

All accounts should have a password expiry value entered against them (unless they are system accounts performing automated tasks, e.g. batch posting).

This should be subject to periodic review to identify any users with administration rights who have overwritten this setting.

Disciplinary action should be taken in these instances.

Management response: All real user password lifespan days set to 60 days – done. None of the 70 accounts are people. They are processes, like WebForms and calendars, with limited privileges and where the business process requires no end date. Management will verify that this is the case for all 70, and end date any exceptions, by August 2015.
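The periodic review the recommendation calls for, as an added Python example that is not part of the report: over a constructed extract of user records (field names assumed to follow the Oracle EBS FND_USER columns PASSWORD_LIFESPAN_DAYS, PASSWORD_DATE and END_DATE), it flags enabled accounts with no expiry that are not on a documented service-account list, accounts whose lifespan has been raised above the policy maximum (the "overwritten setting" case), and accounts whose last password change is older than their own lifespan. The 90-day policy value, the approved service-account list and every account name and date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Field names are an assumption modelled on FND_USER columns.
@dataclass(frozen=True)
class UserRecord:
    user_name: str
    password_lifespan_days: Optional[int]   # None: the password never expires
    password_date: date                     # date of the last password change
    end_date: Optional[date]                # None: account not end-dated

AS_OF = date(2015, 3, 31)        # review date (assumption)
POLICY_MAX_LIFESPAN = 90         # days; assumed policy value for the example

# Constructed extract; names and dates are made up.
SAMPLE_USERS: List[UserRecord] = [
    UserRecord("JSMITH", 90, date(2015, 1, 10), None),               # compliant named user
    UserRecord("GENERIC_AP", None, date(2011, 3, 1), None),          # generic, never expires, unchanged since 2011
    UserRecord("WEBFORMS_BATCH", None, date(2013, 5, 5), None),      # documented automated account
    UserRecord("OLDUSER", 90, date(2014, 11, 1), date(2015, 2, 1)),  # already end-dated
    UserRecord("TMPCLERK", 90, date(2014, 10, 1), None),             # lifespan set, but change overdue
    UserRecord("ADEV1", 365, date(2015, 2, 1), None),                # lifespan raised above policy
]

# Service accounts whose lack of expiry is documented and approved (assumption).
APPROVED_SERVICE_ACCOUNTS: Set[str] = {"WEBFORMS_BATCH"}

Finding = Tuple[str, str, int]   # (user, reason, password age in days)

def review_password_expiry(users: List[UserRecord], approved: Set[str],
                           as_of: date = AS_OF,
                           max_lifespan: int = POLICY_MAX_LIFESPAN) -> List[Finding]:
    """Return one finding per enabled account that breaches the expiry policy."""
    findings: List[Finding] = []
    for u in users:
        if u.end_date is not None and u.end_date <= as_of:
            continue                                   # end-dated accounts cannot log in
        age = (as_of - u.password_date).days
        if u.password_lifespan_days is None:
            if u.user_name in approved:
                continue                               # documented automated account
            findings.append((u.user_name, "no expiry set", age))
        elif u.password_lifespan_days > max_lifespan:
            findings.append((u.user_name, "lifespan exceeds policy", age))
        elif age > u.password_lifespan_days:
            findings.append((u.user_name, "password change overdue", age))
    return findings

def flagged_users(users: List[UserRecord], approved: Set[str]) -> List[str]:
    """Sorted account names needing action."""
    return sorted(f[0] for f in review_password_expiry(users, approved))

if __name__ == "__main__":
    for user, reason, age in review_password_expiry(SAMPLE_USERS, APPROVED_SERVICE_ACCOUNTS):
        print(f"{user:15} {reason:25} last changed {age} days ago")
```

Keeping the approved list outside the extract is the point of the exercise: an account that should never expire is only acceptable when someone has documented why, and any generic account not on that list (the 70 the report counts, or the one still on its default password) comes out as a finding until it is either end-dated or approved.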

Issue 11: Access rights and responsibilities assigned are not periodically reviewed (Oracle EBS)

Issue and risk

There are no regular processes within Solihull MBC to review access rights across functions for Active Directory, Academy or Oracle EBS.

Additionally, no security audit logs are maintained to monitor user activity which would identify anomalous user actions outside their remit (see Issue 5).

Over time, users can acquire access rights that are not commensurate with their functional role and bypass or override internal control processes. This contradicts the principle of least privilege, whereby users are allocated the minimum level of access rights to fulfil their role. Without this control in place the following risks are inadequately managed:

- gaps in user administration processes and controls may not be identified and dealt with in a timely manner
- access to information resources and system functionality may not be restricted on the basis of legitimate business need
- enabled, no-longer-needed user accounts may be misused by valid system users to circumvent internal controls
- no-longer-needed permissions granted to end-users may lead to segregation of duties conflicts
- access privileges may become disproportionate with respect to end users' job duties
- accumulation of excessive folder rights, which undermines roles defined in system access profiles

All issues above could result in unidentified material misstatement due to fraud or error.

Recommendation

There is a need for management to perform periodic, formal reviews of the user accounts and permissions within Oracle EBS, Academy and Active Directory. These reviews should:

- take place at a pre-defined, risk-based frequency (annually at a minimum)
- create an audit trail such that a third party could determine when the reviews were performed, who was involved, and what access changed as a result
- evaluate both the necessity of existing user IDs and the appropriateness of user-to-group assignments (with due consideration being given to adequate segregation of duties)
- ensure access to folders is only given to those with appropriate roles and responsibilities
- develop a process/form to document and evidence approval of user amendments, including Active Directory folder permissions

Management response: Although some periodic reviews do take place, this can be enhanced with better input data. ICT could develop a script to produce data for analysis of leavers, movers and joiners access privileges. This requires time to review, write, discuss, revise etc. Business system owners to agree they will use the output of the scripts to do better periodic reviews. Script to be operational and system owners will be making regular use of it by December 2015.

Issue 12: Removal of leavers user access rights

Issue and risk

System administrators for Oracle EBS, Northgate and Active Directory rely on the end-user community to notify them of accounts that require disabling as a result of users moving post or leaving the organisation.

The end-user community should never be solely relied upon to inform security administrators of the need to revoke logical access due to leaver activity, as such notifications are typically inconsistently provided (if at all).

Whilst the Oracle EBS administrators monitor leaver activity recorded through the Oracle EBS HR module, this may not capture non-HR users, e.g. temps, agency staff, contractors etc., and it is not clear whether these user accounts are only removed from Oracle EBS and not from Active Directory or Northgate.

Access to information resources and system functionality may not be restricted on the basis of legitimate business need, and enabled, no-longer-needed user accounts may be misused by valid system users to circumvent internal controls.

Terminated employees may continue to access information assets through enabled, no-longer-needed user accounts, and revocation of access rights may not be performed accurately, comprehensively, or on a timely basis.

Recommendation

Oracle EBS, Northgate and Active Directory administrators should be provided with:

- timely, proactive notifications from HR of leaver activity for anticipated terminations
- timely, per-occurrence notifications for unanticipated terminations

Security administrators of financially critical applications should then use these notifications to end-date user accounts associated with anticipated leavers, or immediately disable user accounts associated with unanticipated leavers.

Management response: There are a number of issues to resolve in this control, with short term, medium term and long term actions. The proposed solutions are:

- Short term: Re-instate the process with HR advising of people end dated in Oracle (probably through an improved automated script). This is scheduled for October 2015.
- Medium term: Add contractors and consultants (particularly those with IT systems access) to Oracle. This is scheduled for December 2015.
- Long term: Build “joiners-movers and leavers” process automation. This is to be reviewed, prioritised and if appropriate scheduled, by the Oracle Exploitation Board, led by the Director of Resources.
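The reconciliation that Issue 12's recommendation implies (and the leavers, movers and joiners script the Issue 11 management response mentions), as an added example that is not drawn from the report: an HR feed of leaving dates is matched against account extracts from Oracle EBS, Active Directory and Northgate, producing the end-date action for anticipated leavers, the disable-now action for accounts still enabled after a leaving date has passed, and a "no HR record" query for accounts (temps, agency staff, contractors) that the HR module would never report. Usernames, dates and all three extracts are constructed; the case-insensitive join on username is an assumption about how the systems' identifiers relate.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

AS_OF = date(2015, 3, 31)   # review date (assumption)

# Constructed HR feed: username -> leaving date (None = current employee).
HR_RECORDS: Dict[str, Optional[date]] = {
    "jsmith": date(2015, 4, 30),   # anticipated leaver, notice already given
    "bclerk": date(2015, 2, 28),   # left last month
    "adev1": None,                 # still employed
}

# Constructed account extracts per system: username -> end date (None = enabled, open-ended).
ACCOUNTS: Dict[str, Dict[str, Optional[date]]] = {
    "Oracle EBS": {"JSMITH": None, "BCLERK": None, "CONTRACTOR1": None, "ADEV1": None},
    "Active Directory": {"jsmith": None, "bclerk": None, "contractor1": None, "adev1": None},
    "Northgate": {"JSMITH": date(2015, 4, 30), "TEMP2": None},   # JSMITH already end-dated here
}

Action = Tuple[str, str, str]   # (system, account, required action)

def reconcile(accounts: Dict[str, Dict[str, Optional[date]]],
              hr: Dict[str, Optional[date]],
              as_of: date = AS_OF) -> List[Action]:
    """Compare every enabled account in every system with the HR feed and list the actions due."""
    actions: List[Action] = []
    for system, accts in accounts.items():
        for acct, end in accts.items():
            if end is not None and end <= as_of:
                continue                          # already end-dated in this system
            key = acct.lower()                    # usernames differ in case across systems (assumption)
            if key not in hr:
                # temps, agency staff, contractors: the HR module will never report these
                actions.append((system, acct, "no HR record: confirm owner and end date"))
                continue
            leaving = hr[key]
            if leaving is None:
                continue                          # current employee, nothing to do
            if leaving <= as_of:
                actions.append((system, acct, "leaver still enabled: disable now"))
            elif end is None or end > leaving:
                actions.append((system, acct, f"end-date on {leaving.isoformat()}"))
    return actions

def summarise(actions: List[Action]) -> Dict[str, int]:
    """Count actions by kind, for the review's audit trail."""
    counts: Dict[str, int] = {}
    for _, _, reason in actions:
        kind = reason.split(":")[0] if ":" in reason else reason.split(" on ")[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    for system, acct, reason in reconcile(ACCOUNTS, HR_RECORDS):
        print(f"{system:17} {acct:12} {reason}")
    print(summarise(reconcile(ACCOUNTS, HR_RECORDS)))
```

Running the comparison per system rather than only against Oracle EBS is what surfaces the gap the issue describes: the leaver end-dated in one system but still enabled in another shows up as an action in the systems that were missed, and the accounts with no HR record are exactly the population the medium-term fix (adding contractors and consultants to the HR data) is meant to close.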

