Janis Wong
Janis Wong

Identity and Access Management Continually Rank High in Lists

Here’s why.

February 16, 2010
by Janis Wong, CPA.CITP

Many top 10 lists rank Identity and Access Management (IAM) as one of the key technologies most likely to affect today’s business marketplace. In fact, participants who voted in the 2009 Top Technology Initiatives ranked Identity and Access Management as the seventh most important initiative.

Companies and organizations are increasingly investing in identity and access management’s products and procedures to enforce stronger controls and avoid potential data-breach incidents. These tools serve multiple purposes and, in general, protect against possible external/internal security breaches and establish internal guidelines for data accessibility. While access management products and procedures are integrated with other core technology resources, the two primary access entries in which organizations are vulnerable to security risk are logical access and physical access.

Logical Access

With logical access, businesses typically spend more of their initial investments purchasing firewall software, installing virtual private networks (VPNs) and using intrusion-detection tools to achieve network security. Other access-control policies applicable through a business’ existing resources, including Windows Active Directory or Oracle applications, may be further enforced at the server/database and financial system/application level. As a CPA organization, the key element that your firm should consider when implementing access policies is all possible points of entry to your resources and assets.

Physical Access

With physical access, businesses may be exposed to risk of theft or asset damage when on-premise physical access is not monitored from the office building itself to the specific information technology (IT) server room(s) located in the office building. Monitoring capabilities may be preventive, detective or corrective in nature and depends on the format and tools utilized to monitor access. Good examples of preventive controls are electronic badge cards and biometric security and examples of detective controls are video cameras and room-entry audit logs.

While a CPA firm may have the financial resources to invest in technology tools and the sense of urgency to secure its data and resources, security goals cannot be achieved without proper setup, policies and enforcement. Access and identity management is generally a two-step process and applies to logical and physical access:

  1. establishing user identity or authentication to establish user accountability and
  2. ensuring the appropriate level of access is granted.

Establishing User Identity or Authentication

When addressing a user’s identity and authentication, three techniques are frequently applied in combination or independently to establish user accountability:

  • What you know: Passwords/pass phrases.
  • What you have: Tokens, digital certificates, PKI (public key infrastructure).
  • Who you are or what you do: Biometrics (finger, hand, retina, voice recognition).

While the first two techniques apply most often to logical access controls, biometrics are implemented more often for physical-access controls — more frequently at businesses that host client servers and have multiple clients trafficking through the building/warehouse to access their own servers.

Logical controls can be achieved through single sign-ons, token-devices or multiple-factor authentications. Other authentication device examples may also include RSA (an algorithm used in public-key cryptography named after its inventors) tools that encrypt and decrypt messages, such as digital certifications and smartcards. Combining required password features, such as requiring expiration or syntax rules, along with the suggested examples provided above make up a large component of enforcing a strong access management policy.

Ensuring the Appropriate Level of Access

With logical access, system administrators grant employees system access so they can perform their job functions. More importantly, however, the level of logical access is enforced to ensure that the system is allowing the appropriate user to enter a transaction into a financial system or application and that a CPA firm’s assets (intellectual or monetary) are safeguarded appropriately.

Some logical access management examples include:

  • Financial application access, including entry access only to create a journal entry, restricted access to delete a journal entry or limited approval access to only post a journal entry.
  • Database access, such as read-only access to a sales transaction table or establishing Payment Card Industry (PCI) data-security standards to protect customer payment information.
  • Programmer access, including read-only access to the production environment of a financial system/application or restricted access to push program coding to a financial system/application.

According to the Oracle Community of employees and users, managing and monitoring user identities or the associated roles and system privileges across the whole organization, are critical to solving Segregation of Duty problems. Typical problems the community sees include:

  1. A difficulty enforcing Segregation of Duties across a heterogeneous environment and across multiple business applications.
  2. System roles and identities have conflicting privileges that leave organizations vulnerable to fraud.
  3. Managing access privileges across business applications and silo-ed identity repositories.
  4. Privileges are managed on a system-by-system basis, rather than across the whole organization. This makes conflicting roles difficult to spot and manage.
  5. Difficulty auditing and report access controls.
  6. Difficulty protecting information assets.

Small businesses are generally more vulnerable to risk when implementing access management controls. In addition, businesses may be disinclined to invest in updated technology if a system in an older version still works. As a result, there may be limitations to enforcing access management policies due to the capability of the older/outdated financial system. An outdated system may not have the capability to define specific user groups and distinguish user access levels or require various password syntax rules to apply during login.

Security risk may not be significant for an application that only tracks 20 semiconductor machines (that are very visible and less likely to be stolen or lost from a warehouse). However, if a system has limited functionality and mitigating procedures are not implemented, there may be a greater risk exposure for an organization to monitor internal/external access, financial ledger activity or customer/supplier activity in an application.

Physically security is also at higher risk when companies may not have the funding available to provide high-quality facilities and store its servers. Organizations with branch offices may tend to follow this path and allocate less technology funding to the branch facilities. In this case, allocating funds to implement good access management policies also depend on the importance of the assets to an organization and the risks associated with the loss. Alternatively, a small business may have to consider other options available such as relying on Cloud Computing vendors to provide data security services that may not be affordable independently.


While companies should not create more unnecessary complexity into processing a transaction, appropriate access and identity management policies should be in place to secure an entity’s sensitive information. However organizations also should consider if implementing a new process or software will reduce any associated specific costs or if the benefits will outweigh the costs.

For more resources around this topic or other associated topics (such as Assurance Services or Data Protection) visit AICPA’s IT Resource Center or contact me.

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Janis Parthun, CPA.CITP, CISA, CMA is a senior technical manager at the AICPA, where she manages AICPA’s IT Section and Certified Information Technology Professional (CITP) Credential program (IT Interest Area). The focus of the IT Section and CITP Credential program is to provide educational resources to CPA professionals interested in IT Assurance and Information/Data Management. Prior to joining the AICPA, Parthun worked at Grant Thornton, LLP as an internal controls manager within their Business Advisory Services group in the San Francisco/Bay Area.