When assessing risk, what areas do auditors typically target?
EL: When it comes to exercising judgment about testing anti-fraud controls, auditors target two areas in the security domain. The first is default user names and passwords in vendors products that are never changed or removed (and thus can be used to perpetrate fraud). The second is privileged passwords or accounts such as the administrator or root password that, if freely shared, can give fraudsters the anonymous ability to access an in-scope financial system and change its data or schema, and erase their tracks. These areas are targeted because for auditors, it is all about accountability and the proper identification of users and their activitiesand specifically the privileged account users who administer corporate systems. Compliance is largely about preventing fraud, and if you ask yourself where fraud is most likely to occur, chances are it is in the area of privileged accounts. The people we entrust with systems administration are highly intelligent and highly skilled. If for so
