How authentication issues can affect financial data and financial statement audits
Organizations must look beyond traditional controls to safeguard data.

Authentication controls, such as passwords and restricted access rights, are a primary layer of protection between an entity’s data and bad actors. Weaknesses in these controls can leave systems vulnerable to exploitation and compromise.
If organizations do not have the means to prevent, detect, and respond to authentication issues within their financial applications, the risk of corrupted, altered, or deleted financial data increases. This can have several significant implications for organizations that experience a data breach:
- If the organization does not have compensating factors to re-create or recover the affected data, it may be unable to present complete and accurate financial statements.
- There are often long-term effects of successful breaches that result from authentication issues, such as penalties, fines, and legal fees.
- Breached organizations often experience reputational impacts that result in a loss of trust from customers, clients, and other constituents.
Authentication strategies differ among organizations, and the approach to mitigate risks may vary based on an organization’s industry, risk appetite, user base, and financial and technical resources. However, regardless of an organization’s size and complexity, authentication risks are relevant.
Therefore, it is important to be aware of these implications and understand current best practices and considerations related to authentication controls. With this knowledge, financial leaders and other members of management can facilitate discussions with the board to gain support and advocate for additional resources and controls; IT management and departmental leaders can implement enhancements within the organization’s applications; and auditors can assess risks to client environments.
WHY TRADITIONAL CONTROLS CAN BE INEFFECTIVE
Authentication controls have been an important consideration for both organizations and auditors for over a decade; however, the areas of focus have shifted over the last several years. While controls such as password composition and frequency of password changes were previously deemed critical, they can have unintended consequences in today’s threat environment.
For example, remembering passwords can be extremely difficult for users, especially when users are required to change them frequently due to expiration settings. Further, enforcing long, complex passwords can cause users to write them down, save them in their web browsers, or store them in other unsecured ways.
These controls can also encourage poor password-creation habits. If an organization enforces a 14-character password length with the intention of forcing users to create a unique password, a user may instead build a password composed of easy-to-guess dictionary words, their pets’ names, or other details that are easy to remember — and also easy to hack.
Finally, hackers’ tools and techniques, such as password-cracking software, keylogger malware that captures keystrokes, and social engineering, are more sophisticated and effective than ever before. Coupled with the millions of passwords in circulation on the dark web due to previous data breaches, it’s incredibly easy for hackers to capture passwords, even if they are long and complex.
UNDERSTANDING THE RISK
Authentication weaknesses can stem from a variety of other sources. Whether it is a password with only a few characters, one that has not been changed in several years, or another cause, exploited controls can ultimately lead to the same result: the organization’s inability to present complete and accurate financial data.
Once bad actors have accessed a system, they can delete, alter, or corrupt the data. If bad actors gain access to an organization’s network resources, they could introduce ransomware that encrypts financial systems and data. From an audit perspective, if the entity cannot provide confirmation that data was restored to a pre-incident state, the auditors may not be able to rely on the entity’s data. Further, if there is a significant volume of activity within a key financial system, it may be impossible for an entity to re-create that data. Without complete and accurate data, the auditors would need to evaluate the circumstances as a control deficiency, determine whether it must be communicated to those charged with governance, and consider any effect on the auditors’ report.
There are also considerations if the systems affected by the breach house sensitive information. The bad actors could steal this information and sell it on the dark web, which often results in penalties, fines, and other financial costs related to the aftermath of the breach. Depending on how significant the financial effect is estimated to be and the likelihood of it being realized, the entity may need to make certain disclosures in its financial statements related to the potential loss contingencies resulting from unknown financial costs from the breach.
STEPS TO STRONGER DEFENSES
It is important to note that traditional controls are still valuable. For example, it has been proved that increasing the length and complexity of a password with letters, numbers, and special characters increases the amount of time it takes password-cracking software to capture the password. However, it is also imperative to recognize the need for other compensating factors.
First, multifactor authentication (MFA) should be a priority for every organization. MFA is a critical layer of protection that often prevents a hacker from logging in to the system if a password has been captured. MFA combines something you know (e.g., a password) with something you have (e.g., a token) and/or something you are (e.g., biometrics).
At a minimum, any system accessible via the public internet, such as hosted software-as-a-service solutions, should have complex MFA techniques configured for each login. Consideration should also be given to other higher-risk systems regardless of where they are hosted.
Account lockout settings are another control to consider. Limiting the number of times hackers can attempt to guess a password limits their ability to succeed. Ideally, after repeated invalid logins, an account would be locked until an administrator could reset it. This conservative setting often has to be adjusted based on how an organization operates, and there is a balance to achieve between security and operational capabilities. However, when combined with strong MFA, account lockout settings can provide significant protection for applications.
Access rights to applications are also an extremely critical consideration. If a hacker exploits an account with administrative rights, the hacker will gain those rights. However, if the account has view-only capabilities, what the hacker can do will be much more limited. Access should be limited to only what is needed to support each user’s job functions to reduce the effect if that user’s account is compromised.
Finally, monitoring capabilities are often overlooked. Unfortunately, incidents are inevitable, so maintaining the capability to record and identify suspicious activity within its systems can help an organization react quickly and effectively. A faster response can significantly minimize the effect of a potential breach and increase the organization’s ability to recover data and restore it to a pre-incident state.
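The account lockout and monitoring controls described above can be illustrated with a short replay of login events. This is an added example written for this article, not code from the author or from any product; the log format, the threshold of five failures in a 15-minute window, and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not from a real system). Columns:
# timestamp, account, source address, result of the credential check.
SAMPLE_LOG = """\
2024-03-04T08:00:01 alice 10.0.0.5 FAIL
2024-03-04T08:00:04 alice 10.0.0.5 FAIL
2024-03-04T08:00:07 alice 10.0.0.5 FAIL
2024-03-04T08:00:09 alice 10.0.0.5 FAIL
2024-03-04T08:00:12 alice 10.0.0.5 FAIL
2024-03-04T08:00:15 alice 10.0.0.5 SUCCESS
2024-03-04T08:05:00 bob 10.0.0.9 FAIL
2024-03-04T09:30:00 bob 10.0.0.9 SUCCESS
"""

LOCKOUT_THRESHOLD = 5                   # invalid logins before the account locks
FAILURE_WINDOW = timedelta(minutes=15)  # failures older than this are forgotten


def review_auth_log(log_text, threshold=LOCKOUT_THRESHOLD, window=FAILURE_WINDOW):
    """Replay events in order and apply the lockout policy.
    Returns (decisions, locked_accounts, alerts) for the monitoring process."""
    recent_failures = defaultdict(list)
    locked, decisions, alerts = set(), [], []
    for line in log_text.strip().splitlines():
        ts_text, account, source, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if account in locked:
            # Locked until an administrator resets it: even a correct password
            # is refused, which is what defeats a captured password.
            decisions.append("LOCKED")
            alerts.append(f"{ts_text} {account}: attempt from {source} on locked account")
            continue
        if result == "FAIL":
            # Keep only failures inside the sliding window, then add this one.
            recent_failures[account] = [t for t in recent_failures[account] if ts - t <= window]
            recent_failures[account].append(ts)
            decisions.append("DENY")
            if len(recent_failures[account]) >= threshold:
                locked.add(account)
                alerts.append(f"{ts_text} {account}: locked after {threshold} failures from {source}")
        else:
            recent_failures[account].clear()  # a valid login resets the counter
            decisions.append("ALLOW")
    return decisions, locked, alerts
```

Running it over the sample locks alice at the fifth failure and raises a second alert when a valid password is presented on the locked account, while bob's single failure followed by a later success raises nothing.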
ADDITIONAL LAYERS OF CONTROLS TO CONSIDER
Authentication is one component of a strong, layered control framework, and other controls can mitigate the effect of authentication weaknesses. These include the following:
- Employee training can reduce the risk that an employee will reveal their password through a phishing or other social engineering scam.
- Strong vulnerability management procedures composed of malware protections, security updates, and vulnerability scans can decrease the risk to vulnerable systems.
- Maintaining incident management capabilities can aid in reducing the effect of a breach.
- Cyber insurance can add another layer to mitigate the financial effects an organization may experience.
- Backup processes can ensure that secondary copies of data exist so that data can be restored if needed.
Every organization operates differently and has different needs within its user base and should establish controls accordingly.
AUDITS AND AUTHENTICATION PROCEDURES
As part of the audit process, it is important for the auditor to obtain an understanding of the key components of the organization’s internal controls surrounding the authentication procedures. The auditor may want to perform the following:
- Assess the role that the organization’s authentication practices have in its internal control environment.
- If necessary, determine the effect of these practices on the evaluation of the overall internal control environment.
- Consider identified risks when determining the audit approach.
Having these discussions earlier in the audit process will allow the entity to take corrective action for any key identified weaknesses sooner.
About the author
Allison Davis Ward, CPA, CISSP, CISA, CISM, is a partner with CapinTech, a CapinCrouse Company. To comment on this article or to suggest an idea for another article, contact joaed@aicpa.org.