How College Station, TX, Cuts Fraud & Cyber Risk through a Groundbreaking ERP Roles and Permissions Audit

Summary

“With Roles and Permissions software, we’ve set a new standard for auditing who can do what in their ERP system.”
- Ty Elliott, Chief Auditor

A Roles & Permissions audit is accomplished in record time and reduces cyber and fraud risk now. Click here for the official Report from College Station.

Introduction

Nestled in East Texas between Dallas and Houston, College Station is a vibrant college town of 120,000 residents. Home to the world-class Texas A&M University, also known as Aggieland, College Station thrives on education, diverse food, and entertainment.

However, like many local governments, College Station relies on Tyler Technologies Enterprise ERP powered by Munis®, which has a notoriously complex roles and permissions structure. These permissions are crucial, allowing users to perform tasks ranging from handling payroll to maintaining primary accounting records.

The Objective

College Station’s Internal Auditors face the significant challenge of reviewing how ERP access is assigned to staff. Their objectives include ensuring adherence to the principles of least permission and separation of duties (SoD), key safeguards against fraud and cybersecurity risks. If someone has excessive permissions, they or an outside malicious actor could exploit the system to perform unauthorized actions, such as creating and paying a fake vendor.

To effectively review thousands of individual permissions across hundreds of ERP users, the audit department needed a modern solution to access and analyze the information locked within the ERP system.


The Challenge

“Role and permissions auditing is a major gap in the field and a blind spot for auditors. The methods I've used for over 20 years are no longer sufficient. The internal audit function as a whole must adopt a new approach. This is a challenge that, to my knowledge, no city has fully mastered without dedicating significant resources.”
- Ty Elliott, Chief Auditor of College Station.

Three factors make it easy to violate the principles of least permission and separation of duties:

  1. Role Complexity: Permissions are assigned to roles, which are then assigned to people. Each person can have multiple roles, with no alerts if these assignments grant excessive permissions. Moreover, the privileges users have can become even more complex due to overlapping access controls, such as approval rights and menu access, making it difficult to clearly understand their access levels.
  2. Position Reassignment: Employees often change positions within the organization, accumulating new roles without having old ones removed, increasing the risk of excessive permissions.
  3. Privilege Creep: Permissions can be added to roles over time, unintentionally expanding access without notice.

“SoD within the ERP is such a high risk area because it can lead to self-approvals, unrestricted access to payroll records, or unauthorized changes.

One concerning permission is the Payroll Superuser, which allows users to perform both personnel and payroll functions. This creates opportunities for fraud, such as the creation of ghost employees. However, removing this permission without disrupting the payroll process is challenging due to system limitations.”
-Auditor Matthew Ragaglia.

Before adopting ThirdLine’s Segregation of Duties software, the City of College Station struggled to assess its role-based access policies and whether the privileges granted by those roles adhered to the principles of least permission and segregation of duties.

First, linking all the permissions together in a Role-Based Access Control model is a difficult task because:

  • the population of users, roles, and permissions forms an entangled web of information that is not easily extracted from Tyler’s Enterprise ERP,
  • there is a lack of technical knowledge about what each permission does, and
  • it is unclear how a combination of permissions could lead to a segregation of duties issue.

With these issues combined, the auditing process is cumbersome and time-consuming.

Second, many auditors traditionally limit the scope of their investigations to a single department or function. Because of this, the full breadth of privileges or users may never get examined, or at best, they are examined piecemeal over long periods of time. This may leave SoD issues or users with more permissions than necessary unaddressed, which increases the City’s vulnerability to fraud and IT security threats.

Third, and most importantly, role-based access in an ERP system is inherently fluid. As roles evolve and personnel shift, changes occur regularly, which means that even the most thorough audit can quickly become outdated.


The Solution

“With ThirdLine’s Roles and Permissions software, we’ve set a new standard for auditing who can do what in their ERP system,”
-Ty Elliott, Chief Auditor.

ThirdLine’s solution provided the audit team with powerful tools to automate the process of auditing roles and permissions, allowing them to analyze every role assigned to each employee across all departments and identify violations of separation of duties or excessive privileges.

By seamlessly integrating with the existing ERP system, ThirdLine’s software enabled the audit team to pinpoint SoD issues and then collaborate with management and IT to verify the issues and make necessary changes. This collaborative process significantly reduced the risk of unauthorized access and fraud. The software provides:

  • Identification of terminated employees who still have active access to the ERP system and/or are still assigned to roles
  • A comprehensive view of all permissions assigned to each role, all roles assigned to each employee, and the number of employees in each role
  • Detection of separation of duties conflicts and the roles and permissions causing the issue
  • Identification of employees with superuser permissions or other high-risk access, such as the ability to print checks or view Social Security numbers
  • Update frequencies set by the client: quarterly, monthly, or nightly.
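The three factors above (role complexity, position reassignment, privilege creep) and the checks in this list all reduce to one mechanical task: flatten each user's roles into effective permissions, then test that set against SoD rules and a high-risk list. The script below is an added example written for this page; it is not ThirdLine's code and does not use Munis' real tables, permission names or ISACA's framework. All role, permission and user data is constructed, and the SoD rule pairs are illustrative assumptions.

```python
"""Toy RBAC audit over constructed data (added example, not ThirdLine's code)."""
from dataclasses import dataclass

# Constructed: role -> permissions it grants. Names are illustrative, not Munis'.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_APPROVER": {"invoice.approve", "check.print"},
    "HR_SPECIALIST": {"employee.create", "ssn.view"},
    "PAYROLL_SUPERUSER": {"employee.create", "payroll.run", "ssn.view"},
    "GL_ACCOUNTANT": {"journal.post"},
}

# Constructed SoD rules: permission pairs one person should not hold together,
# each paired with the fraud scenario the combination enables.
SOD_RULES = {
    ("vendor.create", "invoice.approve"): "create and approve a fictitious vendor",
    ("employee.create", "payroll.run"): "create a ghost employee and pay them",
    ("invoice.enter", "check.print"): "enter an invoice and print its check",
}

# Permissions the audit flags even when held alone (assumed list).
HIGH_RISK = {"check.print", "ssn.view", "payroll.run"}


@dataclass
class User:
    name: str
    roles: set
    active: bool = True  # False once HR records the employee as terminated


def effective_permissions(user, role_permissions=ROLE_PERMISSIONS):
    """Union of every permission granted by any of the user's roles.
    Overlapping roles accumulate here without any alert (role complexity)."""
    perms = set()
    for role in user.roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_conflicts(users, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """For each active user, report every violated SoD rule together with the
    roles that grant the conflicting permissions, so IT can fix the role
    assignment rather than the symptom."""
    findings = []
    for user in users:
        if not user.active:
            continue
        perms = effective_permissions(user, role_permissions)
        for (a, b), risk in rules.items():
            if a in perms and b in perms:
                granting = sorted(r for r in user.roles
                                  if {a, b} & role_permissions.get(r, set()))
                findings.append({"user": user.name, "rule": (a, b),
                                 "risk": risk, "roles": granting})
    return findings


def terminated_with_access(users):
    """Terminated employees who still hold at least one role."""
    return sorted(u.name for u in users if not u.active and u.roles)


def high_risk_holders(users, role_permissions=ROLE_PERMISSIONS, high_risk=HIGH_RISK):
    """Active users holding any high-risk permission, with the permissions."""
    result = {}
    for u in users:
        hits = effective_permissions(u, role_permissions) & high_risk
        if u.active and hits:
            result[u.name] = sorted(hits)
    return result


def role_headcount(users):
    """Number of active employees in each role."""
    counts = {}
    for u in users:
        if u.active:
            for r in u.roles:
                counts[r] = counts.get(r, 0) + 1
    return counts


# Constructed users: alice moved from clerk to approver but kept the old role
# (position reassignment); bob holds the superuser role; dave was terminated.
SAMPLE_USERS = [
    User("alice", {"AP_CLERK", "AP_APPROVER"}),
    User("bob", {"PAYROLL_SUPERUSER"}),
    User("carol", {"HR_SPECIALIST"}),
    User("dave", {"GL_ACCOUNTANT"}, active=False),
]

if __name__ == "__main__":
    for f in sod_conflicts(SAMPLE_USERS):
        print(f"SoD: {f['user']} can {f['risk']} via roles {f['roles']}")
    print("terminated with access:", terminated_with_access(SAMPLE_USERS))
    print("high-risk holders:", high_risk_holders(SAMPLE_USERS))
    print("role headcount:", role_headcount(SAMPLE_USERS))
```

Running it with a nightly export of users, roles and role-permission mappings, the same four functions give the continuous view the article describes: the SoD finding count and the superuser list should shrink as management removes stale roles, and any name appearing in `terminated_with_access` is an immediate deprovisioning ticket.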

The Results

The College Station Audit Team achieved significant results, detailed in their full report. Three key outcomes include:

  1. Efficiency & Effectiveness: The team completed a full audit of roles and permissions across the entire ERP system in just a few months, a task that would have taken an auditor or two a year without ThirdLine. Now that their initial audit is completed, the audit team anticipates future periodic audits of the entire system to be concluded by one auditor in a matter of weeks. With nightly data refreshes, auditors can now see segregation of duties conflicts decrease in real time and watch the number of superusers decline as management implements the audit recommendations.
  2. Risk Mitigation: City Auditor Ty Elliott noted a marked decrease in vulnerabilities related to role mis-assignments and permissions.
  3. Continuous, Real-time Monitoring for Management: The audit team and managers collaborated throughout the audit as they reviewed ThirdLine’s outputs and the additional audit work to uncover the risks and their causes. With this collaboration, the auditor’s recommendations had strong buy-in, which is an important factor for any recommendation to be implemented as intended. Management noted that prior to this audit the Role-Based Access Control was not as effective as it could be and that the audit was a catalyst to make the necessary changes.

Benefits, Challenges, and Future Plans

Unique Features and Benefits

What sets ThirdLine apart is its ability to connect to Tyler Enterprise ERP’s complex underlying tables, provide tests based on ISACA’s segregation of duties framework, and present the results in an intuitive user interface. ThirdLine’s solution allowed College Station’s auditors to quickly adapt to the new system without extensive training. They are now set up for ongoing auditing and monitoring of roles and permissions at a fraction of the cost. They expect future audits to be completed in half the time of this initial project.

Challenges and Obstacles Overcome

Transitioning from a manual to an automated auditing process was initially daunting, with challenges in interpreting permission values and presenting outputs in a useful format. However, with strong support from ThirdLine and its user-friendly platform, the audit team quickly mastered the new system. They used the information to produce an audit report they plan to share nationally.

Future Plans and Scalability

Building on the success of this project, College Station plans to expand the use of ThirdLine to other areas of government operations, including procurement, vendor management, and accounts payable. They believe this new approach could significantly reduce fraud and IT security risks across the board and are eager to share their success story with other local governments.

Ready to revolutionize your approach to roles and permissions auditing? Contact us today to learn more about how ThirdLine’s software can help your organization achieve similar results.
