"With Roles and Permissions software, we've set a new standard for auditing who can do what in their ERP system."
- Ty Elliott, Chief Auditor
A roles and permissions audit completed in record time, reducing cyber and fraud risk now. Click here for the official report from College Station.
Nestled in East Texas between Dallas and Houston, College Station is a vibrant college town of 120,000 residents. Home to the world-class Texas A&M University, also known as Aggieland, College Station thrives on education, diverse food, and entertainment.
However, like many local governments, College Station relies on Tyler Technologies Enterprise ERP powered by Munis®, which has a notoriously complex roles and permissions structure. These permissions are crucial, allowing users to perform tasks ranging from handling payroll to maintaining primary accounting records.
College Station's Internal Auditors face the significant challenge of reviewing how ERP access is assigned to staff. Their objectives include verifying adherence to the principles of least privilege and separation of duties (SoD), two key safeguards against fraud and cybersecurity risk. If a user holds excessive permissions, either that user or an outside attacker who compromises that account can perform unauthorized actions end to end, such as creating a fake vendor and then paying it.
To effectively review thousands of individual permissions across hundreds of ERP users, the audit department needed a modern solution to access and analyze the information locked within the ERP system.
“Role and permissions auditing is a major gap in the field and a blind spot for auditors. The methods I've used for over 20 years are no longer sufficient. The internal audit function as a whole must adopt a new approach. This is a challenge that, to my knowledge, no city has fully mastered without dedicating significant resources.”
- Ty Elliott, Chief Auditor of College Station.
"SoD within the ERP is such a high risk area because it can lead to self-approvals, unrestricted access to payroll records, or unauthorized changes.
One concerning permission is the Payroll Superuser, which allows users to perform both personnel and payroll functions. This creates opportunities for fraud, such as the creation of ghost employees. However, removing this permission without disrupting the payroll process is challenging due to system limitations."
- Auditor Matthew Ragaglia.
Before adopting ThirdLine's Segregation of Duties software, the City of College Station struggled to assess its role-based access policies and whether the privileges granted by those roles adhered to the principles of least privilege and segregation of duties.
Three factors make it easy to violate the principles of least privilege and separation of duties:
First, linking all the permissions together in a Role-Based Access Control model is a difficult task because of:
With these issues combined, the auditing process is cumbersome and time-consuming.
Second, many auditors traditionally limit the scope of their investigations to a single department or function. Because of this, the full breadth of privileges or users may never be examined, or at best they are examined piecemeal over long periods of time. This can leave SoD conflicts, or users with more permissions than their job requires, undetected, which increases the City's exposure to fraud and IT security threats.
Third, and most importantly, role-based access in an ERP system is inherently fluid. As roles evolve and personnel shift, assignments change regularly, so even the most thorough point-in-time audit can quickly become outdated.
“With ThirdLine’s Roles and Permissions software, we’ve set a new standard for auditing who can do what in their ERP system,”
-Ty Elliott, Chief Auditor.
ThirdLine’s solution provided the audit team with powerful tools to automate the process of auditing roles and permissions, allowing them to analyze every role assigned to each employee across all departments and identify violations of separation of duties or excessive privileges.
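The core of the analysis described above is mechanical once the data is out of the ERP: compute each user's effective permissions across every role they hold, then test those sets against a list of toxic combinations. The following is an added illustration, not ThirdLine's code or a Munis export; the user, role, and permission names, the activity of the sample users, and the three conflict pairs are all constructed for the example (a real engagement would take the pairs from a framework such as ISACA's SoD matrix and the City's own control design). It also flags roles that violate SoD on their own, such as a superuser role that bundles both sides of a conflict, and diffs two assignment snapshots, which is the check that addresses the "access is fluid" problem.

```python
"""SoD and least-privilege checks over ERP role assignments.

Added illustration with constructed sample data. Nothing here is a real
Munis table, identifier, or ThirdLine's own detection logic.
"""
from collections import defaultdict

# Constructed: which roles each user holds (many-to-many in any real ERP).
USER_ROLES = {
    "alice": {"ap_clerk", "vendor_maint"},   # two individually clean roles
    "bob":   {"payroll_superuser"},          # one role that bundles both sides
    "carol": {"ap_clerk"},
    "dave":  {"hr_specialist"},
}

# Constructed: the permissions each role grants.
ROLE_PERMS = {
    "ap_clerk":          {"invoice.enter", "payment.release"},
    "vendor_maint":      {"vendor.create", "vendor.edit"},
    "hr_specialist":     {"employee.create", "employee.edit"},
    "payroll_superuser": {"employee.create", "employee.edit", "payroll.run"},
}

# Constructed toxic pairs: holding both lets one person run a fraud end to end.
SOD_CONFLICTS = [
    ("vendor.create", "payment.release", "create and pay a fictitious vendor"),
    ("employee.create", "payroll.run", "create and pay a ghost employee"),
    ("po.create", "po.approve", "self-approval of purchase orders"),
]


def effective_permissions(user_roles, role_perms):
    """Union of permissions over ALL roles a user holds.

    Reviewing roles one at a time misses conflicts that only exist when two
    clean roles land on the same person (alice below).
    """
    return {user: set().union(*(role_perms.get(r, set()) for r in roles))
            for user, roles in user_roles.items()}


def find_sod_violations(user_roles, role_perms, conflicts=SOD_CONFLICTS):
    """Map each user to the conflict pairs they hold, with the roles that
    contribute each side so IT knows which assignment to change."""
    eff = effective_permissions(user_roles, role_perms)
    findings = defaultdict(list)
    for user, perms in eff.items():
        for a, b, risk in conflicts:
            if a in perms and b in perms:
                via = sorted(r for r in user_roles[user]
                             if role_perms.get(r, set()) & {a, b})
                findings[user].append((a, b, risk, via))
    return dict(findings)


def roles_with_builtin_conflict(role_perms, conflicts=SOD_CONFLICTS):
    """Roles that violate SoD by themselves. Unassigning one role does not
    fix these; the role definition itself has to be split."""
    return sorted(role for role, perms in role_perms.items()
                  if any(a in perms and b in perms for a, b, _ in conflicts))


def access_drift(old_user_roles, new_user_roles):
    """Role assignments added or removed between two snapshots, so the audit
    can be re-run continuously instead of as a one-off."""
    drift = {}
    for user in sorted(set(old_user_roles) | set(new_user_roles)):
        added = new_user_roles.get(user, set()) - old_user_roles.get(user, set())
        removed = old_user_roles.get(user, set()) - new_user_roles.get(user, set())
        if added or removed:
            drift[user] = {"added": sorted(added), "removed": sorted(removed)}
    return drift


if __name__ == "__main__":
    for user, issues in find_sod_violations(USER_ROLES, ROLE_PERMS).items():
        for a, b, risk, via in issues:
            print(f"{user}: {a} + {b} ({risk}) via roles {via}")
    print("roles conflicting on their own:",
          roles_with_builtin_conflict(ROLE_PERMS))
```

Running this flags alice (the conflict comes from combining `ap_clerk` and `vendor_maint`, so removing one role resolves it) and bob (the conflict is inside `payroll_superuser` itself, which is the harder case the auditors describe). Re-running `find_sod_violations` on each new snapshot, together with `access_drift`, turns the one-time audit into monitoring.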
By integrating with the existing ERP system, ThirdLine's software enabled the audit team to pinpoint SoD issues and then work with management and IT to verify each finding and make the necessary changes. This collaborative process significantly reduced the risk of unauthorized access and fraud. The software provides:
The College Station Audit Team achieved significant results, detailed in their full report. Three key outcomes include:
Unique Features and Benefits
What sets ThirdLine apart is its ability to connect to Tyler Enterprise ERP's complex underlying tables, run tests based on ISACA's segregation of duties framework, and present the results in an intuitive user interface. ThirdLine's solution allowed College Station's auditors to adopt the new system quickly without extensive training. They are now set up for ongoing auditing and monitoring of roles and permissions at a fraction of the cost, and expect future audits to be completed in half the time of this initial project.
Challenges and Obstacles Overcome
Transitioning from a manual to an automated auditing process was initially daunting, with challenges in interpreting permission values and presenting outputs in a useful format. However, with strong support from ThirdLine and its user-friendly platform, the audit team quickly mastered the new system. They used the information to produce an audit report they plan to share nationally.
Future Plans and Scalability
Building on the success of this project, College Station plans to expand the use of ThirdLine to other areas of government operations, including procurement, vendor management, and accounts payable. They believe this new approach could significantly reduce fraud and IT security risks across the board and are eager to share their success story with other local governments.
Ready to revolutionize your approach to roles and permissions auditing? Contact us today to learn more about how ThirdLine’s software can help your organization achieve similar results.