System User Access for Financial Information Systems
A. Introduction
To ensure the integrity of financial data, accuracy of financial reporting and to
minimize the risk of fraud, it is important to establish a clear system access provisioning
and segregation of duties (“SoD”) policy for information technology financial systems.
B. Provisioning User Access
Proper provisioning of user access to financial information systems shall be established such
that no user is given system access that allows the user to both initiate and approve
a transaction. Specifically, user system access in one or across multiple system(s)
shall be granted such that no one user has system access that allows sole control
over any one transaction. Applicable transactions include but are not limited to:
• the receipt of funds
• disbursement of funds
• transfer of funds
• journal entries
• human resources and payroll activity, including but not limited to establishment
of an employee and/or changes in pay rates and/or benefits
• budget entries and transfers
C. Least Privilege
The principle of least privilege states users shall be granted the minimum level of
access to information systems that is necessary to perform the user’s assigned tasks.
User access to financial information systems shall be configured in accordance with
the least privilege principle.
D. User Authentication Controls
Strong user authentication controls shall be implemented in accordance with Uniform
Information Security Governance guidelines, or the applicable industry standard for
information security at the time, including, but not limited to, the use of complex
passwords, limits on unsuccessful login attempts, and session timeouts; provided,
however, authentication controls may change over time in accordance with industry
standards. User IDs and passwords shall be kept confidential and changed regularly.
Employees with administrative access to financial information systems shall not utilize
administrative access accounts for operational or financial tasks.
E. Monitoring
Each Vice President who has financial information systems in their area shall be
responsible for establishing procedures to ensure the security and integrity of financial
information systems accessed by their employees and to ensure employees are appropriately
trained on such procedures. These procedures shall specify that user activity will
be monitored routinely to ensure all users are appropriately provisioned to establish
proper segregation of duties and configured in accordance with the least privilege
principle.
F. Audit Trails
Audit trails and audit logs shall be implemented to track and record all financial
transactions and system access. A user access change log shall also be maintained
that records when user access permissions have been changed and by whom. The audit
trails/logs shall be reviewed regularly by management and retained in accordance with
records retention requirements. These records shall be protected against unauthorized
access, modification, and deletion.
G. Deprovisioning User Access
Each Vice President who has financial information systems in their area shall establish
procedures to immediately terminate user access to financial information systems when
a user leaves the organization or changes roles. Additionally, these procedures shall
include a periodic review (not less than annually) of all user access to ensure it
is appropriately assigned.
H. Conclusion
This policy is intended to ensure that system access controls related to financial
transactions are implemented and maintained to protect the integrity, security, and
confidentiality of system data. By implementing this policy, institutions can reduce
the risk of errors, fraud and unauthorized activities and increase the effectiveness
of their internal control systems. Non-compliance with this policy may result in disciplinary
action.
Approved Date:
June 16, 2023