The Tale of the Hidden User ID: A Lesson in Audit Accuracy
In the world of auditing, every detail counts. It’s a lesson we learned the hard way during a memorable audit a few years back, while working with a large mining client. This story illustrates why ensuring the completeness and accuracy of Information Provided by the Entity (IPE) and Information Used in the Execution of the Control (IUC) is so critical.
A Troubling Discovery:
It was a typical audit, or so we thought. Our task was to review the client's IT controls, including user access management. The previous year, an elevated user ID had raised concerns due to its high privileges, posing potential risks. We needed to ensure this issue had been resolved.
As we reviewed the user lists provided by the client, everything seemed in order. The problematic user ID from the previous year was nowhere to be found. It looked like the control issue had been addressed, and we were ready to give the control a clean bill of health.
Unearthing the Truth:
However, something didn't sit right. We decided to dig deeper, asking the client directly about the missing user ID. To our surprise, they confirmed that the elevated user ID still existed and was, in fact, essential for their operations. This was alarming—if the user ID was still active, why wasn’t it showing up in our data?
The Clever Exclusion:
Our investigation revealed a startling truth. When generating the user list, the client had used an exception statement: “Give us all users, except this specific user ID.” They had intentionally excluded the problematic account from the data provided to us. This exclusion had almost led us to incorrectly conclude that the control issue had been resolved.
The Importance of Completeness and Accuracy:
This experience underscored the crucial importance of validating IPE and IUC. Here’s how we’ve changed our approach to ensure such oversights never happen again:
1. Review Selection Criteria: We now always review the queries and input filters used to generate reports. This helps us understand exactly what data is being included—and excluded.
2. Verify Source Systems: We make sure data is extracted from live production environments, not from testing, development, or any other non-production system, ensuring the information is current and relevant.
3. Check Timestamps and Success Status: We look for timestamps to confirm the data is recent and verify the extraction status to ensure there were no errors during the process.
4. Row Count Verification: We compare the row counts in the system's output with the final report to confirm no data loss during extraction.
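As an added illustration (not code from the audit described here), the sketch below applies steps 1 and 4 to a user-list extract: it flags exclusion predicates in the report query and reconciles the report against the unfiltered source population. The table name, user IDs and query are constructed sample data, and the function names are hypothetical.

```python
import re
import sqlite3

# Constructed sample data: a stand-in for the production user table.
USERS = [("jsmith", "standard"), ("mnkosi", "standard"),
         ("SYS_ELEVATED", "admin"), ("apatel", "standard")]

# Constructed report query containing the kind of exclusion described in the story.
CLIENT_QUERY = "SELECT user_id, role FROM users WHERE user_id <> 'SYS_ELEVATED'"

# Operators that narrow a population and warrant a question to the report owner.
EXCLUSION_PATTERNS = [r"<>", r"!=", r"\bNOT\s+IN\b", r"\bNOT\s+LIKE\b",
                      r"\bNOT\s+EXISTS\b", r"\bEXCEPT\b"]


def find_exclusions(query):
    """Step 1: return the exclusion operators found in the query text."""
    hits = []
    for pattern in EXCLUSION_PATTERNS:
        match = re.search(pattern, query, re.IGNORECASE)
        if match:
            hits.append(match.group(0))
    return hits


def validate_extract(conn, query, table="users", key="user_id"):
    """Step 4: reconcile the report output with the unfiltered source table."""
    source = {row[0] for row in conn.execute(f"SELECT {key} FROM {table}")}
    report = {row[0] for row in conn.execute(query)}
    return {
        "exclusions": find_exclusions(query),
        "source_rows": len(source),
        "report_rows": len(report),
        "missing_ids": sorted(source - report),  # IDs filtered out of the report
    }


def build_sample_db():
    """Create the constructed in-memory source table used for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


if __name__ == "__main__":
    print(validate_extract(build_sample_db(), CLIENT_QUERY))
```

A non-empty exclusions list or a row-count mismatch is a prompt to ask the report owner why records were filtered, not proof of concealment on its own.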
A Valuable Lesson:
This memorable audit experience taught us a vital lesson about the potential pitfalls of incomplete and inaccurate data. By learning from this experience and implementing rigorous validation processes, we’ve strengthened our audit practices.
Ensuring the completeness and accuracy of data isn’t just about ticking boxes—it’s about maintaining the integrity of the audit process and providing reliable assurances. If you need assistance in securing your data for audits, contact us today for a tailor-made solution.