Finding Text
System Access Controls and Principle of Least Privilege Criteria: A sound system of internal control over financial reporting includes restricting user access within financial systems based on job responsibilities and the principle of least privilege. Condition: During our audit procedures, we noted instances in which cash activity was inadvertently recorded to a prior period, indicating that users beyond the senior accountant had the ability to post transactions to closed accounting periods. We also noted certain users had broader system access than necessary to perform their assigned duties. Cause: The condition resulted from insufficient review of user access roles and system permissions and the absence of a formally documented least-privilege access framework. Effect: Excessive or inappropriate system access increases the risk of unauthorized or unintended financial reporting activity, including prior-period postings, inappropriate adjustments and reduced accountability over financial transactions. Recommendation: We recommend the District formally implement a least-privilege access framework within its accounting and financial reporting systems. This should include restricting prior-period posting access to designated personnel, aligning user permissions with assigned job responsibilities and performing periodic reviews of user access rights. Views of Responsible Officials and Planned Corrective Action: Management acknowledges the need to strengthen system access controls and will review existing user roles and permissions, implement more restrictive controls over prior-period postings and establish periodic reviews of user access rights.