Internal Control Best Practices for Small and Mid-size Companies, Part 1

Establishing proper access controls and business continuity procedures can help put small and mid-size companies on the road to a secure IT infrastructure.


Small and mid-size businesses worldwide face the challenge of adding internal controls that strengthen their IT infrastructure and reduce risk. Although many of these companies are not required to comply with government regulations, they may handle highly critical transactions that demand a secure IT infrastructure. Furthermore, because most business transactions now run through computer systems, companies of all sizes need efficient and effective system controls in place to assure investors and other stakeholders that management and financial reports are reliable.

Because many small and mid-size companies are not held to the same internal control standards as their larger counterparts, their IT policies and procedures may not include strong or effective controls that help safeguard corporate assets and fulfill business strategies. To ensure effective and long-lasting internal controls are established, organizations should discuss their creation early in the planning process and incorporate them as part of their overall IT policies and procedures. Below is the first of two articles providing best-practice control recommendations that small and mid-size companies can use to enhance their information systems policies. Part 1 discusses the use of access controls and business continuity procedures that can help these organizations be one step closer to a secure IT environment. Part 2, which will be published in March, will discuss other key best practices, including change management procedures, data security protocols, and capacity planning.

Access Control

One of the most important internal controls an organization of any size should establish is access control, the doorway to all IT systems and corporate resources. Access controls define who may use which IT resources, what they may do with them, and how that use is monitored. The most commonly used access controls are user accounts (a username and password), login and resource access rights, and privileged system accounts.

User Accounts

The creation and management of user accounts is vital to an organization, because access controls are built around user accounts. The purpose of user accounts is to grant employees access to specific network systems and resources.

Companies should create user accounts for employees based on their job description and responsibilities, and the accounts should be set up in the network operating system or directory so that a single policy governs all of them. Although most employees need only one user account for access to network resources, system administrators must have a separate privileged account for system maintenance work and should use their ordinary account for everything else, so that routine tasks such as e-mail and web browsing never run with administrative rights. Any unused or dormant user account should be disabled as soon as it is identified, and an employee's account should be disabled, not left active, on the day the employee is terminated or leaves the organization.

A key aspect of every user account is its username and password. The company's IT department should assign the username. Because usernames commonly follow the employee's first and last name and are therefore easy to predict, the password is the only secret in the pair and must be hard to guess. To help employees create effective and secure passwords, companies should incorporate the following rules as part of their IT security policies:

  • Passwords should contain at least six characters.
  • Passwords should contain at least one number, one uppercase letter, and one lowercase letter.
  • Passwords should be changed every 60 days.

These rules should be enforced as a system-wide policy on the operating system rather than left to individual employees. If an application uses its own authentication, the same rules should be part of that application's use policy. Treat the thresholds above as a floor: length does more for password strength than character-class rules, and current guidance (NIST SP 800-63B) recommends screening new passwords against lists of known-compromised passwords and changing a password when there is evidence of compromise rather than on a fixed calendar. In addition, companies may want to use separate usernames and passwords, or at least a different password, for each system, so that a breach of one system does not compromise the others. Although this is harder for employees to manage, it offers more effective security.

Login and Access Requests

The username and password give an employee access to the company's network resources, so the company must hold employees accountable for all activity associated with their user accounts. Employees should not share their passwords with anyone, write them down on paper, or store them unprotected on their computers. If an employee ever discloses a password to IT support staff, for example during troubleshooting, the account must be reset so that the employee is prompted to choose a new password at the next login.

Furthermore, user accounts should be set up to allow only three login attempts. After the third failed attempt, the system should disable the account. To re-establish the account, the employee must contact the company's network administrator or help desk, who should verify the employee's identity before unlocking it. Finally, requests for access to network resources should come from the employee's direct supervisor, and the company's IT policies and procedures should state who is responsible for implementing each request.
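The user-account rules above (password composition, a password that is reset and must be changed after it has been disclosed to support staff, lockout after three failed logins, and disabling rather than deleting a leaver's account) are easiest to see as one piece of code. The following is an added example written for this article, not code from the original page: a small account store in Python's standard library that enforces those rules. The breached-password list, usernames and passwords are constructed for illustration.

```python
"""Added example (not from the original article): an account store that
enforces the password rules, the three-attempt lockout and the forced
password change after a help-desk reset. Names and sample values are
constructed for illustration."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MIN_LENGTH = 6          # the article's floor; longer passphrases are better
MAX_FAILED_LOGINS = 3   # the account is disabled after the third failure

# Constructed stand-in for a breached-password list; a real deployment
# would load a corpus such as the Pwned Passwords hashes.
BREACHED = {"Password1", "Welcome1", "Summer2024"}


def check_password_policy(password: str, username: str) -> list:
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if username.lower() in password.lower():
        problems.append("contains the username")   # the username is public
    if password in BREACHED:
        problems.append("appears in a breached-password list")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash (scrypt is in the standard library)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Account:
    username: str
    salt: bytes = b""
    digest: bytes = b""
    failed_logins: int = 0
    disabled: bool = False      # after 3 failures, or when the employee leaves
    must_change: bool = False   # after a help-desk reset


class AccountStore:
    def __init__(self) -> None:
        self.accounts = {}
        self.audit = []          # one line per security-relevant event

    def create(self, username: str, password: str) -> Account:
        acct = Account(username)
        self.set_password(acct, password)
        self.accounts[username] = acct
        self.audit.append(f"created {username}")
        return acct

    def set_password(self, acct: Account, password: str) -> None:
        problems = check_password_policy(password, acct.username)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        acct.salt = os.urandom(16)
        acct.digest = _digest(password, acct.salt)
        acct.must_change = False

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'change-required', 'bad-password' or 'disabled'."""
        acct = self.accounts.get(username)
        if acct is None or acct.disabled:
            self.audit.append(f"login refused for {username}: disabled/unknown")
            return "disabled"   # same answer for unknown and disabled accounts
        if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.disabled = True
                self.audit.append(f"{username} disabled after {acct.failed_logins} failures")
                return "disabled"
            self.audit.append(f"bad password for {username} ({acct.failed_logins})")
            return "bad-password"
        acct.failed_logins = 0
        self.audit.append(f"login ok for {username}")
        return "change-required" if acct.must_change else "ok"

    def support_reset(self, username: str, temporary_password: str) -> None:
        """Help desk has verified the caller's identity and issued a temporary
        password; the employee must choose a new one at the next login."""
        acct = self.accounts[username]
        self.set_password(acct, temporary_password)
        acct.failed_logins = 0
        acct.disabled = False
        acct.must_change = True
        self.audit.append(f"reset {username}; change required at next login")

    def disable(self, username: str) -> None:
        """Leaver or terminated employee: disable rather than delete, so the
        account history stays available for audit."""
        self.accounts[username].disabled = True
        self.audit.append(f"disabled {username}")
```

Two design points worth noting: the login path answers "disabled" for an unknown account as well as a locked one, so an attacker cannot use the response to enumerate valid usernames, and the hash comparison uses a constant-time function so the response time does not leak how much of the digest matched. The audit list stands in for the log that makes employees accountable for their accounts' activity.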

Privileged System Account

Privileged system accounts are used by IT support staff to conduct system activities. When creating a privileged system account, organizations should identify the following in their IT procedures:

  • What is the purpose of the account?
  • Who will be responsible for the system account (i.e., who is the system owner)?
  • Who will approve the creation of the account?
  • Who will create the account?

Once the system owner is identified, he or she is responsible for confirming all account details every six months during the audit review. In addition, companies must document clearly who the account's users are, when the account is used, and for how long. Because a privileged account's password is often known to several people, it should also be changed whenever someone in the IT department leaves the organization, whenever there is a security breach, or whenever a previously authorized user no longer needs access to the account.

Remote Access

Remote access extends the network's boundaries by enabling employees to use company resources when working outside the office. Remote access should go through a remote access server that supports user profiles. At least two types of profile are needed: a normal user profile and a profile for each system administrator. A normal user profile has no rights to perform system operations and is given to any non-IT employee who requests remote access or works from a remote location. Profiles for system administrators, on the other hand, must allow them to run system applications and tools remotely.

All remote access requests must come from the employee's supervisor and should specify the kind of access needed and the location from which access will take place. Remote access connections should be encrypted and should be terminated automatically after 30 minutes of inactivity. Remote access accounts should use a different username and password combination from the employee's internal account, together with a one-time password that changes at every login; a hardware token or digital access card that generates such codes can provide this. Finally, the IT department needs to log every remote access connection, including the account, the source, and the start and end times, and review that log.

Business Continuity (BC)

Incorporating BC plans into the IT planning process helps organizations keep employees safe and maintain business operations when an emergency disrupts daily activities. Two elements are essential to the continuity of corporate processes: people and computer hardware.

People

BC plans should document employee roles during emergencies. Job descriptions, especially those of IT staff, should state what the employee is required to do when an emergency occurs. Office processes, including those that depend on computer systems, should also be documented in the BC plan, reviewed and updated regularly, and tested periodically by an external auditor or another disinterested party.

Computer Hardware

For better effectiveness and security, organizations should incorporate the following three elements in their computer hardware policies: architecture and design, alternate hardware, and system backup and recovery.

First and foremost, the architecture and design of every computer system must be documented, so that IT staff can rebuild a system that is lost. This documentation should be part of the organization's change management process, meaning it is reviewed and updated whenever the system changes, and it should address:

  • The system's purpose and operation requirements.
  • Details of any tests conducted on the system, such as development and maintenance tests.
  • Technical specifications, including hardware requirements and system configurations.
  • Business process integrations.
  • Validations.
  • Implementation strategies and the steps taken to implement them.

Besides documenting the hardware's architecture and design, organizations should store any alternate or backup hardware in a different location, as well as keep a file that lists what is stored and where. Small and mid-size businesses usually keep their backup hardware in a leased facility. Requirements for backup locations should depend on the company's overall recovery strategy, available data centers, and the number of employees at each location.

Finally, businesses should have a backup schedule that outlines the steps needed during backup and recovery, as well as the expected recovery time. That time depends on the amount of data in use and on the company's service-level agreement (SLA) with the backup facility. The SLA should state how the confidentiality, integrity, and availability of the backup systems will be maintained. IT policies should also describe when and how backup data will be stored. A good rule is to back up data offsite at least once a week, preferably daily, so that the most recent information is available for recovery, and to test restores periodically, because a backup that has never been restored is not known to work.
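A backup policy is only as good as the check that confirms it is being followed. The following is an added example written for this article, not code from the original page: a Python review of a backup catalog that flags any backup set with no offsite copy, with a copy whose contents no longer match the recorded hash (the integrity the SLA promises), or whose latest offsite copy is older than the weekly requirement or the daily preference. The catalog entries and the "media" contents are constructed for illustration.

```python
"""Added example (not from the original article): review a backup catalog
against the schedule above (offsite copy at least weekly, preferably daily)
and verify the stored copies' integrity. Catalog entries and contents are
constructed for illustration."""
import hashlib
from datetime import datetime, timedelta

MAX_AGE_REQUIRED = timedelta(days=7)    # "at least once a week"
MAX_AGE_PREFERRED = timedelta(days=1)   # "preferably daily"

# Constructed stand-in for the backup media: file name -> bytes.
MEDIA = {
    "finance-db-20240311.dump": b"constructed finance database dump",
    "payroll-20240302.dump": b"constructed payroll dump",
    "hr-files-20240310.tar": b"constructed hr archive, later modified",
    "mail-20240311.tar": b"constructed mail archive",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed catalog: what is stored, where, when, and the hash recorded at
# backup time. The hr-files hash was recorded before the archive was altered,
# so its integrity check fails below.
CATALOG = [
    {"set": "finance-db", "file": "finance-db-20240311.dump", "location": "offsite",
     "taken": "2024-03-11T01:00:00", "sha256": sha256(MEDIA["finance-db-20240311.dump"])},
    {"set": "payroll", "file": "payroll-20240302.dump", "location": "offsite",
     "taken": "2024-03-02T01:00:00", "sha256": sha256(MEDIA["payroll-20240302.dump"])},
    {"set": "hr-files", "file": "hr-files-20240310.tar", "location": "offsite",
     "taken": "2024-03-10T01:00:00", "sha256": sha256(b"constructed hr archive")},
    {"set": "mail", "file": "mail-20240311.tar", "location": "onsite",
     "taken": "2024-03-11T01:00:00", "sha256": sha256(MEDIA["mail-20240311.tar"])},
]


def review_backups(catalog, media, now: datetime) -> dict:
    """Return {backup set: finding}, where finding is one of
    'no-offsite-copy', 'integrity-mismatch', 'stale', 'older-than-preferred', 'ok'."""
    findings = {}
    for name in sorted({entry["set"] for entry in catalog}):
        offsite = [e for e in catalog if e["set"] == name and e["location"] == "offsite"]
        if not offsite:
            findings[name] = "no-offsite-copy"
            continue
        latest = max(offsite, key=lambda e: e["taken"])   # ISO timestamps sort as text
        data = media.get(latest["file"])
        if data is None or sha256(data) != latest["sha256"]:
            findings[name] = "integrity-mismatch"
            continue
        age = now - datetime.fromisoformat(latest["taken"])
        if age > MAX_AGE_REQUIRED:
            findings[name] = "stale"
        elif age > MAX_AGE_PREFERRED:
            findings[name] = "older-than-preferred"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for name, finding in review_backups(CATALOG, MEDIA, datetime(2024, 3, 11, 8, 0)).items():
        print(f"{name:12} {finding}")
```

Run on a schedule, a report like this gives the IT department and the internal auditor the same evidence: which sets met the policy on a given day and which did not. Recording the hash at backup time and re-checking it on the stored copy is what turns the SLA's integrity promise into something that can be tested.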

Looking Forward

Effective internal controls give organizations of all sizes a safer IT environment. Small and mid-size businesses that wish to improve their IT environment should incorporate these best practices during the IT planning process. Doing so helps IT departments and internal auditors assess the effectiveness of, and compliance with, established IT procedures, and identify security weaknesses. Because many organizations use computer systems as the primary means of conducting business transactions, it is important to control who has access to those systems and to ensure they can be restored quickly after a disaster. Auditors can use these best practices as a baseline when reviewing whether the IT department's operations are consistent with the company's strategic plan.

This article focused on different best practices small and mid-size companies can implement when establishing network access and continuity controls. Part 2 of "Internal Control Best Practices for Small and Mid-size Companies" discusses the use of change management procedures, data security protocols, and capacity planning.
