Superuser or Supervillain?
Andrew Davidson
IT Audit Senior Manager
Imagine handing over your credit card and pin to a colleague with the understanding that they would buy all of your shopping from now on and deliver it to your door as and when you need it, saving you the bother of going yourself.
They’ll also help you out by checking the credit card statements for accuracy and paying off the balance each month with a direct debit from your own account.
Is there anything about this that feels wrong to you?
Because a similar issue regularly occurs in many businesses. Some CEOs and directors don’t even realise that when they give a member of staff ‘Superuser’ access they might be creating their very own ‘Supervillain’.
A Superuser is a member of staff who has the access rights to, for example, add and remove staff from key systems, change user access rights and add or amend critical software.
“But isn’t this what our IT department is there for?”
Yes… and no.
Yes, IT support staff should be able to perform these tasks. But at the same time they could use these ‘powers’ to:
- Add fictional staff to payroll (and effectively double their own salary);
- Change supplier bank details so that you pay them instead of the supplier;
- Change records to hide the fact you’ve not paid the supplier;
- Set themselves up as a customer and have free goods sent to them (with fictional records saying they’ve paid);
- Put in fake expense claims and distribute the cost across several accounts so they won’t be noticed;
- Adjust company finances to hide activity and remove all traces they did it;
- Use your business as a money laundering service for criminal activities;
and you would only find out once the money and goods are already gone (with possibly no trail to show who did it). The Supervillain has struck!
When the majority of these issues come to light and a culprit is identified, the first response from the business is often:
“But they were so trustworthy!” or “Why did we not see this happening?”
The problem is that most fraud starts small, when staff realise there is an opportunity due to a lack of controls. It might start with a mistake which they discover has gone unnoticed, or a small change in their favour which they believe they ‘deserve’ due to pressure at work or home. Either way, it can escalate to the point where the business goes from profit-making to a loss while owing even more money in legal fees and fines.
How to thwart the Supervillain?
What would you do if you gave money to someone to get your shopping for you? You’d hopefully review the receipt against expectation and inspect what was bought, maybe even for large purchases you’d want to see an invoice. In other words, you’d monitor the situation.
In business, these activities are often picked up through reconciliation controls over key accounts, but a Superuser who knows how the business works could potentially hide the evidence from these reconciliations by changing the report itself or backdating transactions.
There are several ways to better defend against the Superuser/villain:
- Restrict Superuser access to as few people as necessary
- Give each Superuser a unique account (so activity can be traced back to them)
- Log Superuser activity over key risk processes (such as changing user access rights or program changes) and get someone who isn’t the Superuser to review these logs and confirm the activity is justified
- Vary reconciliations (or do additional spot testing over key accounts); if they are always done at the same time by the same people in the same way, it is easier for Superusers to spot patterns and remove traces of unauthorised activity before the standard reconciliation occurs.
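The log review the list above calls for, as an added example that is not part of the original article: a small Python check over a constructed audit log of privileged actions that flags shared (untraceable) accounts, key-risk actions with no reviewer or a self-reviewer, and backdated postings. The account names, action names, shared-account list and seven-day backdating tolerance are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not from the article). Each row is one
# privileged action: who did it, what, when it was recorded, the business
# date it claims to take effect, and who signed it off.
SAMPLE_LOG = [
    {"actor": "jsmith", "action": "user_access_change", "recorded": "2024-03-01T09:10",
     "effective": "2024-03-01", "reviewer": "mjones"},
    {"actor": "admin", "action": "program_change", "recorded": "2024-03-02T22:40",
     "effective": "2024-03-02", "reviewer": "mjones"},
    {"actor": "jsmith", "action": "supplier_bank_change", "recorded": "2024-03-03T18:05",
     "effective": "2024-03-03", "reviewer": "jsmith"},
    {"actor": "jsmith", "action": "journal_post", "recorded": "2024-03-28T07:30",
     "effective": "2024-02-14", "reviewer": None},
    {"actor": "mjones", "action": "journal_post", "recorded": "2024-03-28T08:00",
     "effective": "2024-03-27", "reviewer": "jsmith"},
]

# Key-risk processes named in the article (access rights, program changes)
# plus supplier bank changes and journals from its list of abuses.
KEY_RISK = {"user_access_change", "program_change", "supplier_bank_change", "journal_post"}
SHARED_ACCOUNTS = {"admin", "root", "sa"}  # assumption: generic logins in use at this firm
BACKDATE_LIMIT = timedelta(days=7)         # assumption: tolerance for legitimate late postings


def review_privileged_log(entries, limit=BACKDATE_LIMIT):
    """Return (entry_index, finding) pairs an independent reviewer should query."""
    findings = []
    for i, e in enumerate(entries):
        if e["action"] not in KEY_RISK:
            continue
        if e["actor"] in SHARED_ACCOUNTS:
            findings.append((i, "shared account: activity cannot be traced to a person"))
        if e["reviewer"] is None:
            findings.append((i, "no independent review recorded"))
        elif e["reviewer"] == e["actor"]:
            findings.append((i, "self-reviewed: reviewer must not be the actor"))
        recorded = datetime.fromisoformat(e["recorded"])
        effective = datetime.fromisoformat(e["effective"])
        if recorded - effective > limit:
            findings.append((i, f"backdated by {(recorded - effective).days} days"))
    return findings


if __name__ == "__main__":
    for idx, msg in review_privileged_log(SAMPLE_LOG):
        print(f"entry {idx} ({SAMPLE_LOG[idx]['actor']}, {SAMPLE_LOG[idx]['action']}): {msg}")
```

Run against the sample log, it reports the shared `admin` login, the self-reviewed supplier bank change, and the unreviewed journal backdated by 43 days; the two properly attributed and reviewed entries produce nothing.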
Need more information?
If you have any queries regarding Superusers and require more advice on how to manage this risk within your organisation, please do not hesitate to get in touch.