Fastpath Completes SOC 1 Type 2 Examination

Fastpath has completed its SOC 1 Type 2 examination.

Let’s talk about SOCs and why they matter. Not socks, though they keep you warm. Not Sox in white or red, though they can be fun to watch, but SOCs.

A SOC (Service Organization Controls) report is the output of an attestation engagement, a form of audit, performed by an independent CPA firm. If you use cloud services, your own auditors may rely on the provider’s SOC report to reduce their testing. It also means the provider has been deliberate about its controls and an outside auditor has tested that those controls operate as described. Like you and your socks, Fastpath has two SOCs, cleverly known as SOC 1 and SOC 2. They break down like this:

  • SOC 1: Internal Controls over Financial Reporting (ICFR), i.e. controls at the provider that could affect your financial statements.
  • SOC 2: Controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, or privacy (the Trust Services Criteria).

[https://socreports.com/audit-overview/soc-1-vs-soc-2]

If your cloud provider doesn’t have at least a SOC 2, you’ve got problems. A SOC 2 covers the provider’s controls over the systems that hold and process your data; without it, you have to wonder what kind of protection is actually in place. A SOC 2 is relevant for any cloud provider. A SOC 1 is appropriate when the provider’s service is also tied to your financial reporting.

But there is also more than one type of each SOC. A Type 1 report says the company has designed and put controls in place, and an auditor has reviewed that design as of a single point in time. A Type 2 report says the controls have been in place for a period (typically six to twelve months) and the auditor tested that they actually operated throughout it. You can’t get a Type 2 overnight.

Fastpath has BOTH a SOC 1 Type 2 and a SOC 2 Type 2. These reports aren’t always publicized, so if you’re unsure, ask your cloud providers for a copy (you may be asked to sign an NDA first). If you get dumb looks and blank stares, be very nervous.

GP Controller Series: Keys to Role Management

Security around an ERP system is a key control area, and yet a lot of Dynamics GP companies have users with excessive privileges. You really want to avoid having to make statements like Costco did:

“The weakness relates to general information technology controls in the areas of user access and program change-management over certain information technology systems that support the Company’s financial reporting processes. The access issues relate to the extent of privileges afforded users authorized to access company systems.”

Costco reports a material weakness in internal control. But is it really?

So how do you fix this in GP? There are a lot of pieces, but we’ll hit the highlights and include plenty of resources.

  1. Control/limit/eliminate the ‘sa’ and ‘DYNSA’ logins, and don’t assign the ‘Power User’ role. Once the system is up and running, ‘sa’ is really only needed for installing additional modules and running the GP Utilities application (the separate installer utility, not the Utilities menu inside GP). Everything else can be done with other permissions. DYNSA must exist because it owns the GP databases, but there is no reason for a person to log in with it. The Power User role simply provides too much access and creates a risk of both intentional and accidental damage. Fastpath’s Minimizing the Use of ‘sa’ whitepaper is a great resource for addressing this.
  2. Rebuild and reassign roles in GP. The out-of-the-box roles are designed to complete a process from beginning to end. That works great for testing and violates segregation of duties principles across the board: an AP clerk should not be able to create a vendor, enter a voucher, and process the payment without additional controls, yet that is exactly what the default AP Clerk role allows. The built-in tasks are a great starting point, but they need to be regrouped into new roles that split those duties. Fastpath’s free Security Matrix is a good tool to start the role rebuilding process with.
  3. Identify mitigating controls. There are a number of features in GP that can be used as mitigating controls when changing security is not an option. Workflow is a great example: an AP clerk could be allowed to create vendors, but before the vendor record becomes active it must be approved by a supervisor through GP’s built-in Workflow.
  4. Look across roles for new conflicts. The first three steps will significantly improve security; they take some time but not a lot of additional money. The last step is looking across each user’s combined role assignments to see where holding several roles at once has created segregation of duties conflicts that none of the roles has on its own. This is really hard to do without a paid tool. Fastpath’s Assure tool is the best option for complete segregation of duties management.
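As an added illustration (this is not code from the original post, from Fastpath, or from Microsoft), here is a T-SQL starting point for steps 1 and 4 that a GP administrator could run in SQL Server Management Studio against the GP system database. It assumes the standard GP system tables SY01400 (users), SY01500 (companies), SY10500 (user/company/role assignments) and SY10600 (role-to-task assignments) with their usual column names, and that the system database is named DYNAMICS; verify both against your GP version. The conflicting task IDs in the `@Conflicts` table are hypothetical placeholders, not real GP task IDs, and must be replaced with the task IDs from your rebuilt roles.

```sql
-- Added example (not from the original post, Fastpath, or Microsoft).
-- Assumed standard GP system tables (verify against your GP version):
--   SY01400  users master                  (USERID, USERNAME)
--   SY01500  company master                (CMPANYID, CMPNYNAM)
--   SY10500  user/company/role assignments (USERID, CMPANYID, SECURITYROLEID)
--   SY10600  role -> task assignments      (SECURITYROLEID, SECURITYTASKID)
USE DYNAMICS;   -- assumed default name of the GP system database
GO

-- Step 1: which users hold the Power User role (role ID POWERUSER) in which
-- company, and which companies still have role assignments for sa / DYNSA?
SELECT u.USERID, u.USERNAME, c.CMPNYNAM, a.SECURITYROLEID
FROM SY10500 a
JOIN SY01400 u ON u.USERID = a.USERID
JOIN SY01500 c ON c.CMPANYID = a.CMPANYID
WHERE a.SECURITYROLEID = 'POWERUSER'
   OR a.USERID IN ('sa', 'DYNSA')
ORDER BY u.USERID, c.CMPNYNAM;

-- Step 4: segregation of duties conflicts that appear only when a user's
-- roles are combined. The task IDs below are placeholders (hypothetical);
-- replace them with the real task IDs from your rebuilt roles.
DECLARE @Conflicts TABLE (
    TaskA  CHAR(50),
    TaskB  CHAR(50),
    Reason VARCHAR(100)
);
INSERT INTO @Conflicts (TaskA, TaskB, Reason) VALUES
    ('AP_CREATE_VENDOR', 'AP_PRINT_CHECKS', 'Create vendor + pay vendor'),
    ('AP_ENTER_VOUCHER', 'AP_PRINT_CHECKS', 'Enter payable + pay it');

-- Every task a user can reach in a company through ANY assigned role,
-- remembering which role granted it.
WITH UserTasks AS (
    SELECT DISTINCT a.USERID, a.CMPANYID, a.SECURITYROLEID, t.SECURITYTASKID
    FROM SY10500 a
    JOIN SY10600 t ON t.SECURITYROLEID = a.SECURITYROLEID
)
SELECT x.USERID, x.CMPANYID, cf.Reason,
       x.SECURITYROLEID AS RoleGrantingTaskA,
       y.SECURITYROLEID AS RoleGrantingTaskB
FROM @Conflicts cf
JOIN UserTasks x ON x.SECURITYTASKID = cf.TaskA
JOIN UserTasks y ON y.SECURITYTASKID = cf.TaskB
               AND y.USERID   = x.USERID
               AND y.CMPANYID = x.CMPANYID
ORDER BY x.USERID, x.CMPANYID, cf.Reason;
```

Rows where RoleGrantingTaskA and RoleGrantingTaskB differ are the cross-role conflicts step 4 is after: each role passed review on its own, and the conflict only exists because one user holds both. Keeping the conflict matrix current and tracing tasks down to individual windows and operations is the part that gets hard to maintain by hand.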

Links to all the posts in this series can be found at http://mpolino.com/gp/gp-controller-series-index/