Open Forum

3rd Party GP system access for auditors

  • 1.  3rd Party GP system access for auditors

    Posted 23 days ago
    So our auditors (whom I trust) asked if I would participate in something new.  They want a 3rd party cloud based tool to access our accounting records (GP 2018 on a remote desktop terminal cloud server) to extract all financial, payable, sales, etc. data to facilitate the annual audit.  Evidently this service (Validis.com) will organize the data for our auditors to make the selection of samples and the overall audit process much easier for them.

    This service requires that they have access to our company database(s), that we allow it to bypass our firewall, and that I provide them with an Admin User ID and password.

    I'm a bit leery (if not a little paranoid) of "handing over the keys" to our accounting system to a 3rd party that I've never heard of.

    What questions should I ask of them?
    What security measures (e.g. read-only access) should I attempt to put in place? And how can I do that (maybe create a user ID with limited access for this tool to use)? I'd rather not hand out our sa credentials.
    Would you allow such a system to access your accounting records?

    Thanks in advance for any suggestions or advice,

    ------------------------------
    Jeff Hassenboehler
    Definition6
    Atlanta GA
    ------------------------------


  • 2.  RE: 3rd Party GP system access for auditors

    TOP CONTRIBUTOR
    Posted 22 days ago
    We have a user security role w tasks and userID for the outside auditors.  I can guarantee it is not ADMIN.....

    ------------------------------
    Thaddeus Suter
    Retus, Inc
    HELOTES TX
    ------------------------------



  • 3.  RE: 3rd Party GP system access for auditors

    GPUG ALL STAR
    Posted 22 days ago
    @Thaddeus Suter

    Would you mind sharing the details of that role and those tasks? Enquiring minds!

    Regards,

    ------------------------------
    "Sparkly" Steve Erbach - Green Bay, WI
    Co-Chair, GPUG WI (Green Bay) Chapter
    Blog: https://www.gpug.com/blogs/steve-erbach
    Twitter: twitter.com/serbach

    ───────────────
    Excel Webinar List as of June 10, 2020
    ------------------------------



  • 4.  RE: 3rd Party GP system access for auditors

    TOP CONTRIBUTOR
    Posted 22 days ago
    Edited by Thaddeus Suter 22 days ago
    Sure

    Three Tasks in the Auditor Role
    1. Inquiry All
    2. Reports All
    3. Smartlist All

    We would never give them access to Transactions, Cards, Routines, Utilities and never never ever to SQL. Smartlist will suffice for their exports unless it is over say 30,000 records, in which case we make a Smartlist Excel Builder report which can easily handle hundreds of thousands of records.

    For access they come through XenApp or RDWeb just like everyone else with Cisco VPN and an AD account.

    edit: Oops they also get the DEFAULTUSER task....
    ------------------------------
    Thaddeus Suter
    Retus, Inc
    HELOTES TX
    ------------------------------



  • 5.  RE: 3rd Party GP system access for auditors

    GOLD CONTRIBUTOR
    Posted 22 days ago
    Edited by Luc St-Yves 22 days ago
    I did this for the second year for our auditors, and for 5 of our companies.

    It is an engine that does the trick.  I first have to log on to their secured website, then I have to download and install a 1 time application run.
    Running it, I have to select our ERP from a drop down list, and enter SQL creds so the engine connects to the database.  So, I created for them a single user which only has read access to some tables they said they were looking for extraction by that engine (Customers, Suppliers, GL, SOP10* and SOP30* series).

    They are auditors, so security is out of any doubt their main concern in doing this.  Still, we have to be cautious.  My recommendation would be to ask them which tables they need exactly, and create an SQL user that only has read access to only these tables.

    Besides this, yes it will speed up the auditor's process and give them what they need in order to ask fewer questions to the accounting department.

    Cheers

    ------------------------------
    Luc St-Yves, Senior Business Analyst
    Humanware Technologies, QC (Canada)
    Implementation projects leader
    -Essilor Instruments USA and Canada
    -Essilor International S.A.S., France
    --Promoting Dynamics GP in Europe--
    ------------------------------



  • 6.  RE: 3rd Party GP system access for auditors

    Posted 22 days ago
    Well done for being concerned about your information security, we need more of that :)

    You shouldn't need to "open it all", you should be able to open very specific things.

    Firstly you could open your firewall with VERY strict rules. I know very little about firewalls but I know most of the good ones let you specify an IP address to open to. So you won't be opening your network to the entire internet. You will need to get their IP address that they will be calling from. I believe most of the good firewalls also let you specify where they can connect to, something like your SQL server IP address. And you can often set a date range for the rule, or manually delete it once they are done. Chat to your network admins about these options.

    Then you will need to provide them with security credentials to access your databases with. I would strongly advise that you create those with very strict rules. Only give read access, and only to the tables they specify. Once they are done you can disable the login or delete it. Chat to your database admins about this.

    If you are still uncomfortable you could ask them for templates of the data that you could upload for them.

    If done right an automation like this can save lots of pain and give you more reliable results so it's worth looking into, but you need to be sure that you do not compromise your information security.

    You may want to ask them about security compliance reports on the network and database that they will be storing your data in once uploaded.

    ------------------------------
    Adriaan Davel
    Mekorma
    West Hollywood CA
    ------------------------------
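
The read-only, table-scoped SQL login recommended in posts 5 and 6, sketched in T-SQL as an added example that is not part of any post in this thread. The login, role and database names (`audit_extract_ro`, `audit_extract_reader`, `COMPANYDB`) and the password are placeholders, and the named GP tables are an assumed mapping of "Customers, Suppliers, GL"; confirm the exact table list with the auditors before granting anything.

```sql
-- Added example. Placeholders: COMPANYDB, audit_extract_ro, audit_extract_reader.
USE [master];
GO
-- Dedicated SQL login: no server roles, password policy enforced.
CREATE LOGIN [audit_extract_ro]
    WITH PASSWORD = N'<long-random-password>',   -- placeholder, generate your own
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = [COMPANYDB];
GO
USE [COMPANYDB];
GO
-- Map the login into the company database only; do NOT add it to
-- db_owner, db_datareader or any other broad role.
CREATE USER [audit_extract_ro] FOR LOGIN [audit_extract_ro];
CREATE ROLE [audit_extract_reader];
ALTER ROLE [audit_extract_reader] ADD MEMBER [audit_extract_ro];
GO
-- Grant SELECT on the agreed tables only. The IN list is an assumed mapping
-- (customer master, vendor master, GL account master, GL open and history);
-- the LIKE patterns cover the SOP10* and SOP30* series named in post 5.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'GRANT SELECT ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
             + N' TO [audit_extract_reader];' + NCHAR(10)
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE s.name = N'dbo'
  AND (t.name IN (N'RM00101', N'PM00200', N'GL00100', N'GL20000', N'GL30000')
       OR t.name LIKE N'SOP10%' OR t.name LIKE N'SOP30%');
EXEC sys.sp_executesql @sql;
GO
-- Review before handing over credentials: every explicit permission held by
-- the user or its role. Expect CONNECT plus SELECT rows and nothing else.
SELECT pr.name AS principal_name, dp.state_desc, dp.permission_name,
       OBJECT_NAME(dp.major_id) AS granted_on
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name IN (N'audit_extract_ro', N'audit_extract_reader')
ORDER BY granted_on;
GO
-- When the extraction is finished, disable the login (or DROP it).
USE [master];
GO
ALTER LOGIN [audit_extract_ro] DISABLE;
GO
```

Repeat the `USE`/`CREATE USER`/grant section for each company database the auditors need; the review query does not show anything the `public` role can already read, so check that separately.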



  • 7.  RE: 3rd Party GP system access for auditors

    Posted 22 days ago
    I'm sure that I am hopelessly old-fashioned at 56, but I wouldn't do it, certainly not without a directive in writing from my boss.

    ------------------------------
    Nicholas Saner
    Systems Engineer
    Gaiam, Inc.
    Louisville CO
    ------------------------------



  • 8.  RE: 3rd Party GP system access for auditors

    TOP CONTRIBUTOR
    Posted 22 days ago
    Never never ever. At best we would consider providing a SQL database from a backup and let them have at it ....but it would not be on the production SQL Server and they would have to access through a provided AD account.

    ------------------------------
    Thaddeus Suter
    Retus, Inc
    HELOTES TX
    ------------------------------
