Fatskills
Practice. Master. Repeat.
Study Guide: **Internal Controls: System Controls & Security Measures**
Source: https://www.fatskills.com/accounting/chapter/internal-controls-system-controls-security-measures

**Internal Controls: System Controls & Security Measures**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~9 min read

Internal Controls: System Controls & Security Measures

A practical guide to segregation of duties, access controls, cybersecurity, and business continuity.


What Is This?

Internal controls are policies, procedures, and technical safeguards that protect an organization’s assets, ensure data integrity, and maintain operational resilience. You use them to prevent fraud, errors, cyberattacks, and downtime—critical for compliance (e.g., SOX, GDPR) and trust in automated systems.


Why It Matters

  • Fraud prevention: Segregation of duties stops a single person from initiating, approving, and executing a transaction (e.g., embezzlement).
  • Data protection: Access controls limit exposure to breaches (e.g., ransomware, insider threats).
  • Uptime: Business continuity plans minimize disruptions (e.g., natural disasters, cyberattacks).
  • Compliance: Avoid fines (e.g., $4M+ for GDPR violations) and legal liability.


Core Concepts


1. Segregation of Duties (SoD)

Principle: Split critical tasks among multiple people to prevent conflicts of interest or fraud.
Example: - Bad: One employee creates, approves, and pays invoices.
- Good: Separate roles for invoice creation, approval, and payment.

Key Controls: - Dual control: Two people must approve high-risk actions (e.g., wire transfers).
- Job rotation: Rotate roles periodically to deter fraud.
- Mandatory vacations: Force employees to take time off to uncover hidden misconduct.


2. Access Controls

Principle: Grant the minimum necessary access to users, systems, and data.
Layers: - Authentication: Verify identity (e.g., passwords, MFA, biometrics).
- Authorization: Define what a user can do (e.g., read-only vs. admin).
- Accounting: Log all access attempts (e.g., SIEM tools like Splunk).

Models: - Role-Based Access Control (RBAC): Assign permissions to roles (e.g., "Accountant" can view financial data but not modify it).
- Attribute-Based Access Control (ABAC): Grant access based on attributes (e.g., "Only managers in the Finance department can approve budgets").


3. Cybersecurity

Principle: Protect systems from unauthorized access, attacks, and data leaks.
Critical Areas: - Network security: Firewalls, VPNs, intrusion detection (e.g., Snort).
- Endpoint security: Antivirus, EDR (e.g., CrowdStrike), patch management.
- Data security: Encryption (AES-256), tokenization, DLP (Data Loss Prevention).
- Application security: Secure coding (e.g., OWASP Top 10), API gateways.

Threat Vectors: - Phishing: Fake emails tricking users into revealing credentials.
- Ransomware: Malware encrypting data for extortion.
- Insider threats: Employees or contractors misusing access.


4. Business Continuity (BC) & Disaster Recovery (DR)

Principle: Ensure critical operations continue during disruptions.
Key Components: - Business Impact Analysis (BIA): Identify critical processes and their dependencies.
- Recovery Time Objective (RTO): Max acceptable downtime (e.g., 4 hours for payroll).
- Recovery Point Objective (RPO): Max data loss (e.g., 15 minutes for transactional data).
- Redundancy: Backup systems (e.g., cloud failover, RAID storage).
- Incident Response Plan (IRP): Steps to contain and recover from breaches.

Testing: - Tabletop exercises: Simulate disasters (e.g., "What if AWS goes down?").
- Failover drills: Test backup systems (e.g., switch to a secondary data center).


How It Works (Architecture)


Example: Secure Payment Processing System

  1. Segregation of Duties:
  2. Role A (Clerk): Enters payment details.
  3. Role B (Manager): Approves payments > $10K.
  4. Role C (Auditor): Reviews logs monthly.
  5. Access Controls:
  6. RBAC: Clerks can’t approve payments.
  7. MFA: Required for all admin actions.
  8. Cybersecurity:
  9. Encryption: Payment data encrypted at rest (AES-256) and in transit (TLS 1.3).
  10. DLP: Blocks credit card numbers from being emailed.
  11. Business Continuity:
  12. RTO: 1 hour (failover to backup payment processor).
  13. RPO: 5 minutes (real-time database replication).
[Primary Data Center] → [Backup Data Center] (automatic failover)
↑ [Payment API] → [Encrypted DB] → [SIEM Logs]
↑ [MFA + RBAC] → [User]


Hands-On / Getting Started


Prerequisites

  • Basic understanding of IT systems (e.g., servers, databases).
  • Access to a test environment (e.g., AWS Free Tier, VirtualBox).
  • Tools: Open-source options like Keycloak (IAM), Snort (IDS), Duplicati (backup).


Step 1: Implement RBAC with Keycloak

Goal: Restrict access to a mock "Finance Dashboard" API.


  1. Install Keycloak:
    bash
    docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password quay.io/keycloak/keycloak:24.0.0 start-dev
  2. Create Roles:
  3. finance-reader: Can view data.
  4. finance-writer: Can edit data.
  5. finance-admin: Can delete data.
  6. Assign Permissions:
  7. Map roles to users (e.g., "Alice" gets finance-reader).
  8. Test Access:
  9. Use Postman to call the API with a JWT token. Verify finance-reader can’t edit data.

Expected Outcome: Users only access what their role permits.


Step 2: Set Up a Basic Firewall Rule

Goal: Block unauthorized SSH access to a Linux server.


  1. Check open ports:
    bash
    sudo netstat -tulnp
  2. Configure UFW (Uncomplicated Firewall):
    bash
    sudo ufw allow from 192.168.1.100 to any port 22 # Allow only your IP
    sudo ufw enable
  3. Test:
  4. Try SSH from an unauthorized IP—it should fail.

Expected Outcome: SSH access restricted to approved IPs.


Step 3: Create a Backup & Recovery Plan

Goal: Automate database backups with Duplicati.


  1. Install Duplicati:
    bash
    sudo apt install duplicati
  2. Configure Backup:
  3. Source: /var/lib/mysql (MySQL data).
  4. Destination: AWS S3 or a local NAS.
  5. Schedule: Daily at 2 AM.
  6. Test Recovery:
  7. Delete a test file, then restore it from backup.

Expected Outcome: Data is recoverable after accidental deletion.


Common Pitfalls & Mistakes

  1. Over-Permissioning
  2. Mistake: Granting "admin" to everyone for convenience.
  3. Fix: Follow the principle of least privilege (start with no access, add only what’s needed).

  4. Ignoring SoD in Small Teams

  5. Mistake: One person handles all financial tasks in a startup.
  6. Fix: Even in small teams, split duties (e.g., CEO approves payments, accountant records them).

  7. Backup Without Testing

  8. Mistake: Assuming backups work without restoring them.
  9. Fix: Test backups quarterly (e.g., "Can we restore the payroll database in 30 minutes?").

  10. Static Access Controls

  11. Mistake: Never reviewing or revoking access (e.g., ex-employees retain permissions).
  12. Fix: Automate deprovisioning (e.g., sync HR system with IAM).

  13. No Incident Response Plan

  14. Mistake: Panicking during a breach because no one knows what to do.
  15. Fix: Document steps (e.g., "Step 1: Isolate infected systems. Step 2: Notify legal.").

Best Practices


Segregation of Duties

  • Automate SoD checks: Use tools like SAP GRC or ServiceNow to flag conflicts.
  • Document exceptions: If SoD isn’t possible (e.g., in a 2-person team), log and monitor the exception.

Access Controls

  • Enforce MFA everywhere: Especially for admins and remote access.
  • Use temporary credentials: For contractors or third parties (e.g., AWS IAM roles with expiration).
  • Audit logs: Store access logs for at least 1 year (compliance requirement for many industries).

Cybersecurity

  • Patch early, patch often: Automate updates (e.g., unattended-upgrades on Linux).
  • Assume breach: Monitor for anomalies (e.g., unusual login times, large data transfers).
  • Train employees: Simulate phishing attacks (e.g., with KnowBe4).

Business Continuity

  • Prioritize critical systems: Not all systems need the same RTO/RPO (e.g., email can wait; payment processing cannot).
  • Geographic redundancy: Store backups in a different region (e.g., AWS us-east-1 and eu-west-1).
  • Communicate the plan: Ensure all employees know their roles during a disaster.


Tools & Frameworks

Category Tool Use Case
IAM Keycloak, Okta Centralized identity and access management.
SIEM Splunk, ELK Stack Log and analyze security events.
Firewalls pfSense, Cloudflare Network traffic filtering.
Backup Veeam, Duplicati Automated data backups.
Encryption OpenSSL, AWS KMS Encrypt data at rest and in transit.
SoD Automation SAP GRC, ServiceNow Enforce segregation of duties.
DR Testing Chaos Monkey, Gremlin Simulate failures to test resilience.


Real-World Use Cases


1. Healthcare: HIPAA-Compliant Patient Records

  • Challenge: Protect sensitive patient data (e.g., medical history) while allowing doctors to access it.
  • Solution:
  • Access Controls: RBAC (e.g., nurses can view records but not edit them).
  • Encryption: AES-256 for data at rest, TLS 1.3 for data in transit.
  • Audit Logs: Track every access to patient records (required by HIPAA).

2. E-Commerce: PCI DSS Payment Processing

  • Challenge: Secure credit card data to comply with PCI DSS.
  • Solution:
  • Segregation of Duties: Separate roles for payment processing, refunds, and auditing.
  • Tokenization: Replace card numbers with tokens (e.g., Stripe, Braintree).
  • DLP: Block credit card numbers from being emailed or stored in plaintext.

3. Manufacturing: OT/IT Convergence

  • Challenge: Secure industrial control systems (ICS) from cyberattacks (e.g., Stuxnet).
  • Solution:
  • Network Segmentation: Isolate OT (operational technology) from IT networks.
  • Air Gapping: Critical systems (e.g., PLCs) have no internet access.
  • Business Continuity: Redundant PLCs and failover power supplies.


Check Your Understanding (MCQs)


Question 1

A company’s finance team has one employee who creates invoices, approves them, and processes payments. Which internal control is missing?

A) Multi-factor authentication B) Segregation of duties C) Data encryption D) Incident response plan

Correct Answer: B) Segregation of duties Explanation: Segregation of duties splits critical tasks to prevent fraud. Here, one person controls the entire payment process, creating a risk of embezzlement.
Why the Distractors Are Tempting: - A) MFA is important but doesn’t address the conflict of interest.
- C) Encryption protects data but doesn’t prevent internal fraud.
- D) An incident response plan is for breaches, not fraud prevention.


Question 2

Your team uses AWS IAM to manage permissions. A developer needs temporary access to a production database to debug an issue. What’s the most secure way to grant access?

A) Give them permanent admin permissions.
B) Create a time-limited IAM role with read-only access.
C) Share the root account credentials.
D) Whitelist their IP in the database security group.

Correct Answer: B) Create a time-limited IAM role with read-only access.
Explanation: Temporary, least-privilege access reduces risk. IAM roles can be set to expire automatically.
Why the Distractors Are Tempting: - A) Permanent admin access violates least privilege.
- C) Sharing root credentials is a major security risk.
- D) IP whitelisting doesn’t limit what the user can do.


Question 3

A ransomware attack encrypts your company’s database. Your backup system has an RPO of 1 hour and an RTO of 4 hours. What does this mean?

A) You’ll lose 1 hour of data and recover in 4 hours.
B) You’ll lose 4 hours of data and recover in 1 hour.
C) The backup runs every 1 hour and takes 4 hours to restore.
D) The ransomware will be contained in 1 hour and removed in 4 hours.

Correct Answer: A) You’ll lose 1 hour of data and recover in 4 hours.
Explanation: - RPO (Recovery Point Objective): Max data loss (1 hour).
- RTO (Recovery Time Objective): Max downtime (4 hours).
Why the Distractors Are Tempting: - B) Swaps RPO and RTO.
- C) Misinterprets RPO/RTO as backup frequency/restore time.
- D) Confuses recovery metrics with incident response.


Learning Path

  1. Foundations:
  2. Learn basic IT security (e.g., Cybrary’s Free Courses).
  3. Understand compliance frameworks (SOX, GDPR, HIPAA, PCI DSS).

  4. Hands-On:

  5. Set up RBAC with Keycloak or AWS IAM.
  6. Configure a firewall (e.g., pfSense) and test rules.
  7. Create a backup plan with Duplicati or Veeam.

  8. Advanced:

  9. Automate SoD checks with SAP GRC or ServiceNow.
  10. Deploy a SIEM (e.g., Splunk) to monitor security events.
  11. Simulate disasters with Chaos Monkey or Gremlin.

  12. Specialization:

  13. Cloud Security: AWS/Azure/GCP security certifications.
  14. OT Security: Learn about ICS/SCADA security (e.g., NIST SP 800-82).
  15. Governance: Study COBIT or ISO 27001.

Further Resources


Books

  • IT Governance: A Manager’s Guide to Data Security and ISO 27001/ISO 27002 – Alan Calder.
  • The Phoenix Project – Gene Kim (fiction, but teaches DevOps/IT security culture).

Courses

Tools & Docs

Communities

  • r/netsec (Reddit).
  • OWASP Slack (Join here).
  • ISACA ([


ADVERTISEMENT