Federal Government

Treasury Strategies was solicited by a large federal agency to conduct a comprehensive risk analysis of a newly implemented primary accounts payable system.

As required by law, the agency had performed a system risk analysis against government application standards. However, for additional security, they wanted to subject the system to private sector (corporate) risk analysis standards as well.

Payment system software must be secured in terms of its physical and server environment, and the procedures for making software code changes need to be very carefully controlled. User access to the software is another area of concern, one that needs to balance preventive and detective controls. Certain application functions, such as vendor setup, are highly sensitive. Forensic tests, such as those that detect unusually repetitive payments, multiple sub-threshold payments, or aggregate payments in excess of tolerances, should be built into the control programs as much as feasible.

Our team had the knowledge of corporate risk assessment this client required. We performed the system and application risk analysis and found a few areas of unaddressed risk. Straightforward recommendations for compensating controls and modified procedures helped the agency mitigate these risks.


 

 