Give us some real security

Fund Accounting, Accounts Payable, Accounts Receivable, Payroll

Moderators: Moderators, Tech Support

SBCTrustee
Posts: 99
Joined: Sun Aug 22, 2004 3:52 pm
Location: Second Baptist Church

Give us some real security

Post by SBCTrustee »

Hello Everyone,

I like everything about PC+ v9 except the password security. Why can't there be a sort of cafeteria style of selections within each module, instead of having to have the whole module, for example in accounting?

Why must I allow anyone who has access to accounting to be able to mess with my chart of accounts? (I am finding new accounts being created on the "fly", everywhere). Why must journal entries be opened to anyone who can also write checks? Why can't I allow some to enter invoices, but prevent them from writing checks?

I am asking for greater fine tuning of your security system. I believe that this will make a great program greater!

Tom
2nd Baptist Church of Ypsilanti

Matt
Authorized Teaching Consultant
Posts: 733
Joined: Fri Dec 05, 2003 4:04 pm
Location: Jacksonville, AL

Post by Matt »

In defense of PC+, I think that you need to keep in mind the types of users the software is intended for. In general, I have found that PC+ is used by just a handful of people in a church, sometimes only one or two. If you only have one or two people working the system, it is pretty difficult to have the segregation of duties and security controls that you would like to see.

Having said that, I understand the need to have good internal controls in an accounting system. Sure, there is always room for improvement, but you have to look at the cost vs. the benefit to be gained. I feel that given the types of users PC+ is intended for (churches--which by definition should have people more trustworthy than the population at large) the software has excellent security and internal controls. One of the best controls new to version 9 is the audit logs which track postings, deletions, changes to accounts, and so on. However, one thing that is missing from the audit logs is the addition of new accounts to the chart of accounts. I would like to see that functionality added to the audit logs, for the reason you state.

SBCTrustee
Posts: 99
Joined: Sun Aug 22, 2004 3:52 pm
Location: Second Baptist Church

GOOD SECURITY INCREASES SALES

Post by SBCTrustee »

Hello Everyone,

I really do understand your reply, however, why should a user have to settle for security holes? Except for a totally one man shop, the door is left wide open for problems. I have a lady who just loves to create accounts on the "fly", the problem is that she does not understand accounting. Therefore, I have to figure out how to "cleanup" her mess. There should be no exposure to unauthorized account changes.

I can't see very much developmental increased cost to limiting certain accounting functions as needed. It appears that most of the (Fox Pro) code is probably already there to provide much of the additional accounting safeguards. How much coding does it really take to add an "if statement" or two in the program code?

Please understand me, I believe that PC+ may be the best thing since sliced bread. The product that we were using only had passwords to get into certain tables, so I understand.

Tom

Matt
Authorized Teaching Consultant
Posts: 733
Joined: Fri Dec 05, 2003 4:04 pm
Location: Jacksonville, AL

Post by Matt »

Tom,

Understand your situation completely. I have had to deal with similar situations. However, I submit that the problem you have with the lady creating accounts is really more of a training issue than a security issue. You can pay a whole lot more for an accounting system and still have the types of problems you describe if the users aren't trained properly. I am involved with implementing a new accounting system at work and I would have to say that in many respects, PC+ works far better than this system which they have paid millions of dollars for. One of the primary reasons they are having trouble is due to lack of good training for users of the system.

Matt

SBCTrustee
Posts: 99
Joined: Sun Aug 22, 2004 3:52 pm
Location: Second Baptist Church

The ultimate internal Control

Post by SBCTrustee »

Hello Everyone,

As I reviewed the responses that I received regarding security, I began to appreciate your view of my concerns more.

When the dust finally settles, I know that the best internal controller is the HOLY SPIRIT. However, I hope that he will move the programmers to revisit (enhance) the accounting security module some day with the following features:
a) Provide a report that lists the security for each authorized user.
b) Separate the accounting functions better through password selection.
c) Provide a user type profile so that the admin. could set password accessibility the same for all users with that profile.

Yes, costs must be weighed, however, the cost of not having proper security is also costly. Probably the smaller the "shop", the more important security becomes.

I am not as worried about someone writing a million dollar, as I am worried about someone little by little doing so over time!!!

A lot of things cannot be prevented, however, we need a way to at least be able to determine that something went wrong.

Tom

Matt
Authorized Teaching Consultant
Posts: 733
Joined: Fri Dec 05, 2003 4:04 pm
Location: Jacksonville, AL

Post by Matt »

If someone is determined to do something dishonest, they usually can find a way to do it. I believe that your first line of defense is the honesty and integrity of the people using the system. If you can't trust them--beware.

My observation in being a church treasurer and working with other churches setting up their system is that there's a tendency to be lax on policies and procedures when it comes to the financial things. The reason often is an unwillingness to take the extra time and effort to do things right. They feel that it's burdensome and unnecessary. As a result, you end up with loose controls. If you are worried about security, I would recommend looking at your operating policies and procedures first and making sure that things are being done correctly and in order. This is where I think the greatest internal control weaknesses lie.

For example--when was the last time the combination was changed on the safe? How often do you change users' passwords? What documentation and approval procedures do you have in place before a check can be written? How many people can sign checks? Where are your blank checks kept? Are blank checks being signed in advance for convenience purposes? These are all areas of potential security weaknesses that have nothing to do with the security controls in PC+.
