BTerrell Group Blog
by Chris Karnes
As new employees join the company and other employees leave, do you have processes in place for enabling access for onboarding employees and denying access for exiting employees? Are there multiple logins and systems (Office 365, domain login, phone systems, office printers, etc.) that your new employee needs in their daily functions? Most of us rely on the IT department to do this. But, what happens if you have a single IT employee, and that’s the employee that just left? Do you have the processes documented so that you can disable and/or remove the various user accounts for the former employee and create the new accounts for any incoming employee? Improving and creating processes are critical for completing things efficiently, as well as tightening the security surrounding your business files.
Onboarding a New Employee
Document your processes, and review them periodically so they are updated as your technology changes. Your documentation can be as simple as a Word document with the first page listing what every new user would need. The following pages detail how to set up each account using screenshots and a brief explanation of the requirements. If your business has domain access for networked servers, Office 365 with email, Intacct, Sage CRM, a VoIP phone system, and a multifunction office printer with the ability to email scanned items, each system needs to be set up for everything to work correctly. The scanner won’t email if you don’t set up the Office 365 account since the user won’t have a valid email address, and the employee can’t log into their computer if you haven’t set up their domain access.
With so many logins to set up for one new user, you need a standard for creating usernames. Three of the most commonly used standards are first initial last name, first name last initial, and firstname.lastname. Use the same username standard across as many accounts as possible to avoid having an employee email address of firstname.lastname@example.org while his domain login is email@example.com. That is confusing and time consuming, and it leads to failed logins (which can accidentally lock someone out of their account) and to mistakes, such as John giving a prospective client the wrong email address. Software such as Intacct and Sage CRM may be administered by multiple or different people who specialize in that specific software. They must be aware of the company username standards. My personal favorite is firstname.lastname. You occasionally may have two people with similar first and last names, but most of the time there will be a slight difference in spelling between them, for example John Smith and Jon Smith. If two people have the exact same spelling, include a middle initial for the newest employee (jon.z.smith).
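The firstname.lastname standard and the middle-initial rule above can be applied and checked mechanically. The following is an added example, not code from the original post; the function names, the sample names and the sample logins are constructed for illustration.

```python
import re
import unicodedata

def _clean(part):
    """Lowercase, strip accents, and keep only the letters a-z."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())

def make_username(first, last, middle="", taken=()):
    """Apply firstname.lastname; on an exact clash add the newcomer's middle initial."""
    first, last = _clean(first), _clean(last)
    if not first or not last:
        raise ValueError("first and last name are both required")
    base = f"{first}.{last}"
    if base not in taken:
        return base
    initial = _clean(middle)[:1]
    candidate = f"{first}.{initial}.{last}"
    if not initial or candidate in taken:
        raise ValueError(f"{base} is taken; assign this username by hand")
    return candidate

def find_mismatches(standard_name, logins):
    """Return {system: login} for logins whose name part is not the standard name."""
    off_standard = {}
    for system, login in logins.items():
        name_part = login.split("@", 1)[0].lower()  # ignore mail domain and case
        if name_part != standard_name:
            off_standard[system] = login
    return off_standard

# Constructed sample data, not taken from any real directory.
EXISTING = {"jon.smith", "maria.garcia"}
JOHN_LOGINS = {
    "office365": "john.smith@example.org",
    "domain": "jsmith",
    "intacct": "John.Smith",
    "sage_crm": "john.smith",
}

if __name__ == "__main__":
    print(make_username("John", "Smith", taken=EXISTING))
    print(make_username("Jon", "Smith", "Zachary", taken=EXISTING))
    print(find_mismatches("john.smith", JOHN_LOGINS))
```

Running the mismatch check against an export from each system before a new hire's first day surfaces the off-standard login while it is still cheap to rename.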
Deleting Access for Exiting Employees
You also want to create and document a standard for how to deny access for employees leaving the company. Do you want to disable, delete, archive, forward, or monitor the email account? If that employee had several projects in progress and the departure was sudden, you may not want to delete or disable the account, as any client attempting to email your company will have their email denied. You want to reset the password and either forward the emails to another employee or manager to review, or add that mailbox to an employee’s mailbox until you communicate the new contact to clients. The same goes for the phone extension. You need to document how to forward the extension to another employee’s extension, while taking the physical phone offline. This will help ensure that you do not accidentally drop the ball while transitioning, as you always have someone monitoring any incoming contacts from clients. Then document how to delete or disable the employee’s domain account and remove them from the multifunction office printer.
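Once those steps are documented, they can be verified against an account inventory so that nothing stays active after a departure. The following is an added example, not code from the original post; the system labels, field names and the inventory are constructed, and the mapping of steps to systems is an assumption drawn from the paragraph above.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    system: str
    user: str
    enabled: bool = True               # login, device or address-book entry still active
    password_reset: bool = False
    forward_to: Optional[str] = None   # colleague who now receives mail or calls

# What each system must show once an employee has left (assumed mapping of the
# steps in the text; the system names are hypothetical labels).
REQUIRED = {
    "office365": ("password_reset", "forwarded"),
    "voip": ("forwarded", "disabled"),   # extension forwarded, physical phone offline
    "domain": ("disabled",),
    "printer": ("disabled",),
}

def offboarding_gaps(user, accounts):
    """List the offboarding steps still outstanding for a departed user."""
    gaps = []
    for acct in accounts:
        if acct.user != user:
            continue
        # Unknown systems default to "must be disabled" so nothing is skipped.
        for step in REQUIRED.get(acct.system, ("disabled",)):
            done = {
                "password_reset": acct.password_reset,
                "forwarded": acct.forward_to not in (None, user),
                "disabled": not acct.enabled,
            }[step]
            if not done:
                gaps.append(f"{acct.system}: {step} missing")
    return gaps

# Constructed inventory for a departed employee "jane.doe".
INVENTORY = [
    Account("office365", "jane.doe", password_reset=True, forward_to="sam.lee"),
    Account("voip", "jane.doe"),
    Account("domain", "jane.doe", enabled=False),
    Account("printer", "jane.doe"),
    Account("sage_crm", "jane.doe"),
    Account("domain", "sam.lee"),
]

if __name__ == "__main__":
    for gap in offboarding_gaps("jane.doe", INVENTORY):
        print(gap)
```

Systems administered by separate specialists, such as the constructed `sage_crm` entry here, fall through to the default rule and are reported if the account is still enabled.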
If you don’t know what the processes are, or if they are documented, get with your IT department and ensure these are set up so that those with administrative access can properly handle adding new users and removing former employees. If they are not, make sure to create these processes and document them.
Over a period of time, we will address several of the issues or concerns raised about viability of cloud-based accounting (ERP) solutions.
As cloud computing continues to gain popularity, it is also accompanied by the expected, healthy skepticism. When a firm decides to incorporate cloud computing into its business, it must decide if the cloud computing benefits will outweigh the costs and risks, such as security. A recent report, "Cloud Computing: Benefits, Risks, and Recommendations for Information Security," conducted by the European Network and Information Security Agency (ENISA), points out the advantages and disadvantages of cloud computing and gives advice on how to avoid risks.
A recent breach of a local church’s bank account has raised awareness over the proper use of security measures. Having gained illegal access to the church’s bank account using legit security codes and passwords, a hacker was able to withdraw over $170,000 via the Internet. Only $30,000 was recovered from the bank - the remainder of the amount never to be refunded.
Incidents such as these emphasize the importance of reviewing your internal financial procedures at your firm as well as securing your own personal accounts. One precaution a bank has taken involved installing programs that change passwords every 30 seconds. On the less extreme end, you may want to consider implementing a regular process to amend and change your codes and passwords every few weeks. The costs of having a security breach far exceed the costs of regularly changing your passwords. Embezzlement of this sort can lead to further fraud and even identity theft. Other steps you can take include limiting access to bank accounts and seeking advice from your bank and insurance carrier for ideas to keep this from occurring to you.
- Brian Terrell, CPA and Managing Partner