IT managers fear Microsoft Access because of its poor security controls and its role as a substitute for bona fide enterprise applications. CEOs and CFOs should fear Access as well because it presents a deficient internal control that could be spotted by SOX auditors. Rein in unsanctioned MS Access applications in the enterprise to improve security and mitigate the risk of material weaknesses.
Access as a Business Process Killer
As a tool for individuals or small teams, Microsoft Access does have productivity benefits. Access was never designed to function as a production database, yet many small workgroups use it to build mini-applications that are ultimately pushed out to more and more users in a production environment.
Worst-case scenarios occur when the unstable Access application becomes a source of "truth" within the business, a data source that does not have any relation to enterprise data stores or processes. As such, this faulty information is used to make important business decisions that are not aligned with corporate goals and compliance or financial reporting requirements.
Some potential Access nightmares include:
- Few users are experts, and often make errors in calculations that end up skewing entire files. Planning sessions consequently go awry when executives show up with their own data sets and cause confusion over whose information is right.
- Access files quickly become overly cumbersome and complex, ultimately breaking down. IT is brought in to sort it all out, only to discover that no documentation was written regarding the creation or purpose of the Access files.
- Financial statements are prepared using poorly designed Access tables. The data's accuracy becomes compromised, and Finance staff end up wasting many hours verifying the validity of the numbers rather than performing their jobs.
- IT has little or no knowledge of an Access file's existence, so the valuable data contained within the file is not backed up, secured, or checked for quality.
Access as a Security Risk
Access itself poses several types of risk to the business, and its lack of certain controls means that users can enter corporate databases via Access and steal or alter sensitive data without any record of the transaction taking place. Another problem is that the front-end application and the database are combined in the same file, so application controls and database controls are one and the same, which is a security threat. In fact, Access lacks some controls altogether:
- Audit trails or logging.
- Native backup or recovery features.
- Error messages or logs.
- Validation and data code controls.
- Run-to-run batch controls.
Recommendations
- Ban Access where applicable. The problem with Access is that it is readily available and easy to use for accessing existing data on the network. Some executives have become so fed up with business decisions being made from the bad data generated through various Access databases that they are banning Access altogether. Bring IT staff in to evaluate the data and the risks posed by it, then build a plan to migrate the data to a more stable and controlled platform (or retire it entirely). While this can be an expensive and time-consuming exercise, it is well worth the effort to eliminate suspect data and the subsequent costs of misinformed decisions made from it.
- To ensure Access is not used, set controls that prohibit users from installing software on PCs without administrator permission. Also, add Access to the list of restricted software in the enterprise's technology acceptable use policy or software installation policy. To help you with the task of implementing a software installation policy in your organization, refer to the Info-Tech Advisor, "Software Installation Policy & Request Form."
- Lock down Access whenever and wherever it is used. As mentioned earlier, Access is fine provided that files are being used by small workgroups in a non-production environment. In any case, Access security controls should be deployed across the enterprise; Access does indeed have security features, just not the backup and reporting features required for auditing. For information on Access's native security features, read "Important, But Often Dismissed: Internal Control in a Microsoft Access Database," from ISACA (membership required).
- Consider alternatives. Where accurate data is required for business decisions, the release of 2007 Microsoft Office System for Business Intelligence has features that will allow business data to be managed centrally by IT, including Excel support for SQL Server 2005 and SharePoint. These capabilities will enable users to share and manage data over a secure server or through a VPN-based browser. In cases where Access is being used as a production database, replace it with Microsoft SQL Server 2005.
Bottom Line
Access has business benefits when used appropriately. However, it is equally important to recognize Access's limitations and the dangers it poses when left to novices and operated outside of IT's purview.