Evaluating security risks in the Supplier Electronic Fund Transfer (EFT) process in Yardi


As part of our evaluation of customer Yardi Voyager implementations for Segregation of Duties and Sensitive Access Risks, one area of concern is always the management of Suppliers. The risks here centre on employees setting themselves up as Suppliers and then paying themselves. This type of fraud is common and impacts organizations of all sizes.

Beyond Supplier creation, there is also the opportunity to simply change a Supplier's bank account details or to alter the electronic fund transfer process itself. Tampering with the EFT process can wreak havoc on the payment life cycle and create tension with Suppliers along the way.

Yardi Voyager has a very comprehensive security model with over 4,000 Permissions that can be granted to your users' Groups. Many of these Permissions are granted solely through a Menu; they relate to Reports that can be run from that Menu, and some of them update Data. As part of our review we also have to take into account whether the Group/Role holding the Permission has more than just 'Read-Only' access: with Read-Only, a User technically can't process the transaction, and reporting that User as a risk would be a false positive.

Yardi Permission Chains

An additional area of analysis is based on a User needing (via their Group) multiple Permissions to complete a task. Without considering these Permissions as a chain we end up with false positives: the User appears to have the ability to perform an action, but in practice cannot. This is exactly the case with Supplier Electronic Fund Transfers. When we evaluated this process we found that, to complete it, a User needs several Permissions, including the Suppliers Permission itself, along with the EFT Setup and Pay processing Permissions.

Be sure that if you are reviewing the Permissions for Supplier Payments you encompass all of the Permissions required. In many cases, part of the security comes from a Permission on a Menu, which is secured and reported on in a different way from directly granted Permissions.

Without such evaluation there is a danger of creating false positives in your security and compliance analysis.
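The following is an added example, not Seecuring's or Yardi's own code, showing how the two points above (access level and permission chains) can be applied in a review. The permission names, the "direct" versus "menu" grant source, the access levels and the Group/User data are all constructed for illustration; real Yardi Voyager Permission identifiers are different. The chain is evaluated across all of a User's Groups, a Menu-granted link is checked by presence on a Menu rather than by access level, and a Read-Only link blocks the chain so the User is not reported.

```python
"""Permission-chain evaluation for a Supplier EFT sensitive-access check.

Added example, not Seecuring's or Yardi's own code. Permission names,
access levels and the Group/User data below are constructed for
illustration; real Yardi Voyager Permission identifiers differ.
"""
from dataclasses import dataclass, field

# Access level a Group holds on a directly granted Permission. Only UPDATE
# can actually process a transaction; READ_ONLY on any link in the chain
# means the User cannot complete the task (a false positive if reported).
READ_ONLY = "read-only"
UPDATE = "update"

# Hypothetical chain for completing a Supplier EFT payment. The three links
# mirror the article: the Supplier Permission itself, EFT Setup and Pay
# processing. "menu" marks a Permission that is granted through a Menu
# rather than directly, and so is checked and reported separately.
SUPPLIER_EFT_CHAIN = (
    ("Supplier Maintenance", "direct"),
    ("Supplier EFT Setup", "menu"),
    ("Pay Processing", "direct"),
)


@dataclass
class Group:
    name: str
    # directly granted Permission name -> access level
    permissions: dict = field(default_factory=dict)
    # Permissions reached only through a Menu; presence on the Menu is the grant
    menu_permissions: set = field(default_factory=set)


@dataclass
class User:
    name: str
    groups: list


def effective_access(user, groups_by_name):
    """Merge a User's Groups: the highest access level wins per Permission."""
    direct = {}
    menu = set()
    for gname in user.groups:
        g = groups_by_name[gname]
        for perm, level in g.permissions.items():
            if level == UPDATE or perm not in direct:
                direct[perm] = level
        menu |= g.menu_permissions
    return direct, menu


def evaluate_chain(user, groups_by_name, chain=SUPPLIER_EFT_CHAIN):
    """Return (can_complete, missing) for the chain.

    `missing` lists each link the User lacks and why, so a reviewer can see
    why a naive single-Permission check would have flagged the User."""
    direct, menu = effective_access(user, groups_by_name)
    missing = []
    for perm, source in chain:
        if source == "menu":
            if perm not in menu:
                missing.append((perm, "not on any menu"))
        else:
            level = direct.get(perm)
            if level is None:
                missing.append((perm, "not granted"))
            elif level != UPDATE:
                missing.append((perm, "read-only"))
    return (not missing), missing


def flag_sensitive_access(users, groups_by_name):
    """Only Users who can complete the whole chain are true findings."""
    return [u.name for u in users if evaluate_chain(u, groups_by_name)[0]]


# Constructed sample data (hypothetical Groups and Users).
GROUPS = {
    "AP Clerk": Group("AP Clerk",
                      {"Supplier Maintenance": UPDATE, "Pay Processing": READ_ONLY},
                      {"Supplier EFT Setup"}),
    "AP Manager": Group("AP Manager",
                        {"Supplier Maintenance": UPDATE, "Pay Processing": UPDATE},
                        {"Supplier EFT Setup"}),
    "Auditor": Group("Auditor",
                     {"Supplier Maintenance": READ_ONLY, "Pay Processing": READ_ONLY},
                     set()),
}
USERS = [
    User("alice", ["AP Clerk"]),               # Pay Processing read-only: not a finding
    User("bob", ["AP Manager"]),               # full chain with update: finding
    User("carol", ["Auditor"]),                # read-only everywhere: not a finding
    User("dave", ["AP Clerk", "Auditor"]),     # still no update on Pay Processing
    User("erin", ["AP Clerk", "AP Manager"]),  # Groups combine into the full chain
]

if __name__ == "__main__":
    for u in USERS:
        ok, missing = evaluate_chain(u, GROUPS)
        print(u.name, "CAN PAY" if ok else "blocked:", missing)
    print("Findings:", flag_sensitive_access(USERS, GROUPS))
```

A single-Permission check on "Supplier Maintenance" would report alice, dave and erin alongside bob; evaluating the full chain with access levels reports only bob and erin, and shows for each excluded User which link is missing or Read-Only.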

Segregation of Duties and Sensitive Access control in Yardi Applications

Seecuring provides evaluation of your security and controls within your Enterprise Applications, including updates and patches. In addition, our services help resolve security issues through better security design and ensuring the right controls are in place.

  • Segregation of Duties.

  • Sensitive Access.

  • User Access Reviews.

  • Patch Impact Analysis & Configuration Changes.

For a comprehensive review of your Yardi suite of applications for security risks and control issues, get in touch with us below. We have a comprehensive suite of software and services to assist you in ensuring your applications meet your security and compliance requirements.