Accounting Firm Loses Access to Critical Systems After Failed Security Audit Reveals Misconfigured User Permissions

The Challenge

In 2025, Crestline Advisory, a growing management consulting firm, uncovered a troubling gap in access management during a scheduled internal audit. The audit revealed that several former employees still retained access to payroll systems and compensation records, even though they had left the organization months earlier. More alarmingly, employees from departments with no business need were also found to have privileges that allowed them to view sensitive payroll data.

These access rights had been inherited from outdated permission templates, which had never been recertified. With each acquisition and new hire, the legacy permissions were simply copied, resulting in bloated and inaccurate access control across multiple systems. Although there was no confirmed misuse, audit logs showed multiple instances of file access that could not be easily explained.

Our Solution

We were engaged to help Crestline rebuild its identity and access management protocols from the ground up. First, we worked with the compliance and HR teams to audit every active user account against current role requirements. Unnecessary permissions were revoked, and legacy access templates were retired.

Next, we implemented quarterly access reviews, requiring department heads to verify that their staff had only the access necessary to perform their duties. Automated workflows were introduced to connect HR systems with access provisioning tools, ensuring that promotions, transfers, and terminations automatically triggered permission updates.

Real-time dashboards were developed to provide department leaders with visibility into who had access to what systems, and to support immediate revocation if risks were identified.

The Value

By addressing the audit findings swiftly and comprehensively, Crestline avoided potential regulatory penalties and reputational damage. The improved governance posture reassured clients, particularly in financial and public sectors where data confidentiality is a core requirement. Internally, the project reinforced a culture of accountability and highlighted the importance of tight coordination between HR, IT, and compliance.

The reforms are expected to prevent costly insider incidents and significantly reduce audit fatigue. More importantly, they enable the firm to scale with confidence as it continues to grow through new projects and acquisitions.

Implementation Roadmap

  • Audit all active permissions against role requirements
  • Revoke unnecessary and legacy access privileges
  • Implement quarterly access recertification
  • Integrate HR status changes with system provisioning
  • Deploy access monitoring dashboards for department heads
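The reconciliation and joiner/mover/leaver logic behind these steps can be sketched in a few dozen lines. The following is an added example, not tooling from the Crestline engagement or any product named on this page: it assumes a constructed HR roster, a constructed entitlement export, and a hypothetical `ROLE_MATRIX` stating which systems each department legitimately needs. `reconcile` produces the audit findings (terminated users with access, out-of-role access, accounts with no HR record), `recertification_packets` groups live entitlements by department for the quarterly attestation, and `provisioning_actions` turns an HR event into the grants and revokes an automated workflow would issue.

```python
"""Added example: reconcile HR status against system entitlements.

All data below is constructed; the role matrix is an assumption for
illustration and not a description of any real firm's role design.
"""
from dataclasses import dataclass

# Assumed role matrix: the baseline systems each department needs.
ROLE_MATRIX = {
    "finance": {"payroll", "compensation", "ledger"},
    "hr": {"payroll", "compensation", "hris"},
    "consulting": {"projects", "timesheets"},
    "it": {"projects", "timesheets", "admin-console"},
}


@dataclass(frozen=True)
class Person:
    user: str
    department: str
    status: str  # "active" or "terminated"


# Constructed HR roster (authoritative source for who is still employed).
HR_ROSTER = [
    Person("asmith", "finance", "active"),
    Person("bjones", "consulting", "active"),
    Person("cdoe", "hr", "terminated"),
    Person("dlee", "consulting", "terminated"),
    Person("efox", "it", "active"),
]

# Constructed entitlement export: user -> systems the account can reach.
ENTITLEMENTS = {
    "asmith": {"payroll", "compensation", "ledger"},
    "bjones": {"projects", "timesheets", "payroll"},  # payroll is out of role
    "cdoe": {"payroll", "hris"},                      # left, access never removed
    "dlee": {"projects"},                             # left, access never removed
    "efox": {"projects", "timesheets", "admin-console"},
    "ghost": {"ledger"},                              # no HR record at all
}


def reconcile(roster, entitlements, role_matrix):
    """Return audit findings by category, each a list of (user, system)."""
    by_user = {p.user: p for p in roster}
    findings = {"orphaned": [], "out_of_role": [], "unknown_account": []}
    for user, systems in entitlements.items():
        person = by_user.get(user)
        if person is None:
            # Account exists in a system but HR has never heard of it.
            findings["unknown_account"].extend((user, s) for s in sorted(systems))
            continue
        if person.status != "active":
            # Former employee: every remaining right is a finding.
            findings["orphaned"].extend((user, s) for s in sorted(systems))
            continue
        allowed = role_matrix.get(person.department, set())
        # Active employee holding rights outside their department's baseline.
        findings["out_of_role"].extend((user, s) for s in sorted(systems - allowed))
    return findings


def revocations(findings):
    """Every finding maps directly to one access right to revoke."""
    return sorted(pair for pairs in findings.values() for pair in pairs)


def recertification_packets(roster, entitlements):
    """Group active users' current rights by department for quarterly attestation."""
    packets = {}
    for p in roster:
        if p.status == "active":
            packets.setdefault(p.department, {})[p.user] = sorted(entitlements.get(p.user, ()))
    return packets


def provisioning_actions(event, entitlements, role_matrix):
    """Translate an HR hire/transfer/termination event into grant/revoke actions."""
    user = event["user"]
    have = entitlements.get(user, set())
    if event["type"] == "termination":
        target = set()  # leaver: nothing should remain
    else:
        target = role_matrix[event["department"]]  # joiner/mover: new baseline
    actions = [("revoke", user, s) for s in sorted(have - target)]
    actions += [("grant", user, s) for s in sorted(target - have)]
    return actions


if __name__ == "__main__":
    found = reconcile(HR_ROSTER, ENTITLEMENTS, ROLE_MATRIX)
    for category, pairs in found.items():
        print(category, pairs)
    print("revoke:", revocations(found))
    print(provisioning_actions({"type": "transfer", "user": "bjones", "department": "finance"},
                               ENTITLEMENTS, ROLE_MATRIX))
```

The important design choice is that the HR roster, not the access control system, is treated as the source of truth: an account that no longer corresponds to an active employee is a finding regardless of how it came to exist, which is exactly the class of inherited, never-recertified permissions the audit surfaced.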
