Each account owner may access security options from the “Account & Billing” page. From that page, they may click the “Security” tab to open the security options.
Every security option affects all users on the account, so it is a good idea to let all users know of any changes to these options.
Each change is saved automatically in real time. The security options affect users as follows:
Timeout
If the timeout option is checked, a user who is not active on Audit Assistant for the timeout period will be logged out, and any changes made in Audit Assistant after that will not be saved. To ensure work is not lost, a small prompt to log back in will appear. If a timed-out user logs in successfully, they may continue without any loss of work.
Automatically rollover completed jobs
Sometimes jobs are signed off but users forget to roll them over. Activating this option will roll over jobs 59 days after signoff if they have not already been manually rolled over. This will only work with clients that can be rolled over (i.e. not using one-off templates).
Two Factor Authentication
If the Two Factor Authentication option for the account is set, whenever Audit Assistant detects that a user has logged in from a different device, the user will be locked out of Audit Assistant and emailed a security code to unlock their account. Every login attempt will create and send a new security code to the user's email address, and the old code will become invalid.
NOTE: Even if this option is not activated, whenever a user's login name and password are used on a different computer than the one they normally log in on, they will be informed immediately by email. If they have not initiated this login, they may click a link that immediately cancels the password and generates a new one, thus defeating the forced entry. Or they may simply ignore the email.
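The code rotation described above (a new code on every login attempt from an unrecognised device, with the previous code becoming invalid) can be modelled as follows. This is an added example, not Audit Assistant's own code; the class and method names, the 6-digit code format, storing only a hash of the code, and treating a code as single use are all assumptions.

```python
import hashlib
import hmac
import secrets


class DeviceUnlock:
    """Illustrative model only; names and storage choices are assumptions."""

    def __init__(self):
        self.known_devices = {}  # user -> set of trusted device ids
        self.pending = {}        # user -> (SHA-256 of current code, device id)
        self.outbox = []         # constructed stand-in for the emails sent

    def trust(self, user, device_id):
        self.known_devices.setdefault(user, set()).add(device_id)

    def login(self, user, device_id):
        """Call after the password check. Returns 'ok' or 'locked'."""
        if device_id in self.known_devices.get(user, set()):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit format
        # Overwriting the entry invalidates any code issued earlier.
        self.pending[user] = (hashlib.sha256(code.encode()).digest(), device_id)
        self.outbox.append((user, code))
        return "locked"

    def unlock(self, user, code):
        """True only for the most recently issued code, and only once."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, device_id = entry
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, supplied):  # constant-time compare
            return False
        del self.pending[user]  # assumption: a code is single use
        self.trust(user, device_id)
        return True
```

A production version would also expire codes after a short time and limit the number of wrong guesses per user.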
Login warning emails
This raises a warning email whenever a login attempt on a new device is detected. If the login is being made by the user, say from a second device, they can simply ignore the email. It is intended to alert the user to possible unauthorised access if their login details have been obtained by another person.
Google reCAPTCHA
A reCAPTCHA is a type of automated test that is used to tell machines and humans apart. If this option is checked, a simple checkbox to verify the user is human will appear on the login page for the account. If the captcha suspects that the user is a robot, it will ask for further tests such as identifying images.
Audit Assistant uses Google’s captcha system, which is designed to be simple for humans and does a wide variety of checks in the background to detect machines. Most automated systems attempting to log in will be stopped by it. To do these background checks, Google may use old cookies stored on the machine (only cookies Google made themselves), information about the current browser, the number of clicks made on the login page, etc. Google WILL NOT have access to any Audit Assistant account, user and client data.
Strong Passwords
The first security option is to require all users on the account to have strong passwords. When this option is set, new password changes on the account will be rejected unless the password is considered strong by our algorithm.
Old passwords will NOT be affected by this. If the account owner wants everyone on the account to start using strong passwords, they may generate new random passwords for each user using the “Generate new password...” checkbox when editing users. Information on this can be found here.
There are no specific rules outlining what a password needs (e.g. capital/lowercase letter, number, certain length, etc.), so it can be difficult to know if a password will be considered strong. To indicate whether or not Audit Assistant will accept a password change, there is a bar displaying the password strength. When the strong password option is active, password changes will not be saved unless the bar indicates that the password is strong.
Only see assigned jobs
When enabled, users (other than the account owner) can only see jobs they have been assigned to. This leaves the responsibility of assigning people to jobs to the person that created the job.
Strict review mode
When enabled, users will not be able to review pages they have concluded themselves, so another partner, manager or external peer-reviewer will need to review each workpaper.
Complete review mode
When enabled, every page (workpaper, table, datasource, document and attachments) in a job is required to be reviewed before the job can be signed off. All of these pages can be seen on the client index page as well as on the "pending review" page found in the sidebar.