IT Controls Related to Ticketing Applications

If you work in the collegiate athletics industry, you know the importance of ticket revenue to the fiscal health of your program. This makes your choice of ticketing application a critical decision for your athletics department.

Most collegiate sporting events are ticketed events, requiring involvement from the ticket office and the use of a ticketing application. As fans buy tickets from far and wide, large amounts of transactional and consumer data run through that application. The right ticketing application will help you increase efficiency, strengthen internal controls and maximize revenues.

While there are a number of ticket solutions available, most have similar general IT controls to consider.

User administration process. The ticket office should have a formalized process for adding, removing and modifying users within the ticketing application. Utilizing groups and roles also helps with security and efficiency when adjusting user access. Additionally, the ticket office should ensure everyone understands and follows the process so employees don’t create work-arounds to circumvent it.

User access review. A formalized periodic review of user access within the application should be performed. The intent is to verify access is appropriately restricted to only authorized employees, and the review should be performed at least annually (if not more frequently). This process should include a review of current access to verify appropriate segregation of duties are in place. It’s important that this review is performed either by a non-administrator individual or as a dual review.

Password settings. The ticket office should verify that all application password requirements are in line with internally developed and/or university-wide documented policies and procedures. These policies should provide guidance on password requirements such as minimum length, password age, complexity requirements and password history.

Application administrator access. The ticket office should restrict ticketing application administrators to authorized employees, reducing the risk associated with a lack of segregation of duties due to their involvement in ticket office processes and procedures. When determining appropriate access, consider group rights by user and current manual controls to ensure appropriate segregation of duties.

Application security logging. Work with the ticketing application customer support team to explore security logging capabilities within the software. Then, determine activity that should be monitored (including frequency of review). This review should be formalized and be performed either by a non-administrator individual or as a dual review. Additionally, controls should ensure that administrators cannot modify reporting prior to review.

SOC 1 report review. The ticket office should request a System and Organization Controls (SOC 1) Report. This report includes control objective and supporting controls that are part of the service organization’s control environment.  This report should be reviewed annually. Management should also perform a documented review of the opinion, controls objectives and complementary user entity controls.

Ensuring your ticket office and ticketing application are operating efficiently, securely and profitably can be a daunting task. With your teams spread so thin these days, it’s tough to find time for the tasks that keep your athletics department going.

That’s where our Ticket Office Advisory services come into play. Sometimes you just need the advice of an industry expert, or you may want help with a particular aspect of ticketing. Regardless of which, we take a holistic approach to help you get the most from your ticketing operations.

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.