Review of user access to network and financial apps.



  • How often would you recommend a company review the access rights for all the users? Quarterly, monthly, annually?
    Is this allowed: when doing the access review, should a company do a full access review once a year and just review the users with changed rights in the other 3 quarters, or should they do a full review every quarter?
    Thanks in advance…



  • "Is it allowed?"
    Your organization has to decide that. The approach sounds pretty logical, it is more of a roll-forward test that we do.
    Carry out a complete review in Q1 and then, in subsequent quarters, review the changes to application access (include the SOD for Dev and Prd as well).
    Your auditors will certainly be ok with this…



  • I would suggest a quarterly review would be good practice.
    Generally it shouldn’t be too big an ask for an application owner to confirm that a list of people validly has access to the system.



  • Quarterly is reasonable although it depends on the number of systems you have, etc. We do half yearly because of that reason.
    I also feel that it is more important to ensure you have strong controls over starters and leavers. Then your reviews should only be identifying those in post who have changed responsibility but were originally entitled to have access and who are still bound by code of conduct, etc.
    That is why, when we have come across poor management of such reviews (it happens), we have not lost sleep from a SOX point of view because of the overall control environment.



  • I also agree with quarterly reviews, depending on resources and time constraints. I also like WL’s focus on new employees, terminations, and access changes (e.g., promotions, office changes, backup roles, etc.). As suggested, you may want to perform an application risk assessment ranking. This would identify your most important financial applications for quarterly reviews (and maybe some of the indirect or less important systems could be reviewed annually if needed).



  • I like the idea of an annual full assessment of:
    - access rights from an SOD perspective
    - access rights from a perspective of who has access
    Quarterly reviews of access for staff who have changed positions should be adequate.
    Not to hijack the thread, but what tools are you using to assess SOD from an access perspective? Those that we have looked at are quite expensive and it is hard to justify the purchase price. The right tools, however, will not only tell you where potential SOD issues lie, but will also proactively warn you should you try and grant access to different portions of the same ERP system which would create potential SOD issues. With such a system, you could benchmark the tool and then manage via change control (security settings) without having to do the quarterly reviews.



  • For SAP we can look at Approva and Virsa, but only if the number of users is sizable; otherwise these are not cost effective.
    I guess even these tools, even if pre-configured with a bunch of SOD rules, need to be re-configured for the SOD rules specific to an organization.
    A tool by itself cannot help us in ensuring SOD.
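The roll-forward review described earlier in the thread (full certification in Q1, then only the users whose entitlements changed in later quarters) and the SOD checks discussed in the last two posts can both be reduced to a diff over access snapshots plus a conflict rule set. The following is an added example written for this thread, not code from any poster or from the SAP tools named above; the users, role names and SOD rules are constructed sample data, and the "warn before grant" check mirrors the behaviour one poster wanted from a tool rather than any specific product's API.

```python
"""Roll-forward access review with SOD conflict detection (constructed example)."""

# Constructed snapshot from the Q1 full review: user -> set of application roles.
BASELINE = {
    "alice": {"AP_INVOICE_ENTRY"},
    "bob": {"AP_PAYMENT_APPROVE"},
    "carol": {"GL_JOURNAL_POST", "FIN_REPORT_VIEW"},
    "dave": {"DEV_TRANSPORT_CREATE"},
}

# Constructed snapshot pulled at the end of Q2.
CURRENT = {
    "alice": {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"},      # gained a second role
    "carol": {"GL_JOURNAL_POST", "FIN_REPORT_VIEW"},          # unchanged
    "dave": {"DEV_TRANSPORT_CREATE", "PRD_TRANSPORT_IMPORT"},  # now has Dev and Prd
    "erin": {"FIN_REPORT_VIEW"},                              # starter since Q1
}   # "bob" is absent: a leaver since Q1

# Hypothetical SOD rule set: (role_a, role_b, description). Real rule sets are
# organisation-specific, as the last post notes, so this is illustrative only.
SOD_RULES = [
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE", "Enter invoice and approve payment"),
    ("DEV_TRANSPORT_CREATE", "PRD_TRANSPORT_IMPORT", "Develop and move code to production"),
]


def diff_access(baseline, current):
    """Roll-forward scope: only users whose entitlements differ from the baseline.

    Returns {user: {"status": new|left|changed, "added": [...], "removed": [...]}}.
    """
    changes = {}
    for user in sorted(set(baseline) | set(current)):
        before = baseline.get(user, set())
        after = current.get(user, set())
        if before == after:
            continue  # still covered by the Q1 certification
        status = "new" if not before else "left" if not after else "changed"
        changes[user] = {
            "status": status,
            "added": sorted(after - before),
            "removed": sorted(before - after),
        }
    return changes


def sod_conflicts(access, rules):
    """Return [(user, description)] for every user holding both roles of a rule."""
    findings = []
    for user, roles in sorted(access.items()):
        for role_a, role_b, description in rules:
            if role_a in roles and role_b in roles:
                findings.append((user, description))
    return findings


def would_conflict(existing_roles, new_role, rules):
    """Pre-grant check: descriptions of SOD rules a proposed grant would violate."""
    proposed = set(existing_roles) | {new_role}
    return [d for a, b, d in rules if a in proposed and b in proposed and new_role in (a, b)]


def quarterly_review(baseline, current, rules):
    """One quarter of the roll-forward review.

    Re-certification is limited to changed users; the SOD check still runs over the
    whole current population because a conflict can arise from an accumulation of
    individually approved grants.
    """
    return {
        "to_recertify": diff_access(baseline, current),
        "sod_conflicts": sod_conflicts(current, rules),
    }


if __name__ == "__main__":
    result = quarterly_review(BASELINE, CURRENT, SOD_RULES)
    for user, change in result["to_recertify"].items():
        print(f"recertify {user:6} {change['status']:8} +{change['added']} -{change['removed']}")
    for user, description in result["sod_conflicts"]:
        print(f"SOD conflict: {user}: {description}")
    print("pre-grant check:", would_conflict({"AP_INVOICE_ENTRY"}, "AP_PAYMENT_APPROVE", SOD_RULES))
```

The split between the two functions reflects the thread's two concerns: `diff_access` keeps the quarterly certification workload down to starters, leavers and movers, while `sod_conflicts` and `would_conflict` are the part a tool would normally provide, and they are only as good as the organisation-specific rule set fed to them.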

