Email Approvals



  • Are email approvals sufficient evidence of authorization? We have users that are on the road but need to approve access to financial applications that are in SOX scope. They would have to login via VPN, open the client app and then electronically approve as opposed to approving via a Blackberry.
    I’m leaning towards no, they’re not, since they can be easily edited (when saved as an attachment to an approval request). The other concern is - do I have to start archiving my mail server because emails are being used for approvals - audit issue.
    Thanks
    A



  • Hi Ajju - Yes, email is often used to capture approvals in the change management process and other functions. Some ideas below:
    – The design of procedures and workflows is equally important (for example, a special email account(s) could be created for the process that’s less likely to be manipulated or deleted than personal email accounts … It also keeps history concise and if employees change, you don’t have to readjust the accounts or map out prior history)
    – Usually email timestamp and the original messages are maintained on servers (and I know for our Lotus Notes system these cannot be manipulated unless you are an admin - esp. if a special email account is used for the process)
    – Archiving may be an issue when reviewing long term history, but these messages should still be present (it’ll just take a while to retrieve and store through the history)
    – You all may also want to explore a true change management system (but it will cost the company more than the homegrown email based system)
    While I would favor the more true change management system, I could also see a well designed email approach working with the proper workflow and controls. A lot depends on how active the business process is and how important materially the approvals are. I would ensure that the designs are electronic and as efficient as possible, as you don’t want to encumber the flow of sales or other financial data.



  • Thanks Harry. By using emails as an approval mechanism, we would have to keep a copy of the approval email.
    I believe we’d have to somehow capture all email approvals, at the mail server, and not simply attach the approval to a tracking ticket, for example, since this is where it can be altered. I’ll need to get a better understanding of how we manage email and the retention policies around them… I just started with this company 6 weeks ago.
    What about allowing Admin Assistants to approve access requests on behalf of the authorized approver? This has raised some stink since the AA now has the ability to approve unauthorized requests.
    Thanks
    A



  • Emails are often acceptable as a means of evidencing key controls for SOX, but they are not ideal. Emails are often mistakenly deleted, misplaced and/or renamed. While they can be a quick and easy go-to for many companies, we have found that relying on them as a key control is a nuisance. Instead, you may consider instituting electronic forms (w/ electronic signatures) rather than normal emails. This is the road that we have SLOWWWWWLY begun to take. Best of luck to you.



  • Are email approvals sufficient evidence of authorization? We have users that are on the road but need to approve access to financial applications that are in SOX scope. They would have to login via VPN, open the client app and then electronically approve as opposed to approving via a Blackberry.
    I’m leaning towards no, they’re not since they can be easily edited (when saved as an attachment to an approval request). The other concern is - do I have to start archiving my mail server bc emails are being used for approvals - audit issue.
    Thanks
    A
    E-mail approval is just part of access provisioning. Look at this workflow

    1. Ticket is raised for access request by user.
    2. Approver sends an email to helpdesk approving the request
    3. Helpdesk copies the e-mail approval to worklog
    4. The application admin looks at the approval and grants the access. Updates the worklog
    5. Helpdesk informs the user and approver that access has been granted. Closes the ticket.
    6. On a monthly basis the application admin pulls the reports of new users/existing users and gets them reviewed by the process/LOB owners.
    At any point of time multiple people are in the loop including application admin, application owner, user and helpdesk resource. You can further reduce the risk by limiting e-mail approvals to only when necessary, like as you mentioned when the approver cannot access the system to approve.
    We use e-mail approvals frequently (for many other things apart from access, as and where the need may be). The point is any system can be circumvented given time and sufficient interest. The idea is to reduce the chances of circumvention through preventive and detective controls.


  • As one more idea for Ajju …
    An internal web based application (Intranet) could even be used with automatic email notifications and with autonomy level controls (for the approval process). The system could capture events along with any special remarks and approval information. It would represent a homegrown version of popular change management or change control products in the marketplace. The feasibility of doing this would be based on how much material risk needed to be more tightly controlled.



  • What about allowing Admin Assistants to approve access requests on behalf of the authorized approver? This has raised some stink since the AA now has the ability to approve unauthorized requests.
    Thanks
    A
    I worked in a provisioning access area for 10 years. From an access perspective, we would never allow an Admin Assistant to authorize requests using the manager’s name. Just because they have access to the email account, does NOT mean that they are permitted to grant access to others.
    You should have Information Security standards that set requirements for approvals. If they aren’t at the level that is specified in those documents, then they should not be approving the requests. Even in cases where the email is sent by the manager’s email but shows ‘sent by Administrative Assistant’, they should, in my opinion, be rejected.
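One way a helpdesk could implement two of the controls discussed in this thread (the worklog copy step in the access-provisioning workflow above, and this reply’s rejection of mail that shows ‘sent by Administrative Assistant’), as an added Python example that is not from any poster; the addresses, ticket number and authorized-approver list are constructed for illustration:

```python
import hashlib
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample approval as it would arrive in the helpdesk mailbox
# (assumed names and addresses, not from the thread).
RAW_APPROVAL = """\
From: Jane Manager <jane.manager@example.com>
To: helpdesk@example.com
Subject: Approved: ticket 12345 - GL access for Bob
Date: Mon, 03 Mar 2008 09:15:00 -0500
Message-ID: <approval-12345@example.com>

I approve read access to the general ledger module for Bob.
"""

# Same message sent from the manager's mailbox by an assistant:
# mail clients record this as a Sender header that differs from From.
RAW_ON_BEHALF = RAW_APPROVAL.replace(
    "To: helpdesk@example.com",
    "Sender: Pat Assistant <pat.assistant@example.com>\nTo: helpdesk@example.com",
)

# Approvers permitted by the (assumed) Information Security standard.
AUTHORIZED_APPROVERS = {"jane.manager@example.com"}

def fingerprint(raw):
    """Hash the raw message as received; an edited copy will no longer match."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def validate_approval(raw, authorized=AUTHORIZED_APPROVERS):
    """Return (accepted, reason, fingerprint) for one approval e-mail."""
    msg = message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    sender_addr = parseaddr(str(msg.get("Sender", "")))[1].lower()
    if from_addr not in authorized:
        return False, "From address is not an authorized approver", None
    if sender_addr and sender_addr != from_addr:
        return False, "Sent on behalf of the approver by another mailbox", None
    return True, "ok", fingerprint(raw)

def worklog_copy_matches(original_fp, stored_copy):
    """Recheck the copy pasted into the worklog against the fingerprint recorded at receipt."""
    return fingerprint(stored_copy) == original_fp
```

Storing the fingerprint in the ticket at the moment of receipt, rather than only the pasted text, is what lets a reviewer later tell whether the worklog copy is the message the server actually delivered.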

