Access Control Terminated emp/vendor/contractors



  • A SOX audit finding indicated we had user accounts of a few terminated employees/contractors/vendors still enabled.
    Our termination process requires business managers to notify Corporate Human Resources and the Corporate IT System Admin of terminations; this notification is either not done in a timely manner or never done.
    Additional note: we have regional offices with HR and IT management that are responsible for notifying Corporate IT of terminations and account removal.
    How does your company handle terminations of employees/contractors/vendors? What are the roles and responsibilities? And for regional IT systems etc.?
    Are you aware of documented policy/procedure standards to follow?
    Thanks in advance. Jonathan




  • It sounds like your user termination process – as defined by your business managers contacting HR – isn’t working. Perhaps HR should play a larger role in this process by being the liaison to IT. I’m sure the business manager’s notification to HR happens as soon as the employee leaves - they don’t want them receiving any more paychecks. As soon as HR gets that information they might want to consider compiling a weekly terminations list for IT so that all users can be removed from key financial systems. Of course, in the spirit of SOX, it’s probably a good idea to review this document and sign off on it as evidence of your review and action.
    Some things I’ve seen in other organizations that work well for their environment have to do with user certifications. Quarterly, IT can produce a list of users in all key financial systems and send them out to the business units. They would then have the responsibility of validating that each and every user should still 1) have access to the system and 2) have the appropriate level of access. Once this list is reviewed and signed off, it can be returned to IT, who will perform the necessary housecleaning.
    Hope this helps.



  • To answer how this is done in my company:
    All the information between line managers, HR, payroll and IT is automatic.
    When an end date is entered into the personnel database, the rest are electronically notified accordingly.
    Regarding contractors/vendors, it is not possible to remove them in our system. They are only inactivated (search criteria changed to inactive, and marked as inactive in the name), but the procedure is almost the same.



  • This is fairly common and the onus for this has to rest, primarily, with HR. Companies should have a policy that indicates the steps to be taken by line management and HR on termination, including notification of IT.
    There are a couple of things that IT can do to help though.

    1. Inactive profiles should be identified, disabled and investigated.
    2. On a semi-regular basis you could confirm with line management whether user profiles are still valid - and indeed whether individuals' access rights are still appropriate.
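The two controls the replies above describe (reconciling HR's termination information against the account base, and finding inactive profiles for the periodic review with line management) can be scripted so the weekly or quarterly list is produced mechanically rather than by memory. The following is an added example, not code from this thread or from any poster's organization. The CSV column names, the 90-day idle threshold and every row of data are constructed assumptions; the two parsers are what you would adapt to whatever your HR system and directory or financial application actually export.

```python
"""Reconcile an HR roster export against an account export.

Added example, not code from the original thread. The CSV layouts, column
names, the idle threshold and all rows below are constructed for
illustration; adapt the two parsers to your real HR and directory exports.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed HR roster: end_date is blank for people still employed/engaged.
# Contractors and vendors appear here with an end date just like employees.
HR_ROSTER_CSV = """person_id,name,person_type,end_date
1001,Alice Example,employee,2024-05-31
1002,Bob Vendor,vendor,2024-06-14
1003,Carol Contract,contractor,2024-07-31
1004,Dan Smith,employee,
1005,Erin Old,employee,
"""

# Constructed account export (directory or financial application).
# person_id is blank for accounts with no recorded owner; last_logon is
# blank for accounts that have never signed in.
ACCOUNT_EXPORT_CSV = """username,person_id,enabled,last_logon
aexample,1001,true,2024-05-30
bvendor,1002,false,2024-06-10
ccontract,1003,true,2024-06-20
dsmith,1004,true,2024-06-18
eold,1005,true,2023-12-01
svc_report,,true,
xghost,9999,true,2024-06-01
"""

AS_OF = date(2024, 6, 20)           # date the review is run (assumption)
DORMANT_AFTER = timedelta(days=90)  # idle threshold for "inactive" (assumption)


def _parse_date(text):
    text = (text or "").strip()
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def parse_roster(csv_text):
    """Map person_id -> record (name, type, end_date or None if still active)."""
    roster = {}
    for r in csv.DictReader(io.StringIO(csv_text)):
        roster[r["person_id"]] = {
            "name": r["name"],
            "person_type": r["person_type"],
            "end_date": _parse_date(r["end_date"]),
        }
    return roster


def parse_accounts(csv_text):
    accounts = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        accounts.append({
            "username": r["username"],
            "person_id": r["person_id"].strip() or None,
            "enabled": r["enabled"].strip().lower() == "true",
            "last_logon": _parse_date(r["last_logon"]),
        })
    return accounts


def terminated_but_enabled(accounts, roster, as_of=AS_OF):
    """The audit finding: the owner's end date has passed but the account is still enabled.
    A future end date (e.g. a contractor whose engagement ends next month) is not flagged."""
    hits = []
    for a in accounts:
        person = roster.get(a["person_id"])
        if a["enabled"] and person and person["end_date"] and person["end_date"] <= as_of:
            hits.append(a["username"])
    return sorted(hits)


def orphaned(accounts, roster):
    """Enabled accounts with no owner in HR: no manager's notice can ever cover them."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["person_id"] not in roster)


def dormant(accounts, as_of=AS_OF, idle=DORMANT_AFTER):
    """Enabled accounts never used, or unused for longer than the idle threshold."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"]
                  and (a["last_logon"] is None or as_of - a["last_logon"] > idle))


def access_review(accounts_csv=ACCOUNT_EXPORT_CSV, roster_csv=HR_ROSTER_CSV, as_of=AS_OF):
    """Produce the three lists IT would act on and attach to the sign-off record."""
    accounts, roster = parse_accounts(accounts_csv), parse_roster(roster_csv)
    return {
        "terminated_but_enabled": terminated_but_enabled(accounts, roster, as_of),
        "orphaned": orphaned(accounts, roster),
        "dormant": dormant(accounts, as_of),
    }


if __name__ == "__main__":
    for finding, users in access_review().items():
        print(f"{finding}: {', '.join(users) or '(none)'}")
```

Each list maps to a different failure in the process described in the thread: `terminated_but_enabled` is the audit finding itself (a notification that never reached IT), `orphaned` catches accounts that cannot be covered by any termination notice because HR does not know who owns them, and `dormant` is the "inactive profiles" check from the last reply. Running it against the same exports on a fixed schedule, and keeping the output with the reviewer's sign-off, gives the evidence trail a SOX reviewer will ask for.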
