User Access Rights 732



  • As part of controlling user system access, our company has built a matrix that states which accesses a user can have without causing a segregation of duties issue - for example, a user who can change the vendor master file cannot have access to enter invoices. My question is - as we are building this matrix, we have come across several different accesses that when paired with another access do NOT cause a segregation of duties issue, but in the current environment were not needed for any business purpose. We are trying to decide whether to ‘allow’ such accesses because there is no SOD issue, or to disallow any access for which we cannot determine a reasonable business purpose for the user to have such access.
    Is there any guidance on whether having access that is not ‘needed’ for a job function is a bad internal control, even if there is NO risk that the user could perpetrate any unauthorized transactions?



  • Is there any guidance on whether having access that is not ‘needed’ for a job function is a bad internal control, even if there is NO risk that the user could perpetrate any unauthorized transactions?
    Yes, there is the concept of ‘least privilege’ where you only provide the access required to perform the job function. No more and no less.
    If you provide access to resources that are not required to get the job done, then it is an issue because it is human nature to go exploring to see what data is out there. Employees think it must be ok because they have access.



  • It is important to meet the standards. It is also important to have a good reason for everything you do.
    The external auditors will ensure that the principles of separation of duties, least privilege, and user provisioning are applied to all users of any systems owned/used by the organization that are considered to be in the scope of the audit.
    One of the most important security principles is the ‘least privilege’ principle. Every user must have the absolutely necessary access to do his job, no more, no less. This principle should be enforced at the operating system level, the network (component) level, the database level, and the application level.
    It is the Sarbanes-Oxley IT auditor’s job to check that individual IT permissions and roles are organized in such a way as to not make the company vulnerable to fraud.
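The two checks discussed in this thread, the segregation-of-duties matrix from the original question and the least-privilege test from the replies, can be run together over a user entitlement extract. The following Python is an added example written for this page, not code from any poster or from a particular ERP or audit tool; the conflict pairs, role-to-access mapping, user names and entitlements are all constructed samples. It separates the two findings so a reviewer can see that an access can be clean under the SoD matrix and still fail least privilege because no role justifies it, and it also validates that the "allowed" matrix itself does not embed an SoD conflict.

```python
"""Added example (not from the thread): review user entitlements against
(a) an SoD conflict matrix and (b) a least-privilege rule that every granted
access must be justified by the user's role. All names below are constructed."""

# Constructed SoD conflict matrix: no single user may hold both accesses in a pair.
SOD_CONFLICTS = {
    frozenset({"maintain_vendor_master", "enter_invoices"}),
    frozenset({"enter_invoices", "approve_payments"}),
    frozenset({"create_purchase_order", "receive_goods"}),
}

# Constructed role-to-justified-access mapping: the documented business purpose
# for each access. Anything outside a user's role entry has no justification.
ROLE_JUSTIFIED_ACCESS = {
    "ap_clerk": {"enter_invoices", "view_vendor_master"},
    "vendor_admin": {"maintain_vendor_master", "view_vendor_master"},
    "buyer": {"create_purchase_order", "view_vendor_master"},
}


def find_sod_violations(accesses):
    """Return the conflict pairs from SOD_CONFLICTS that are fully held by this user."""
    held = set(accesses)
    return {pair for pair in SOD_CONFLICTS if pair <= held}


def find_unjustified_access(role, accesses):
    """Return accesses not justified by the role (least-privilege finding).
    This flags excess access even when it creates no SoD conflict."""
    return set(accesses) - ROLE_JUSTIFIED_ACCESS.get(role, set())


def validate_role_matrix():
    """Return {role: [conflict pairs]} for any role whose own justified access
    set already contains an SoD conflict; an empty dict means the matrix is sound."""
    problems = {}
    for role, accesses in ROLE_JUSTIFIED_ACCESS.items():
        hits = find_sod_violations(accesses)
        if hits:
            problems[role] = sorted(sorted(p) for p in hits)
    return problems


def review_user(user, role, accesses):
    """Produce a deterministic finding record for one user."""
    return {
        "user": user,
        "role": role,
        "sod_violations": sorted(sorted(p) for p in find_sod_violations(accesses)),
        "unjustified": sorted(find_unjustified_access(role, accesses)),
    }


def review_all(users):
    """users: iterable of (user, role, [accesses]) tuples, e.g. from an ERP user report."""
    return [review_user(u, r, a) for u, r, a in users]


# Constructed entitlement extract: one SoD violation, one least-privilege-only
# finding, and one clean user.
SAMPLE_USERS = [
    ("alice", "ap_clerk", ["enter_invoices", "view_vendor_master", "maintain_vendor_master"]),
    ("bob", "buyer", ["create_purchase_order", "view_vendor_master", "run_payroll_reports"]),
    ("carol", "vendor_admin", ["maintain_vendor_master", "view_vendor_master"]),
]

if __name__ == "__main__":
    print("matrix problems:", validate_role_matrix())
    for finding in review_all(SAMPLE_USERS):
        print(finding)
```

In practice the role mapping is the artifact that answers the question in this thread: an access that appears in no role's justified set is the "no business purpose" case, and the least-privilege finding records it separately from the SoD result so it can be removed on its own schedule rather than being waved through because the conflict matrix is silent.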

