User Access Review 1878

  • When writing up controls around reviews of user access to applications/systems that are relevant for the 404 assessment, would it be appropriate to have these reviews conducted quarterly with the test of the control occurring semi-annually? Or is it acceptable to perform entity wide user access reviews twice a year with the test of the control/review occurring annually?
    I think the issue that might arise by having the reviews only twice a year is that an unauthorized person could then potentially have access to a system for up to 6 months.
    Another question: When assigning operating frequency to a system control (i.e., the system is configured to reject duplicate PO’s) should the frequency be annually or should the frequency be based on the number of PO’s that are subject to this control? I tend to think annually, but have gotten some push back from process owners who believe the frequency should be based on the transactions involved. In the end, it really doesn’t matter as the test of the control will be annually, but I’d like some feedback to help support my methodology.

  • I would suggest basing user reviews on staff turnover. If you have frequent turnover in various positions, whether internal transfers or people coming and going, you should test more frequently. However, if you have a pretty stable workforce with minimal turnover, you could probably test 1-2 times per year.
    As for system controls, you should only have to test them once per year IF you have good change controls in place to ensure that changes are not made to the application software without testing and documentation. The volume of transactions should not matter in this situation.

  • If your review frequency is low you can add a system control which disables an inactive account after say 45 days. Approval is required to open the account again. This reduces the risk from unauthorized access from an open account when the user has left the organization in between the reviews. This can be made more granular based on what privileges an account has.
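The inactivity control described in the post above, as an added illustration that is not part of the original thread: enabled accounts whose last login is older than a threshold are disabled automatically, re-enabling requires a recorded approval reference, and privileged accounts get a shorter window. The 45-day figure is the post's; the 30-day admin window, the record layout and the sample accounts are assumptions constructed for the example.

```python
from datetime import date

# Inactivity thresholds in days, keyed by privilege level.
# 45 days is the figure suggested in the post; the tighter 30-day window
# for privileged accounts is an assumption for illustration.
INACTIVITY_DAYS = {"standard": 45, "admin": 30}


def sample_accounts():
    """Constructed sample records: user, privilege level, last login, state."""
    return [
        {"user": "alice", "privilege": "standard", "last_login": date(2024, 6, 1), "enabled": True},
        {"user": "bob", "privilege": "standard", "last_login": date(2024, 4, 1), "enabled": True},
        {"user": "carol", "privilege": "admin", "last_login": date(2024, 5, 20), "enabled": True},
        {"user": "dave", "privilege": "admin", "last_login": date(2024, 6, 10), "enabled": True},
        {"user": "erin", "privilege": "standard", "last_login": None, "enabled": True},  # never logged in
        {"user": "frank", "privilege": "standard", "last_login": date(2024, 1, 1), "enabled": False},
    ]


def find_stale_accounts(accounts, today, thresholds=INACTIVITY_DAYS):
    """Return enabled accounts whose last login exceeds their privilege threshold.
    An account with no recorded login at all is treated as stale."""
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        limit = thresholds.get(acct["privilege"], thresholds["standard"])
        last = acct["last_login"]
        if last is None or (today - last).days > limit:
            stale.append(acct["user"])
    return stale


def disable_stale_accounts(accounts, today):
    """Disable every stale account in place and return the affected user names."""
    stale = set(find_stale_accounts(accounts, today))
    for acct in accounts:
        if acct["user"] in stale:
            acct["enabled"] = False
            acct["disabled_reason"] = "inactivity"
    return sorted(stale)


def reenable_account(accounts, user, approval_ref):
    """Re-enable an account only when an approval reference is supplied
    (the post's 'approval is required to open the account again')."""
    if not approval_ref:
        raise ValueError("re-enabling requires an approval reference")
    for acct in accounts:
        if acct["user"] == user:
            acct["enabled"] = True
            acct["reenabled_by"] = approval_ref  # keeps the approval on record for the review
            return True
    return False
```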

  • As I used to work in Information Security for many years, you might ask for their help as well. Using tools like MSBA, KSA, or Bindview, they may be able to run reports for your area and assist in the process.
    The COBIT 4.0 standards (you can search forums here or the Internet) share many of the SOX 404 checklist items that many external auditors look for. This might be helpful, and certainly any dialog with audit (internal or external) might help in planning for the frequency of both reviews and testing.
    Calvin shares some excellent comments on the need to automate where possible, even if it’s a little more cumbersome for folks who go out on short term disability, etc. Hopefully as folks are terminated from employment, the security team disables all email, network, and application access, everything. That best practice should allow you to pass the test every time 🙂
