Generic 3rd party user account 2712

  • Hi auditors,
    I have a general IT audit (not SOX) question regarding shared account used by 3rd party vendors (providing ERP development and support).
    My ERP system has a user account ‘ABC123’ which is shared by employees of 3rd party vendor ‘ABC Ltd’ to provide support and data fix work. It’s not an admin account but have significant access privilege.
    Personally, I think the above shared a/c situation is not an issue because if anything happened with ‘ABC123’, I would be able to point responsibility to ‘ABC Ltd.’. From there on it should be beyond our company’s responsibility to find out who in ‘ABC Ltd.’ is the culprit, ie. I don’t care who in ABC Ltd. did malicious action, I only care that ABC is responsible.
    However, the auditor doesn’t quite agree. They insisted that each employee’s of ABC Ltd. who have access to account ‘ABC123’ should be given individual user account. If account is shared, they need evidence that there’s a logging process in ABC Ltd. to identify who uses ‘ABC123’.
    I can understand the auditor’s argument, but practically, if I provide individual account for each employee… that actually creates more risk, because I don’t have much visibility of ABC Ltd.'s employee movement. It’s more administrative work, and I don’t see much value in it.
    What do you guys think? I really need your opinion.
    Thanks in advance

  • I agree with you. The shared account allows you to determine that it was one of the employees of th third party software company. It is this company’s problem if they allow their employees to share the account and their problem which employee was active at which time.
    In case of problems you simply sue the software company for damages. Then the software company will internally have to find and sue their employee to comensate the software company for the damages that it had to pay.

Log in to reply