User Access Reviews - Help. Need quick answer 2726

  • Here is the issue. I am auditing a user access review for an application. This review looks at all the sensitive functions for a given application. There are several hundreds users within this system and approximately 20 reviewers.
    The control states that all sensitive access is properly reviewed and one of our test attributes is that the reviewers do not review their own access. Well, it looks like a handful of reviewers reviewed their own access and approved it. To me, that is an issue. Their argument is that they are the owners of the application\sensitive function and should be allowed to review their own access. I argue that although they are the owners, they should not be reviewing their own access. But that is not a compelling argument.
    So what is the real risk of somebody who owns an application review their own access?

  • When you have a question concerning a risk due to an ineffective control, you should describe the entire process and any other controls in the process. Without the full picture and how different steps and controls in the process interact it is difficult to answer your question.
    How does the process of granting user access rights work? The user who wants access rights has to write a request that is reviewed and approved by the access reviewers and later an access rights administrator creates the access based on the approved requests? If yes, then a reviewer could request inappropriate access and approve the access and the administrator would later create the access.
    However if the review happens after the access rights administrator has already created the access and if there are effective controls for approving the access before its creation, then I do not see much risk because the review is just a compensating control.
    What can somebody do when he can get any access he wants? If a user has access to create a supplier (including bank account details) and to create an invoice from that supplier, then the next automatic payment run will pay this invoice to this new bank account. In other words the person can fraudulently misappropriate the company’s assets (i.e. cash).

  • I think the management should define the User ID (Authorization) Maintenance.
    This would include the following:

    1. process of obtaining the UserIDs including the authorizations (access rights)
    2. segregation of duties (SOD) -
      Approvers - authorized approvers who validates authorization,
      Implementor - who is the application administrator(s)
      (normally this is the one who executes the request concerning the user id maintenance and authorization - create, modify and remove.
      Security Officer or a third party personnel - this person monitors all the transactions of authorized users. (I think this is the one lacking in their process)
      Recommendation might be necessary.

Log in to reply