HR database 2813
i got a query
lastely; during our control requirement in compliance matter; we had been asked by our regional compliance officer to give him access to our *human ressources databases, including all confidential and critical datas.
this has issued a huge argue. when we had asked him relating which control requirement he’s asking to have access while we have a local compliance officer within our Cie which can do thit control, hi said that it is his duty to do it, he said that the control is relating to the master data control.
my understanding is that the master data control is digging deep inside the customer and supplier db and not the HR.
and additional to that; the local officer can do this control and in case of gap finnding it make sense to ask to have access to the concened files.
i have to add that the regional officer is located in another unit which have some interest to go inside our org
thanks in advance
harrywaldron last edited by
Hi - From a SOX perspective, IT requirements are primarily related to Financial systems (e.g., Treasury, Accounting, Sales, etc). While payrolls certainly have an indirect or minor impacts related to corporate finances. In the companies I’ve helped with on SOX related projects, they were not examined in detail during SOX audits.
Certainly, commissioned based sales could factor in and be manipulated as a potential financial exposure. However, special accounting system entries usually occur for these. Finally, there are privacy dangers in opening up payroll/personnel information outside of the control of the system owners.
– Have compliancy officer document exactly why they need access to this information from a Sarbanes-Oxley perspective (which is an unusual request)
– Look for ways that the HR department can provide information back to the compliancy officer if they need to search payments to specific individuals – without having to share any sensitive information found in the data base. They could request payment info for specific employees and only get back that data for example.
– Allow the system owner only (HR) to approve any permissions to grant access if it is truly needed (so they are fully informed and can take any precautions).
first of all, thanks for reply, i really need a feedback on that matter
for your answer, i was realy suprised when i hear this requirement from the person to get access to our confidential data. and he’s asking for that by mail, so the evidence is here. now i digg deep into the control requirement and i just notify on the master data control slide, there is notification about the HR database, but the control ask more about the Customer and supplier data.
i have suggest that the control could be done by our entity and in case of any abnormal variations is shown in the result, it could make sens to ask about more detail and in my opinion it won’t be just the compliance dept which will seek to understand such variation aren5t you ?
but this people has asked to get a copy of the whole HR Batabases uncluded the salaries detail for every one, and this, in my sens don’t have any adding value to the sox matter
aren’t you agree with that ??
Thanks in advance
gmerkl last edited by
What is your position in the company? Could you provide more details about the background of this request?
In principle there should be a process for granting access rights to information systems. Requests for access rights should clearly specfiy why a person needs access to this data and an appropriate person should approve this request.
Some HR data is personal and may be protected by local data privacy protection laws.
In my opinion, the requester should specify in detail for what tasks and controls they need the access and why nobody else could perform those tasks and controls instead of him or her.
kymike last edited by
To bring this back to SOX relevance, your company should have policies in place as far as access to systems and data. Is the request within the policy or would granting access be an exception? Is there a policy in place for approving exceptions to the general policy? SOX would be concerned about whether or not policies are being followed in granting access.
I agree with the comments on protecting sensitive data. If access is absolutely needed, then it should be read-only access so that data cannot be changed. Here, SOX would be concerned about segregation of duty conflicts if read/write access was granted to someone who had conflicting read/write access in other areas.
you are right
and this guy ahs been stopped by our headquarther
noramly we have with him one service agreement and he’s supporting us on compliance implementation but in the same time; he’
s from another unit of our multinational , regional one and which attempt to get as under them
as you said, the right access is enough protected and sensitive to be asked as this