  • During our SOX testing, it came to my attention that the server access for a couple of our terminated employees was not taken away. Those employees left about 2 months ago, so I would say it is longer than a reasonable amount of time for IT to respond. Our process is that the business manager submits a request to terminate all access for terminated employees, and that request gets routed to different IT departments. For these couple of employees, most of the access was taken away, but some was still there at the time of testing.
    We never came across an exception like that in the past few years. It seems that some groups missed the termination request. I am in the process of gathering more information on it, but am I over-reacting? Does this issue have the potential of becoming a big issue?
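    The test described above can be run as a standing detective control rather than a once-a-year sample. As an added example (not from this thread), the script below reconciles a constructed HR termination feed against constructed per-system account exports and flags every account still enabled past a grace period, grouped by the IT team that missed the request; system names, employee ids and dates are all made up.

```python
"""Added example: reconcile HR terminations against account exports.
All data here is constructed for illustration only."""
from datetime import date, timedelta

# Constructed HR feed: employee id -> termination date
HR_TERMINATIONS = {
    "e1001": date(2024, 1, 15),
    "e1002": date(2024, 2, 1),
    "e1003": date(2024, 3, 20),
}

# Constructed account exports from each system the termination request is
# routed to. Each record: (system, employee id, account still enabled?)
ACCOUNT_EXPORTS = [
    ("vpn",        "e1001", False),
    ("fileserver", "e1001", True),
    ("erp",        "e1001", False),
    ("vpn",        "e1002", False),
    ("fileserver", "e1002", True),
    ("erp",        "e1002", True),
    ("vpn",        "e1003", True),   # inside the grace period, not an exception
    ("fileserver", "e2000", True),   # current employee, absent from HR feed
]

def find_exceptions(terminations, accounts, as_of, grace_days=5):
    """Return sorted (system, emp_id, days_since_termination) for every account
    still enabled more than grace_days after its owner's termination date."""
    grace = timedelta(days=grace_days)
    exceptions = []
    for system, emp_id, enabled in accounts:
        term_date = terminations.get(emp_id)
        if term_date is None or not enabled:
            continue                      # active employee or already removed
        if as_of - term_date > grace:
            exceptions.append((system, emp_id, (as_of - term_date).days))
    return sorted(exceptions)

def systems_with_gaps(exceptions):
    """Map each system to its count of stale accounts: shows which provisioning
    group dropped the termination request."""
    counts = {}
    for system, _, _ in exceptions:
        counts[system] = counts.get(system, 0) + 1
    return counts

if __name__ == "__main__":
    exc = find_exceptions(HR_TERMINATIONS, ACCOUNT_EXPORTS, as_of=date(2024, 3, 22))
    for system, emp_id, days in exc:
        print(f"{system}: {emp_id} still enabled {days} days after termination")
    print("groups that missed requests:", systems_with_gaps(exc))
```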

  • Two employees out of how many? Could they have remotely accessed the server? If not, did they have physical access?
    I wouldn’t get too excited, but would also ensure that the hole in your controls gets remediated.

  • KYMike,
    In the particular test where the exceptions were found, we were only using the population of Corporate Accounting staff, and there were only 2 terminations, so that was 100% of the population. In these instances, their remote access was taken away. In my mind, we were just lucky that the remote access team picked up the termination request.
    My concern is that there is a gap in the process that caused the access (some access, which could have been remote access) to remain.
    Thank you for the input.

  • I certainly think that you have an ITGC deficiency over system access. You should determine what, if any, procedures are in place to communicate employee terminations to the systems security team. Hopefully your payroll team is notified and can add systems security personnel to the communication of employee terminations.

  • Clearly this is not the ideal situation; however, the evaluation of the deficiency will depend on many factors, e.g.:

    • do they access the system via another system that is properly controlled?
    • can they access the system offsite? If not, is there an adequate control preventing leavers from gaining access to the building after they have left?
    • are appropriate controls in place to add someone to the system? So you know that when they were on it, it was valid.
    • what are the users accessing, how significant is the system to financial reporting?
    • what controls do you have over financial reporting that could detect material errors/frauds outside of the IT system?

    On the whole I would expect there to be sufficient other controls to indicate that for SOX this would be classed as no more than a deficiency, but it is an IT audit issue that needs to be raised with management.

