If you haven’t noticed yet, you likely will soon: A lot of recent auditor scrutiny has centered on access management. External auditors appear to be taking a much stricter position when auditing access controls. They’re offering little leeway for process errors and are declaring a deficiency for even a single finding.
Are we seeing the ushering in of an era of “zero tolerance” for any finding related to the provisioning and deprovisioning of account access to software applications? Whether we are or not, many of the tasks involved in provisioning and deprovisioning are prone to error, and companies (especially IT departments) need to be extra vigilant that good processes are in place and are followed.
When we work with companies on internal audits in preparation for auditor scrutiny, or help them prepare for SOX compliance, we come across some common slip-ups, as well as areas of concern that would catch auditors’ attention given their current top areas of focus. These include:
- Acting promptly after a termination: Timely removal of former employees’ account access from the network and applications has become a major focus for auditors. Selecting large samples (sometimes 100%) means the opportunity for auditors to find an oversight is high. Whether the finding rises to the level of a deficiency (or worse) depends on the risk associated with the access (how long the inappropriate access was in place, what data the account had access to, and whether that access was actually used).
- Keeping track of contractors: Who is responsible for tracking the comings and goings of contractors (HR or IT)? Without a centralized way to report and process the end of a contractor relationship, multiple contractors might retain account access to applications and data long after their access should have been disabled or removed.
- “Sign in as” is used too liberally: Can one user (other than the application administrator) log in using someone else’s user account?
- Single sign-on: Single sign-on means that access to applications is controlled centrally through the network login (Active Directory or a similar directory service). But even when IT removes a user’s access from Active Directory (the network access), the user’s account may remain active within the application itself. Although the risk that such an account could be used by an insider is very small, auditors can still identify this as a deficiency.
- Inadvertently providing access to the wrong person: This issue sometimes arises when two people have the same name or when a company doesn’t have a strong policy around naming conventions when creating accounts on the network.
- Inadvertently creating a segregation-of-duties conflict: These conflicts may open up when adding new access permissions to an existing account, especially if an application has multiple customized roles (with special functionality) rather than using the standard roles.
- Inadvertently providing access that is not appropriate for the job: When managers hastily ask IT to provide their new employee with the same access as someone else on the team, they may not realize the full extent of access that existing employee has. IT should be cautious of these requests, and check that the manager has thought each one through.
- Giving developers too much rein: Auditors may raise a concern if they notice developers have administrator access in the production environment without mitigating controls.
- Application password policy: By design and of necessity, application administrators have the ability to sign into applications directly, bypassing the single sign-on process. Thus, IT needs to ensure that each application’s password policy enforces periodic changes of administrator passwords.
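An added example, not from the RoseRyan post, of the kind of self-check IT can run against the items above: it reconciles a constructed HR roster, directory (SSO) status and application account export, and flags terminated users whose application account is still live, logins with no HR owner (the untracked-contractor problem), AD-disabled users whose application login still works, and segregation-of-duties role pairs on one account. The login ids, role names and conflicting role pairs are hypothetical.

```python
"""Reconcile HR, directory and application data to surface the access-management
findings discussed above.  All data here is constructed for illustration."""
from datetime import date

# Constructed HR roster keyed by login id (status and termination date).
HR = {
    "jsmith": {"status": "terminated", "term_date": date(2024, 3, 1)},
    "mlee": {"status": "active", "term_date": None},
    "pkumar": {"status": "active", "term_date": None},
}
# Constructed directory (SSO) account state; ctr0042 is a contractor HR never tracked.
AD = {"jsmith": "disabled", "mlee": "enabled", "pkumar": "enabled", "ctr0042": "enabled"}
# Constructed application account export: one row per user per application.
APP_ACCOUNTS = [
    {"user": "jsmith", "app": "ERP", "enabled": True, "roles": {"AP_CLERK"}, "last_login": date(2024, 3, 9)},
    {"user": "ctr0042", "app": "ERP", "enabled": True, "roles": {"VENDOR_MAINT"}, "last_login": None},
    {"user": "mlee", "app": "ERP", "enabled": True, "roles": {"AP_CLERK", "VENDOR_MAINT"}, "last_login": date(2024, 4, 2)},
    {"user": "pkumar", "app": "ERP", "enabled": True, "roles": {"REPORT_VIEWER"}, "last_login": date(2024, 4, 1)},
]
# Hypothetical role pairs that must never sit on a single account.
SOD_CONFLICTS = [frozenset({"AP_CLERK", "VENDOR_MAINT"}), frozenset({"DEVELOPER", "PROD_ADMIN"})]
REVIEW_DATE = date(2024, 4, 15)  # date the review is run (constructed)

def review_access(hr, ad, accounts, sod_pairs, today):
    """Return (user, app, finding_code, detail) tuples for every control gap found."""
    findings = []
    for acct in accounts:
        user, app = acct["user"], acct["app"]
        person = hr.get(user)
        if person is None:
            # Nobody in HR owns this login: typical of an untracked contractor.
            findings.append((user, app, "NO_HR_RECORD", "owner not in HR roster"))
        elif person["status"] == "terminated" and acct["enabled"]:
            # Severity rises with time since termination and with post-termination use.
            days_open = (today - person["term_date"]).days
            used_after = acct["last_login"] is not None and acct["last_login"] > person["term_date"]
            detail = f"active {days_open} days after termination; used after termination={used_after}"
            findings.append((user, app, "TERMINATED_STILL_ACTIVE", detail))
        if ad.get(user) == "disabled" and acct["enabled"]:
            # Removing the SSO login alone does not disable the application-side account.
            findings.append((user, app, "AD_DISABLED_APP_ACTIVE", "application login still enabled"))
        for pair in sod_pairs:
            if pair <= acct["roles"]:
                findings.append((user, app, "SOD_CONFLICT", " + ".join(sorted(pair))))
    return findings

if __name__ == "__main__":
    for finding in review_access(HR, AD, APP_ACCOUNTS, SOD_CONFLICTS, REVIEW_DATE):
        print(finding)
```

In practice the three inputs come from an HR export, a directory query and each application's user list; the role pairs come from the company's own segregation-of-duties matrix.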
User Access Management and Mitigating Risks
Getting your team’s arms around user access, including effective reviews of user access, can save a lot of downstream headaches. By learning how to self-detect potential problem areas, you can reduce your business risk for unauthorized access, and avoid issues with external auditors, remediation efforts, lengthy SOX memos, and potential deficiencies. RoseRyan consultants can help with identifying and mitigating risks, as well as with training and supporting your team. Reach out to RoseRyan today and ask for one of our SOX compliance experts.
RoseRyan consultant Pankaj Jalan has steep experience with SOX implementations and designing, documenting, and testing IT controls. He was previously Security and Controls Director at PepsiCo and a Senior Manager at Deloitte.
As a RoseRyan consultant, Moira Berman has steep experience working with IT organizations in developing and testing controls. Currently she advises public companies on SOX compliance and assists IT teams with identifying and resolving their areas of risk. She has worked at corporations, including as Director of IT at LEGOLAND, and she has held senior level roles at Big 4 accounting firms.