IT General Controls over access to programs and data ensure that authorized and appropriate access exists to systems and transactions. The processes for granting, modifying, and removing access are often manual and prone to errors and exceptions. This is even more likely in the current environment with quickly changing business needs, work-from-home scenarios, furloughed employees, etc.
A mix of controls, including a strong detective control, ensures that access risks are mitigated even when controls over approving, granting, and removing access have failed. The periodic user access review can be a strong detective control when designed to address all the risks related to access. It is a weak control when it is incomplete in addressing all access risks. The control becomes even stronger when it is designed to correct exceptions in addition to detecting them.
When designing and performing an access review, consider addressing the following questions; some simple suggestions follow:
- Review questions:
  - Is the user a current employee or contractor?
  - Is access to the transaction appropriate (should this user have this access)?
  - Was access to the transaction appropriate for the full period?
  - Do the user’s current job responsibilities create conflicts with the access held (are they manually reviewing transactions they have the ability to post)?
- Suggestions to address them:
  - Do a full compare to an HR termination listing. Remove all terminated employees and contractors.
  - Have the user’s manager, or a process/transaction owner, review their detailed access.
  - When it is noted that a user should be removed, consider whether you need to perform a “did-do” analysis – a lookback into inappropriate transactions they may have performed. This often only needs to be done for higher-risk access.
  - When reviewing, compare to a segregation of duties matrix for defined conflicts. Remove access with conflicts and risk-assess the impact as necessary.
The above suggestions can be performed manually, or there are automated tools to help with these tasks. A few quick steps can greatly increase the effectiveness of your access reviews.
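As an added illustration (not code from the original article, and not any particular tool), the script below automates the three suggestions above in one pass: a full compare of the access listing against an HR termination listing, a compare against a segregation-of-duties matrix, and a “did-do” lookback over the transaction log for every user flagged by either check. The user names, transaction codes, dates and document ids are constructed sample data; the input formats (tuples for the access listing and log, a dictionary for terminations, a list of conflicting pairs for the SoD matrix) are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import date

# --- Constructed sample data (not taken from any real system) ---

# Current access listing: (user_id, transaction or permission)
ACCESS_LISTING = [
    ("alice", "AP_INVOICE_POST"),
    ("alice", "AP_INVOICE_REVIEW"),
    ("bob", "AP_INVOICE_POST"),
    ("carol", "GL_JOURNAL_POST"),
    ("dave", "AP_INVOICE_REVIEW"),
]

# HR termination listing: user_id -> termination date
HR_TERMINATIONS = {"bob": date(2020, 4, 15)}

# Segregation-of-duties matrix: pairs of transactions that must not be held together
SOD_MATRIX = [("AP_INVOICE_POST", "AP_INVOICE_REVIEW")]

# Transaction log: (user_id, transaction, posting date, document id)
TRANSACTION_LOG = [
    ("bob", "AP_INVOICE_POST", date(2020, 4, 10), "INV-1001"),
    ("bob", "AP_INVOICE_POST", date(2020, 4, 20), "INV-1002"),     # after termination
    ("alice", "AP_INVOICE_POST", date(2020, 4, 21), "INV-1003"),
    ("alice", "AP_INVOICE_REVIEW", date(2020, 4, 22), "INV-1003"), # reviewed own posting
]


def access_by_user(listing):
    """Group the flat access listing into user_id -> set of transactions."""
    by_user = defaultdict(set)
    for user, txn in listing:
        by_user[user].add(txn)
    return by_user


def terminated_with_access(listing, terminations, review_date):
    """Suggestion 1: users on the HR termination list (as of review_date) who still hold access."""
    by_user = access_by_user(listing)
    return sorted(u for u in by_user if u in terminations and terminations[u] <= review_date)


def sod_conflicts(listing, matrix):
    """Suggestion 4: users holding both sides of a defined SoD conflict pair."""
    by_user = access_by_user(listing)
    return [(user, a, b)
            for user, txns in sorted(by_user.items())
            for a, b in matrix
            if a in txns and b in txns]


def did_do_lookback(log, user, terminated_on=None, conflict_pair=None):
    """Suggestion 3: transactions by a flagged user that warrant follow-up.

    Flags any activity on or after the termination date, and any document on which
    the user performed both sides of a conflicting pair (e.g. posted and reviewed it).
    """
    findings = []
    if terminated_on is not None:
        for u, txn, when, doc in log:
            if u == user and when >= terminated_on:
                findings.append(("post_termination", txn, when, doc))
    if conflict_pair is not None:
        a, b = conflict_pair
        docs_a = {doc for u, txn, _, doc in log if u == user and txn == a}
        docs_b = {doc for u, txn, _, doc in log if u == user and txn == b}
        for doc in sorted(docs_a & docs_b):
            findings.append(("self_review", a + "+" + b, None, doc))
    return findings


def run_access_review(listing, terminations, matrix, log, review_date):
    """Produce a report of removals, conflicts and lookback findings for the review period."""
    report = {"remove_terminated": [], "sod_conflicts": [], "lookback": {}}
    for user in terminated_with_access(listing, terminations, review_date):
        report["remove_terminated"].append(user)
        report["lookback"][user] = did_do_lookback(log, user, terminated_on=terminations[user])
    for user, a, b in sod_conflicts(listing, matrix):
        report["sod_conflicts"].append((user, a, b))
        report["lookback"].setdefault(user, []).extend(
            did_do_lookback(log, user, conflict_pair=(a, b)))
    return report


def sample_review():
    """Run the review over the constructed sample data with a review date of 2020-04-30."""
    return run_access_review(ACCESS_LISTING, HR_TERMINATIONS, SOD_MATRIX,
                             TRANSACTION_LOG, date(2020, 4, 30))


if __name__ == "__main__":
    for section, rows in sample_review().items():
        print(section, rows)
```

On the sample data the review removes bob (terminated but still holding AP_INVOICE_POST) and surfaces his post-termination posting of INV-1002, and it flags alice for holding both post and review on invoices together with the one document she both posted and reviewed. The lookback is only run for users the first two checks flag, which matches the article's point that the did-do analysis is usually limited to higher-risk cases rather than applied to every user.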