
Manual Access Recertification: An Audit Nightmare


The importance of access recertification was established by the Sarbanes-Oxley Act of 2002 (SOX). Section 404 requires management to assess, and the issuer's registered public accounting firm to attest to and report on, the effectiveness of the internal control structure and procedures for financial reporting. Simply put, companies must protect the integrity of financial reports by ensuring that only the right people have access to the systems that generate them, and periodic access reviews are the control auditors test to confirm that. Manual access recertification seemed like a reasonable way to maintain compliance when the law was enacted. With the proliferation of IT assets and the growing sophistication of attackers, however, manual access recertification has become an anti-pattern for both security and compliance:



1. Audit Nightmare: Without exception we keep hearing about organizations whose internal audit teams assess access over spreadsheets spanning hundreds of tabs and then chase audit evidence through back-and-forth email among stakeholders. It is no surprise that many of these organizations end up with audit findings.



2. Productivity Drain: The manual process is a tedious execution of repetitive tasks that add no value to the company and drain employee morale. A typical quarterly access recertification for a company of 1,000 or more employees consumes many paid hours collecting and transforming information from the applications, databases and files under review. The process generates endless volumes of data in Excel sheets and unstructured formats such as email, and it is repeated every cycle. It is not uncommon to see reviewers resort to rubber-stamping every line just to close the review.



3. High Error Rate: Companies today run multiple systems, databases and applications (enterprise, custom and cloud). Authentication methods typically differ between connected and disconnected applications, so employees, contractors and vendors accumulate multiple account IDs across the IT ecosystem. Without a unique identifier or an authoritative identity source linking these accounts, it is nearly impossible to attribute them to the corresponding employee, vendor or contractor. Reviewers simply cannot decode, with 100% accuracy, the abbreviated IDs, roles and access rights exported from each system, and an account that cannot be tied to a person is an audit finding waiting to happen. We keep hearing about manual recertifications that yield audit findings for exactly this reason.



4. Challenging to Enforce Segregation of Duties (SoD): An Excel-based recertification of users and privileges can, after very tedious effort, surface SoD conflicts. A manual process cannot, however, enforce SoD proactively during onboarding and employee changes. Every time an employee's duties change through a promotion or a move to a different department, the spreadsheet must be updated by hand before anyone can check for new conflicts, and a conflict that spans two applications (one conflicting role granted in each) is easy to miss when each application is reviewed on its own tab.



5. Lack of Centralized Visibility: Depending on the company's risk appetite and internal IT controls, access recertification may be needed quarterly or semi-annually. Managers who need to review and approve user access often do not take real ownership of it because it competes with their day job, and sifting through an inbox for the access review document is not ideal for anyone. A manual process offers no central view of review status and no communication that ensures every party understands the significance of access recertification and the importance of timely closure.

6. Non-Integrated De-provisioning: Completing the review is only one part of user recertification. Reaching the end state in a timely fashion is nearly impossible if the review outcome is not tied to the task of actually removing the rejected access. A review that finds excess privilege but leaves it in place provides no security benefit and leaves the finding open for the next audit.
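To make the mechanical pieces of an automated cycle concrete (correlating accounts to an identity source as in point 3, checking SoD across applications as in point 4, and turning review outcomes into removal work as in point 6), here is an added example in Python. It is not the page's or SecurEnds' code; the HR export, the application account exports, the reviewer decisions and the two-rule SoD policy are all constructed for illustration.

```python
"""Automated access-recertification checks over constructed sample exports.

Added example, not SecurEnds code. All data and SoD rules below are hypothetical.
"""
from collections import defaultdict

# Constructed HR system of record: the authoritative list of identities.
HR_IDENTITIES = [
    {"employee_id": "E1001", "email": "ana.lopez@example.com", "status": "active"},
    {"employee_id": "E1002", "email": "ben.okoro@example.com", "status": "terminated"},
    {"employee_id": "C2001", "email": "cara.singh@vendor-example.com", "status": "active"},
]

# Constructed account exports from three applications, each with its own
# account-naming convention. Only the e-mail attribute is common to all.
APP_ACCOUNTS = [
    {"app": "erp", "account": "alopez", "email": "Ana.Lopez@example.com",
     "roles": ["AP_VENDOR_CREATE"]},
    {"app": "payments", "account": "lopez.a", "email": "ana.lopez@example.com",
     "roles": ["AP_PAYMENT_APPROVE"]},
    {"app": "erp", "account": "bokoro", "email": "ben.okoro@example.com",
     "roles": ["GL_POST"]},
    {"app": "crm", "account": "csingh", "email": "cara.singh@vendor-example.com",
     "roles": ["SALES_READ"]},
    {"app": "crm", "account": "svc_report", "email": "",
     "roles": ["SALES_READ", "EXPORT_ALL"]},
]

# Hypothetical SoD policy: pairs of roles one person must never hold together,
# regardless of which application grants each role.
SOD_RULES = [
    ("AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE"),
    ("GL_POST", "GL_APPROVE"),
]


def correlate_accounts(accounts, identities):
    """Map (app, account) to an HR employee_id via normalised e-mail.

    Returns (matched, orphans). Orphans are accounts with no identity in the
    system of record; a reviewer cannot legitimately attest to them.
    """
    by_email = {i["email"].lower(): i["employee_id"] for i in identities}
    matched, orphans = {}, []
    for acct in accounts:
        key = (acct["app"], acct["account"])
        emp = by_email.get(acct["email"].strip().lower()) if acct["email"] else None
        if emp is None:
            orphans.append(key)
        else:
            matched[key] = emp
    return matched, orphans


def roles_by_identity(accounts, matched):
    """Aggregate roles per identity across every application."""
    roles = defaultdict(set)
    for acct in accounts:
        key = (acct["app"], acct["account"])
        if key in matched:
            roles[matched[key]].update(acct["roles"])
    return dict(roles)


def sod_conflicts(roles, rules):
    """Return (employee_id, role_a, role_b) for every violated rule."""
    return [(emp, a, b) for emp, held in sorted(roles.items())
            for a, b in rules if a in held and b in held]


def revocation_actions(accounts, matched, identities, decisions):
    """Turn review outcomes into de-provisioning work items.

    decisions maps (app, account, role) to "keep" or "revoke". Entitlements of
    non-active identities are revoked without waiting for a reviewer; orphan
    accounts need an owner assigned before they can be reviewed at all.
    """
    active = {i["employee_id"] for i in identities if i["status"] == "active"}
    actions = []
    for acct in accounts:
        key = (acct["app"], acct["account"])
        emp = matched.get(key)
        for role in acct["roles"]:
            if emp is None:
                action, reason = "assign_owner", "no identity in HR source"
            elif emp not in active:
                action, reason = "revoke", f"identity {emp} is not active"
            else:
                action = decisions.get(key + (role,), "pending")
                reason = "reviewer rejected" if action == "revoke" else "awaiting review"
            if action != "keep":
                actions.append({"app": key[0], "account": key[1], "role": role,
                                "action": action, "reason": reason})
    return actions


def run_review(decisions):
    """One recertification cycle: correlate, flag conflicts, emit actions."""
    matched, orphans = correlate_accounts(APP_ACCOUNTS, HR_IDENTITIES)
    roles = roles_by_identity(APP_ACCOUNTS, matched)
    return {
        "orphans": orphans,
        "sod_conflicts": sod_conflicts(roles, SOD_RULES),
        "actions": revocation_actions(APP_ACCOUNTS, matched, HR_IDENTITIES, decisions),
    }


if __name__ == "__main__":
    # Constructed reviewer decisions for this cycle.
    sample_decisions = {
        ("erp", "alopez", "AP_VENDOR_CREATE"): "keep",
        ("payments", "lopez.a", "AP_PAYMENT_APPROVE"): "revoke",
        ("crm", "csingh", "SALES_READ"): "keep",
    }
    for section, items in run_review(sample_decisions).items():
        print(section)
        for item in items:
            print("  ", item)
```

The SoD conflict is only visible after roles are aggregated per identity across applications: neither the ERP export nor the payments export shows it on its own, which is precisely what a per-application spreadsheet tab misses. E-mail is used as the correlation key here only because it is the one attribute the constructed exports share; in practice the join key should be an immutable identifier issued by the HR system, and any account that still fails to correlate goes to an owner-assignment queue rather than onto a reviewer's list.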

Manual access recertification is not only daunting and inefficient but also a serious anti-pattern for achieving continuous SOX, ISO 27001, HIPAA, GLBA and similar compliance. In our survey of 13 CISOs across financial services, credit unions, healthcare and manufacturing, automation of access recertification ranked among the top three priorities. SecurEnds is leading the market with its lightweight, highly configurable and industry-first flex-connector product that keeps companies secure while meeting audit and compliance requirements.

Our software allows you to load user data from multiple systems of record, connect dynamically to applications, match identities with user credentials, manage heartbeat identities across connected and disconnected applications, schedule one-time or periodic access recertifications and create proof of compliance for external auditors. In only 30 minutes we can demo why our SaaS software is now a leading choice for identity governance.

 Region:

Georgia

 City:

Atlanta

 City area:

Atlanta

 Address:

1 Glenlake Parkway, Ste. 525 Atlanta, GA 30328
