Periodic Access Reviews (aka User Certification) are an important part of audit reporting, but they can be painful.
For most people involved in the process, a Periodic Access Review is a very time-consuming exercise, and they may also perceive it to be a bit pointless. How can we make this audit reporting situation better?
In most modern ERP systems, security is complex, which makes it very difficult to find out exactly who has access to what.
As a result, providing business managers with the information that they need to be able to review their users’ access can require considerable development effort. The reports they produce are often “one-offs,” so need to be recreated every time. Due to the complexities of the security, the results are often inaccurate, and they provide no drill down capabilities to help managers investigate issues.
Periodic Access Reviews – who needs them, anyway?
It’s usually the Internal Audit department who drives the Periodic Reviews – and they have good reasons for doing so. The objective is to enable managers to review and verify their users’ access privileges. This process helps to:
- identify and manage user privilege accumulation over time
- maintain compliance with Sarbanes-Oxley and other regulations.
But the true importance of this core business process often gets lost among the difficulties of preparing and reviewing the information.
What is the value of a good Periodic Review process?
Done well, Periodic Access Reviews can:
- Ensure that IT General Controls related to access are authorized, reviewed and approved
- Increase management’s confidence in internal controls such as Segregation of Duties
- Involve the Business – committing them to ownership of the problems and the solutions
- Help you to formulate a prioritized remediation plan
- Prevent fraud
The core elements of performing a review are:
- compiling the data on who has what access, and then
- getting the business to understand and review what can be dense and very technical data.
It’s time-consuming and reports are often unintelligible, so the task is complex and dull as ditchwater – so business managers often end up signing off documentation that they don’t really understand. And in many cases the data is simply not accurate.
Here’s an 8-stage plan to streamline the Periodic Access Review process
Decide what type of review works best. Can you work from the last valid review, or is a net change always going to be easier? Define timescales, commit the business, and set up the necessary IT functions.
2: Define Business Owners
Who owns each responsibility (or role), and who owns access for each user? In large multi-divisional companies, there can be complex ownership issues that need to be resolved. A responsibility (or role) can be used in different divisions, by groups of users who are assigned to different owners.
3: Produce access reports for each Business Owner
They must provide meaningful information, with descriptive language to describe objects and applications, rather than incomprehensible codes.
The reports also need to show the true net effect of all access controls. Each ERP has its own quirks, such as how it handles multiple roles, and how menu exclusion controls affect access. Reports need to provide precise information, otherwise the business will lose respect for the process.
4: Monitor the progress of the review
A spreadsheet can work, emails can be used to chase, but it is personal contact that will resolve the issues.
5: Define a process to handle issues raised
If you’ve asked the business to understand and own the access, you need to put in place processes to work through the issues that they raise. How are Critical Access or Segregation of Duties issues going to be resolved? How will you deal with Role redesign issues? Be prepared.
6: Sign off is required
Electronic is always best, so long as everyone understands what they are signing, and why.
7: Finalize and print the review report
It should detail all the items reviewed, their current and previous values, and who approved them. It makes the Business Owners accountable, giving you a proper audit trail and evidence for your auditors.
As with any other process, it’s good to review how it went; what went wrong? How can you improve next time round?
With careful planning and specialized tools to help, the pain and effort of Periodic Access Reviews can be greatly alleviated. Find out more about our Periodic Review tools for Oracle E-Business Suite and JD Edwards EnterpriseOne.