How can you understand and meet auditor expectations on complete user access reviews?
While access reviews can range in complexity, the goal is the same: to determine whether current users have appropriate access rights. Users could be overlooked within termination processes or simply no longer require access due to changes in organizational responsibilities.
A simple user access review could take less than an hour to complete, while complex reviews that involve many reviewers can take several months. Over the years, auditors have become more critical of the requirements that a user access review must satisfy to pass Sarbanes-Oxley compliance audits and assessments.
So, how can you set yourself up for success with user access review auditors?
- Define your scope. It is good hygiene to complete user access reviews on your computer environment, especially production-critical and sensitive applications and technology, including applications, tools, databases and operating systems. You should first start with the highest-risk items.
- Assign ownership. Access should be reviewed by appropriate personnel with the right competence and authority. It is good practice to assign both IT and business owners to share responsibility. Ensure the owners take the review seriously and do not just “rubber stamp” access.
- Understand the control frequency and deadlines. User access reviews usually range from quarterly to semiannual to annual. Quarterly review reports should be generated within the quarter of the review and preferably be completed in the same quarter. Most auditors will allow 15 days after the quarter to complete them. Auditors will be stricter at year-end, though. Semiannual reviews should be completed six months apart in the second and fourth quarters. Annual access reviews should be completed in the fourth quarter. The final review, with security changes made, should be completed within the period of review.
- Determine the scope of the access review. Reviews need to start with active users and their role assignments. Auditors also expect that reviews include whether the security privileges are appropriate within the roles and the assessment of segregation of duties. Applications should consider using a segregation-of-duties (SOD) matrix, document the steps of the review and document role descriptions to aid owners in completing access reviews.
- Use technology solutions. For complex environments, consider GRC solutions to automate the access review and the segregation-of-duties analysis. Including employee job titles in the review data also can make for more effective and efficient access reviews.
- Utilize a template. To ensure reviews follow a consistent process and that no steps are missed, the review should use a template to document the steps followed, a summary of the review and an overall sign-off.
- Use Information Produced/Provided by the Entity (IPE) Parameters. Parameters/IPE should be retained to validate the completeness and accuracy of the security report(s) used in the access review. Pre- and post-parameters should be included. Key questions that the review support should be able to answer are:
  - How Many – The transaction volume should be included with the parameters, which should be able to tie to the number of transactions in the security report.
  - Who – Who generated the report?
  - When – IPE parameters should include the date and time stamp and the date range of the report.
  - Where – What was the source of the report?
  - How – Was the source a canned report or a custom report?
  - What – What was the scope of the report (e.g., all users, select group of users)?
- Retain original security reports. The original reports should be retained and a working copy made to perform the review. Auditors need to be able to evaluate the completeness and accuracy of the security reports against the IPE.
- Review at the right level of precision. Access should be checked at the individual access level. The reviewer should not just sign off on a cover page template.
- Ensure proper segregation of duties. Users are not permitted to review their own access. Secondary reviewers will most likely be required to ensure segregation of duties when an individual performing the review also has access to a system.
- Ensure completeness of the review. All access should be reviewed. Read-only or low-risk roles could be scoped out; however, this scope change should be well documented. Although read-only or low-risk roles may not pose a direct risk to financial data, there is a data privacy concern associated with this type of access.
- Note security changes. The review should signify if the access is appropriate or not. If not appropriate, the review should define the reason why access is not appropriate (e.g., termination, transfer, no longer requires access, unauthorized user, etc.). This original review and results should be included in the review support. Requests to modify access should follow the company’s access provisioning process.
- Conduct a lookback exercise. For inappropriate access, the review should include an impact analysis of whether the access was actually used inappropriately, using last login dates, historic transactions, logs or other mitigating controls.
- Validate security changes. After the security changes have been made, confirm that the access was actually removed. The easiest way is to regenerate the access report and validate that the access no longer appears. Then, retain this second report with the review alongside the original security report.
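The IPE tie-out described under the IPE parameters above and the regenerate-and-compare step for validating security changes can both be scripted. The following is an added example, not code from the original article or from Schneider Downs; the report columns, the user and role names, and the IPE values are constructed for illustration.

```python
import csv
import io

# Constructed sample data: the original security report pulled for the review
# and the report regenerated after the remediation tickets were closed.
ORIGINAL_REPORT = """user,role,last_login
alice,AP_CLERK,2024-03-28
bob,AP_APPROVER,2023-11-02
carol,GL_POST,2024-03-30
dave,READ_ONLY,2024-01-15
"""
REGENERATED_REPORT = """user,role,last_login
alice,AP_CLERK,2024-04-02
carol,GL_POST,2024-04-01
dave,READ_ONLY,2024-01-15
"""

# IPE parameters recorded with the original report (constructed values).
IPE = {
    "how_many": 4,                               # rows the report should tie to
    "who": "j.doe (security administrator)",     # who generated it
    "when": "2024-03-31T23:59:00",               # generation timestamp
    "date_range": ("2024-01-01", "2024-03-31"),  # period the report covers
    "where": "ERP production security console",  # source system
    "how": "canned report SEC-USER-ROLES",       # canned vs. custom
    "what": "all users",                         # scope of the extract
}
REQUIRED_IPE = ("how_many", "who", "when", "date_range", "where", "how", "what")

def load_report(text):
    """Parse a CSV security report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def check_ipe(ipe, rows):
    """Return IPE findings; an empty list means the report ties out."""
    findings = [f"missing IPE parameter: {k}" for k in REQUIRED_IPE if k not in ipe]
    if "how_many" in ipe and ipe["how_many"] != len(rows):
        findings.append(f"row count {len(rows)} does not tie to how_many {ipe['how_many']}")
    return findings

def validate_removals(flagged, original, regenerated):
    """flagged: set of (user, role) marked inappropriate in the review.
    Returns (still_present, not_in_original, removed_but_not_flagged)."""
    before = {(r["user"], r["role"]) for r in original}
    after = {(r["user"], r["role"]) for r in regenerated}
    return (sorted(flagged & after),            # remediation not done
            sorted(flagged - before),           # flagged item never existed
            sorted((before - after) - flagged)) # collateral removals to explain
```

Any non-empty result is a finding to resolve and document before final sign-off, and both reports plus the IPE record go into the review support.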
- Perform a final sign-off. The application owner(s) or designee should perform a final sign-off. A secondary sign-off will help ensure proper segregation of duties.
- Save the User Access Review. Save user reviews in a central repository where the access review materials can be retrieved for future reference.
How Can Schneider Downs Help?
For more information on user access reviews, contact a member of Schneider Downs’ IT Risk Advisory Services department.
About IT Risk Advisory
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.