Author(s): Sruthi Korlakunta
ERP Audit — What an Auditor wants from your Access Management
Enterprise Resource Planning for IT Compliance
It’s that time of the year! No, not Christmas, the year-end audit. When the rest of the world is shopping for presents, some auditor somewhere is going through your system trails and hoping to go back home to his family before 12.00 AM. EY, PWC, Deloitte, KPMG for some name-dropping. If you are working for a big company, one of these is most probably your auditor.
So why not do him a favor and give him what he is looking for?
The next time you are building a new system up from scratch or training yourself as the access-giver and manager of any system or you are an auditor crouching upon an unsuspecting company, and there are certain things around access management that you want to do most certainly, definitely, and without fail.
Keywords: Identity management, IT Compliance, Risk Management, Security
Why should I bother, you ask? The reasons are multitude. For starters,
- You don't want this to come back and bite you in your posterior in a year’s time when your company hires an auditor to check your systems.
- So that your clients trust that you have a system in place that is not f-ing up their information.
- So that your boss's boss's boss doesn't think about firing you when your company fails the year-end review.
If that did not convince you, there is an option. Find yourself a new job. Access Management is not for you. The following article deals with General Computing Controls or IT General Controls, which auditors check for in an ERP system— Specifically Access management.
Let’s talk basics. What is Access Management?
Access Management (aka Identity Management) is the organization of who can access what at what capacity (Royally christened as “privileges”). How does it look in your day-to-day work life?
You cannot, for example, see what that employee gets paid for the same job you do. You cannot log in to your boss’s HR account and quit on his behalf (alas), you cannot manage someone else’s time or calendar, and cannot use some functions in your own system. Your boss may or may not be eligible to read your emails, depending on where you live. All this is regulated under access management.
The laws that determine how your access is managed are provided by both your company’s policy and the law of the land in which your company operates.
If you are in the USA, you might be facing the Sarbanes Oxley Law, Health and Information Privacy Law, Gram-Leach-Bliley Law, and what-not laws that you have to look twice to pronounce.
If you are in Europe, you are dealing with GDPR (General Data Protection Regulation) and other dreadful tedious laws that you don't want to get entangled in by being in the red.
What does an Auditor Look For?
Incidentally, access management is THE GREATEST risk that an auditor checks for during IT Compliance in an Enterprize Resource Planning system.
Imagine you are responsible for a system that tracks the incoming supply of cafeteria food, the amount of food in the house, who is allowed to buy and supply. As a system administrator, it is your duty to see that:
1. The correct people have access to the correct system
For example, a regular employee should not have access to the pricing system of the cafeteria. He should also not be allowed to change the menus, take home tonnes of food, and record them as “sold.”
When an auditor visits you, he will sample a percentage of users from your system and see if they have all the accesses they need — not too much and not too little. If you have a couple of tens of thousands of people and access types in your system, and no proper authorization concept for it, consider yourself screwed.
So divide accesses into roles of hierarchy and decide who needs the power (privileged access) and who just needs purchasing power. In this example, cafeteria manager, cafeteria food-seller, clearer-upper, regular employee, etc. Decide what permissions each of these people need.
2. There is a user life-cycle
The user life-cycle management is to make sure that not only you have a procedure in place, but it is alive and kicking. If your chef has quit because he is mad at you, his card shouldn't allow him to come in at night and “make funny” with the food.
You have to prove that there is a secure and legit process in place to add new people, delete users that you don't want looking into your books anymore, and there are no conflicts because of the change of roles and accesses.
3. There is Segregation of Duties
Meaning the same person cannot ask and approve. Most healthy businesses are not a one-man-show. I don't like to use strong words, but a failure of SoD might smell like Fraud.
It is important for the auditor that you have a process in place that ensures, where possible, that there is the “four-eye-principle” where and when necessary.
4. System Configuration Access is Restricted
This rule is meta. Not only should there be system configurations that are ensuring all the above rules, but the configuration itself should be privy to only those people who are supposed to know and do it. Every change and new configuration should have a predefined and approved authorization process. Every such change should be recorded for audit purposes and regularly monitored.
5. There exists a regular User Access Review
Regular User Access Reviews should be included in the process of every healthy company. It should answer questions such as
- Do these people still need access
- Are there any fishy users in fishy places
- Any users who have expired roles still floating about in the system
6. Change Management goes through a proper funnel
This means, every time you identify a necessary change in the system, you have to make sure that this change is properly:
- authorized by someone else
- migrated safely into the productive system.
If you are going through this funnel, think back and ensure that SoD in step 3 is ensured.
So that’s about a little something on IT Compliance and Audit rules. Say hello to EY or PwC or whoever comes knocking for your year-end.
ERP Audit — What an Auditor wants from your Access Management was originally published in Towards AI on Medium, where people are continuing the conversation by highlighting and responding to this story.
Published via Towards AI