It's that time of year again! The year-end audit is not Christmas. While the rest of the world shops for gifts, an auditor is combing through your system's audit trails and hoping to get home to his family. EY, PwC and Deloitte are just a few examples of the firms who send them. If your company has a large workforce, one of these auditors is likely to be visiting you.
Do him a favour and give him exactly what he is looking for. Whether you are building a system from scratch, training to become the administrator and access-giver of a system, or an auditor about to look at a company you don't yet know, there are some things you should know about access management. You may be asking yourself why you should bother with identity management, IT compliance, risk management and security at all. There are many reasons. First, you don't want it to come back to bite you in the future: your company should have an auditor review the system before a problem does it for you.
Second, your clients can trust that there is a secure system protecting their data. Third, you don't want to get fired when your company fails the year-end evaluation. If none of that convinced you, there is another option: you might be looking for a job, and access management might simply not be for you. This article discusses General Computing Controls (also called IT General Controls, ITGCs), which auditors look for in ERP systems, and in particular access management. Let's start with the basics. What is access management? Access management, also known as identity management, is the discipline that determines who has access to what information (access rights are also commonly called "privileges"). What does this look like in your daily work life? You cannot see the salary of a colleague doing the same job as you. Logging in to your boss's HR account is not a way to quit your job. You cannot edit someone else's calendar or time sheet, and there are system functions you cannot use at all. Depending on where you are located, your boss may or may not be able to read your email. Access management regulates all of this. The rules for managing access are set by your company's policy and by the laws of the country in which you operate. You may face the Sarbanes-Oxley Act (SOX), HIPAA (the Health Insurance Portability and Accountability Act), the Gramm-Leach-Bliley Act (GLBA) and other laws whose names you need to learn to pronounce, as well as the GDPR (General Data Protection Regulation) and many other tedious, dreadful regulations. What should an auditor look for?
Access management is the most important risk area an auditor looks at in IT compliance for an enterprise resource planning (ERP) system.
1. An authorization scheme
Suppose you administer the cafeteria system. You need to track the supply and consumption of food, and you also control who can buy it. As the system administrator it is your responsibility to ensure that the right people have exactly the access they need. For instance, a regular employee should not be able to see the cafeteria's pricing configuration, and the food seller should not be able to modify the menus or take tonnes of food and report them as sold. If you have tens or thousands of users and many kinds of access in your system and no authorization scheme, you are in trouble. Divide access into roles and decide who has purchasing power and who is privileged: cafeteria manager, cafeteria food seller, cleaner and regular employee are all examples. A documented decision process then determines which permissions each role requires.
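As an added example, not code from the original article, here is how the authorization scheme above could be expressed in code, together with the segregation-of-duties rule and the user access review that the later points describe: a small Python model of the cafeteria system with roles and permissions, a four-eye check on write-off approvals, and a review that lists the findings an auditor would ask about. The role names, permissions, conflicting-permission pairs and the sample user population are all constructed assumptions for illustration, not taken from any real ERP.

```python
"""Added example (not from the original article): a minimal role-based
authorization model for the cafeteria system, with a segregation-of-duties
(SoD) check and a user access review. All names and data are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Role -> permissions. A permission is one action the system allows.
# (Assumed names, chosen to match the article's cafeteria example.)
ROLE_PERMISSIONS = {
    "cafeteria_manager": {"view_prices", "edit_menu", "approve_writeoff", "view_reports"},
    "food_seller": {"sell_food", "view_menu", "request_writeoff"},
    "cleaner": {"view_menu"},
    "employee": {"view_menu", "buy_food"},
}

# Permission pairs that must never rest with one person (four-eye principle).
SOD_CONFLICTS = [
    ("request_writeoff", "approve_writeoff"),
    ("sell_food", "edit_menu"),
]


@dataclass
class RoleAssignment:
    role: str
    expires: Optional[date] = None  # None means no expiry


@dataclass
class User:
    username: str
    active_employee: bool  # still on the HR payroll?
    roles: list = field(default_factory=list)


def effective_permissions(user, today):
    """Union of the permissions of all roles that have not expired."""
    perms = set()
    for a in user.roles:
        if a.expires is None or a.expires >= today:
            perms |= ROLE_PERMISSIONS.get(a.role, set())
    return perms


def is_permitted(user, action, today):
    return action in effective_permissions(user, today)


def sod_violations(user, today):
    """Conflicting permission pairs this user currently holds at the same time."""
    perms = effective_permissions(user, today)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def approve_writeoff(requester, approver, today):
    """Four-eye principle: requester and approver must be different people,
    and each must hold the permission for their side of the transaction."""
    if requester.username == approver.username:
        raise PermissionError("requester and approver must be different users")
    if not is_permitted(requester, "request_writeoff", today):
        raise PermissionError(f"{requester.username} may not request write-offs")
    if not is_permitted(approver, "approve_writeoff", today):
        raise PermissionError(f"{approver.username} may not approve write-offs")
    return True


def access_review(users, today):
    """Findings an auditor would raise: leavers with live roles, expired roles
    still assigned, roles that no longer exist, and SoD conflicts."""
    findings = []
    for u in users:
        if not u.active_employee and u.roles:
            findings.append((u.username, "leaver still has roles"))
        for a in u.roles:
            if a.role not in ROLE_PERMISSIONS:
                findings.append((u.username, f"unknown role {a.role}"))
            elif a.expires is not None and a.expires < today:
                findings.append((u.username, f"expired role {a.role}"))
        for pair in sod_violations(u, today):
            findings.append((u.username, f"SoD conflict {pair[0]}/{pair[1]}"))
    return findings


# Constructed sample population (not real people or accounts).
TODAY = date(2023, 12, 20)
USERS = [
    User("alice", True, [RoleAssignment("cafeteria_manager")]),
    User("bob", True, [RoleAssignment("food_seller")]),
    # carol was handed the manager role "temporarily" on top of her seller role
    User("carol", True, [RoleAssignment("food_seller"),
                         RoleAssignment("cafeteria_manager", date(2023, 12, 31))]),
    # dave (the chef) quit, but nobody removed his account
    User("dave", False, [RoleAssignment("food_seller")]),
    # erin's contractor role expired last month and was never cleaned up
    User("erin", True, [RoleAssignment("cleaner", date(2023, 11, 30))]),
    User("frank", True, [RoleAssignment("employee")]),
]

if __name__ == "__main__":
    for who, finding in access_review(USERS, TODAY):
        print(f"{who}: {finding}")
```

Run as a script it prints the review findings: carol holds both sides of two SoD conflicts, dave is a leaver whose account is still live, and erin carries an expired role. Note that an expired role contributes no permissions (erin can no longer even view the menu), while an unknown role is reported rather than silently ignored, which is the kind of stale data a user access review exists to surface.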
2. A user life cycle
The purpose of user life-cycle management is to ensure not only that you have a process in place, but that it is still alive and kicking. Your chef should not be able to tamper with your food after he quits because he is angry with you. You need to show that a process for adding new users, removing existing ones and changing access rights has been established and is followed.
3. Segregation of Duties
Segregation of duties (SoD) means that the same person cannot request something and also approve it. Healthy businesses do not operate like a solopreneur. I hate to be harsh, but an SoD failure makes me think of fraud. The auditor should check that procedures exist to enforce the "four-eye principle" wherever it applies.
4. System configuration access is restricted
This rule is meta: the system configuration is what enforces all the other rules, so it must be accessible only to those with the authority to change it. Each change or new configuration must go through a defined and approved change process, must be documented for the audit, and should be monitored regularly.
5. User access review
Every healthy organization should perform a periodic user access review. It should answer questions like: Do users still need the access they have? Are there suspicious accounts, or users in parts of the system they are not allowed to use? Are there users whose roles have expired but who still exist in the system?
Change management
A proper change management process is a funnel: every change you make to the system must be authorized, approved by a second person, tested, and only then migrated into the production system. Think about each step of this process, and make sure that step 3 (testing) has actually been completed and can be evidenced.
This was a brief overview of IT compliance and audit rules. For your year end, say hello to EY and PwC. Connect with me if you're interested in articles about Data Science, Technology and Social Competence; you can find my Medium profile and my LinkedIn.
We hope to see you there. ERP Audit — What an Auditor Wants from Your Access Management originally appeared on Medium.