Chasing user access and SOD problems
Some years ago, I was the head of internal audit and running the SOX program at Maxtor Corp, a $4bn global hard drive manufacturing company (since acquired by Seagate).
We were an SAP shop and one of the headaches we had related to user and IT access, in particular segregation of duties (SOD). We also had issues at the beginning with superuser access, but brought that under control fairly quickly, so I won’t cover that in this post.
The headache was this. We had software that would report who had what access, and who had multiple access capabilities that represented a risk of fraud and/or significant SOX weakness.
We ran the software at the end of the 1st quarter and there were several hundred issues. It took a lot of work by both IT and user management to decide how to handle and then to correct the access.
Three months later, with everything fixed, we ran the reports again. But there were still nearly 200 issues, all of which were new ones. Users and IT went to work again.
One of the problems was that access to certain SAP transaction codes was being approved by the user’s manager, but not the owner of the information that could be changed by the codes. We beefed up the provisioning process, telling IT to check with the data owner before granting these access privileges.
We were now into the third quarter. The next run still identified problems, but the number was down to about 100. More work by tired and frustrated IT staff and management followed, and we ran the report with about a month to go in the year.
All the prior problems were fixed. But the number of people with excess access had risen to about 120.
We went back to work and ran the software in December.
I got the call that the report was back and the staff had reviewed the results. Knowing that there wouldn’t be time to remediate any SOX deficiency for the year-end, I had a little prayer. Fortunately, the number of issues was small and not a problem. But that was pretty much pure luck.
If I were still with Maxtor, I would be looking to improve how we manage this whole area. This is what I would look for:
1. Provisioning workflow that would route access requests to the data owner (or process owner) in addition to the user’s manager.
2. Where a key control might be impacted, I would also route the request to the SOX manager.
3. The provisioning workflow should include the ability to add the requested access to what the user already has, and identify whether the additional access would create an SOD problem. If so, the access would be denied or compensating controls (such as detailed monitoring) put in place with the approval of the user’s manager, the process owner, and the SOX manager.
4. The ability to monitor for potential issues on a continuing basis, without the hassle of running the extracts and reports we did that year.
5. The ability to apply all of the above to our non-SAP systems, including cross-application SOD.
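To make items 3 and 4 concrete, here is a small SOD checker written for this post as an added example; it is not Maxtor's code and not an SAP product feature. It models a provisioning request as "the user's existing transaction codes plus the requested ones", asks whether the combined set creates a conflict the user did not already have, and routes the request to the manager, the data owner and (where a key control is touched) the SOX manager. The transaction codes are real SAP tcode names used only as labels; the conflict rules, the key-control list and the user assignments are constructed for illustration, not an official ruleset. The same `sod_conflicts` function is reused by `scan_assignments`, which is the continuous-monitoring pass of item 4 run over whatever the current role extract looks like.

```python
"""Toy segregation-of-duties (SOD) check for an access-provisioning workflow.

Added example, not Maxtor's or SAP's code. Tcode names are real SAP
transaction codes; the rules below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed ruleset: (rule id, side A, side B). Holding at least one tcode
# from each side of a rule is an SOD conflict (e.g. maintain vendor master
# data and also run the payment program).
SOD_RULES = [
    ("vendor-master-vs-payments", {"FK01", "FK02"}, {"F110"}),
    ("purchase-order-vs-goods-receipt", {"ME21N"}, {"MIGO"}),
    ("purchase-order-vs-invoice", {"ME21N"}, {"MIRO"}),
]

# Constructed: tcodes the SOX manager has flagged as touching a key control.
KEY_CONTROL_TCODES = {"F110", "MIRO"}


def sod_conflicts(tcodes):
    """Return the ids of every rule this set of tcodes violates, in rule order."""
    held = set(tcodes)
    return [rule_id for rule_id, side_a, side_b in SOD_RULES
            if held & side_a and held & side_b]


@dataclass
class Decision:
    outcome: str            # "approve" or "deny_or_compensate"
    approvers: list         # who must sign off before access is granted
    new_conflicts: list = field(default_factory=list)


def evaluate_request(existing, requested):
    """Item 3: evaluate requested tcodes against what the user already holds.

    A request is approvable (subject to the routed approvers) only if the
    combined access introduces no SOD conflict the user did not already have.
    Otherwise it is denied, or granted with compensating controls approved by
    the manager, the process/data owner and the SOX manager together.
    """
    combined = set(existing) | set(requested)
    already = set(sod_conflicts(existing))
    new_conflicts = [r for r in sod_conflicts(combined) if r not in already]

    if new_conflicts:
        return Decision("deny_or_compensate",
                        ["manager", "data_owner", "sox_manager"],
                        new_conflicts)

    # Items 1 and 2: always route to the data owner as well as the manager;
    # add the SOX manager when a key-control tcode is requested.
    approvers = ["manager", "data_owner"]
    if set(requested) & KEY_CONTROL_TCODES:
        approvers.append("sox_manager")
    return Decision("approve", approvers)


def scan_assignments(assignments):
    """Item 4: continuous monitoring over a {user: tcodes} extract.

    Returns only the users who currently hold conflicting access, so the
    output is the worklist that used to come out of the quarterly report.
    """
    findings = {}
    for user, tcodes in assignments.items():
        conflicts = sod_conflicts(tcodes)
        if conflicts:
            findings[user] = conflicts
    return findings


if __name__ == "__main__":
    # Constructed sample extract of current assignments.
    current = {"alice": {"FK01", "F110"}, "bob": {"MIGO"}, "carol": {"ME21N"}}
    print("open conflicts:", scan_assignments(current))
    print("carol requests MIRO:", evaluate_request(current["carol"], {"MIRO"}))
    print("bob requests FK02:", evaluate_request(current["bob"], {"FK02"}))
```

Two design points are worth keeping when scaling this up. The check is run on the combined set, not on the requested tcodes alone, which is exactly the gap that let new conflicts keep appearing every quarter at Maxtor. And the monitor reuses the same rule engine as the provisioning check, so a rule added after an audit finding is enforced at request time and detected in the next extract with no second ruleset to keep in sync.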
There’s more that I would look for, but these would be the start.