
Chasing user access and SOD problems

Some years ago, I was the head of internal audit and running the SOX program at Maxtor Corp, a $4bn global hard drive manufacturing company (since acquired by Seagate).

We were an SAP shop and one of the headaches we had related to user and IT access, in particular segregation of duties (SOD). We also had issues at the beginning with superuser access, but brought that under control fairly quickly, so I won’t cover that in this post.

The headache was this. We had software that would report who had what access, and who had multiple access capabilities that represented a risk of fraud and/or significant SOX weakness.

We ran the software at the end of the 1st quarter and there were several hundred issues. It took a lot of work by both IT and user management to decide how to handle and then to correct the access.

Three months later, with everything fixed, we ran the reports again. But there were still nearly 200 issues: all of which were new ones. Users and IT went to work again.

One of the problems was that access to certain SAP transaction codes was being approved by the user’s manager, but not the owner of the information that could be changed by the codes. We beefed up the provisioning process, telling IT to check with the data owner before granting these access privileges.

We were now into the third quarter. The next run still identified problems, but the number was down to about 100. More work by tired and frustrated IT staff and management followed, and we ran the report with about a month to go in the year.

All the prior problems were fixed. But the number of people with excess access had risen to about 120.

We went back to work and ran the software in December.

I got the call that the report was back and the staff had reviewed the results. Knowing that there wouldn’t be time to remediate any SOX deficiency for the year-end, I had a little prayer. Fortunately, the number of issues was small and not a problem. But that was pretty much pure luck.

If I were still with Maxtor, I would be looking to improve how we manage this whole area. This is what I would look for:

1. Provisioning workflow that would route access requests to the data owner (or process owner) in addition to the user’s manager.

2. Where a key control might be impacted, I would also route the request to the SOX manager.

3. The provisioning workflow should be able to simulate adding the requested access to what the user already has, and identify whether the combination would create an SOD problem. If so, the access would be denied, or compensating controls (such as detailed monitoring of the user's activity) put in place with the approval of the user’s manager, the process owner, and the SOX manager.

4. The ability to monitor for potential issues on a continuing basis, without the hassle of running the extracts and reports we did that year.

5. The ability to apply all of the above to our non-SAP systems, including cross-application SOD.

There’s more that I would look for, but these would be the start.
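One way to build the checks in the list above, as an added example that is not the post’s or Maxtor’s software: a small rule engine that maps access items to business functions, evaluates an SOD rule set against a user’s effective access across systems, simulates a request on top of existing access so only newly created conflicts are reported, routes approvals to the manager, process owner and SOX manager, and runs the same rules over every user for continuous monitoring. The SAP transaction codes are real ones, but the rule set, the function mapping, the owner names, the users and the non-SAP "BANKPORTAL" system are constructed for illustration, and "OBJECT/ACTVT=NN" is shorthand used here for an SAP authorization object granted with that activity.

```python
"""SOD pre-provisioning check and continuous monitor.

Added example, not the post author's or Maxtor's tooling. The SAP
transaction codes are real; the rule set, the mapping of access items to
business functions, the owners, the users and the non-SAP "BANKPORTAL"
system are constructed for illustration. "OBJECT/ACTVT=NN" is shorthand
used here for an SAP authorization object granted with that activity.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Grant = Tuple[str, str]                 # (system, access item)
Conflict = Tuple[FrozenSet[str], str]   # (conflicting function pair, risk)

# Pairs of business functions one person must not hold, and why. Constructed.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"VENDOR_MASTER", "AP_INVOICE"}): "create a fictitious vendor and invoice it",
    frozenset({"VENDOR_MASTER", "PAYMENT_RUN"}): "change vendor bank details and pay them",
    frozenset({"AP_INVOICE", "PAYMENT_RUN"}): "post an invoice and pay it unreviewed",
    frozenset({"PAYMENT_RUN", "PAYMENT_RELEASE"}): "run and release payments end to end",
}

# Access items -> business function. Transaction codes and the authorization
# objects behind them both map, so a user who lacks the tcode but holds the
# underlying posting authority is still caught. Constructed mapping.
FUNCTION_MAP: Dict[Grant, str] = {
    ("SAP", "XK01"): "VENDOR_MASTER",                 # create vendor (central)
    ("SAP", "FK01"): "VENDOR_MASTER",                 # create vendor (accounting)
    ("SAP", "FB60"): "AP_INVOICE",                    # enter incoming vendor invoice
    ("SAP", "MIRO"): "AP_INVOICE",                    # logistics invoice verification
    ("SAP", "F_BKPF_BUK/ACTVT=01"): "AP_INVOICE",     # create accounting documents
    ("SAP", "F110"): "PAYMENT_RUN",                   # automatic payment program
    ("BANKPORTAL", "release_payment"): "PAYMENT_RELEASE",  # non-SAP system
}

# Who owns each function (item 1), and which functions touch a SOX key
# control and so also go to the SOX manager (item 2). Constructed names.
FUNCTION_OWNER = {
    "VENDOR_MASTER": "ap.process.owner", "AP_INVOICE": "ap.process.owner",
    "PAYMENT_RUN": "treasury.owner", "PAYMENT_RELEASE": "treasury.owner",
}
KEY_CONTROL_FUNCTIONS = {"PAYMENT_RUN", "PAYMENT_RELEASE"}


def functions_of(grants) -> Set[str]:
    """Business functions a set of grants confers; unmapped grants are ignored."""
    return {FUNCTION_MAP[g] for g in grants if g in FUNCTION_MAP}


def conflicts(grants) -> List[Conflict]:
    """All SOD rules violated by a set of grants, across every system."""
    held = functions_of(grants)
    hits = [(pair, risk) for pair, risk in SOD_RULES.items() if pair <= held]
    return sorted(hits, key=lambda hit: sorted(hit[0]))


def check_request(existing, requested) -> List[Conflict]:
    """Item 3: simulate the request on top of current access and report only
    the conflicts it would newly create. Pre-existing conflicts are a
    separate remediation, not a reason to block an unrelated grant."""
    already = {pair for pair, _ in conflicts(existing)}
    after = conflicts(set(existing) | set(requested))
    return [(pair, risk) for pair, risk in after if pair not in already]


def approvers(manager: str, requested) -> Set[str]:
    """Items 1 and 2: route to the manager, every affected process owner,
    and the SOX manager when a key-control function is requested."""
    funcs = functions_of(requested)
    route = {manager} | {FUNCTION_OWNER[f] for f in funcs}
    if funcs & KEY_CONTROL_FUNCTIONS:
        route.add("sox.manager")
    return route


def monitor(user_grants: Dict[str, Set[Grant]]) -> Dict[str, List[Conflict]]:
    """Items 4 and 5: run the same rules over everyone's current access in
    all systems, so it can be scheduled instead of built as a quarterly extract."""
    report = {}
    for user, grants in user_grants.items():
        hits = conflicts(grants)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    # Constructed users. Carol never had the FB60 transaction code, only the
    # posting authorization behind it; Dave's conflict spans two systems.
    users = {
        "alice": {("SAP", "FB60")},
        "bob": {("SAP", "XK01"), ("SAP", "FB60")},
        "carol": {("SAP", "F_BKPF_BUK/ACTVT=01")},
        "dave": {("SAP", "F110"), ("BANKPORTAL", "release_payment")},
    }
    for user, hits in monitor(users).items():
        for pair, risk in hits:
            print(f"{user}: {' + '.join(sorted(pair))} -> {risk}")
    new = check_request(users["alice"], {("SAP", "F110")})
    print("alice requesting F110 creates", len(new), "new conflict(s); route to",
          sorted(approvers("alice.manager", {("SAP", "F110")})))
```

The point of `check_request` is that the decision is made before the grant exists, not discovered at the next quarterly run; `monitor` reuses the same rules so the preventive and detective checks can never disagree. In a real deployment the grant list would be extracted from the SAP user master and role assignments (and the equivalent in each non-SAP application), and the rule set would be the organisation’s own, far larger than the four rules here.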

  1. Premraj kaushik
    May 30, 2011 at 8:36 PM

    Thanks, Norman, for sharing your live and true experience. Your way of approaching this and your suggestions are good to follow.
    Prem

  2. May 31, 2011 at 8:15 AM

    Hi Norman,

    I might also suggest that running that report weekly as a control could be an option.

  3. Norman Marks
    May 31, 2011 at 2:08 PM

    Don, running reports weekly just means you can catch problems faster, and spend a lot of time in the process. Better to prevent – right?

  4. June 8, 2011 at 2:47 PM

    Our controls required running the SOD software for all non-display-only access requests.
    Any conflicts reported were presented to the SOX department and the business process owners before granting.
    If enhanced authorizations could only be temporarily granted, we would employ the Firefighter tool and its logging to provide us ongoing compliance.

    Anthony Croasdale

  5. Charmaine Greene
    June 23, 2011 at 8:47 AM

    Hi Norman

    I would expect the software to check the access at the authorisation object level also, as there are some authorisations that will give backdoor access to unauthorised data without having access to certain transactions.

    Charmaine
