4 February 2013

Top 5 Customer Concerns Around Managing Access Risk - Part 3

Last week we looked at issues around managing emergency access to systems. This week I discuss the third major concern around managing access risk: taking a piecemeal approach that does not address the ongoing risk.

Reactive and fragmented approach to managing risk resulting in recurring audit issues

Clients typically fall into three levels of maturity around managing access risk:

1. No process: The auditors deliver their report and the client addresses only the issues that existed on the day of the audit, which is a short-term, band-aid fix. It is reactive and does not constitute a process.

2. Manual process: Many companies manage their segregation of duties (SoD) conflicts by extracting data from SAP and manipulating it in spreadsheets. What's wrong with doing this?

  • As soon as the data is extracted it is out of date
  • It is subject to human intervention and is therefore error prone (or worse, open to manipulation)
  • It is very time consuming and not easily repeatable, and it may not capture all risks
  • Auditors will generally not rely on it, for the above reasons
  • Unless a process can be repeated continuously, access issues will creep back into the system over time

3. Automated process: By having a central repository of agreed access risk rules that is evaluated against current access on a repeatable basis, management of these risks becomes transparent. This enhances collaboration by providing a common language between the business (who typically do not have enough technical understanding) and IT (who often do not understand the risks in a business context).
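To make the automated approach concrete, the following is an added example (not code from the original post or from any SAP product) of what such a central rule repository looks like when it is evaluated in code: rules are written in business terms as pairs of functions one person must not hold together, a technical mapping states which functions each role grants, and the engine is re-run against the current assignments and compared with the previous run so that conflicts creeping back after an audit fix are caught. All role names, function names, users, rule identifiers and mitigations are constructed sample data and are assumptions for illustration only.

```python
"""Minimal SoD (segregation of duties) rule engine: a central rule repository
evaluated against current user/role assignments, with run-to-run comparison.
All roles, functions, users, rule ids and mitigations are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class SoDRule:
    rule_id: str
    description: str
    functions: FrozenSet[str]  # conflict when a user holds every function in the set


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    roles: Tuple[str, ...]  # roles that together grant the conflicting functions
    mitigated: bool


# Central repository of agreed rules, phrased in business terms (constructed).
RULES: List[SoDRule] = [
    SoDRule("SOD-001", "Create vendor and post vendor invoice",
            frozenset({"create_vendor", "post_vendor_invoice"})),
    SoDRule("SOD-002", "Post vendor invoice and release payment",
            frozenset({"post_vendor_invoice", "release_payment"})),
    SoDRule("SOD-003", "Change vendor bank details and release payment",
            frozenset({"change_vendor_bank", "release_payment"})),
]

# Technical layer: which business functions each role grants (constructed).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"post_vendor_invoice"},
    "VENDOR_MASTER": {"create_vendor", "change_vendor_bank"},
    "TREASURY": {"release_payment"},
    "FIREFIGHTER_FI": {"create_vendor", "post_vendor_invoice", "release_payment"},
}

# Current user/role assignments, as pulled from the system at run time (constructed).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "VENDOR_MASTER"},
    "carol": {"VENDOR_MASTER", "TREASURY"},
    "dave": {"FIREFIGHTER_FI"},
}

# Accepted risks with an agreed control, keyed by (user, rule). Dave's emergency
# access is mitigated by log review rather than removed (constructed).
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("dave", "SOD-001"): "emergency access; activity log reviewed after each use",
    ("dave", "SOD-002"): "emergency access; activity log reviewed after each use",
}


def evaluate(user_roles, role_functions, rules, mitigations=None) -> List[Finding]:
    """Return every (user, rule) conflict, recording which roles contribute to it."""
    mitigations = mitigations or {}
    findings: List[Finding] = []
    for user, roles in sorted(user_roles.items()):
        for rule in rules:
            # Only roles granting at least one function of the rule can contribute.
            contributing = tuple(sorted(
                r for r in roles if role_functions.get(r, set()) & rule.functions))
            granted = set().union(*(role_functions[r] for r in contributing))
            if rule.functions <= granted:
                findings.append(Finding(user, rule.rule_id, contributing,
                                        (user, rule.rule_id) in mitigations))
    return findings


def unmitigated(findings: List[Finding]) -> List[Finding]:
    """Conflicts that still need either remediation or an agreed mitigation."""
    return [f for f in findings if not f.mitigated]


def compare_runs(baseline, current):
    """(new, resolved) conflicts between two runs: the check that catches
    access creeping back after the audit fix."""
    base = {(f.user, f.rule_id) for f in baseline}
    cur = {(f.user, f.rule_id) for f in current}
    return sorted(cur - base), sorted(base - cur)


if __name__ == "__main__":
    audit_day = evaluate(USER_ROLES, ROLE_FUNCTIONS, RULES, MITIGATIONS)
    for f in unmitigated(audit_day):
        print(f"{f.user}: {f.rule_id} via {', '.join(f.roles)}")
    # Audit fix: bob loses VENDOR_MASTER. Weeks later the role is re-added.
    fixed = {u: set(r) for u, r in USER_ROLES.items()}
    fixed["bob"] -= {"VENDOR_MASTER"}
    later = {u: set(r) for u, r in fixed.items()}
    later["bob"] |= {"VENDOR_MASTER"}
    new, resolved = compare_runs(evaluate(fixed, ROLE_FUNCTIONS, RULES, MITIGATIONS),
                                 evaluate(later, ROLE_FUNCTIONS, RULES, MITIGATIONS))
    print("new conflicts since last run:", new)
```

Because the rules live in one place and the evaluation is a function of whatever assignments are fed in, the same run can be scheduled daily or triggered on every role change; a spreadsheet extract gives a snapshot, whereas the comparison step here reports exactly which conflicts appeared since the last run and which were resolved.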