Attention to Detail
With a risk-based audit approach, you can leverage your understanding of your own organization to define how you approach risk and compliance. No longer do you need to apply a “one size fits all” approach to appease your auditor; instead, you can choose to focus on what matters to you.
When it comes to assessing access risk in your business systems, you can take a variety of approaches. The traditional model is to look at access granularly (e.g. security object) on a regular basis to determine if risk exists, and then to remediate or mitigate. A more contemporary approach is to leverage roles (e.g. AR Clerk) in your business systems as the defining building block, and to review at that level.
This approach is often driven by (a) the cost of granular application security analysis tools, and (b) the desire to reduce time spent on compliance activities.
While the role-based approach seems more advantageous, it can often require more work than the object-based approach. For a role-based approach to work, you need to:
- Begin with a security rationalization exercise to clean up access, remove anything above ‘least privilege’, and define roles that map to job descriptions and are SoD-conflict free. This latter piece is extremely challenging and can require outside expertise to execute.
- Build out new access policies that are specific enough to drive positive outcomes – examples include listing roles that cannot be combined, and guardrails that IT and business users must follow to avoid introducing risk.
- Implement additional controls such as annual role assessment, robust change management controls around role maintenance, regular reviews of roles for changes, and substantive procedures in response to identified discrepancies during the year.
In addition to the added rigid structure, there will be additional procedures to develop around access that is not role-based, such as administrative functions (e.g. AZN menus in Oracle) and system accounts.
There is a reason that professional audit firms and regulatory agencies opt for object-based access analysis. Less structure is required to avoid risk as each “peek” into the system is all the way down to the most granular security object. Want to see who can process Journal Entries? Just run a report. A lot of change in your organization? Automate your access review to assess SoD at the object level. Rather than build a house of cards and hope that nothing fails, you can be absolutely sure that you aren’t exposed 365 days a year.
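To illustrate the difference between the two review levels described above, here is an added example (not Fastpath's code and not from this article) that expands each user's roles down to the security objects they grant and evaluates an SoD policy at both levels. The roles, object codes, users and conflict pairs are constructed for illustration; the point it shows is that a conflict introduced by a change to a role's contents (here, an entry object added to a reporting role) is invisible to a role-level "roles that cannot be combined" check but is caught when the same review is run at the object level.

```python
"""Object-level vs role-level SoD analysis on constructed sample data.

Access model: user -> roles -> security objects. A role-level policy lists
role pairs that must not be combined; an object-level policy lists object
pairs that must not be held by the same user. Both are evaluated below.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: role -> security objects (e.g. menu or function codes).
# "Reporting" picked up JE_ENTRY during routine role maintenance, which the
# role-level policy below was never updated to reflect.
ROLE_OBJECTS: Dict[str, Set[str]] = {
    "GL Entry": {"JE_ENTRY"},
    "GL Poster": {"JE_POST"},
    "Reporting": {"GL_INQUIRY", "JE_ENTRY"},
    "Vendor Admin": {"VENDOR_MAINT"},
    "AP Clerk": {"AP_INVOICE_ENTRY", "AP_PAYMENT"},
}

# Constructed sample: user -> assigned roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"GL Entry"},
    "bob": {"GL Poster", "Reporting"},     # conflict only visible at object level
    "carol": {"Vendor Admin", "AP Clerk"},  # conflict visible at both levels
    "dave": {"Reporting"},
}

# Role-level SoD policy: role pairs that cannot be combined.
ROLE_CONFLICTS: List[Tuple[str, str]] = [
    ("GL Entry", "GL Poster"),
    ("Vendor Admin", "AP Clerk"),
]

# Object-level SoD policy: object pairs that cannot be held by one user.
OBJECT_CONFLICTS: List[Tuple[str, str, str]] = [
    ("JE_ENTRY", "JE_POST", "Create and post journal entries"),
    ("VENDOR_MAINT", "AP_PAYMENT", "Maintain vendors and pay vendors"),
]


def effective_objects(user: str, user_roles=USER_ROLES, role_objects=ROLE_OBJECTS) -> Set[str]:
    """Union of all security objects granted through the user's roles."""
    objs: Set[str] = set()
    for role in user_roles.get(user, ()):
        objs |= role_objects.get(role, set())
    return objs


def who_can(obj: str, user_roles=USER_ROLES, role_objects=ROLE_OBJECTS) -> List[str]:
    """The 'who can process X?' report: users whose effective access includes obj."""
    return sorted(u for u in user_roles if obj in effective_objects(u, user_roles, role_objects))


def role_level_conflicts(user_roles=USER_ROLES, conflicts=ROLE_CONFLICTS) -> List[Tuple[str, str, str]]:
    """Flag users holding both roles of a prohibited role pair."""
    findings = []
    for user in sorted(user_roles):
        roles = user_roles[user]
        for a, b in conflicts:
            if a in roles and b in roles:
                findings.append((user, a, b))
    return findings


def object_level_conflicts(user_roles=USER_ROLES, role_objects=ROLE_OBJECTS,
                           conflicts=OBJECT_CONFLICTS) -> List[Tuple[str, str, str, str]]:
    """Flag users whose effective objects include both sides of a prohibited object pair."""
    findings = []
    for user in sorted(user_roles):
        objs = effective_objects(user, user_roles, role_objects)
        for a, b, desc in conflicts:
            if a in objs and b in objs:
                findings.append((user, a, b, desc))
    return findings


if __name__ == "__main__":
    print("Can enter journal entries:", who_can("JE_ENTRY"))
    print("Role-level findings:  ", role_level_conflicts())
    print("Object-level findings:", object_level_conflicts())
```

Run stand-alone, the role-level review reports only carol, while the object-level review reports both bob and carol; the gap is exactly the kind of drift that an annual role assessment and change management around role maintenance are meant to control for, and that object-level analysis detects without them.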
Leveraging Fastpath’s Assure platform, you can be up-and-running in days, with integration into all of your business systems allowing quick and easy access-risk analysis at the most granular level possible, all for pennies on the dollar that you are used to paying.
Discover more resources and articles available on access security for your specific ERP by visiting the Resources section of our website.