Under the umbrella of SOX, we may be required to ensure user access is accurately administered in our
network and critical in-scope financial systems. Since that is the case we need
to coordinate Quarterly Access Reviews (QAR) to confirm that only active
employees and contractors have access to these systems, and that the users
associated access is appropriate for their job function.
Consistent with SOX
requirements, the results of the QAR review will be signed off by the
appropriate Business and IT Owners, to attest that only the employees and
contractors approved by the business units have active accounts and authorized
access to our environments.
Where do we begin?
Scope – always
seems to be a common theme, but is crucial to ensure that we know exactly what
to review. The scope for these reviews may be defined
differently and may change for each quarter depending if there is a change in
applications used, or changes of a corporate nature.
Next we will want to
take a look at a few components to get the review off to a good start:
1: Review & Clean-up
The purpose of this step
is to review the current state of our environments and identify any areas that
we already know need to be cleaned up. After the actual QAR you will identify
areas for improvement which you can summarize in a post review document. Key
things to determine
A few things you
should nail down before you begin the review:
What are we going to review – Scope
Identify who the business application owners
are (if you don’t already know)
Determine the source of truth of who the
“active users” are
Identify who will generate the list of
application users and their current roles
Put together a training package for all the
participants – it is possible that they have not done this before
3: Implement Review Process
The purpose of this step
is to conduct the physical reviews of in-scope Applications for the quarter.
The “reviewers” (whoever is designated) have been given responsibility to
ensure that the Quarterly Review of User Access rights to in-scope SOX systems
are scheduled and completed in a timely manner.
The following is a list of tasks that they may be accountable for:
the schedule which will include the period under review, the start and stop
date for the review, list of in-scope systems under audit for the current
period, and the associated Business Application Owners.
2. The “reviewers”
will coordinate the following activities:
a list of Active Employees and Contractors from the source of truth.
the appropriate Business Application Owners or delegate reviewers to perform
the progress of the review and follow up as necessary.
that the review has been completed as required including the appropriate
signoffs by the Business Application Owners.
any access changes identified as a result of the review in accordance with the
IT Change User Process.
Internal / External audit results and review as part of post-mortem.
4: Elevated Access Review Process
An elevated access
review will also be required to determine who has access to what impacted
systems from a database level for example. You will need to:
Identify the infrastructure which is impacted
by the above SOX applications.
Extract a list of all elevated accounts and
determine who has access to them and when they were last logged on or had the
Where applicable remove access to accounts or
accounts in their entirety as they applied
After the completion
of the review, and all subsequent activities have been completed, you will be
able to review the results and findings. It will be from this step that you
will identify any additional process gaps you were unaware of and may need to
correct before the next review. It is at this time you should create a document
that outlines the findings and share them with the appropriate stakeholders.