COVID has forced organizations to change the way they work, from social distancing, remote working, furloughs, responsibility changes to disrupted approval processes and more. Even before COVID, our research confirmed that up to 20% of user accounts for financial applications in major enterprises were outdated and invalid, creating a very real threat of unauthorized access and resultant fraud!
For years, ownership of user access risk has been a tetchy subject for organizations, with blurred responsibilities across finance, audit, business operations and IT, and many expecting IT to take the lead. User access is a risk that affects IT, but it also has a central role in assuring that business transactions are appropriately authorized. User access needs to be seen and managed as an end-to-end business process, with clear ownership that is defined and sustained.
On July 9th we hosted a webcast to discuss some of the ways in which the COVID crisis has raised the threat level of user access risk, and what to do about it.
We’ve seen over the past few years clear examples of what happens to organizations when there is no clear ownership, accountability and process underpinning user access risk. Money is stolen, fraud is committed, confidential data is breached and so much more. These consequences are the result of poor governance around the Joiners/Leavers/Movers process within a business, misconceptions and assumptions about how this is managed, poor knowledge around who has access and why they need it and a lack of focus on the identity, the ‘who’ behind the Userid.
Since COVID the attention to detail has been even harder to maintain with many employees taking on multiple responsibilities, operating remotely and many under job security pressures – with policies designed for a different operating model – making oversight and effective control a major issue. The impacts on the business can be significant:
- Financial statement errors
- Fraud activity
- Brand damage
- Theft of Intellectual Property and Personal Data
- Business disruptions
- Unnecessary software license fees
- Waste and error
The combined effect is one of weakened control over financial processes and reporting and the resultant financial implications at a time when cash is king!
During our webcast, our polls indicated that 37% of organizations allocate responsibility and ownership across the 3 Lines of Defense. But there are major concerns, with 51% of respondents stating that user access is currently regarded as high risk with ongoing senior management attention.
Even before COVID, User Access risk was getting increased attention from auditors in terms of Material Weaknesses and Significant Deficiencies. Why is that? We asked a Big 4 Audit Partner and this is what she said: “The sudden rise in attestation over user access is linked to the fact that PCAOB Audit Firm Inspections last year were very hot on this issue and so external audit firms have been taking a firm line on this with their clients, which in turn means the clients are getting audit issues raised where they might not have done before.”
In the webcast, we discussed the big inhibitors to progress in this area, which include scope of the user access risk process, stakeholder commitment and management, business impact, complexity, technology and a host of misconceptions.
So what can we do to improve management of user access risk and mitigate the threat? We took a “pragmatist’s journey to Utopia” to answer this. We discussed the need to understand the AS-IS as well as the TO-BE process for Joiners/Movers/Leavers, and the concept of an actionable User Access Review (UAR) process that addresses the needs of all 3 lines of defense.
We discussed a rapid, low-cost way to develop the road map, confirm authorization of users and execute without the need for a capital project. We also described the mechanism for a “User Access Audit” as a service, which can go a long way to quantify your risk exposure and mitigate it.
If user risk is a high priority in your business, invest 45 minutes in this webcast recording here.
Take a look at your UAR process and governance and consider some of the rapid response suggestions. As our business environment and threats are shifting, now is the time to raise the bar on how we manage risk.
Thanks for reading….
Q&A Session
We were delighted to be sent numerous engaging questions from those who attended the session. We thought the answers might be of interest to the wider audience, so we have collated the ones with common themes with greatest relevance below:
1) How long does it take to do a one-time UAR for a company of 10,000 employees?
This will vary per organisation. From the moment we get the required data delivered, it will take 1 week to provide the results of the analysis to you and your organisation. Typically we will allow your ‘attesters’ to look at and work with the material for 2 weeks, and after that we will provide you with the resulting reports. So a duration of 4 weeks is realistic. Preparation of the required data and any corrective action upon the UAR results will of course differ per organisation.
2) Isn’t the simple answer to ensure the HR processes are working in a timely manner?
It can definitely help, especially for “Joiners” which is a predictable process, and the joiners will also ‘alert’ if they don’t have the access to start their job.
But typically HR systems at best have the notion of a person’s job function and no “intelligence” on the details of required application access. That is a process owner’s or line manager’s decision.
For Movers, this is even more complicated as it includes questions of changed access requirements and the potential need for temporary overlap.
One would expect Leavers information in HR to be accurate, but again the granularity of the access that needs to be removed, and by when, is far more complex (think of garden leave, end of contract falling on a weekend, etc.).
And what about temp staff who are not covered by HR processes?
3) It’s not enough to review, you need to remove access automatically. How can you do this without a new IDM system?
Yes, in a business-as-usual implementation, removing access automatically as a result of a UAR should certainly be something we strive for.
A signal to an IDM is an option, assuming the IDM has the capability to manage ALL identities and access rights for a user in ALL applications, office suites and other company platforms (e.g. intranet).
But a good UAR implementation can also trigger this by firing automated de-provisioning commands to any number of access managing functions.
Combining UAR with an adequate access request and approval system with automated provisioning can be a pragmatic alternative to a full-blown IDM system.
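As an added illustration of the points in answers 2 and 3 (this is example code, not the authors’ service or any product), the script below reconciles a constructed HR roster, which knows only job function and leave date, against a constructed application account export. Clear-cut leaver accounts go to an automated de-provisioning list; movers, dormant accounts and temp staff with no HR record are routed to attesters instead. The role matrix, dates and account data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample HR data (not from the page): employee_id -> (job function, leave date)
HR_ROSTER = {
    "E100": ("AP Clerk", None),
    "E101": ("AP Clerk", date(2020, 7, 4)),   # leaver; contract ended on a Saturday
    "E102": ("Controller", None),             # mover; still holds an old AP role
}
# Assumed mapping of job function -> application roles it is expected to hold.
ROLE_MATRIX = {"AP Clerk": {"ap_entry"}, "Controller": {"gl_post", "ap_approve"}}
AS_OF = date(2020, 7, 9)  # review date (assumed)

@dataclass
class Account:
    user_id: str
    employee_id: Optional[str]  # None for temp staff or service accounts not in HR
    role: str
    last_login: date

# Constructed application account export (not from the page).
APP_ACCOUNTS = [
    Account("jsmith", "E100", "ap_entry", date(2020, 7, 8)),
    Account("mjones", "E101", "ap_entry", date(2020, 7, 3)),
    Account("kchen", "E102", "ap_entry", date(2020, 7, 1)),
    Account("kchen_gl", "E102", "gl_post", date(2020, 7, 8)),
    Account("temp_bob", None, "ap_entry", date(2020, 3, 1)),
]

def review(accounts, roster, matrix, as_of, dormant_days=90):
    """Classify each account as 'revoke' (leaver: safe to de-provision
    automatically), 'attest' (needs a line-manager decision) or 'ok'."""
    findings = {}
    for a in accounts:
        hr = roster.get(a.employee_id) if a.employee_id else None
        if hr is None:
            findings[a.user_id] = ("attest", "no HR record: temp staff or orphan account")
        elif hr[1] is not None and as_of > hr[1]:
            findings[a.user_id] = ("revoke", f"leaver, end date {hr[1]}")
        elif a.role not in matrix.get(hr[0], set()):
            findings[a.user_id] = ("attest", f"role {a.role} not expected for {hr[0]} (mover?)")
        elif (as_of - a.last_login).days > dormant_days:
            findings[a.user_id] = ("attest", "dormant account")
        else:
            findings[a.user_id] = ("ok", "")
    return findings

def deprovision_list(findings):
    """Only clear-cut leaver cases are handed to automated de-provisioning."""
    return sorted(u for u, (action, _) in findings.items() if action == "revoke")
```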