Or do you take into account other factors that might affect the risk?
What if one of the factors is an existing audit issue that has not been remediated?
While evaluating the risk posed by the lack of a periodic user access review, I took into account that the organization also had issues with adjusting or terminating user access when employees or contractors transferred jobs or left the company.
The audit manager challenged me, “You have to evaluate the periodic review issue on its own [in other words, in the dark]. If you include the transfer/terminate issue, you effectively raise the risk of the review issue.”
Why should they be separated? The purpose of the periodic review is to support the upstream control (transfer and terminate). Since transfers and terminations are problematic, doesn’t that raise the importance of a periodic review? If so, doesn’t that increase the risk of NOT doing a periodic review?
Yes, the manager said, but if you include that risk, the periodic risk is ranked higher than it should be.
No, I said, it raises the risk to where it should be. If the review is done, it will at least catch the problems caused by the poor transfer/terminate control. If the transfer/terminate process is fixed, the risk of not having a periodic review is reduced, but the review is still needed to catch errors and collusion.
Especially if the review occurs only once a year.
What do you think?