I’ve written before how some periodic reviews provide management with little assurance, but management doesn’t realize how little.
My previous post focused mostly on server access￼. In this post, I want to look at normal user access.
For example, let’s assume your company has a policy that states that all IDs must be assigned within an Active Directory group. In other words, IDs are assigned to groups, and groups are assigned to assets; IDs should not be assigned directly to an asset.
Assume the control you are testing states that user access is reviewed annually.
Some Chief Audit Executives (CAEs) and audit managers tend to think that audit automation is a set-it-and-forget-it process. NOT.
In this post, I want to expand on a problem I mentioned in an earlier post , 10 Signs Mgmt Doesn’t Really Support Analytics.
Audit management too often thinks that once a process or an audit is automated, ALL auditor/staff hours previously spent performing that process can be reassigned elsewhere.
That is not the case at all.
Whether you script your projects or use menu commands, you need to review your ACL log carefully.
Good analysts review their results and the log as they work in ACL, after they think they are done, and have others review their log before the ACL project is relied upon.
(You can’t imagine the dumb mistakes my team and I found that saved us a lot of embarrassment later.)
If you’re looking for FREE practice questions for the CISA exam, I found a good resource.
The site provides over 900 questions for you to test yourself.
I consulted with a company that implemented a new GRC package, and unfortunately they are using an application designed for GRC to do audit workpapers.
That wasn’t the only move that was questionable…
In case you missed it, ACL released the next version of their Acerno product, renamed it ACL Excel Add-in, and made it FREE!
So I thought I’d update my review.
For my original review of Acerno, see A Review of ACL Acerno. It still seems that I’m the only one who ever took the time to review the product (versus marketing blurbs, which are all over the ‘net), which appears to be a statement regarding its popularity.
Despite the poor popularity, since they updated it AND made it free, I decided to dive in for another look.
Note: This add-in is not just for auditors! Any one who regularly reviews data should consider using this simple, EASY-to-use software.
Please take the new & improved poll at the bottom of this post (also free).
One of my current clients is trying really hard to do periodic access reviews.
They know that mistakes are made in granting access, that users get access and eventually don’t need it anymore, but don’t tell anyone, and that some users leave the company without their manager’s knowledge (I never have understood how that happens, but it does; it has happened in every Fortune 500 company in which I’ve worked).