
    ERP Audit and Access Management Control

    Auditors, as part of the audit of ERP applications, examine the general controls in your ERP system. The General Computing Controls (GCC), also called IT General Controls (ITGC), aim to ensure the integrity of computer operations, the correct development and implementation of applications, and the integrity of the programs and the data files.

    Risks and Controls Associated with Access Management

    One of the biggest threats to the security of ERP applications is a flawed access policy under which users are granted inappropriate access, which can lead to unauthorized activity. This can have a significant impact on data protection and could result in financial loss. Auditors will certainly test management control over the access policy.

    The best practice is to allow users access only to the applications they need to do their jobs (also known as ‘least privilege’ or ‘need to know’); role-based access control with a well-designed security model can help you achieve that.

    Risks and controls pertaining to access management, as part of your ERP audit reporting, include:

    An Inappropriate Role Design or Provisioning

    Roles should be associated with business processes rather than with individual users or jobs, as this will make it easier to ensure that all users are given requisite access. Improper role design also makes SAP Segregation of Duties (SoD) challenging to implement.

    Privileged Access

    Privileged users are particularly risky. Some users, such as CNCs or IT administrators, may have complete access to everything. Where the same person is both the database administrator and the operating system administrator, that administrator could lock everyone else out of the system and essentially hold the business to ransom. You should have policies and procedures that document privileged access management, and you should monitor those users very closely.

    End Users with Access to IT Applications

    Some business users will need broad access to business applications, but they should not have access to system configuration options or IT applications, particularly security administration and the ability to assign roles to themselves.

    Using Generic User IDs

    Discourage the use of shared accounts or generic user IDs, so that every action can be traced to an individual and the audit trail stays fully transparent.

    User Administration

    To cover the entire user lifecycle, you need well-defined procedures, and you should maintain an audit trail of all activities. The lifecycle covers creating new users, modifying existing users, and disabling and removing users who have left the organization.

    User provisioning procedures should have management control to ensure that the access is required, approved, and delegated by appropriate staff. Specific roles should be separated to ensure that one person cannot complete the entire process.

    You may be asked by the auditor to provide proof of your user administration controls during the audit. If you use an external ticketing system, logging ticket numbers within your ERP system can help.

    You also need to be aware of the risks when granting existing users additional access. Your access policy should provide proactive management control so that new grants do not create SoD conflicts.

    Periodic Access Review

    It helps to have a mechanism in place to recertify access annually; this process is called Periodic Access Review. It ensures that the responsible business managers review and validate the access rights of their users and identify any changes that may be required.

    The analysis will help you overcome the risks associated with unauthorized access and, if well documented, demonstrate compliance with SOX, where necessary.

    The review process may also provide a valuable way of tracking system integrity to help keep the system clean and find any loopholes that might exist.
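    The role design, proactive SoD control at grant time, and periodic access review described above, as an added example that is not the article's own code. The role model, the SoD conflict matrix and the sample user assignments are constructed for illustration and are not a standard SAP or JD Edwards configuration.

```python
# Added example (not the article's code): constructed role model with an SoD
# check at grant time, reused for a periodic access review.
# Roles are tied to business functions, not to individual users or jobs.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_PAYMENT": {"payment.release"},
    "GL_ACCOUNTANT": {"journal.post"},
    "SYS_CONFIG": {"config.change"},
    "SEC_ADMIN": {"role.assign"},
}
# Function pairs one person must not hold together (constructed, illustrative).
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "payment.release"}),
    frozenset({"journal.post", "config.change"}),
}

def functions_for(roles):
    """Flatten a role set into the business functions it grants."""
    return set().union(*(ROLE_FUNCTIONS[r] for r in roles))

def sod_conflicts(roles):
    """Conflicting pairs present in this role set, as sorted 'a vs b' strings."""
    funcs = functions_for(roles)
    return sorted(" vs ".join(sorted(p)) for p in SOD_CONFLICTS if p <= funcs)

def check_grant(user, current_roles, new_role, requester, approver):
    """Proactive control at provisioning: the approver must be neither the
    requester nor the target user, and the grant must not add an SoD conflict."""
    if approver in (requester, user):
        return False, "approver must be independent of requester and target user"
    added = sorted(set(sod_conflicts(set(current_roles) | {new_role}))
                   - set(sod_conflicts(current_roles)))
    if added:
        return False, "new SoD conflict: " + ", ".join(added)
    return True, "ok"

def access_review(assignments):
    """Periodic review: per user, existing SoD conflicts plus a flag for anyone
    able to assign roles, for the responsible manager to recertify or revoke."""
    findings = {}
    for user, roles in assignments.items():
        issues = sod_conflicts(roles)
        if "role.assign" in functions_for(roles):
            issues.append("privileged: can assign roles")
        if issues:
            findings[user] = issues
    return findings

# Constructed sample assignments; run access_review(ASSIGNMENTS) for the report.
ASSIGNMENTS = {"alice": {"AP_CLERK"}, "dave": {"AP_CLERK", "AP_PAYMENT"},
               "erin": {"GL_ACCOUNTANT", "SEC_ADMIN"}}
```

    A real deployment would read the role and assignment data from the ERP system and log each check_grant outcome with the ticket number, so the auditor can tie every grant to an approved request.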

    System Configuration Access

    Access to system configuration options is highly critical, as it determines how the system operates. You need controls that limit access to the applications that allow users to set up or alter the system's configuration options.

    All changes should be subject to change management processes and should be documented appropriately. You can also track changes to crucial configuration data and keep a full audit trail of all changes.
