User Access Review
Planning:
Quarterly access reviews assessed across high-risk systems (finance, HR).
Objectives:
- Ensure periodic user access validation
- Validate manager sign-offs and exception handling
Procedures:
- Reviewed Q1/Q2 access review logs
- Verified reviewer identity and sign-off
- Sampled 10 users per system for appropriateness
Working Papers:
- WP-ITGC-AR001: Access recertification control
- Access review calendars, approval logs
Findings:
- Missed sign-offs in 2 of 4 departments
- Reviews conducted without system owner input
- ⚠️ Limited audit trail of post-review remediation
Tools Used:
Excel, email approvals, manager review sheets
Recommendations:
- Enforce system owner accountability
- Use automated certification platforms
- Establish escalation path for late reviews