🔐 User Access Provisioning
🧭 Planning:
Identified user provisioning as a key risk in the ITGC audit. Sample included 25 new users provisioned across Active Directory and ERP systems over 6 months.
🎯 Objectives:
-
Validate formal access authorization
-
Confirm alignment with job responsibilities
-
Verify least privilege and segregation of duties
📌 Procedures:
-
Reviewed onboarding requests and access logs
-
Matched access with predefined role matrix
-
Verified approval timestamps and provisioning dates
📑 Working Papers:
-
WP-ITGC-UP001: Provisioning control assessment -
Evidence: AD exports, access forms, role matrix
📊 Findings:
-
❗ 2 users lacked formal approval
-
❗ 1 user over-provisioned beyond role requirements
-
⚠️ Manual processes prone to errors
🧰 Tools Used:
Active Directory, onboarding tracker, ServiceNow/email logs, Excel, RCM
✅ Recommendations:
-
Automate access provisioning workflows
-
Enforce role-based access matrix validation
-
Implement 7-day post-provisioning access review
