User access reviews and compliance: The auditor’s perspective

by | Mar 27, 2023

Protecting company assets and maintaining control over access to and usage of these assets is a critical management responsibility. In the world of information technology (IT), this is all about information security and, more specifically, access control. Without a robust approach to access control, an organization can experience events like data loss, data breaches, fraud, and impairment of brand reputation. Years ago, when most organizations had a fairly centralized and contained IT function, access control was generally straightforward and could be well managed by personnel within the organization. However, as businesses grew, organizations became more decentralized and increasingly dependent on third-party contractors for processing and hosting. As a result, gaps in control effectiveness began to appear in some organizations. Companies worked hard to protect their brand and reputation in these times of change, seeking ways to demonstrate their focus on quality controls, including access control. This led to the rise of SOC2 and other control reports being leveraged across all industries.

An auditor’s historical perspective on user access reviews

After nearly four decades of conducting information control examinations, I can say that the one control area requiring the most effort, and unfortunately, resulting in the most testing exceptions, was access control. Early on, and for most of this time – and quite honestly, still the case with many organizations – the controls related to access control are manual-intensive processes. Initially, user access reviews were carried out annually to “clean house” of unneeded access. Over time, as the number of findings increased, proactive organizations began conducting access reviews semiannually or even quarterly. However, even with improved integration with HR systems (to better track employee transfers and departures), the periodic reviews struggled to keep pace with the rate of employee hires, transfers, terminations, and especially the growing use of third-party contractors. This issue was compounded by the fact that these reviews were heavily reliant on human input and were only as effective as the capabilities and diligence of the personnel conducting the reviews. 

An important note: even if these reviews were performed well, there was always the question of whether they were timely, as access exposures could exist for much of the testing period. For example, if an organization conducted access reviews every June and December, an exception noted during the December review could result in excessive access for a period as long as July through the date of the review. In that case, additional procedures would need to be implemented to ensure that no unauthorized activities occurred.

Lastly, everything discussed above has been and continues to be an important risk management effort for organizations that operate “in-house.” However, many organizations are moving in a different direction. Embracing the cloud, integrating with SaaS providers, and increasing dependency on third-party business partners have only intensified the need for a better approach to access control management. This improved approach ensures that access control reviews are performed in a complete, accurate, and timely manner, reducing the associated risk to an acceptable level.

As auditors, we aim to achieve the confidence necessary to assert that control objectives have been met successfully. In addition to the design and execution of an organization’s access controls, the reviews must provide supporting documentation related to complete and accurate data used in the review. Furthermore, there should be evidence that all items noted during the review were resolved in a timely manner.

What the audit professional is promoting

As organizations grow larger and more complex, and user interaction with third parties increases, audits will also continue to become more complex. Today, it is not uncommon for a single SOC report to cost hundreds of thousands of dollars. As compliance costs continue to rise, audit professionals have responded with new guidance and training. Much of this focuses on finding opportunities to increase testing efficiencies through automated testing. Organizations like the AICPA and ISACA have emphasized the benefits of testing automated processes, which include increased efficiencies, reduced audit risk, and the implementation of innovative testing approaches.

Efficiencies are created when the manual/human element is removed, and “tests of one” can replace cumbersome sampling-based testing.

A reduction in audit risk can be achieved when entire populations are tested, including data and applications at third parties, providing complete knowledge of potential exposure. Additionally, the reliance on the underlying data’s completeness and accuracy is improved.

Finally, automation can act as a catalyst for innovative testing strategies such as continuous monitoring and shifting the audit perspective from “the ends justify the means” to “the means justify the ends.” By gaining confidence in the quality and effectiveness of day-to-day controls, significant efficiencies, and reduced compliance costs can be realized.

Implementing Identity Governance and Administration (IGA) can be a daunting task due to the complexity of IAM systems. The difficulty lies in comprehending the specialized facets of user validation, authorization, identity management, and access control. To ensure the successful implementation of IGA solutions, organizations must have a clear understanding of their existing infrastructure and how it interacts with new technologies. Furthermore, they must also have an accurate assessment of their security requirements for each system or application that will be part of the solution.

Data security is another major challenge when implementing IGA solutions, as there are many points at which data can be exposed if not properly secured. Organizations should evaluate their existing data security protocols and methods to guarantee that all sensitive information is guarded against unapproved access or misuse. Additionally, proper encryption techniques should be used to secure any data stored within the IGA system itself, as well as any communications between users and applications using the system.

Finally, organizations must consider regulatory compliance requirements when implementing an IGA solution. Organizations may have to take extra steps to safeguard customer data while allowing approved users access to the required resources for the effective and secure performance of their duties, depending on industry-specific regulations such as HIPAA or GDPR. This could include restricting certain types of activities by setting up role-based permissions or requiring two-factor authentication for more sensitive areas within the organization’s network infrastructure

Despite the challenges with implementing IGA, organizations can successfully implement it by developing a comprehensive plan and utilizing automation to streamline processes. To ensure the successful implementation of IGA, organizations must establish clear goals and objectives as well as develop a detailed plan for its implementation.

Streamline audit processes with Zilla Security

Zilla Comply is a solution designed to help auditors streamline their access review processes and ensure compliance with various regulations such as SOX, HIPAA, GLBA, PCI, and SOC 2. Built on top of Zilla’s unique identity security platform, it collects data from all audited applications, including SaaS applications, cloud platforms like AWS and Azure, on-premises applications, and even homegrown solutions.

The solution normalizes data, automatically correlating application accounts with identities in the corporate directory and resolving role and group memberships and their mapping to permissions. This provides a clear and complete picture of what users can do with their access. Zilla Comply enables auditors to run automated review campaigns, replacing manual spreadsheets with a streamlined, automated, and auditable system of record.

Auditors can use Zilla to ensure application review readiness by inspecting apps to determine if they’re ready for review. If an app is not quite ready, they can assign checklist items to the technical owner of the application.

Zilla’s identity security capabilities help audit privileged access, establish who has privileged access and who doesn’t, and enforce the principle of least privilege. This streamlines organizational compliance and reduces security risks. The solution makes it easy to automate and track revocations, ensure access review actions are implemented promptly, and monitor revocations and other permission changes required due to access review campaigns.

Furthermore, Zilla simplifies auditors’ work by providing an exceptionally intuitive user interface, comprehensive audit logs, and reports. It automatically generates auditor-ready reports that include timestamps, summaries, applications in scope, ownership details, filters used, review settings, and line-by-line decisions made during the access review.

To learn more how Zilla Comply helps companies achieve and maintain compliance, saving countless hours of time and effort, contact Zilla Security.

About the author

For almost 40 years, Scott Taylor has served clients in the identification and management of risk in areas such as financial, business operations, information systems, information security, business continuity, and process reengineering. He has teamed with his clients’ personnel to assess systems of internal control, manage risk and control issues, and develop practical solutions. During this time, he has performed hundreds of financial statements and SOC engagements in various industries worldwide.



Recent Posts