In my last post on this topic, User access risk and SOX compliance, I talked about how a top-down, risk-based approach can help right-size the SOX scope when it comes to user access. For many organizations it can reduce the number of access rules in scope as key controls from hundreds to fewer than twenty. I also talked about how software is essential in managing access risk.
I believe software is essential in managing user access risk, not only for SOX but also for other business risks.
In fact, the potential harm from inappropriate access is typically greater for other business risks (such as disruption of revenue generation or manufacturing, damage to reputation, and loss of valuable intellectual property) than it is for SOX.
The first step to selecting software, for this or any other purpose, is to define your needs. What do you need, which are the priorities, and how valuable is satisfying each need?
Is this just for SOX or, as I prefer, to manage all access-related business risk?
For most organizations, these needs will probably include:
- A report that will identify violations of each access rule
- A report of changes to access rules
- The (provisioning) ability to scan each request for access, before it is granted, for potential rule violations so that conflicting requests can be denied
- The ability in the access provisioning system to ensure that the owners of each system, the manager of each employee, and others as needed, approve all requests for access
- Reports for each owner of a system that will enable a review of who has access to each system he or she is responsible for
- Reports for each manager so he or she can review what access his or her employees have
- The ability to manage access within and across multiple systems, i.e., not just the financial systems or ERP, but every system where access needs to be managed
- …and more
In many cases, a single software package will suffice. But where access to multiple systems must be managed, it may be necessary to combine several software products.
For example, different software may be needed to run reports of access to the financial systems; a manufacturing system; a wire transfer system; and a system that manages physical access to buildings.
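The first three needs in the list above (a violation report for each access rule, a report of changes to the rules, and a pre-provisioning check on requests) are what the software has to do mechanically, whatever product you buy. The following is an added example written for this post, not code from any vendor or from the original article: a minimal segregation-of-duties rule engine in Python. The systems (ERP, WIRE, BUILDING), role names, users, and rule IDs are all constructed for illustration. One rule deliberately spans two systems (the ERP and the wire transfer system), which is the cross-system case mentioned above that a single-system report cannot catch.

```python
"""Minimal segregation-of-duties (SoD) rule engine: a violation report over
existing access, a pre-provisioning check on a new request, and a diff of
the rule set.  Added example; every system, role, user and rule ID below is
constructed for illustration, not taken from a real product."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# An entitlement is a (system, role) pair so that one rule can span systems.
Entitlement = Tuple[str, str]


@dataclass(frozen=True)
class Rule:
    """Violated when a single user holds every entitlement in `conflict`."""
    rule_id: str
    description: str
    conflict: FrozenSet[Entitlement]


# Constructed rule set.  RULE-3 crosses the ERP and the wire transfer system.
RULES: List[Rule] = [
    Rule("RULE-1", "Create vendor and approve payment in ERP",
         frozenset({("ERP", "AP_CREATE_VENDOR"), ("ERP", "AP_APPROVE_PAYMENT")})),
    Rule("RULE-2", "Administer roles and post journals in ERP",
         frozenset({("ERP", "SEC_ROLE_ADMIN"), ("ERP", "GL_POST_JOURNAL")})),
    Rule("RULE-3", "Approve payment in ERP and release wires in treasury",
         frozenset({("ERP", "AP_APPROVE_PAYMENT"), ("WIRE", "RELEASE_WIRE")})),
]

# Constructed access snapshot: user -> set of (system, role) currently held.
ACCESS: Dict[str, Set[Entitlement]] = {
    "alice": {("ERP", "AP_CREATE_VENDOR"), ("ERP", "AP_APPROVE_PAYMENT")},
    "bob":   {("ERP", "AP_APPROVE_PAYMENT"), ("WIRE", "RELEASE_WIRE")},
    "carol": {("ERP", "GL_POST_JOURNAL")},
    "dave":  {("WIRE", "RELEASE_WIRE"), ("BUILDING", "SERVER_ROOM")},
}


def violations(access: Dict[str, Set[Entitlement]], rules: List[Rule]) -> List[Tuple[str, str]]:
    """Violation report: every (rule_id, user) where the user holds the
    complete conflict set of a rule.  Sorted by user for a stable report."""
    found = []
    for user, held in sorted(access.items()):
        for rule in rules:
            if rule.conflict <= held:
                found.append((rule.rule_id, user))
    return found


def check_request(access: Dict[str, Set[Entitlement]], rules: List[Rule],
                  user: str, requested: Entitlement) -> List[str]:
    """Pre-provisioning check: the rule IDs that granting `requested` to
    `user` would violate.  An empty list means the request is clean; a
    non-empty list is what the provisioning workflow should deny or route
    for an explicit, documented exception approval."""
    would_hold = set(access.get(user, set())) | {requested}
    return [r.rule_id for r in rules
            if requested in r.conflict and r.conflict <= would_hold]


def rule_changes(old_rules: List[Rule], new_rules: List[Rule]) -> Dict[str, List[str]]:
    """Report of changes to the rule set between two versions, by rule_id.
    A rule counts as changed if its description or conflict set differs."""
    old = {r.rule_id: r for r in old_rules}
    new = {r.rule_id: r for r in new_rules}
    return {
        "added":   sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(i for i in set(old) & set(new) if old[i] != new[i]),
    }


if __name__ == "__main__":
    for rule_id, user in violations(ACCESS, RULES):
        print(f"VIOLATION {rule_id}: {user}")
    # carol already posts journals; asking for role administration conflicts.
    print("carol + SEC_ROLE_ADMIN:", check_request(ACCESS, RULES, "carol", ("ERP", "SEC_ROLE_ADMIN")))
    # dave releases wires; approving payments in the ERP would cross RULE-3.
    print("dave + AP_APPROVE_PAYMENT:", check_request(ACCESS, RULES, "dave", ("ERP", "AP_APPROVE_PAYMENT")))
```

The point of `check_request` is the provisioning step: the same rule set that produces the monthly violation report is evaluated against the access a user would hold after the grant, so the conflict is caught before it exists rather than chased afterwards. Physical access (the BUILDING entry for dave) is carried in the same structure, which is how a rule about, say, server-room entry plus production change rights could be expressed without a second tool.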
Given that, here are some criteria I would consider in selecting a software package:
- Does it meet my needs, in particular those of the highest priority? Will it meet my needs for the foreseeable future?
- How will I have to change my business processes? Will it support the way I want to do business?
- What do current users of the software have to say about the vendor?
  - Do they say that the software meets their needs?
  - Are their needs similar to mine?
  - How easy is the software to implement?
  - How easy is it to maintain?
  - Is the vendor’s customer service excellent?
  - What other solutions did they consider?
  - Do they recommend this software?
- What is the vendor’s reputation? Are there complaints or lawsuits against the vendor and do they relate to this piece of software?
- Is the vendor financially sound? Is it committed to this software (if it has a small market share, it may limit future investment) or is this a small part of a larger offering? Is the vendor a target for acquisition?
- How does the vendor manage upgrades or new releases? If there is a problem with functionality, how does it decide whether and when to issue upgrades?
- Does the vendor have not only sales but also support staff who understand the business? Do they understand access risk and how it needs to be managed?
- Are the support and development teams large enough to maintain and upgrade the software when needed?
- If, as is likely, consulting services will be needed to assist in the implementation of the software, are reliable consultants available, at a reasonable cost, who have the necessary expertise and experience? How good are their references?
- What is the cost of the software, considering not only the initial acquisition cost but the cost of services that will be required to implement and then maintain it, and the ongoing software license cost?
- Will the IT staff be able to provide the necessary internal support? Is the software compatible with the IT infrastructure and network strategy?
A couple of thoughts from experts at consulting firms build on my points:
- “When choosing your software, you want to make sure the vendor has the expertise to keep the methodology up to date. Otherwise, you may be constantly training your vendor,” said Matt Bonser, Risk Assurance Director at PwC. “Choose a vendor that is making investments in their tools instead of making changes by only reacting to customer issues.”
- “We recommend to our clients that they prepare a technology-agnostic solution design as the first step in selecting a GRC tool or any other enterprise-level application,” said Ronan O’Shea, Protiviti’s Global ERP Solutions practice leader. “Analyze the business processes, business rules, data, event triggers, reports, etc. from an optimization and automation perspective and let the solution design, supported by critical use cases, drive the choice of technology, not vice versa.”
A vital consideration is the question of who will own the software within the company. I have seen situations where nobody takes ownership of the responsibility for managing user access risk.
I highly recommend resolving that question before acquiring software. Whoever will be responsible for managing the business risk from inappropriate access should lead the acquisition process.
Over the years, I have been involved in acquiring access software for several companies. Sometimes it was straightforward, but the more complex the business and the greater the variety of access rules that need to be managed, the more critical it is to get this right.
If I were to leave you with one message, it is this: make sure you have a robust provisioning capability. If you are able to prevent excessive access from being granted in the first place, you will recover the cost of the software quickly, because IT and management won’t have to spend many hours chasing and correcting exceptions only to see new ones appear every month.
Most important, you will be able to maintain user access risk at acceptable levels.
In the previous blog post, I shared my story at Maxtor. The reason that new access violations kept appearing was that while reports were available to identify violations, the process for granting access was very weak. Our risk was high until we fixed the provisioning process.
I hope these two posts will strengthen your selection process.
Your comments are welcome.
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management