Have you ever imagined learning what an external auditor using SAP GRC Access Controls does in his daily life? I decided to share my knowledge about controls for SOX -Sarbanes Oxley evaluation. Before we get into the controls, here are some of the terminologies used in the secret world of Auditing. TOD- Test of design, TOE- Test of Operative effectiveness, PCAOB- Public Company Accounting Oversight Board.
Here goes the story…The SEC (Securities exchange Commission) set up a board called PCAOB sometime in 2004 to oversee the auditors of public companies in order to protect their interests of investors. The external auditors follow the rules or auditing standards set by this board. Here are the auditing standards defined by PCAOB: http://pcaobus.org/Standards/Auditing/Pages/default.aspx
The general documentation every external auditor on this planet uses is something called ITGC – IT general controls. The ITGC has four sections where the controls are defined and evaluated. This is a template used by these auditors to evaluate the company’s processes after mapping them from the ICOFR-Internal Control over Financial Reporting. The four sections are as follows:
- Access to Programs and Data
- Program Changes
III. Program Development
- Computer Operations
TOD or test of design is used to document the control objectives, control numbers and their descriptions. Ever since SAP bought VIRSA, the world has changed in terms of auditors having to spend less time with their clients. SAP Solutions for Governance, Risk, and Compliance: SAP GRC Access Controls (comprising applications formerly known as Virsa Compliance Calibrator, Virsa Firefighter, Virsa Access Enforcer and Virsa Risk Terminator)
Virsa Compliance Callibrator is a fantastic tool to solve the SOD conflicts and streamline a steady definition of roles and authorization. This tool will satisfy the section I.E section of the ITGC and there is no chance they can mark you down with any kind of deficiencies. The Virsa Access Enforcer is another tool which will satisfy the I.C controls. The I.B controls can be satisfied by using another tool called Virsa Firefighter which handles exceptional access requests. The Virsa Role Expert is another web based tool. Auditors love to snap your monitors with their tool called (Alt+Prt Sc). So get ready to snap your own monitors and make your printer auditor friendly. The I.A controls involve the following solutions:
- Maintain a policy document that provides security related guidance for your SAP system landscape.
- Make sure every user has his own unique ID and no system accounts exist.
- Make sure the user access to the SAP system is done with the use of profiles defined.
Auditors use a system generated report (No excel sheets involved) to assess the periodic review of user access which will satisfy the I.D controls. So generating reports to satisfy their strict controls can only help you from seeing a deficiency in their Test of Operative Effectiveness.
- I. Access to programs and Data
- The Company has established an information security function that is appropriately aligned within the organization.
- The company has adopted a formalized security policy that provides guidance for information security within the organization and includes within its scope all aspects of the IT environment relevant to financial reporting applications and data (e.g. networks, perimeter security, operation system security, application security, acceptable systems use).
- The organization has established an authentication mechanism for in-scope information systems that provides individual accountability.
- If passwords are used for authentication, the organization should have established rules for password management and syntax.
- The organization has established a rule based authorization mechanism that provides access to system and application resources based on job function.
- An effective mechanism is in place to ensure that access is appropriately modified or revoked when changes in job function through transfer or termination occur.
- Changes to access rights are performed immediately after the user is terminated to minimize the likelihood of system abuse or sabotage.
- Security administration personnel effectively communicate changes to access rights to appropriate management.
- The organization has controls in place to ensure proper management of data access settings (i.e., data file permission)
- The organization performs a periodic review of active users and user access rights to identify and remove inappropriate system access.
- Inappropriate system access is removed.
- Access changes due to the review process are appropriately documented and the documentation is retained.
- Access groups and roles are periodically reviewed to identify inappropriate or incompatible access rights that conflict with segregation of duties (as established in Audit Objective E below).
- Controls are in place to allow for effective translation of business rules into system access rules.
- Example Control Considerations:
- The organization may group compatible system access privileges into roles or profiles to facilitate security administration.
- Controls should ensure that segregation of duties conflicts do not exist for users having access to multiple system profiles or transactions.