In our previous posts, we have talked a lot about “what”. Today we will look at “how”.
How to implement a robust ITGC Change Management process for User Access definitions (Roles and Responsibilities) using a Segregation of Duties and Sensitive Access Solution
After the dust has settled from an ERP implementation, there usually comes a wave of requests to fine-tune the roles and responsibilities that were designed as part of the project. It’s inevitable. Let’s take a look at the major components that need to be in place to ensure that these change requests comply with your Segregation of Duties and Sensitive Access controls framework, thereby reducing the risk of creating new violations before your production release.
The Five Pillars of a Successful SOX Compliant Role and Responsibilities Landscape


ITGC Change Management Policy
An ITGC Change Management Policy guides the planning, execution, and monitoring of changes to an organization’s IT systems, focusing on general controls that affect data integrity, confidentiality, and availability. In this case it specifically addresses changes to user roles and responsibilities, ensuring SOD and SA compliance. Use the following to establish the guiding principles and requirements.

ITGC Change Management Process
An ITGC Change Management Process for User Access Definitions is a structured framework designed to govern the planning, execution, and monitoring of changes related to user access within an organization’s information technology systems. This process focuses specifically on managing alterations to user roles, responsibilities, and access permissions, aiming to ensure security, compliance, and effective access governance.

ITGC Change Management Solution
An ITGC Change Management Software Solution helps keep user access changes in check and ensures SOX compliance. It offers a central hub to plan and document access modifications, making sure they follow internal rules and avoid unauthorized adjustments. The software simplifies approval processes and increases transparency. For SOX compliance, it aids in thorough testing, maintains detailed records, and provides clear audit trails for all user access changes. Software solutions come in all shapes and sizes, and your organization likely already has one in place. Use it!

Design Standards
Develop a Design Standards document that addresses:
- Naming Convention of all attributes of the access
- Global Modeling of the functional access (menu tree)
- No Customization to standard objects
- Assignment of a three-layer risk rating to the access definitions that ties into how user access is provisioned and reviewed according to policy

SOD and SA Solution
THE GOAL: Prevent new changes to user access definitions from creating violations to your SOD and SA ruleset PRIOR to production release.
Having an SOD and SA solution in place is paramount to ensuring that changes to user access definitions are SOX compliant. Here, incorporating it into the ITGC Change Management process requires the following, regardless of the solution your organization chooses.
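As an added illustration of the goal above (not code from the post or from any particular SOD/SA product), the check below evaluates a proposed role change against an SOD ruleset and a sensitive-access list before release, and reports only the violations the change would introduce. The ruleset, the role definitions, the user-to-role assignments and the risk ratings are all constructed sample data.

```python
"""Pre-release SOD / Sensitive Access check for a proposed role change."""

# Constructed SOD ruleset: each rule names two functions one person must not hold together.
SOD_RULES = {
    "SOD-01": ("CREATE_VENDOR", "PAY_VENDOR"),
    "SOD-02": ("ENTER_JOURNAL", "POST_JOURNAL"),
}
# Constructed sensitive-access list with a sample three-layer risk rating.
SENSITIVE = {"POST_JOURNAL": "high", "MAINTAIN_USERS": "critical"}

# Constructed role definitions (role -> functions) as deployed today ...
CURRENT_ROLES = {
    "AP_CLERK": {"CREATE_VENDOR"},
    "AP_PAY": {"PAY_VENDOR"},
    "GL_ENTRY": {"ENTER_JOURNAL"},
}
# ... and as requested by the change ticket (AP_CLERK and GL_ENTRY gain a function each).
PROPOSED_ROLES = {
    "AP_CLERK": {"CREATE_VENDOR", "PAY_VENDOR"},
    "AP_PAY": {"PAY_VENDOR"},
    "GL_ENTRY": {"ENTER_JOURNAL", "POST_JOURNAL"},
}
# Constructed user-to-role assignments; carol already carries an accepted SOD-01 risk.
USER_ROLES = {
    "alice": {"AP_CLERK", "GL_ENTRY"},
    "bob": {"AP_CLERK"},
    "carol": {"AP_CLERK", "AP_PAY"},
}


def effective_functions(roles_def, roles):
    """Union of all functions a user reaches through the roles they hold."""
    return set().union(*(roles_def.get(r, set()) for r in roles))


def violations(roles_def, users):
    """All (user, finding) pairs under a given set of role definitions.
    Checking at user level matters: a role change can create a conflict
    only in combination with the other roles a user already holds."""
    found = set()
    for user, roles in users.items():
        funcs = effective_functions(roles_def, roles)
        for rule_id, (a, b) in SOD_RULES.items():
            if a in funcs and b in funcs:
                found.add((user, rule_id))
        for func in funcs & SENSITIVE.keys():
            found.add((user, f"SA:{func}"))
    return found


def check_change(current_roles, proposed_roles, users):
    """Findings introduced by the change; pre-existing, already-remediated
    risks are not re-raised, so only net-new violations block the release."""
    return sorted(violations(proposed_roles, users) - violations(current_roles, users))
```

An empty result means the change can proceed to the approval step; anything else goes back to the requester with the rule IDs, which is the evidence an auditor will expect to see attached to the ticket.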

Need help? HALEY Consulting and Advisory Services are here to support you every step of the way.