
UCIrvine: Delegated Access Control and Periodic Access Review Workflow Problem Statement

As part of a SAS-112 audit by PriceWaterhouseCoopers, UC Irvine needs to create a much tighter process to control access to financial business transactions and to formalize periodic access review. The Internal Audit and Controller roles must validate that a user's request for access to financial data is required by job duty, poses no conflict of interest, and maintains separation of duties, even in an environment where employees wear multiple hats. An enterprise workflow solution with clearly defined roles becomes critical both for streamlining yearly SAS-112 audits and for tracking who granted access to whom, when it was granted, and when that access was last reviewed.

Business Driver:

Delegated access control requires multiple steps and roles, and all activity must go through a well-defined and easily audited process. The process must answer not only who requested initial access, but also why, whether required training was completed successfully, who granted access to what and when, and when access was last reviewed. Our financial transaction access process is complex and involves several systems, including the Employee Training/Learning Management System, General Ledger, Payroll System, Reimbursement System, and Purchasing System. Both modern and legacy systems must be provisioned or de-provisioned as employees separate, and often another workflow is needed to reassign roles as access is revoked. The complete workflow requires several steps:

  1. Anyone on campus can request access to a transaction.
  2. The business data owner must validate that the user's job duties require access to this transaction.
  3. Training or certification requirements must be met.
  4. Where one employee wears multiple hats, Internal Audit may need to grant an exception to separation of duties.

There are multiple systems to which the new user's access may need to be propagated. The user requesting access must also acknowledge that they have read and reviewed all campus policy. Only parts of this entire process are currently automated, and an enterprise workflow would greatly help coordinate and monitor it.
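To make the required audit trail concrete, here is an added example (not UC Irvine's system or any product's code) that models the request workflow above as a small state machine: each step records who acted and when, the separation-of-duties check routes conflicting requests to Internal Audit, and the final grant returns the per-system provisioning actions. The conflicting transaction pair and the state names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: transaction pairs one person must not hold together (SoD).
SOD_CONFLICTS = {frozenset({"create_vendor", "approve_payment"})}

@dataclass
class AccessRequest:
    requester: str
    transaction: str
    justification: str            # the "why" an auditor will ask for
    state: str = "requested"      # step 1: anyone on campus may open a request
    log: list = field(default_factory=list)   # (timestamp, actor, action, outcome)

    def record(self, actor, action, note=""):
        self.log.append((datetime.now(timezone.utc).isoformat(), actor, action, note))

def owner_review(req, owner, job_requires):
    # Step 2: the business data owner confirms job duties need this transaction.
    req.state = "owner_approved" if job_requires else "denied"
    req.record(owner, "owner_review", req.state)
    return req.state

def training_check(req, lms_passed):
    # Step 3: training/certification result as reported by the LMS.
    if req.state != "owner_approved":
        return req.state
    req.state = "training_verified" if lms_passed else "denied"
    req.record("lms", "training_check", req.state)
    return req.state

def sod_check(req, existing_access):
    # Step 4: a conflict with access already held goes to Internal Audit.
    if req.state != "training_verified":
        return req.state
    conflict = any(frozenset({req.transaction, t}) in SOD_CONFLICTS for t in existing_access)
    req.state = "audit_review" if conflict else "ready"
    req.record("system", "sod_check", req.state)
    return req.state

def audit_exception(req, auditor, approved):
    if req.state != "audit_review":
        return req.state
    req.state = "ready" if approved else "denied"
    req.record(auditor, "audit_exception", req.state)
    return req.state

def grant(req, admin, policy_acknowledged, systems):
    # Final step: the delegated administrator provisions every target system.
    if req.state != "ready" or not policy_acknowledged:
        return []
    req.state = "granted"
    req.record(admin, "grant", ",".join(systems))
    return [(s, req.requester, req.transaction) for s in systems]
```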

Why is this a Workflow Problem:

The initial request for access to a system is currently paper based. The form is signed by both the employee and the department head, indicating that the employee needs access to a transaction to perform their job duties. The paper is then sent to a Delegated Access Administrator, who works on behalf of one or more departments, to grant access to this employee. The same occurs when the employee moves to another department and their role changes, or when the employee separates. With large departments, the paperwork becomes a management problem, and because audits require this paper, a lost form could result in serious penalties.

What we would gain:

  1. The access control and review process would be easier to audit.
  2. A more standardized process would reduce training and learning curves.
  3. At any time in the process, we could see who was waiting on access to what function and where the bottleneck was; for example, when a deadline for submitting a federal report is set and that function requires granting access to specific data.
  4. The time it would take to answer auditor questions and provide audit reports would be greatly reduced.
  5. Roles could be changed or reassigned more easily, with fewer people being "hard-wired" to handling access control.
  6. Escalation and vacation backups could be handled better.