
UCIrvine: Delegated Access Control and Periodic Access Review Workflow

Problem Statement:

As part of a SAS-112 audit by PriceWaterhouseCoopers, UC Irvine needs to create a much tighter process to control access to financial business transactions, to formalize periodic access review by data proprietors, and to provide for enforcement by Internal Audit. An enterprise workflow solution with clearly defined roles becomes critical for tracking who requested access, when and why; who approved this access; who last reviewed access and what problems were identified; and who revoked access, when, and why. This effort is also required for streamlining manual, paper-based yearly audit reports that are currently collected from multiple systems.

Business Driver:

Delegated access controls require multiple steps and roles. All activity must go through a well-defined sequence of steps and be easily audited and reported on. It must answer not only who requested initial access, but also why and when; whether required training was successfully passed; who provided access to what and when; and when access was last reviewed. Our financial transaction access process is complex and involves several systems, including the Employee Training/Learning Management System, General Ledger, Payroll System, Reimbursement System, and Purchasing System. Modern and legacy systems must be provisioned or de-provisioned as employees separate, and often another workflow is needed to reassign roles as access is revoked. The complex workflow requires several steps:

  1. Anyone on campus can request access to a transaction.
  2. The business data owner must validate that the user's job duties require access to this transaction.
  3. Training or certification requirements must be met.
  4. Possibly, Internal Audit may need to grant an exception to separation of duties, since one employee may wear multiple hats.

There are multiple systems to which the new user access may need to be propagated. The user requesting access must also acknowledge that they have read and reviewed all campus policy. Only parts of this entire process are currently automated, and an enterprise workflow would greatly help coordinate and monitor this problem.
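To make the sequencing and audit requirements concrete, here is an added example (not code from UC Irvine or any project the page describes) that models the request, data-owner validation, training, Internal Audit separation-of-duties exception, grant and revocation steps as a state machine. Each transition checks that the previous step was completed and appends who, when, what and why to an audit trail; the transaction codes, the separation-of-duties conflict pair and the actor names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed separation-of-duties conflicts (hypothetical transaction codes):
# holding both codes in a pair requires an Internal Audit exception.
SOD_CONFLICTS = {frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"})}


@dataclass
class AccessRequest:
    requester: str
    transaction: str
    justification: str
    existing_access: set = field(default_factory=set)
    state: str = "REQUESTED"
    audit: list = field(default_factory=list)   # (when, who, what, why)

    def __post_init__(self):
        self._log(self.requester, "requested", self.justification)

    def _log(self, actor, action, reason=""):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, reason))

    def _transition(self, allowed, new_state, actor, action, reason=""):
        # Every step checks the previous step was completed, so nobody can
        # skip owner validation, training or the audit exception.
        if self.state not in allowed:
            raise PermissionError(f"cannot '{action}' while in state {self.state}")
        self.state = new_state
        self._log(actor, action, reason)

    def needs_sod_exception(self):
        return any(frozenset({self.transaction, t}) in SOD_CONFLICTS
                   for t in self.existing_access)

    def data_owner_validate(self, owner, reason):
        self._transition({"REQUESTED"}, "OWNER_VALIDATED", owner, "owner_validated", reason)

    def record_training(self, lms, passed):
        new = "TRAINED" if passed else "DENIED"
        self._transition({"OWNER_VALIDATED"}, new, lms, "training_passed" if passed else "training_failed")

    def audit_exception(self, auditor, reason):
        self._transition({"TRAINED"}, "SOD_EXCEPTED", auditor, "sod_exception", reason)

    def grant(self, admin, systems):
        ready = {"SOD_EXCEPTED"} if self.needs_sod_exception() else {"TRAINED", "SOD_EXCEPTED"}
        self._transition(ready, "GRANTED", admin, "granted", "provisioned: " + ", ".join(systems))

    def revoke(self, actor, reason):
        self._transition({"GRANTED"}, "REVOKED", actor, "revoked", reason)
```

The audit list answers the page's questions directly (who requested, who validated, who excepted, who granted, who revoked, and why), and a request that would create a separation-of-duties conflict cannot reach GRANTED without the Internal Audit step.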

Why is this a Workflow Problem:

The initial request for access to a system is currently paper-based. The paper is signed both by the employee and the department head, indicating that the employee needs access to a transaction to perform their job duties. The paper is then sent to a Delegated Access Administrator, who works on behalf of one or more departments, to grant access to this employee. Likewise, the same occurs when the employee moves to another department and their role changes, or when the employee separates. With large departments, the paperwork becomes a management problem, and since audits require this paper, an audit could result in serious penalties if it gets lost.

What we would gain:

  1. The access control and review process would be easier to audit.
  2. A more standardized process would reduce training and learning curves.
  3. At any time in the process, we could see who was waiting on access to what function and where the bottleneck was; for example, when a deadline for submitting a federal report is set and meeting it requires granting access to specific data.
  4. The time it would take to answer auditor questions and provide audit reports would be greatly reduced.
  5. Roles could be changed or reassigned more easily, with fewer people being "hard-wired" to handling access control.
  6. Escalation and vacation backups could be handled better.
  7. The cost of maintaining access in multiple systems would be reduced with a single, workflow-enabled access control system serving multiple business systems scattered across the campus.