IT User Access Reviews – It’s a dirty job but someone has to do it.

Under the umbrella of SOX, we may be required to ensure user access is accurately administered in our network and critical in-scope financial systems. Since that is the case we need to coordinate Quarterly Access Reviews (QAR) to confirm that only active employees and contractors have access to these systems, and that the users associated access is appropriate for their job function.

Consistent with SOX requirements, the results of the QAR review will be signed off by the appropriate Business and IT Owners, to attest that only the employees and contractors approved by the business units have active accounts and authorized access to our environments.

Where do we begin?

Scope – always seems to be a common theme, but is crucial to ensure that we know exactly what to review. The scope for these reviews may be defined differently and may change for each quarter depending if there is a change in applications used, or changes of a corporate nature.

Next we will want to take a look at a few components to get the review off to a good start:

Step 1: Review & Clean-up

The purpose of this step is to review the current state of our environments and identify any areas that we already know need to be cleaned up. After the actual QAR you will identify areas for improvement which you can summarize in a post review document. Key things to determine.


Step 2: Pre-Implementation
A few things you should nail down before you begin the review:

  • What are we going to review – Scope
  • Identify who the business application owners are (if you don’t already know)
  • Determine the source of truth of who the “active users” are
  • Identify who will generate the list of application users and their current roles
  • Put together a training package for all the participants – it is possible that they have not done this before

Step 3: Implement Review Process

The purpose of this step is to conduct the physical reviews of in-scope Applications for the quarter. The “reviewers” (whoever is designated) have been given responsibility to ensure that the Quarterly Review of User Access rights to in-scope SOX systems are scheduled and completed in a timely manner.  The following is a list of tasks that they may be accountable for:

  1. Implementing the schedule which will include the period under review, the start and stop date for the review, list of in-scope systems under audit for the current period, and the associated Business Application Owners.
  2. The “reviewers” will coordinate the following activities:
  3. Obtain a list of Active Employees and Contractors from the source of truth.
  4. Trigger the appropriate Business Application Owners or delegate reviewers to perform the review.
  5. Monitor the progress of the review and follow up as necessary.
  6. Verify that the review has been completed as required including the appropriate signoffs by the Business Application Owners.
  7. Implement any access changes identified as a result of the review in accordance with the IT Change User Process.
  8. Obtain Internal / External audit results and review as part of post-mortem.


Step 4: Elevated Access Review Process

An elevated access review will also be required to determine who has access to what impacted systems from a database level for example. You will need to:

  • Identify the infrastructure which is impacted by the above SOX applications.
  • Extract a list of all elevated accounts and determine who has access to them and when they were last logged on or had the password changed
  • Where applicable remove access to accounts or accounts in their entirety as they applied


Step 5: Results

After the completion of the review, and all subsequent activities have been completed, you will be able to review the results and findings. It will be from this step that you will identify any additional process gaps you were unaware of and may need to correct before the next review. It is at this time you should create a document that outlines the findings and share them with the appropriate stakeholders.

Leave a Reply

Your email address will not be published. Required fields are marked *