16 Dec 19 Part 4: Simplify and Streamline Your User Access Reviews with Software Automation
If you have been following the previous articles in this series, you will understand what an access review is, why it can be difficult to perform, and how often you should conduct one.
In this article, I discuss how user access reviews can be greatly simplified and streamlined using software automation.
I will also introduce you to our user access review solution for Oracle E-Business Suite, CS*Provisum.
Just gathering all the required information needed for a user access review can be a difficult and time-consuming task.
The access for every user needs to be collated and presented in a way that is easy for reviewers to understand.
This information must then be distributed to each person who will be reviewing access; this could be a handful of people or dozens or even hundreds depending on the type of review being performed and the size of your organization.
With CS*Provisum, the “initiation” process becomes as simple as running a single process. It will gather all the required information and create the “review” in the system (for the reviewers to use later). It will also notify each person involved in the review (via email).
Using CS*Provisum, you can schedule the review initiation process to fully automate this initial step.
So, already we have saved a whole truckload of time and greatly simplified the process of initiating a new user access review.
Conducting a Review
Without any sort of software solution, reviewers will likely be annotating a report or else filling in a spreadsheet or some other form. This is time-consuming, error-prone, and likely lacking in terms of the information being presented to them.
With CS*Provisum, reviewers are presented with exactly what they need with some simple options to allow them to flag any given access as approved or rejected (along with any appropriate comments).
CS*Provisum also gives the reviewer a lot of additional information to help them make the correct decision during the review:
- When the user last accessed the responsibility under review
- What else a given user has access to
- The results of previous reviews
- What access-related risks are present
- The functionality a given responsibility provides
All of this information is at the reviewer’s fingertips, which can help them determine whether access is appropriate or not.
At this stage, we are now saving each reviewer time as well as making the process easier and more effective.
Ongoing management of a review without any sort of software automation can be a major headache.
With CS*Provisum, the Control Owner (the person who is managing the review) has complete control over all aspects of the review: checking on progress, reassigning parts of the review to other reviewers, completing parts of the review on behalf of somebody else, and finalizing the review.
CS*Provisum even sends reminders automatically to reviewers who have not completed the review.
So, we are continuing to save time and simplify the ongoing management of the review process.
Actioning a Review
Beyond the reviewers doing their bit, the Control Owner must then gather up all of the results from each reviewer, and then perhaps reformat the information so that it can be presented to the security administration team, who can action the review once complete (i.e. revoke any rejected access).
With CS*Provisum, this final part of the review process can be fully automated so that it does not need to go back to the Security Administration team.
We are continuing to save time for the Control Owners and we are removing the Security Administration team from the process altogether (which obviously saves them time) as well as simplifying the process of actioning the review once it is complete.
Beyond the Review
Furthermore, CS*Provisum keeps a full history of every aspect of the review; this information can then be presented to auditors after the fact to demonstrate that a full and complete access review is being conducted correctly.
Yet more time is saved and the means by which evidence is presented to auditors is greatly simplified.
Above and Beyond
In addition to conducting normal reviews, CS*Provisum can also automatically initiate “transfer reviews”. A transfer review is performed when a person’s situation changes (i.e. they change jobs). This alone can greatly simplify things as well as save a lot of time and effort.
Using CS*Provisum, you can even conduct multiple, focused reviews at the same time or at different frequencies if needed. For example, alongside your main quarterly review, you might want to conduct additional reviews for specific types of access, such as system administration, access that is in scope for SoX, etc.
Without some sort of software automation, reviews will be time-consuming, error-prone and likely costly, as well as inefficient and possibly ineffective. CS*Provisum solves all of these problems to make the process of conducting a user access review a walk in the park.
Want to know how we can help you streamline and automate your Oracle EBS user access reviews? Get in touch and ask us about CS*Provisum.