Your director just shared the news that your department’s annual IT audit is next week. Details are limited, but you have heard from colleagues that the audit will include access governance. You still have a few days to prepare yourself and get a clean audit. What can you do? Step one: do not panic. A week is plenty of time to get your house in order.
Your next step is to use these eight access governance questions to prepare yourself. Nobody can promise a perfect outcome – auditors are unpredictable after all – but we can save you from making the most common mistakes.
Check Your Access Governance Foundation
- Have you studied your organization’s access governance policies and procedures recently?
Yes, we are going to start with refreshing you on the basics. If your organization has published procedures and policies covering access governance and you are not fluent in the details, you are going to face problems. In reading these documents, keep an eye out for the following items:
- Manager Responsibilities. What are you responsible for as a manager? If you have a centralized access governance department, your responsibilities might be minimal.
- Documentation Requirements. You might normally document your management activities in casual emails. However, your organization’s policies might require you to complete a form when access governance is involved.
- Access Governance Tools. Do you have a centralized access governance tool?
Tip: Some departments, such as finance, might have additional access requirements to manage. Read “How to Improve Access Governance for Finance” for more advice on that issue.
- Have you removed access from former employees?
Finding out that an ex-employee still has access to an important system is a red flag for many auditors. To address this situation, you will need to conduct a “mini audit” of your own. Start by creating a list of any employees who have left your company or department in the past two years. Next, look for any checklists, emails, and other documents that show you have requested to have their access removed. If you cannot find any documentation, assume the change was not completed and start working on it.
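The “mini audit” above comes down to a reconciliation: take the HR list of leavers, compare it with an export of accounts from each system, and check each leaver against the removal requests you can actually find. The script below is an added example, not code from the original post or from Avatier; the leaver list, account export and ticket numbers are constructed sample data, and the two-year window follows the post’s advice. It flags three conditions: a leaver who still has an active account and no request on file, a leaver whose removal was requested but never completed, and a leaver whose accounts are disabled but for whom no evidence exists (which the post says to treat as not done).

```python
"""Reconcile an HR leaver list against an access export and the removal
requests on file. Added example with constructed data; not from the original post."""
from datetime import date, timedelta

LOOKBACK_DAYS = 2 * 365  # the post's "past two years" review window

# Constructed HR leaver list: user id and last working day.
LEAVERS = [
    {"user": "asmith", "last_day": date(2023, 3, 31)},
    {"user": "bjones", "last_day": date(2024, 1, 15)},
    {"user": "cwong", "last_day": date(2021, 11, 30)},  # outside the window
    {"user": "dlee", "last_day": date(2023, 9, 8)},
    {"user": "fgray", "last_day": date(2023, 12, 1)},
]

# Constructed account export from each system: (system, user, status).
ACCOUNTS = [
    ("erp", "asmith", "disabled"),
    ("crm", "asmith", "disabled"),
    ("erp", "bjones", "active"),
    ("vpn", "bjones", "active"),
    ("erp", "cwong", "disabled"),
    ("crm", "dlee", "disabled"),
    ("vpn", "dlee", "active"),
    ("crm", "fgray", "disabled"),
    ("erp", "efoo", "active"),  # current employee, not a leaver
]

# Constructed evidence: access-removal tickets located in mail/helpdesk archives.
REMOVAL_REQUESTS = {"asmith": "HELPDESK-1042", "dlee": "HELPDESK-1187"}


def reconcile_leavers(leavers, accounts, removal_requests, today,
                      lookback_days=LOOKBACK_DAYS):
    """Return one finding per leaver whose access is still active or whose
    removal cannot be evidenced. A leaver whose accounts are all disabled
    and who has a ticket on file produces no finding."""
    cutoff = today - timedelta(days=lookback_days)

    # Index the systems on which each user still holds an active account.
    active_systems = {}
    for system, user, status in accounts:
        if status == "active":
            active_systems.setdefault(user, []).append(system)

    findings = []
    for leaver in leavers:
        if leaver["last_day"] < cutoff:
            continue  # left before the review window; out of scope
        user = leaver["user"]
        systems = sorted(active_systems.get(user, []))
        ticket = removal_requests.get(user)
        if systems and ticket:
            issue = f"removal requested in {ticket} but account still active"
        elif systems:
            issue = "no removal request on file and account still active"
        elif ticket is None:
            # The post's rule: no documentation means assume it was not done.
            issue = "no removal request on file; record evidence or re-request"
        else:
            continue  # disabled everywhere and documented: clean
        findings.append({
            "user": user,
            "last_day": leaver["last_day"].isoformat(),
            "systems": systems,
            "issue": issue,
        })
    return findings


def run_review(today=date(2024, 6, 1)):
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile_leavers(LEAVERS, ACCOUNTS, REMOVAL_REQUESTS, today)


if __name__ == "__main__":
    for f in run_review():
        active = ", ".join(f["systems"]) or "-"
        print(f"{f['user']:8} left {f['last_day']}  active on: {active:10} -> {f['issue']}")
```

In practice the three inputs come from HR, from each system owner’s account export, and from your helpdesk or mailbox search; the output is the list you hand to IT before the auditor asks for it, and the rows with a ticket number are the evidence you keep.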
- Do you have any outstanding access or security audit findings?
Whether you are dealing with external or internal auditors, both of them have long memories. If your department had audit findings last year, expect that auditors will follow up with you. To address this issue, search through your files and email archives for the previous audit report. Once you find it, write yourself a short report – a one-page document will be enough in most cases – on how you have responded to each item.
Tip: What if you have not addressed every audit finding from last year? If you can demonstrate that you have a plan and have made progress in addressing the issue, those facts will stand in your favor.
- Are you managing access for consultants and contractors?
Does your department regularly use outside experts, consultants, and other non-employees? If so, those individuals were likely granted access to company systems to do their work. It is your responsibility as a manager to govern that access. You might need additional access controls in highly sensitive situations, such as working with investment bankers and external auditors.
Optimizing Your Access Governance Framework
Now that you have a handle on some of the access governance basics, let’s turn to how you can optimize your practices even further.
- Do you provide employee training on access governance?
Unless you reinforce the importance of access management as a manager, your employees might not appreciate how important it is. We recommend adding access governance as a topic at your team meetings three or four times per year. Your mission is simple: reinforce the company’s overall access policy, explain what you will check, and invite employees to reach out to you if they have questions.
- Are you addressing access governance in current and upcoming projects?
IT projects are a fun break from the usual routine at the office. You have the chance to innovate and bring something original to the marketplace. Unfortunately, in the scramble to meet project deadlines, your team might forget to take care of certain controls, such as access governance. To address this risk exposure, review the projects your team is currently working on and those completed in the past 12 months. Ask yourself if you have followed company policy on those projects. In particular, make sure you have terminated access to inactive systems and completed projects.
To be fair, we realize that some managers are unfamiliar with the intricacies of access governance. There’s no need to become an access expert at this stage. To guide your team, we recommend leveraging existing company resources (access governance procedures). For the best results, you might even invite a guest speaker from the IT security department to give a short presentation to your staff.
- Have you encouraged the use of multi-factor authentication?
Does your staff have direct access to the company’s financial books? Or live customer data? In those cases, it makes sense to look for ways to enhance access controls further. Our suggestion is to use multi-factor authentication. With this approach, employees authenticate with a password plus a second factor, such as a code from an app on their phone. It’s an emerging risk management technique that is becoming more popular every day.
Curious to learn which other companies are already using multi-factor authentication? The list includes Amazon, Microsoft, and Apple.
- What suggestions can you make to improve access governance?
From time to time, internal auditors will ask for improvement ideas when they interview managers. Why do they do this? It is a way for them to gauge whether or not you are thinking critically about access governance and risk issues. Don’t worry; we have you covered! Suggest looking into an access governance system, such as Avatier’s Compliance Auditor. It helps staff become more productive and manages all the documents that auditors require.