#2224775 - 10/30/19 02:48 PM User Access Review vs User Access Audit
leo_bsayer
Platinum Poster
Joined: Aug 2006
Posts: 645
Can someone share their bank's processes for performing user access (or employee access) reviews? In your bank, who performs the reviews? Are the reviews then audited on a sample basis to ensure proper controls are being met? I'm looking for interagency guidance or best practices, too. Thank you.
#2224793 - 10/30/19 04:38 PM Re: User Access Review vs User Access Audit leo_bsayer
osucpa
Diamond Poster
Joined: May 2011
Posts: 1,406
With respect to the core process system, management performs a user access review on an annual basis. IA will then review it for accuracy by testing a sample.
Howdy, the department head is responsible for reviewing the access of their employees, as that's part of the control. IA typically looks at whether it's functioning correctly, such as by reviewing quarterly reports and comparing access to human resource records to ensure accuracy and performance.
Would also sample a privilege group to ensure that it is in line with least access necessary and segregation of duties issues.