authorization review ebook
8/12/2019 Authorization Review eBook
A Publication of Xpandion
AUTHORIZATION REVIEW
A GUIDE TO CONDUCTING A SUCCESSFUL AUTHORIZATION REVIEW*
* Also called Access Review or the Authorization Inspection process.
Overview
ALL-IN-ONE AUTHORIZATION REVIEW SOFTWARE... brings your whole process
together in one, powerful system
Significantly lower overhead costs
Easily manage process via web browser
Please auditors with well-documented and controlled processes
Reach accurate decisions based on actual authorization usage
No need for ERP expertise
WRITTEN BY MOSHE PANZER
Moshe Panzer has over 15 years' experience as a recognized ERP expert. Mr. Panzer has
worked as a senior ERP consultant, project advisor and project leader for large private
corporations worldwide and as development, conversions and interface manager for the
Israel Ministry of Finance.
Mr. Panzer has developed and managed large scale software integration, interfacing and
architecture, and has played pivotal roles in more than 50 complex ERP implementations in
Israel, Europe, and the US. He led the development of the largest ERP implementation in
Israel, led by the Ministry of Finance and thought to be the largest IT project in Israel. Mr.
Panzer was regional director, responsible for Microsoft-SAP solutions connectivity, and
personally developed a connector for MS-SAP. Over the years, ERP, as well as other major
companies in Israel and Europe, have called upon him to lead dozens of courses in ERP
management systems.
His technological vision is the driving force behind Xpandion's product development. In
addition to his technological expertise, he has founded and run three successful software
companies.
Mr. Panzer has a B.Sc. in Information Systems Engineering from the Technion, and a
Master's degree in Information Systems (MSIT) from Clark University. He is also on the
Board of Directors of Enshav, a non-profit organization for the safe use of the internet.
FOLLOW ME ON TWITTER.
@moshepanzer
TABLE OF CONTENTS
1. INTRODUCTION
2. TERMS AND DEFINITIONS
3. RELATED PROCESSES
4. INDIVIDUAL AUTHORIZATION REVIEW
5. MANUAL VS. AUTOMATED
6. LOCAL VS. CLOUD
7. AUTOMATED TOOL: KEY FEATURES
8. 6 IMPORTANT TIPS FROM THE FIELD
9. CONCLUSION
CHAPTER ONE
INTRODUCTION
WHAT AN AUTHORIZATION REVIEW IS, AND WHY YOU NEED IT
Why should I be performing authorization reviews?
The process of reviewing authorizations enables enterprises to
verify that authorizations granted to employees are still valid. The
process entails that a manager must go through each authorization
allocated to each of his/her employees, and decide whether to
remove or keep it. In some cases, the authorization review process
ends after a single manager's approval. In other cases, additional
approval steps from senior management are required. At the end of
the process, a list is produced of all the employees whose
authorizations were not approved and will need to be removed.
The authorization review process is required by SOX and
equivalent regulations, so companies need to review their
authorizations at least once a year. Many organizations perform
these reviews twice a year or even quarterly, depending on legal
obligations and the requirements of the company's auditors.
Authorization Review is also often called Access Review or the
Authorization Inspection process.
Only after achieving a complete view of all authorizations can organizations remove
unused ones.
THE IMPORTANCE OF THE AUTHORIZATION REVIEW PROCESS
The importance of the authorization review process is not only
related to financial regulations like SOX. In addition to being a
regulatory obligation, a periodic review of authorizations ensures that
employees are holding authorizations for justifiable reasons. Over
time, a full overview of employee authorizations is achieved via a
comprehensive list detailing all of the authorizations, the usage
pattern per each authorization, and the name of the manager that
approved the authorizations.
After achieving a complete view of authorizations, organizations can:
Remove unused authorizations.
Identify usage of sensitive authorizations.
Investigate irregular behavior.
Comply with SOX regulations.
This eBook will detail how to conduct a sound authorization review
and why using an automated tool is highly recommended.
Sources
This document is based on extensive hands-on experience with
authorization-related processes by Xpandion, selected CISOs, risk
managers from leading companies, and various external and internal
auditors, all in the hopes of helping improve how companies conduct their
authorization review processes.
CHAPTER TWO
SIGNIFICANT TERMS & DEFINITIONS
TERMS & DEFINITIONS
Term: User/User Account
Description: The employee's account in a specific system. For example,
JOHN_S in the SAP ERP system, or account [email protected] in the
Active Directory system.
Term: Employee
Description: The term in information systems for the logical entity that
represents the human employee. An employee can have a number of user
accounts in a number of different systems. For example, the employee
John Smith has a user account JOHN_S in the SAP ERP system and the
user account JOHN_SM in the CRM system.
Term: Organization's Auditor
Description: External or internal auditors. In general, the requirement
for conducting an authorization review process and its related follow-up
actions comes from the organization's auditor. Therefore, this document
refers to both types of auditors interchangeably.
Term: Provisioning
Description: Performing an actual change in authorizations via an
automated method for adding or removing authorizations.
CHAPTER THREE
RELATED PROCESSES
RELATED PROCESSES
How do they relate to my workflow processes?
In general, the authorization review process is one of four
significant authorization-related workflow processes:
1. Authorization Review: the process discussed in this document.
2. Authorization Request: the process in which an employee
requests additional permanent authorizations to answer a specific
long-term business need, or a temporary authorization due to
organizational needs such as replacing someone on vacation. The
process begins with an employee requesting an authorization to a
certain system and ends with either granting the authorization or
rejecting the request.
For information about authorization request, see
http://www.xpandion.com/Security-Authorizations/authorization-request.html
3. New Employee/Account Creation: the process of creating a new
record in the HR system for a new employee, then creating
usernames in the relevant systems and allocating the required
authorizations according to organizational needs for the purpose of
commencing work. In most organizations, creating new accounts for
an employee is performed by copying an existing employee's
account, which can result in also replicating many unnecessary
authorizations.
4. Closing Employees' User Accounts: the process of closing all
user accounts in the event an employee leaves the organization.
The term "closing" changes from system to system according to a
company's standards for saving data. Some user accounts are
erased, some are only locked, and others receive an expiration
date earlier than the current date. The trigger for this process is
an event of an employee leaving or prior notice from the HR
department.
Emergency Access
The emergency access process interfaces with the four previous
processes and deals with an immediate need to perform irregular
entry into the production environment. SOX regulations require
enterprises to do this only by enabling privileged and timely
access into the production systems.
Emergency access comes in answer to a situation where an
employee who is not supposed to access the production
environment needs access for a limited amount of time and for a
specific ad hoc reason (for example, to inspect a bug or train an
end-user for a specific purpose). Rather than allowing IT users to
freely log into the production system (creating unnecessary user
accounts and the possibility for security breaches), it is
recommended to implement an emergency access process.
Emergency Access Process Flow
1. Employee opens a request for immediate, privileged access
and provides a reason for this request.
2. Supervisor grants defined, privileged access or additional
authorizations to the user account.
3. Employee logs into the production system and performs the
required task.
4. The account is automatically locked when the defined time for
the privileged access is over.
5. A detailed report on all activities performed in the production
environment is sent to the supervisor for approval/inspection.
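The five steps above as a small Python model, added here as an example and not code from the eBook or Xpandion's product; the class and method names and the injected clock are assumptions made for illustration, and the model refuses self-approval and open-ended grants, records activity only inside the granted window, locks the grant automatically when it expires, and produces the report for the supervisor.

```python
"""Model of the five-step emergency access flow above.
Added example, not code from the eBook or Xpandion's product: class and
method names are assumed, and the clock is injected so the time-out can
be exercised offline."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


class FakeClock:
    # Constructed clock for the demo; a real deployment uses datetime.now.
    def __init__(self, start: datetime = datetime(2019, 8, 12, 9, 0)):
        self.t = start

    def __call__(self) -> datetime:
        return self.t

    def advance(self, hours: float) -> None:
        self.t += timedelta(hours=hours)


@dataclass
class EmergencyRequest:
    request_id: int
    employee: str                     # the person, not a per-system account
    system: str                       # the production system to be entered
    reason: str                       # step 1: a business reason is mandatory
    privileges: List[str] = field(default_factory=list)
    granted_by: Optional[str] = None
    expires_at: Optional[datetime] = None
    locked: bool = False
    activity: List[str] = field(default_factory=list)


class EmergencyAccessBroker:
    def __init__(self, now: Callable[[], datetime]):
        self._now = now
        self._requests: Dict[int, EmergencyRequest] = {}
        self._next_id = 1

    # Step 1: the employee opens a request and must state a reason.
    def open_request(self, employee: str, system: str, reason: str) -> int:
        if not reason.strip():
            raise ValueError("a reason is required for emergency access")
        req = EmergencyRequest(self._next_id, employee, system, reason)
        self._requests[req.request_id] = req
        self._next_id += 1
        return req.request_id

    # Step 2: supervisor grants defined privileges for a bounded window only.
    def grant(self, request_id: int, supervisor: str,
              privileges: List[str], duration_hours: float) -> None:
        req = self._requests[request_id]
        if duration_hours <= 0:
            raise ValueError("emergency access must be time-boxed")
        if supervisor == req.employee:
            raise ValueError("an employee cannot approve their own request")
        req.granted_by = supervisor
        req.privileges = list(privileges)
        req.expires_at = self._now() + timedelta(hours=duration_hours)

    def is_active(self, request_id: int) -> bool:
        req = self._requests[request_id]
        return (req.expires_at is not None and not req.locked
                and self._now() < req.expires_at)

    # Step 3: actions in production are recorded against the request; nothing
    # is accepted outside the granted window.
    def record_activity(self, request_id: int, action: str) -> None:
        if not self.is_active(request_id):
            raise PermissionError("no active emergency access for this request")
        self._requests[request_id].activity.append(
            f"{self._now().isoformat()} {action}")

    # Step 4: run by a scheduler; locks every grant whose time is over.
    def expire_due(self) -> List[int]:
        locked = []
        for req in self._requests.values():
            if (req.expires_at is not None and not req.locked
                    and self._now() >= req.expires_at):
                req.locked = True
                locked.append(req.request_id)
        return locked

    # Step 5: the report the supervisor receives for approval/inspection.
    def report(self, request_id: int) -> dict:
        req = self._requests[request_id]
        return {"employee": req.employee, "system": req.system,
                "reason": req.reason, "granted_by": req.granted_by,
                "privileges": list(req.privileges), "locked": req.locked,
                "activities": list(req.activity)}


def run_demo() -> dict:
    # Walk the five steps with constructed data and return the final report.
    clock = FakeClock()
    broker = EmergencyAccessBroker(clock)
    rid = broker.open_request("John Smith", "SAP ERP production",
                              "inspect a bug in invoice posting")
    broker.grant(rid, "Jane Doe", ["DEBUG_DISPLAY"], duration_hours=2)
    broker.record_activity(rid, "displayed a constructed invoice document")
    clock.advance(3)      # the two-hour window has elapsed
    broker.expire_due()   # step 4: automatic lock
    return broker.report(rid)
```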
THE AUTHORIZATION REVIEW CONNECTION
[Figure: "Authorization Review by Employee" at the center, linked to four
related processes: departure of employee and closing all usernames in all
systems; authorization request across all systems; emergency access to a
specific system; opening new employee and user accounts in all systems.]
Authorization review related processes. Some processes occur
across all systems and some per a specific system.
CHAPTER FOUR
INDIVIDUAL AUTHORIZATION REVIEW
INDIVIDUAL AUTHORIZATION REVIEW
Why perform authorization reviews for an individual?
In many companies an authorization review is performed
immediately after an employee changes positions. This is
because when an employee switches positions, the organization
must verify that all authorizations from the previous position are
still relevant for the new position. If not, changes must be made
immediately to the current authorizations in order to adjust them
to the responsibilities of the new position. Other organizations
adopt a stricter approach, removing all authorizations first and
only then allocating the required authorizations, as if they are
dealing with a new employee.
Removing all authorizations can interfere with ongoing business
processes, even if an employee does not protest.
While the latter method makes sense, it may disturb the employee's
and/or company's proper and functional performance, as many
employees receive authorizations outside their formal position,
such as access to personal network folders and the ability to
execute special queries. An individual authorization review that is
performed automatically after an employee switches positions is
strongly recommended. Such a process prevents unpleasant
surprises that tend to occur during a periodic authorization review.
CHAPTER FIVE
AUTHORIZATION REVIEW PROCESS: MANUAL VS. AUTOMATED
MANUAL VS. AUTOMATED
Which way should I go?
Choosing between a manual or automated authorization review
process depends on the amount of available resources and
the complexity of the project. The more systems an organization
has, the more complicated the authorization review process can
be, and the more resources are needed. Therefore, in such a
case, an automated process adds great value to a company,
saving time and unnecessary hassle.
Similarly, if an auditor demands complex requirements for the
review process (such as exact documentation for each step, the
reason behind each authorization, second approval by senior
level management, etc.) an automated tool becomes a must. In
addition to the great savings in time and resources, authorization-
related information is more up to date and can be documented
easily, which pleases auditors and management alike.
Furthermore, an automated tool allows for the process to be
repeated easily (based on previous reviews) without requiring
additional resources and without depending on the organization's
experts.
Rule of thumb: organizations with more than one system and
500+ employees should unquestionably favor an automated tool
for reviewing authorizations.
Many small organizations with just one system also prefer using
an automated tool in order to be prepared at all times for any
changes or new requirements. Changes can include a new
auditor, a new organizational structure, a request to view records
from a previous process, etc. Small companies also see the value
in an automated tool for improving the quality of the process and
for obtaining accurate cross-organizational information so they
can perform the review in the most professional way.
A screenshot from ProfileTailor Dynamics depicting an overview of the
process by department.
From a departmental point of view, an automated tool enables the
process owner and the auditor to know the exact status of the
review by business units or business processes at any given
moment. The process owners can be in control and easily see
different views: how many authorizations need to be reviewed,
how many authorizations have already been reviewed by second-
level management, and how many authorizations have not yet
been reviewed. With an automated tool, departments are able
to control the entire process, provide clear reports to
management and reach accurate decisions.
Majority advice: Our findings are that most CISOs recommend
conducting authorization review processes using an automated
tool, like ProfileTailor Dynamics.
CHAPTER SIX
AUTHORIZATION REVIEW TOOL: INSTALLED LOCALLY VS. CLOUD
INSTALLED LOCALLY VS. CLOUD
What's the best platform for me?
In general, Cloud-based applications usually do not involve a
continuous connection between the organization's internal
systems and the Cloud; rather they require loading occasional
data to the Cloud. For example, a CRM system in the Cloud, like
Salesforce.com, means, in most cases, that employees work only
in the Cloud and do not use data from internal systems inside the
organization. Therefore, there is usually no need for a continuous
connection between Cloud applications and the organizational
network.
Surprisingly or not, due to the many services available in the
Cloud, more and more organizations are reviewing their
employees' authorizations of the internal systems using the
Cloud. The data is obtained from the internal network (either
automatically or manually) and then transferred to the Cloud.
Emails are sent to managers via a server in the Cloud, and
managers work on web pages that are located in the Cloud and
not inside the organization.
The main advantage of performing an authorization review
process using the Cloud is the fact that no hardware is needed.
When servers are not installed in an organization, there is no
installation cost, no need for ongoing maintenance, nor for
determining password policies, nor for technicians if something
goes wrong. In addition, working in the Cloud allows
organizations to allocate resources exactly as needed. The Cloud
entails payment only for the exact amount of time required to
complete the process and saves upholding hardware costs after
the review ends.
What about the data itself? The most common belief is that data
is not totally secure in the Cloud. However, even if we ignore the
robust security methods of the Cloud (like SSL access, security
reviews, penetration tests, etc.), most Information Security
Managers will agree that exposing data required for the
authorization review process, such as usernames and roles,
cannot be compared to the larger risk of exposing business-
related information. Not that exposing usernames and
authorizations should be taken lightly, but in most cases the risk is
small compared to the potential benefit.
In the end, in regards to authorization review, the choice between
on-premises installation or Cloud is mainly based on the
organization's policy and its approach to innovation. The more
traditional organizations, such as banks and insurance
companies, are expected to choose classic installation. The more
innovative companies, especially companies that already use the
Cloud for other services, may consider conducting an
authorization review process using the Cloud.
*** Xpandion supports both on-premises and in-Cloud
authorization review. For more information, see
http://xpandion.com/Security-Authorizations/authorization-review.html
CHAPTER SEVEN
AUTOMATED AUTHORIZATION REVIEW TOOL: KEY FEATURES
AUTOMATED AUTHORIZATION REVIEW TOOL: KEY FEATURES
What should I be looking for in an automated tool?
An effective automated authorization review tool includes, at the
very least, the following features and abilities:
1. Review options
The tool must be able to support the following review options:
Review of all basic activities allocated to an employee, such
as opening supplier accounts, updating records, etc.
Only reviewing sensitive authorizations, per employee (for
immediate and rapid review).
Only reviewing specific activities such as financial activities,
per employee.
Reviewing authorization groups (roles) allocated to
employees. If there is a need for a quick review, some objects
can be removed (but this will result in a less thorough review).
Only reviewing some employees, a specific user group,
department, etc.
Reviewing only changes in authorization allocation that
occurred since the last successful review.
Advanced Reviews:
Reviewing business objects as authorizations to
warehouse, to company codes, etc.
Reviewing activities that haven't been used.
Reviewing authorizations according to position.
Reviewing authorizations resulting from an
organizational change.
2. Requirements from a process point of view
Support the ability to retrieve authorization data and
maintain a centralized database for employees in operational
systems.
Obtain the HR system's organizational structure and upload
it to the main system.
Email managers with a link to their employees' authorization
review.
Allow managers to highlight the authorizations they want to
cancel and keep, according to the following options:
o Approve/reject authorizations per user.
o Approve all authorizations in a department with just one click.
o Reject some authorizations and approve the rest.
o Approve some authorizations and reject the rest.
Continuousness of Review. Permit managers to review
some authorizations, shut down their computers, and return
later to complete the review of only the authorizations that are
still open.
Requests to Cancel. Allow those authorizations marked as
canceled to be sent to a special database where they can be
handled by the person responsible for the relevant system.
A note from the editor: These recommended features were
collected from numerous RFQ documents over the last few years.
ProfileTailor Dynamics supports all of these requirements and
more.
Data owners must have the ability to review
authorizations. This means that the key financial user
reviews all financial authorizations, the asset expert reviews
all authorizations related to asset accounting, etc. Note: Even
if this option is not relevant to your current review
requirements, it is important to ensure that the tool supports it
in order to allow future modifications based on current reviews
and changes in the auditor's direction.
Quickly obtain authorization data from the various
systems. In many organizations this is done manually and
repeatedly for each and every system! By the time the data is
fetched from the last system, time has elapsed and the
information from the first system is no longer 100% accurate.
Therefore the tool must be able to repeat the process quickly,
and to recover in case of a technical malfunction.
Upload user and authorization data from Excel. This
feature is needed for systems that do not support direct
connectivity or if connecting to them is complicated. It is very
frustrating to discover in the middle of the process that there is
a legacy system for which the auditor demands a full review,
yet there is no easy option to upload the data from it to the
main system.
Current status of the review. It is critical to be able to
understand the status of the review at a glance: how many
authorizations needed review, how many authorizations have
been reviewed and how many authorizations still need to be
reviewed? The status should be divided into different views for
departments, managers, user groups, etc. Sage advice: The
report should be understood not only by system technicians
but also by business managers.
Thorough documentation of the whole process for later
access. The entire process, each approval, rejection, change
in definitions, and every ticket for cancelling authorizations
must be easily accessible after the review, even after a long
period of time. Many times, during an audit or investigation, the
question "Who asked to remove this authorization, and why?"
arises, and the answer must be easy to find.
3. Requirements from a business performance point of view
Review employees, not users. Managers tend to have a
limited amount of time for audit-related tasks and therefore
need to be able to review an employee's authorizations in all
systems with one view. This is vital for satisfying managers
and for getting a quick response from them. In other words, it
should be possible to review each employee only once for all
of his/her authorizations.
Resend a reminder or the full request again to managers
that did not perform or complete it. Many managers tend to
take the review seriously only after receiving a reminder (or a
couple of them).
Support Cancellation Tickets. Cancellation requests need
to be documented in relevant tickets, one ticket per each
cancellation request. These tickets can be handled later by the
Helpdesk or relevant authorizations manager. In many cases,
the auditor needs to see the full flow of the cancellation
request, so supplying cancellation requests by tickets is a
rather good solution.
An effective automated tool enables sending a reminder email to
managers that did not perform the review according to the defined
timeframe.
Provisioning. For certain systems in an organization, such as
the main systems, provisioning is strongly recommended for
changing authorizations automatically and documenting the
actions in the appropriate ticket. This ensures that no one will
make manual mistakes during the tedious process of removing
authorizations, and also increases the level of security.
Multi-language user interface support. It is proven that
responsiveness to the authorization review process is
significantly higher when the user interface is in the manager's
native language.
Simple and clear language. The language of the user
interface needs to be understandable by business managers
so they can make educated and accurate decisions. Role
names like ZLO_NOCHANGE provide little or no information to
non-technical people, so managers may inadvertently sign
authorization reviews without really knowing if the
authorizations are required, which causes a "rubber stamp"
situation. Instead of unclear names, use role descriptions that
have a meaning, like "Logistic authorizations: reports only, no
change options."
Employee details. Employee details like names and positions
must be displayed clearly because managers usually refer to
employees by personal information and not to user accounts.
Automatically indicate sensitive authorizations in the full
authorization list. This is critical, because when managers
can visually identify sensitive authorizations, they can focus on
them quickly and make smarter decisions. For example,
opening an account entry can be defined as a risky action
that should be highlighted clearly in the manager's review
page.
Display last usage for each authorization. If the system
being reviewed includes usage records, the review needs to
provide information regarding the last time the authorization
was actually used. Managers find it easier to remove an
authorization from an employee when they see that the last
time it was used was over a year ago, as opposed to one that
is being used frequently.
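The employee-centric view that "Review employees, not users", the sensitive-authorization highlighting and the last-usage display call for, as an added Python example that is not code from the eBook or ProfileTailor Dynamics; the account map, roles, dates and function names are constructed, and the block also covers the "changes since the last review" option and the status-at-a-glance counts from the process requirements, including an account that maps to no employee.

```python
"""Employee-centric review view. Added example, not code from the eBook or
ProfileTailor Dynamics; the accounts, roles, dates and function names are
constructed for illustration."""
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

REVIEW_DATE = date(2019, 8, 12)   # constructed date of the current review
STALE_DAYS = 365                   # unused for a year or more counts as stale

# Constructed map of (system, account) -> employee: one person holds accounts
# in several systems, and one CRM account has no employee record at all.
ACCOUNT_OWNER: Dict[Tuple[str, str], str] = {
    ("SAP ERP", "JOHN_S"): "John Smith",
    ("CRM", "JOHN_SM"): "John Smith",
    ("SAP ERP", "ANNA_K"): "Anna Klein",
}

# Constructed assignments: (system, account, role, description, last used)
ASSIGNMENTS: List[Tuple[str, str, str, str, Optional[date]]] = [
    ("SAP ERP", "JOHN_S", "ZLO_NOCHANGE",
     "Logistic authorizations: reports only, no change options", date(2019, 7, 30)),
    ("SAP ERP", "JOHN_S", "ZFI_VENDOR_CREATE",
     "Finance: open supplier accounts", date(2018, 5, 2)),
    ("CRM", "JOHN_SM", "CRM_SALES_READ", "CRM: read sales records", None),
    ("SAP ERP", "ANNA_K", "ZFI_VENDOR_CREATE",
     "Finance: open supplier accounts", date(2019, 8, 1)),
    ("CRM", "OLD_TEMP", "CRM_ADMIN", "CRM: administration", None),
]

SENSITIVE_ROLES: Set[str] = {"ZFI_VENDOR_CREATE", "CRM_ADMIN"}

# What the previous review approved, keyed by (employee, system, role).
PREVIOUS_REVIEW: Set[Tuple[str, str, str]] = {
    ("John Smith", "SAP ERP", "ZLO_NOCHANGE"),
    ("Anna Klein", "SAP ERP", "ZFI_VENDOR_CREATE"),
}


def build_review(assignments, account_owner, sensitive, previous, today,
                 stale_days=STALE_DAYS) -> Dict[str, List[dict]]:
    """Group every authorization by employee (not by account) and annotate it."""
    review: Dict[str, List[dict]] = {}
    for system, account, role, desc, last_used in assignments:
        employee = account_owner.get((system, account))
        if employee is None:
            # Orphan account: no employee to send it to, so it is listed under
            # a marker name for the system's data owner to handle.
            employee = f"<unmapped {system}:{account}>"
        idle = None if last_used is None else (today - last_used).days
        review.setdefault(employee, []).append({
            "system": system, "account": account, "role": role,
            "description": desc,
            "sensitive": role in sensitive,
            "last_used": "never" if last_used is None else last_used.isoformat(),
            "stale": idle is None or idle >= stale_days,
            "new_since_last_review": (employee, system, role) not in previous,
        })
    return review


def sensitive_only(review):
    """Filtered view for the rapid 'sensitive authorizations only' review."""
    return {e: [r for r in rows if r["sensitive"]]
            for e, rows in review.items() if any(r["sensitive"] for r in rows)}


def changes_since_last_review(review, previous):
    """Delta view: only what was added or removed since the last review."""
    current = {(e, r["system"], r["role"]) for e, rows in review.items() for r in rows}
    return {"added": sorted(current - previous), "removed": sorted(previous - current)}


def status_summary(review):
    """The at-a-glance counts the process owner asks for."""
    rows = [r for rows in review.values() for r in rows]
    return {"employees": len(review), "authorizations": len(rows),
            "sensitive": sum(r["sensitive"] for r in rows),
            "stale": sum(r["stale"] for r in rows),
            "new": sum(r["new_since_last_review"] for r in rows)}


def run_demo():
    review = build_review(ASSIGNMENTS, ACCOUNT_OWNER, SENSITIVE_ROLES,
                          PREVIOUS_REVIEW, REVIEW_DATE)
    return (review, sensitive_only(review),
            changes_since_last_review(review, PREVIOUS_REVIEW),
            status_summary(review))
```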
It's always better to have an expert's advice. Contact us about
your situation now: http://go.xpandion.com/aradvice
AUTOMATED
AUTHORIZATION REVIEW
TOOL: KEY FEATURES4. Additional RequirementsThe tool should also support the following important capabilities:
Delegation option. One manager can transfer the review to
another manager, as in the case when an employee does not
work directly under this manager. In addition, delegation
should be permitted for certain authorizations if there is more
than one appropriate manager to approve them.
Saving the data to a file. The output can be saved to external
files, such as saving audit reports to Excel and user forms to
Word or PDF. Managers and many other users require saving
capabilities, usually for backup purposes, and the tool
should enable this action. The output must be able to be saved
in a clean, graphical style to guarantee user satisfaction.
ProfileTailor Dynamics provides simple overviews of the
status of all authorizations.
CHAPTER EIGHT
6 IMPORTANT TIPS FROM THE FIELD
I need the inside information.
The following useful suggestions come straight from customers
and consultants that implemented an automated authorization
review process in their organizations:
Tip #1: Prepare enough time in advance.
The average time for the first implementation is between two
weeks and three months, depending on the number of systems, the
readiness of the databases and the organizational culture.
Therefore, it is recommended to be prepared ahead of time,
especially if additional resources need to be included.
Tip #2: Get top management support.
It is essential that senior managers like the CEO and CFO
support this process. Involving senior management and sending
them status reports ensures that the review will end on time and
successfully.
Tip #3: Involve the auditor.
At the end of the day, the auditor is the real customer in this
process. It is recommended to involve them along the way to get
professional guidance and to increase their level of satisfaction
and confidence in the process. It is also a good idea for the
auditor to appoint a representative to participate in regular status
meetings, while the auditor him/herself should be present in the
company's executive meetings.
Tip #4: Prepare proper infrastructure.
To avoid issues that might slow down the implementation process,
and to maintain an atmosphere of success, it is important to
prepare proper infrastructure. The infrastructure may include the
required hardware, additional software programs (such as
Microsoft Office in certain situations, graphical elements, etc.),
preliminary installations (database, Windows), and allocation of
authorizations to the different systems.
A delay in any of the above will postpone the implementation, and
the auditor might disqualify the authorization review for that
period. Preparing the proper infrastructure shortens
implementation time, improves the level of satisfaction and
enables the review to begin as scheduled.
Tip #5: Hold regular status meetings.
During the implementation process, from the beginning until
the end of the review, it's a good idea to hold meetings about the
progress. In the meetings, determine the timetable and remaining
tasks. This way, enough time is left dedicated to the authorization
review and for implementing any changes in authorizations
accordingly.
Tip #6: Train the reviewers.
Hold a central training meeting in the organization for all
managers who are supposed to use the authorization review tool.
The meeting should be run by the person in charge of the tool
(ideally, an internal employee), with the goal of increasing the
managers' confidence in the process. Professional training equals
high satisfaction and fast authorization reviews.
CHAPTER NINE
CONCLUSION
CONCLUSION
Now let's run with it!
By following the requirements, advice and guidelines in this
eBook, enterprises will be able to verify that authorizations
granted to employees are valid and comply with regulations, and
they will also be able to increase control of employee
authorizations.
Reviewing authorizations at least once a year, or even more
often, will ensure that employees are holding authorizations for
justifiable reasons and allow the organization to make the proper
decisions regarding its authorization compliance.
With ProfileTailor Dynamics, managers can easily review a single employee's
authorizations.
The recommended method for conducting the authorization
review is to use an automated tool such as ProfileTailor Dynamics Authorization Review.
Xpandion also offers live demonstrations of our product to
qualified companies, using custom data from your applications
and your industry.
Ready to be in the driver's seat when it comes to ERP security and
authorizations? Our specialists can evaluate your particular situation
and tell you how Xpandion's all-in-one ProfileTailor software can help
you easily take control over ERP security and authorizations.
ProfileTailor is a powerful, end-to-end solution that requires no ERP
expertise and is installed externally to the ERP system. It gives you
the tools to reduce security breaches, get alerted about irregular
behavior, eliminate unnecessary authorizations including power
profiles, and enable monitored remote access.
LEARN HOW XPANDION CAN HELP YOU ENSURE ERP SECURITY & AUTHORIZATION
COMPLIANCE BY SPEAKING WITH AN EXPERT