Hi, Barb. Our InfoSec team has developed an application in Splunk to automate much of the UAR process. However, this is limited (for now) to those apps with single sign-on (we use Okta).
As to ITGCs over AD, since AD and Okta are integrated, having good controls over AD gives comfort around timely terminations, since there is sometimes a lag between the deactivation of user accounts in the individual applications. However, if their SSO access is terminated, the user cannot get to the application.
Drop me an email at david.gamble@smiledirectclub.com if you'd like to discuss more...
------------------------------
David Gamble
Director Risk and Advisory Services
SmileDirectClub
------------------------------
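The reconciliation logic behind the kind of automated UAR David describes, as an added example in Python rather than any part of his Splunk app: an HR termination feed is compared against Okta and AD status and against each application's own account list, and every still-active app account for a terminated employee is flagged. The distinction he draws is encoded directly: an orphaned account in an SSO-only app whose Okta/AD identity is already deprovisioned is recorded as a lag mitigated by SSO, while a still-active SSO identity or an app that allows local login is recorded as exposed. All sample users, dates and status values are constructed for illustration, and the field names are assumptions, not an export format of Okta, AD or any real application.

```python
"""Reconcile HR terminations against Okta, AD and per-application accounts.

Added example of a user access review (UAR) termination check. All data
below is constructed; status field names are assumptions, not real APIs.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    lag_days: int   # days since HR termination that the app account stayed active
    risk: str       # "mitigated" (SSO already blocks access) or "exposed"
    reason: str


# Constructed HR feed: user -> termination date (None = still employed)
HR = {
    "alice": None,
    "bob": date(2022, 9, 20),
    "carol": date(2022, 9, 28),
    "dave": date(2022, 9, 1),
}

# Constructed IdP and directory status (assumed field values)
OKTA = {"alice": "ACTIVE", "bob": "DEPROVISIONED", "carol": "ACTIVE", "dave": "DEPROVISIONED"}
AD_ENABLED = {"alice": True, "bob": False, "carol": True, "dave": False}

# Constructed per-application account lists: app -> (sso_only, {user: active})
APPS = {
    "gl_system": (True, {"alice": True, "bob": True, "carol": True}),
    "payroll": (False, {"alice": True, "dave": True}),
}


def reconcile(hr, okta, ad_enabled, apps, as_of):
    """Return one Finding per app account still active after HR termination."""
    findings = []
    for app, (sso_only, accounts) in apps.items():
        for user, active in accounts.items():
            term = hr.get(user)
            if term is None or not active:
                continue  # still employed, or already deactivated in the app
            sso_cut = okta.get(user) != "ACTIVE" and not ad_enabled.get(user, False)
            lag = (as_of - term).days
            if sso_only and sso_cut:
                risk, reason = "mitigated", "SSO deprovisioned; orphaned app account is unreachable"
            elif sso_only:
                risk, reason = "exposed", "SSO identity still active after HR termination"
            else:
                risk, reason = "exposed", "app allows local login; SSO termination does not block it"
            findings.append(Finding(user, app, lag, risk, reason))
    return findings


def exposed_findings(findings):
    """The subset an auditor would treat as a control exception."""
    return [f for f in findings if f.risk == "exposed"]


if __name__ == "__main__":
    for f in reconcile(HR, OKTA, AD_ENABLED, APPS, date(2022, 10, 4)):
        print(f"{f.risk:9} {f.user:6} {f.app:10} lag={f.lag_days:3}d  {f.reason}")
```

Running the block lists three orphaned accounts: bob's SSO-only account is mitigated because Okta and AD were already cut, carol's is exposed because her Okta identity is still active, and dave's payroll account is exposed because that app accepts local logins regardless of SSO state. The "mitigated" rows are still worth reporting, since they measure the deactivation lag in the individual applications that the SSO control is compensating for.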
Original Message:
Sent: 10-04-2022 09:52 AM
From: Barb Terlap
Subject: ITGCs, IAM Tools, and SOX
Where IAM tools can be leveraged for user access reviews and automation of Active Directory access termination, are ITGCs over privileged access and change management warranted and subject to testing for SOX compliance? Seems excessive.
------------------------------
Barb Terlap
Internal Controls Manager
Morningstar
------------------------------