TFL Vsebine / Revija SIR*IUS

Pitfalls in the management system audit of user IS access rights

Revizorji informacijskih sistemov (IS) se pri ocenjevanju ustroja in delovanja notranjekontrolnega okolja pogosto zanašajo na sistem upravljanja uporabniških pravic, ki naj bi zagotovil, da sme vsak uporabnik v sistemu početi le tisto, kar mora po naravi svojega dela. Pri tem se zanašajo na procese odobravanja, pregledovanja in odvzemanja teh pravic ter na proces upravljanja samih pooblastil. Neustrezno opredeljene procesne kontrole pa lahko izničijo koristi še tako dobro delujočega sistema upravljanja uporabniških pravic, zato je sodelovanje notranjega revizorja in revizorja IS-jev zaradi njunega različnega fokusa in znanj pogosto nujno potrebno.

IS auditors frequently rely upon the user (access) rights management system (URMS), intended to ensure that each user performs only the activities related to their work position, based on the assessment of design and operational efficiency of internal control environment. Auditors rely on the access approval, review, revocation as well as role management processes, supported by URMS. However, improperly designed process controls can void the benefits of an effectively designed URMS. This, along with differences in their audit focus and expertise, often requires close cooperation of internal and IT auditors.