Archive for the ‘Segregation of Duties’ Category

Automating Internal Control Process

July 18, 2007

As part of Section 404, the Sarbanes-Oxley Act requires the review of user access. Most companies follow a similar process: once or twice a year, the IT department prints out the application access and sends it to business managers to confirm their staff’s access to ERP applications. This can become a big headache for the corporate internal control team if the company has thousands of employees. The complication arises because of the cultural barrier between the IT and business departments. Most business managers are not familiar with ERP backend user authorizations, and in reality, the collaboration between IT and business managers is not that great. An independent survey by the Ponemon Institute this February mentioned that ‘two thirds of 627 respondent companies said their IT department and business functions rarely collaborate in identity management’.