A user attestation review, or user access review, is a common, enterprise-wide control to periodically validate that only legitimate users have access to the organization’s applications or infrastructure. The goal of the user access review is not only to confirm that users’ continued access to systems is appropriate; it is also an opportunity for an application or IT owner to identify users who may have left the organization or transferred to another team or function. The user access review acts as a mitigating control so that terminated or transferred employees do not continue to hold access to applications or infrastructure indefinitely after their credentials or privileges should have been removed. The key risk this control mitigates is unauthorized users retaining access to the organization’s systems when they should not, which can result in financial and/or reputational loss.
One of Richter’s clients was facing challenges ensuring complete and accurate user attestations for applications critical to financial reporting (SOX-based applications) as well as applications critical to Service Organization Control (SOC) reports. What does this mean? It means that not all users and their associated access privileges/entitlements within applications and infrastructure were being attested to regularly, which left the potential for unauthorized access to applications and infrastructure. Both the SOX and SOC-related user attestation controls were not working as expected.
Over a span of three to four years, the client’s external auditors identified both performance and feed issues which contributed to incomplete and inaccurate user attestations. This led to audit exceptions as well as a significant deficiency that the client needed to resolve quickly; this also gained the attention of regulators.
While Richter’s client made a strategic decision to invest in a newer, more robust user attestation application, it would take the organization over two years to onboard the in-scope applications to the new user attestation application. How could the organization continue to execute its enterprise-wide user attestation control on applications and infrastructure when its existing user attestation application was failing and it would take over two years to implement the new one? Richter’s client needed a tactical solution to provide comfort to the client’s external auditors that the feeds going into the legacy user attestation application were complete and accurate and, ultimately, that all users and their entitlements were being attested to regularly, all while waiting for the new user attestation application to be introduced.
The client decided to implement a manual reconciliation process by having an external contractor reconcile access control lists (ACLs) to completed user attestation reports, to demonstrate to the client’s external auditors that the feeds were complete and accurate prior to the start of a quarterly campaign. However, this manual reconciliation process was highly resource intensive and could only be performed at a point in time. In addition, for any discrepancies identified, the client required additional resources to work with the appropriate application teams to remediate any feed issues. The client needed a more efficient way to demonstrate completeness and accuracy of the application feeds on an ongoing basis and to ensure all users and their entitlements were attested to.
Richter helped one of Canada’s top 5 banks implement a solution using a team of Richter risk management professionals and a vendor-automated toolset or ‘software bot’, Business Automation, Artificial Intelligence (AI) and Robotics (BAAR) from Allied Media Inc. to:
1) Demonstrate that the feeds going into the legacy application for a prioritized scope of applications (including applications critical to financial reporting) were complete and accurate; and
2) Perform an analysis of the resulting user attestation campaign by reconciling the access control lists (ACLs) captured prior to the start of the campaign to the completed user attestation report for each application; any discrepancies identified would go through a manual user attestation.
The above would have to be performed until the new user attestation application was implemented and a prioritized scope of applications onboarded to it.
The client made the decision to continue using the legacy user attestation application until the new user attestation application could be implemented. The client’s external auditors wanted some assurance or comfort that the application feeds going into the legacy user attestation application were complete and accurate while waiting for the new user attestation application to be implemented.
Richter implemented BAAR, an automated workflow tool, which automatically reconciled application ACLs to the user attestation application reports for 150+ applications in a matter of three to four months. This allowed the client to run the automated reconciliations weekly and to use some of their existing resources only for following up on discrepancies identified in the reconciliation output and for remediating the feeds, rather than on the manual, mundane exercise of reconciling. The ‘heavy lifting’ of the reconciliations could be performed by the bot.
The client was able to leverage this automated reconciliation mechanism to provide comfort to the external auditors that the feeds into the user attestation application were being monitored weekly and any feed discrepancy was identified, tracked and prioritized for investigation until resolved.
To minimize any further discrepancies of missing user attestations, the Richter risk management team performed a prioritized analysis of the output of the user attestation campaigns for a specific scope of applications to ensure that all users and their entitlements had been attested to. As part of this analysis, the Richter risk management team worked with various client stakeholders and leveraged automated templates to perform the reconciliation. For any users who didn’t go through the user attestation campaign, those users would be sent through a separate, manual certification campaign which would provide additional comfort to the client’s external auditors that the user attestation process was complete and accurate.
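The reconciliation described above (a pre-campaign ACL snapshot compared against the completed attestation report per application, with discrepancies routed either to feed remediation or to a separate manual certification campaign) can be illustrated with a small script. This is an added example and is not BAAR’s code or the client’s reconciliation template; the CSV layouts, column names (`application`, `user_id`, `entitlement`, `decision`) and all sample rows are constructed assumptions.

```python
"""Reconcile an application ACL snapshot against a completed user attestation
report and classify every discrepancy.

Added example (not from the original page). Feed formats are assumed."""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# One entitlement grant: (application, user_id, entitlement)
Entry = Tuple[str, str, str]

# Constructed sample feed: ACL snapshot taken before the campaign started.
ACL_SNAPSHOT = """application,user_id,entitlement
GL_LEDGER,u1001,GL_POST
GL_LEDGER,u1001,GL_VIEW
GL_LEDGER,u1002,GL_VIEW
GL_LEDGER,u1003,GL_ADMIN
PAYROLL,u1002,PAY_RUN
PAYROLL,u1004,PAY_VIEW
"""

# Constructed sample report exported from the attestation tool after the campaign.
# u1009 never appeared in the ACL (a stale/incorrect feed row) and u1003/u1004
# were never fed into the tool at all (an incomplete feed). "U1002" shows a
# case difference that normalization must not turn into a false discrepancy.
ATTESTATION_REPORT = """application,user_id,entitlement,reviewer,decision
GL_LEDGER,u1001,GL_POST,mgr01,approved
GL_LEDGER,u1001,GL_VIEW,mgr01,approved
GL_LEDGER,u1002,GL_VIEW,mgr01,revoked
GL_LEDGER,u1009,GL_VIEW,mgr01,approved
PAYROLL,U1002,PAY_RUN,mgr02,approved
"""


@dataclass
class ReconciliationResult:
    attested: List[Entry] = field(default_factory=list)      # in ACL and in report
    not_attested: List[Entry] = field(default_factory=list)  # in ACL, missing from report
    not_in_acl: List[Entry] = field(default_factory=list)    # in report, missing from ACL


def load_entries(csv_text: str) -> Set[Entry]:
    """Parse a feed into a set of normalized (application, user, entitlement) keys.
    Extra columns (reviewer, decision) are ignored for the completeness check."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        (
            row["application"].strip().upper(),
            row["user_id"].strip().lower(),   # user ids compared case-insensitively
            row["entitlement"].strip().upper(),
        )
        for row in reader
    }


def reconcile(acl_text: str, report_text: str) -> ReconciliationResult:
    """Set-based reconciliation: every ACL grant must have an attestation row,
    and every attestation row must correspond to a real ACL grant."""
    acl = load_entries(acl_text)
    report = load_entries(report_text)
    return ReconciliationResult(
        attested=sorted(acl & report),
        not_attested=sorted(acl - report),  # candidates for the manual certification campaign
        not_in_acl=sorted(report - acl),    # feed accuracy issues to remediate with the app team
    )


def summary_by_application(result: ReconciliationResult) -> Dict[str, Dict[str, int]]:
    """Per-application counts, the shape an auditor-facing tracker would report weekly."""
    summary: Dict[str, Dict[str, int]] = {}
    for bucket in ("attested", "not_attested", "not_in_acl"):
        for app, _user, _ent in getattr(result, bucket):
            summary.setdefault(app, {"attested": 0, "not_attested": 0, "not_in_acl": 0})
            summary[app][bucket] += 1
    return summary


if __name__ == "__main__":
    res = reconcile(ACL_SNAPSHOT, ATTESTATION_REPORT)
    for app, counts in summary_by_application(res).items():
        print(app, counts)
    print("send to manual certification:", res.not_attested)
    print("feed rows with no matching ACL grant:", res.not_in_acl)
```

The two discrepancy buckets map onto the two follow-up paths in the text: `not_attested` entries are the users and entitlements that never went through the campaign and so need the separate manual certification, while `not_in_acl` entries point at feed rows that do not reflect a real grant and should be taken back to the application team. Running the comparison on every snapshot (weekly, as the client did) rather than once a quarter is what turns a point-in-time check into an ongoing one.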
Richter helped the client put other tactical solutions in place while the strategic solution (a new user attestation application) could be implemented and applications could be onboarded accordingly to ensure complete and accurate user attestations. This ultimately led to the removal of the significant deficiency, and to SOC reports that were once qualified (control objectives not met) being unqualified for the first time in years. Richter leveraged its external audit experience as well as a vendor-automated toolset to deliver an overall solution to the client’s complex problem.