Struggling with your quarterly User System Access Review? We have some tips and a template that can help!
How can you quickly document that you did a good review of the users in your system and that you removed the ones who needed to be removed?
Below is an outline of the process.
A “good review” is one that:
- Removes or deactivates inactive users AND
- Removes inappropriate system permissions
Step 1 – Run HRIS Active Employees List
Step 2 – Identify and remove/deactivate terminated employees and/or contractors in system
Step 3 – Verify in HRIS that users with admin or edit/create/delete permissions are appropriate, or deactivate them
Step 4 – Re-run HRIS Active Employees List to share with other system owners
Step 5 – Run system-specific Active Users List, such as NetSuite or Equity Edge
Step 6 – Compare system-specific list to HRIS Active Employees List
Step 7 – Identify contractors who are active
Step 8 – Remove/deactivate terminated employees and contractors
Is the person who performed the access review also a system admin? If yes, continue to step 9, which is performed by a non-admin or a different reviewer
Non-Admin Reviewer or Different Reviewer:
Step 9 – Verify access for System Admins is appropriate
Step 10 – Update user access if needed
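The comparison in steps 5 through 9 (match the system's active-user export against the HRIS census, flag terminated users, active contractors, and privileged roles, and confirm the export's row count against the report's grand total) is shown below as an added example script, not part of the original post or its template. The HRIS and system schemas, the sample rows, and the set of role names treated as privileged are all constructed assumptions; replace them with your own exports.

```python
"""Reconcile a system's active-user export against the HRIS active-employee
census. Added example, not part of the original post; all data below is
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Assumption: which role names count as privileged in the system under review.
PRIVILEGED_ROLES = frozenset({"admin", "create", "edit", "delete"})


@dataclass(frozen=True)
class HrisRecord:
    """One row of the HRIS census (constructed schema)."""
    email: str
    status: str        # "active" or "terminated"
    worker_type: str   # "employee" or "contractor"


@dataclass(frozen=True)
class SystemUser:
    """One row of the system's active-user export (constructed schema)."""
    email: str
    roles: FrozenSet[str]


# Constructed sample inputs (not real people or systems).
HRIS_CENSUS = [
    HrisRecord("alice@example.com", "active", "employee"),
    HrisRecord("bob@example.com", "terminated", "employee"),
    HrisRecord("carol@example.com", "active", "contractor"),
    HrisRecord("dave@example.com", "active", "employee"),
]

SYSTEM_EXPORT = [
    SystemUser("alice@example.com", frozenset({"view"})),
    SystemUser("bob@example.com", frozenset({"view"})),
    SystemUser("carol@example.com", frozenset({"edit", "view"})),
    SystemUser("erin@example.com", frozenset({"admin"})),
    SystemUser("Dave@Example.com", frozenset({"admin", "view"})),
]


def reconcile(hris: Iterable[HrisRecord],
              users: Iterable[SystemUser]) -> Dict[str, List[str]]:
    """Compare the system export to the HRIS census (steps 6 to 9).

    Returns sorted, lower-cased emails keyed by the action the reviewer takes:
      deactivate  - terminated in HRIS but still active in the system
      not_in_hris - no HRIS record at all (service account, untracked
                    contractor); needs a named owner or deactivation
      contractors - active contractors, to be confirmed as still engaged
      privileged  - holders of admin/edit/create/delete roles, for step 9 sign-off
    Emails are matched case-insensitively so "Dave@Example.com" finds its record.
    """
    by_email = {r.email.lower(): r for r in hris}
    findings: Dict[str, List[str]] = {
        "deactivate": [], "not_in_hris": [], "contractors": [], "privileged": []}
    for u in users:
        key = u.email.lower()
        rec = by_email.get(key)
        if rec is None:
            findings["not_in_hris"].append(key)
            continue
        if rec.status != "active":
            findings["deactivate"].append(key)
            continue
        if rec.worker_type == "contractor":
            findings["contractors"].append(key)
        if u.roles & PRIVILEGED_ROLES:
            findings["privileged"].append(key)
    return {k: sorted(v) for k, v in findings.items()}


def completeness_check(users: Iterable[SystemUser], reported_total: int) -> bool:
    """The "compared total # of users" sign-off: the row count of the saved
    export must equal the grand total shown in the report screenshot."""
    return sum(1 for _ in users) == reported_total


if __name__ == "__main__":
    print("export complete:", completeness_check(SYSTEM_EXPORT, reported_total=5))
    for action, emails in reconcile(HRIS_CENSUS, SYSTEM_EXPORT).items():
        print(f"{action}: {', '.join(emails) or '-'}")
```

Save the script's output alongside the raw export in the Report Data tab; the four lists map directly onto the "noted users whose access should be changed" and "verified changes made in system" sign-offs, and the completeness check is the evidence that the saved export matches the report totals.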
We have created an easy-to-replicate template for the User System Access Review documentation.
The template has three tabs:
1. Review Info
Use this sheet to track the progress of your review and to sign off each step along the way.
Copy and reuse this worksheet for each system you review.
For each report, your Review Info should include:
- Control number
- Report name
- Name of preparer
- Date prepared
- Name of reviewer
- Date of review
The reviewer will sign off on the following:
- Checked the report date, date range, totals and general information to confirm it is the correct report (completeness and accuracy)
- Attached a screenshot of the report parameters showing the date the report was run
- Compared total # of users in systems report to source census (HRIS) user list
- Reviewed report for terminated users
- Reviewed access for users and appropriateness of access level
- Noted users whose access should be changed (noted the name of the user)
- Submitted request for changes (noted the ticket number)
- Verified changes made in system
2. Report Data
This is where you will copy and save the imported data from your system to show the original, raw data used in your review.
3. Report Parameter Screenshot
Use a separate tab in the file to show:
- Screenshots of system report parameters used to generate the report
- Screenshot of system report output
- Output from system showing report parameters used to generate the report (sometimes exports already have a second tab)
- SQL query used to produce the report, if any used
- The date the report was run on the computer (could be date stamp on computer screen)
Here are a few samples of screenshots from a variety of systems, filters, and parameters. There are also examples of the different ways you can include a date stamp so you can document that your review was completed in a timely fashion.
Be sure to follow the guidelines listed below for making useful screenshots of your report.
What data should a User Access Review report contain?
Screenshots for your User Access Review should include the user activity log that documents which users have been removed and which groups they came out of.
Tips for making a screenshot of your reports and report parameters
Taking screenshots is a quick and efficient way of documenting your report, but only if you do it the correct way. If your report is missing any of the required data, you will be repeating your work when the auditors ask for supporting documents or, worse yet, fail the control. Follow the steps below for success the first time.
- If your report is hosted in the cloud, be sure to include in your screenshot the URL address. This helps auditors know that the information you took came out of the production system.
- Include the date parameters and selection criteria for your report. This helps verify that you included the correct timeframe for your report and that the filters apply to that information.
Your screenshot needs to have a date stamp. This is to prove that you have done your review in a timely fashion. A key question auditors will ask is whether your reports, or the information used in the control, were run on a timely basis, meaning close to the end of the quarter.
- If your computer shows the date somewhere on your screen, be sure to include that. If your computer does not have the date appear on your screen, simply open your Calendar feature and include that in your screenshot.
- Be sure to capture the grand totals of any amounts or columns in your reports. The auditors will want to check that the information you exported matches up with your report, including the total amount and/or the total count. Comparing this information will help show if information was modified or omitted.
Check out our two short videos summarizing what you’ve just read.
- What to capture in system access review (5 minutes, short and sweet)
- What to capture in screenshot of report parameters (2 minutes, super short)