Founder & Executive Chairman of ERP Maestro's Board of Directors. Jody is a trusted advisor and security thought leader who is a CISSP, a CISA, and former director of KPMG. Follow him on Twitter @JodyCPaterson.
I’m Tired of Excel
I’ve been there. Your CFO, CIO, CISO… all of them pushing for a clean audit report. You’ve automated where you can—the new hire/movers/leavers process, password policy enforcements, mock your colleagues when they fail the phishing campaign.
But you know what’s been really hard to automate? Periodic access reviews.
We understand the value of having this detective control in our arsenal. It allows us to catch any failures of our automated controls and ensures we are enforcing least-privilege policies. But when I have to do my 17th vlookup, change my macro to support a new inscope app, create the 1,000th file custom to a specific reviewer’s desires, I have to wonder if the juice is worth the squeeze. Two-three weeks of my life have been spent living inside Excel. Is it really worth it?
I enjoy a nice temporary sigh of relief when I get to send the reviews out for the reviewers. I lose a bit of sleep knowing some of these reviewers are simply rubber stamping “Approved” for every row. How can auditors really feel like this control is actually operating effectively? Or even operating at all? But hey, at least I get a breather while they are actually “doing” the review.
Then the dread starts creeping back in as reviewers forward me responses from people they delegated to. Why did three people give different responses for the same line item, yet no one filled out a response for the last 15 lines? Someone else said “Remove access in three weeks” and “This person hasn’t worked here in three months.” My auditors are going to love that one.
After manually recompiling all of the responses over the course of a week, I logged into SAP and started manually removing the roles marked as “Not approved.” I know these end users are going to be miffed when they can’t do their job because of missing access, but I need to do my job and our company needs a clean audit report. Once all of these end users complain to their bosses, I’ll likely spend another week cleaning up the mess they created.
Then I have to clean up everything, so my auditors have something that’s readable. Clean up comments that were meant for delegators (and not auditors!), make sure people who were marked for removal actually had their access removed and make the report aesthetically presentable—and have an end-result compilation that might have a chance at passing.
Then I get to do this all again next quarter!
So, let’s do the math:
- Three weeks inside Excel prepping and sending reports
- One week recompiling responses
- One-two weeks removing (and then re-adding) access
- One week generating the audit report
- Total time spent: about seven weeks—every quarter
Fortunately for anyone who can relate to the above monotonous and time-sucking scenario and is still doing these processes manually, ERP Maestro has come up with a way to eliminate all seven weeks of manual work.
Introducing Access Reviewer. Welcome to the world of automation.
I know your pain all too well. I’ve been there and know it firsthand. You can get rid of it right now.
Schedule some time to see Access Reviewer before your next review.