Table 16-2 Suggested Guidelines for Policy Building Sessions

Participants            | Topics                                         | Deliverables
Executives              | Sensitive information and transactions         | Sensitive transactions and data
Process Managers        | Process risks and process overlaps             | Segregation of duties risks between processes
Auditors                | Segregation of duties and internal controls    | Risks and control omissions
Security Administrators | Security design and processes                  | Naming conventions and approval processes

Move to Strategic Adoption of Automated Controls
Manual controls can only check a sample of transactions, and the controls
have to be tested every day. Automatic controls check every transaction, and
after initial testing, can simply run, allowing you to manage by exception. Not
all controls can be automated controls, but the more automated controls you
put in place, the easier your job becomes.

Adopt Strategies for Cleaning Up Access Control
Segregation of duties violations are largely prevented through effective
access control. Because these problems have evolved over time, you’ll need
to get everyone on board in cleaning up this area.

Be sure to separate technical and business issues:

- Roles and profiles belong to IT.
- User assignments and circumstances belong to business.
- Collaboration of both is required to validate results.