fraud or gross negligence occurs, but a company makes errors and omissions.
This kind of lack of control is very expensive to companies in terms of loss of
revenue, and it is often only recognized after it is too late.
When people work in large teams, assuming that someone else took care of
a particular task can lead to work being neglected. Or, tasks might be done
twice, because one worker doesn't realize that another worker already took
care of a particular job. In this way, the work environment becomes inefficient,
but no one recognizes it until it is too late.
As companies grow and start to become unwieldy, they also lose control of
their system permissions. Some examples are:
Roles: A role contains a set of permissions in the system for an individual
to complete their job in the organization. Roles need to be analyzed
to ensure they don't contain any internal segregation-of-duties conflicts.
For example, a single role may contain both the ability to set up a vendor and
the ability to make a payment, which is exactly the combination that lets one
person invent a supplier and pay it. To make it worse, this role could be
assigned to many people across a company, greatly increasing the chance
of fraud.
Users: Users are assigned roles to complete their assigned responsibilities.
In most organizations, the assignment requires an approval to make
sure that the roles are appropriate. However, many times, roles are not
removed from individuals when they are transferred or take on additional
responsibilities. An individual can acquire dangerous combinations
of capabilities as additional roles are added and others are not
taken away, even though each role on its own passed review.
Superusers and temporary users: Superusers are those people who have
exceptional knowledge of the system and are given broad access. All
organizations have these key individuals, and an implied trust is given
to these people that this broad access is only used when necessary.
However, having too many superusers with access that is far broader
than necessary can lead to trouble. Temporary users gain their privileges
for special occasions, such as year-end closing. In a pinch, it's easy
to grant temporary users those privileges and forget to revoke them,
turning temporary users into overly privileged characters.
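The three problems above (roles that conflict with themselves, users whose combined roles conflict, and temporary grants that were never revoked) are all mechanical to check once you have a role-to-permission map, a user-to-role list, and a list of forbidden permission pairs. The following checker is an added example written for this page; it is not code from the book, and the role names, permission names, segregation-of-duties rules, and user assignments are all constructed for illustration rather than taken from any real ERP system.

```python
"""Segregation-of-duties (SoD) checker (hypothetical example, not from the book).

Given a role -> permission map, a user -> grant list and a set of conflicting
permission pairs, report:
  1. roles that violate an SoD rule on their own,
  2. users whose combined roles violate an SoD rule,
  3. temporary grants that are past their expiry date.
All names and data below are constructed for illustration.
"""
from datetime import date

# Constructed role definitions (hypothetical ERP permission names).
ROLES = {
    "AP_CLERK":       {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_PAYMENTS":    {"APPROVE_PAYMENT", "RUN_PAYMENT"},
    "VENDOR_AND_PAY": {"CREATE_VENDOR", "RUN_PAYMENT"},    # conflict inside one role
    "GL_POST":        {"POST_JOURNAL"},
    "GL_CLOSE":       {"CLOSE_PERIOD"},
    "SUPERUSER":      {"CREATE_VENDOR", "ENTER_INVOICE", "APPROVE_PAYMENT",
                       "RUN_PAYMENT", "POST_JOURNAL", "CLOSE_PERIOD", "MANAGE_USERS"},
}

# Constructed SoD rules: permission pairs no single person should hold together.
SOD_RULES = {
    frozenset({"CREATE_VENDOR", "RUN_PAYMENT"}):     "vendor setup + payment",
    frozenset({"ENTER_INVOICE", "APPROVE_PAYMENT"}): "invoice entry + approval",
    frozenset({"POST_JOURNAL", "CLOSE_PERIOD"}):     "journal posting + period close",
}

# Constructed assignments: user -> list of (role, expiry); None means permanent.
ASSIGNMENTS = {
    "alice": [("AP_CLERK", None), ("AP_PAYMENTS", None)],  # transferred, old role kept
    "bob":   [("AP_CLERK", None)],
    "carol": [("GL_CLOSE", date(2023, 1, 15))],             # year-end temporary grant
    "dave":  [("SUPERUSER", None)],
}


def conflicts_in(perms):
    """Descriptions of every SoD rule whose permission pair is fully held."""
    return sorted(desc for pair, desc in SOD_RULES.items() if pair <= perms)


def conflicting_roles(roles=ROLES):
    """Roles that are internally conflicting: one role grants both halves of a pair."""
    return {name: conflicts_in(perms) for name, perms in roles.items()
            if conflicts_in(perms)}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions of every role the user currently holds."""
    perms = set()
    for role, _expiry in assignments[user]:
        perms |= roles[role]
    return perms


def conflicting_users(assignments=ASSIGNMENTS, roles=ROLES):
    """Users whose *combined* roles create a conflict, even if each role is clean."""
    result = {}
    for user in assignments:
        found = conflicts_in(effective_permissions(user, assignments, roles))
        if found:
            result[user] = found
    return result


def expired_grants(today, assignments=ASSIGNMENTS):
    """Temporary grants whose expiry date has passed but which are still assigned."""
    return {user: [(role, exp) for role, exp in grants if exp is not None and exp < today]
            for user, grants in assignments.items()
            if any(exp is not None and exp < today for _, exp in grants)}


def report(today):
    """Run all three checks and return the findings as one dictionary."""
    return {
        "conflicting_roles": conflicting_roles(),
        "conflicting_users": conflicting_users(),
        "expired_grants": expired_grants(today),
    }


if __name__ == "__main__":
    for section, findings in report(date.today()).items():
        print(f"== {section} ==")
        for subject, detail in findings.items():
            print(f"  {subject}: {detail}")
```

The role check and the user check deliberately share one rule table: a role that passes review on its own can still be one half of a conflict, so the user-level check is the one that catches the "transferred but old role kept" case the text describes. In a real deployment the three inputs would be exported from the ERP or identity system rather than hard-coded, and the expiry check would run on a schedule so that year-end grants are caught shortly after the close rather than at the next audit.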
Cleaning Up: The Mop-Up Operation
If you've taken a good hard look at your company, you may see that things
aren't as clean and efficient as they could be. You want to get compliant and
clean. How do you go about it? Since SOX was passed, companies and their
senior management have had to learn to think like auditors.
112 Part II: Diving into GRC