Separation of duties is the key consideration for compliance. That and making sure the people have the minimal permissions needed for their function.
Our CAs are split between IT and purchasing, but their responsibility is data-management focused. They do not belong to any of the business roles like Purchasing Agent or Invoice Manager. The BA (me) does not belong to the CA group. Any changes to the configuration and/or data go through a change control process, and the CA implements them. Since the CA can make changes through the UI, the number of users assigned to that group is minimal. With very few exceptions, all data is imported through CSV files, with a bias to external systems (ERP, HR) being the source of truth.
By following a well-documented change process, audit is satisfied that the system will remain compliant with approved processes.
To ensure that the CA aren't making unauthorized changes, management reviews the audit logs on a weekly basis. Any additions/changes to the master data by anyone would be reflected there. We can also monitor any changes that Ariba makes to the system by this process.
Thanks Russ. How are audit logs reviewed and by whom, since only the CAs can run these logs? Probably not a real issue since these cannot be altered in any way. Do you review all the different types of entries, or do you key on a few that show config. changes, "act as" transactions, etc.?
We have the CA export the logs each week and I review them with my managers. It's less than perfect: the CA could edit the files before passing them along, but it isn't easy hiding the alterations (we look at the time stamps on the files as well). You could also review them online, which we did initially, but it is time consuming. It would be preferable to have an 'Auditor' group with access to the logs, but this process is fairly low risk. The goal is not to eliminate risk but to mitigate it.
We only take a look at a couple of the logs that would contain user activities. I will leave it as an exercise to determine which ones you need. I don't want a call from your SOX team asking me "why did you say use only these files?"