Also, the core team should tell you what they would consider sensitive access (e.g. access to post JEs) and test these separately. Mind you, each of these should be a separate control to factor in for budgeting. Provisioning controls only give you comfort that these access controls remain effective for the year.
So that was my point on this discussion, that's why I get so frustrated.
I was expecting that the core partner was more aware of what we do... But the whole core team thought that by testing the user provisioning control we had all the information, and that we were able to assess all that you mentioned like SAT, SOD and any other risk related to the company.
I do not think any company does that as part of the 404 audit; even more, giving an opinion on the adequacy of the access may be seen as breaking independence, since I am helping them determine who should own a certain access and that is basically the determining control structure and enforcing.
But I had a situation that is going from funny to frustrating: I had a discussion with a core partner (and his team) on the fact that our "User Provisioning Control Testing" only covers the user provisioning process, and not the adequacy of all the users on all the systems covered.
The partner didn't understand our testing and said that he was expecting us (Risk Assurance) to give an opinion on the adequacy of the users who have access to the system and also that we understood who had access to what systems, and what they were able to do. (Giving an opinion if, for example, the admin users were appropriate.)
I do not believe that any 404 audit team can give that kind of opinion, this sounds more like a consulting project to me.
Has anyone had similar situations?
It's a good question. For my team, we generally take a risk based approach. Admin access, or roles with stronger privileges (e.g. finance manager) that should be locked down we will assess (also for SOD and toxic combos), but testing all users e.g. read only access is dumb. Plus since you're testing provisioning only, this might be out of scope.
So for the admins I do agree specific SAT testing is ok, also for SOD when there are no manual controls that address the risk, or if the client uses this to support their business process SOD. But the fact that the partner expected me to give an opinion on if the access was granted to the appropriate person kills me (he used the following example, "don't you raise an exception if an associate has too much access?" My answer was "How much, is too much access for an associate??").
Unbelievable how little they understand our procedures.
Isn’t what the core partner is asking for more akin to a user access recertification?