Does anyone else feel highly frustrated by the lack of understanding of our core counterparts of the work we perform?
I saw this post and found it funny and felt identified https://joinfishbowl.com/post_6kxuoq
But (contd)

Also, the core team should tell you what they would consider sensitive access (e.g. access to post JEs) and test these separately. Mind you, each of these should be a separate control to factor in for budgeting. Provisioning controls only give you comfort that these access controls remain effective for the year.


So that was my point on this discussion, that's why I get so frustrated.
I was expecting that the core partner was more aware of what we do... But the whole core team thought that by testing the user provisioning control we had all the information, and that we were able to assess all that you mentioned like SAT, SOD and any other risk related to the company.
I do not think any company does that as part of the 404 audit, even more, giving an opinion on the adequacy of the access may be seen as breaking the Independence, since I am helping them on determining who should own a certain access and that is basically the determining control structure and enforcing.

But I had a situation that is going from funny to frustrating, I had a discussion with a core partner (and his team) on the fact that our "User Provisioning Control Testing" only covers the user provisioning process, and not on the adequacy of all the users on all the systems covered.
The partner didn't understand our testing and said that he was expecting us (Risk Assurance) to give an opinion on the adequacy of the users who have access to the system and also that we understood who had access to what systems, and what they were able to do. (Giving an opinion if for example the admin users were appropriate)
I do not believe that any 404 audit team can give that kind of opinion, this sounds more like a consulting project to me.
Has anyone had similar situations?


It's a good question. For my team, we generally take a risk based approach. Admin access, or roles with stronger privileges (e.g. finance manager) that should be locked down we will assess (also for SOD and toxic combos), but testing all users e.g. read only access is dumb. Plus since you're testing provisioning only, this might be out of scope.


So for the admins I do agree specific SAT testings are ok, also for SOD when there are no manual controls that address the risk, or if the client uses this to support their business process SOD. But the fact that the partner expected me to give an opinion on if the access was granted to the appropriate person kills me (he used the following example, "don't you raise an exception if an associate has too much access?" My answer was "How much is too much access for an associate??").
Unbelievable how little they understand our procedures.

Isn’t what the core partner is asking for more akin to a user access recertification?
