UAR is a detective monitoring control which cannot replace a preventative control. Depending on how often your client performs the UAR (usually every 6 months), that can open risk for someone having inappropriate risk for a long period of time and no one will notice.
What is recert?
Recertification, it's just a UAR
Relying solely on UAR can have its advantages - like risk mitigation - it can help identify and address potential segregation of duties (SoD) conflicts or unauthorized access!
Are they performing a look back as part of their access review for users marked as removals (to mitigate risk of access not being termed timely via a term control)? If not, it would likely not fully cover the risk especially if they are only executing a few times a year.
Are they relying on a mitigating control? I.e. timely network terms control may mitigate app term control gap if the app has a network authentication req.
OP stated they didn't want a term control
🤣🤣🤣🤣