For those in IT Audit, when you perform a user access review, do you not review Read-only because it's low risk?


Depends on what information they are accessing. Just because they don't have "write" privileges doesn't mean that they should have "read-only" access to PII, for example, if their job description doesn't require it. Generally speaking, the organization should be following the principle of least privilege necessary to perform their job function and applying that to their access review process.


We tend to review elevated access, so no birthright access roles are placed into our samples. Read-only is a low-risk role and tends to be a given birthright role depending on the system. Hope this helps.


Depends what the client does. If it's a SaaS like Blackline, I'm normally comfortable scoping roles. If it's something on-prem that can be customized, I usually expect to see everything reviewed unless management clearly defines the scope ahead of time.


If I'm looking at an access review process, I usually focus on 1) was it performed as the control states, 2) were any changes by the reviewer actually performed in the system, and 3) were terminated users fully removed. If I'm looking at who actually has access to a system, I tend to focus on admin users or those with write access to the system. As SC1 said, if the system has confidential information, it might be more important to see that least privilege is being enforced, but at the end of the day I also have to ask the client if each of the users with access is authorized. I can't make that determination myself, unless it's a segregation of duties issue like in change control situations.

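The three checks in the post above (review performed as the control states, reviewer decisions actually applied, terminated users fully removed) plus the earlier point about read-only access to PII can be reconciled mechanically against a system's entitlement export. The script below is an added example, not code from any poster or from Fishbowl; the data model (review rows, current entitlement rows, HR status, the PII entitlement set and the role-to-entitlement map) and all sample users are constructed for illustration.

```python
"""Reconcile a signed-off user access review (UAR) against a live entitlement export.

Constructed, hypothetical data model: review rows are (user, entitlement, decision),
current rows are (user, entitlement), hr maps user -> "active"/"terminated", and
sensitive / user_roles / role_allows drive the least-privilege check on PII access.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    issue: str

def reconcile(review, current, hr, sensitive, user_roles, role_allows):
    findings = []
    current_set = set(current)
    reviewed = {(u, e) for u, e, _ in review}
    # Check 2: a reviewer "revoke" decision still present in the system was never actioned.
    for user, ent, decision in review:
        if decision == "revoke" and (user, ent) in current_set:
            findings.append(Finding(user, ent, "revoke not actioned"))
    for user, ent in current:
        # Check 3: terminated users must hold nothing at all, read-only included.
        if hr.get(user) == "terminated":
            findings.append(Finding(user, ent, "terminated user still has access"))
            continue
        # Check 1: the review population must cover everything the system grants,
        # so a birthright read-only role that was never sampled surfaces here.
        if (user, ent) not in reviewed:
            findings.append(Finding(user, ent, "not in review population"))
        # Least privilege: read-only access to PII still needs a job-role reason.
        if ent in sensitive and ent not in role_allows.get(user_roles.get(user), set()):
            findings.append(Finding(user, ent, "sensitive access not justified by role"))
    return findings

# Constructed sample input: five users, one review cycle.
REVIEW = [("alice", "gl:write", "keep"), ("bob", "gl:write", "revoke"),
          ("carol", "hr_pii:read", "keep")]
CURRENT = [("alice", "gl:write"), ("bob", "gl:write"), ("carol", "hr_pii:read"),
           ("dave", "gl:read"), ("erin", "gl:read")]
HR = {"alice": "active", "bob": "active", "carol": "active",
      "dave": "terminated", "erin": "active"}
SENSITIVE = {"hr_pii:read"}
USER_ROLES = {"alice": "accountant", "bob": "accountant", "carol": "analyst", "erin": "analyst"}
ROLE_ALLOWS = {"accountant": {"gl:read", "gl:write"}, "analyst": {"gl:read"}}

if __name__ == "__main__":
    for f in reconcile(REVIEW, CURRENT, HR, SENSITIVE, USER_ROLES, ROLE_ALLOWS):
        print(f"{f.user:6} {f.entitlement:12} {f.issue}")
```

On the sample data this reports four findings: bob's unactioned revoke, dave's lingering access after termination, erin's never-reviewed birthright read, and carol's read-only PII access that her role does not justify.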

Is this financial/SOX? If so, what is the risk? Often it is hard to see how read-only access generates a potential source of misstatement. Maybe if you have access to confidential information that would generate impairments if disclosed.


Thank you all!

Depends on who's "read-only"-ing.

Depends on how the control is written. My company writes them in a way where edit-only is the only access requiring review.

Yeah. I think ours operate the same way.
