Case study 3: IT user access and user provisioning
The risk
After discovering a former employee still had access to several software systems despite leaving the organization, Hospital C wanted to gain an understanding of which internal users had access to technology systems and what level of access they were granted.
How internal audit tools helped
While planning their approach, internal auditors collected background information on the topic from Audivate, professional organizations that specialize in healthcare IT, and other industry groups. The background document from Audivate included common IT risks and example controls. Auditors also met with stakeholders to discuss processes and procedures in place for system access and user provisioning. These data points helped guide the internal auditors toward developing the audit scope.
The background information pointed auditors to several areas worth testing, such as fraud enabled by inappropriate access (for example, breaches of data confidentiality). The team also considered performance standards (for example, how quickly user access is granted or removed after the initial request, and the controls in place to limit modification, destruction, or disclosure of data), the ability to identify separation-of-duties violations, and the policies governing password configuration requirements.
These were only a few of the many areas identified for potential testing. With so many risks, deciding on a testing plan and how best to test each item can be overwhelming. The internal audit team received help from Audivate, which used RACMs (risk and control matrices) to generate a lengthy list of risks and controls and advised auditors on how best to test them.
To streamline this audit, the auditors used another feature of Audivate: an accelerator that allows testing several areas at once. Auditors could cover more ground while still testing the full population of data (not just a sample). As a result, they were able to conduct this audit more quickly and had time to fit in additional risk coverage during their workdays.
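The three questions behind Hospital C's audit (which accounts belong to people HR no longer employs, how long removal took after termination, and who holds conflicting roles) are the kind of full-population tests an auditor can script against an HR roster and a system access export. The following is an added example and is not Audivate's or the hospital's code; the roster, access export, separation-of-duties policy, user ids, system names, and the seven-day removal SLA are all constructed assumptions.

```python
from datetime import date

# Constructed HR roster: employee id -> employment status and termination date.
HR_ROSTER = {
    "u100": {"status": "active", "termination_date": None},
    "u101": {"status": "terminated", "termination_date": date(2024, 3, 1)},
    "u102": {"status": "terminated", "termination_date": date(2024, 3, 10)},
}

# Constructed access export: one row per user per system, with the roles held
# and the date the account was removed (None means the account is still active).
ACCESS_EXPORT = [
    {"user": "u100", "system": "EHR", "roles": {"create_vendor", "approve_payment"}, "removed": None},
    {"user": "u101", "system": "EHR", "roles": {"clinician"}, "removed": None},
    {"user": "u102", "system": "ERP", "roles": {"clerk"}, "removed": date(2024, 3, 20)},
    {"user": "u999", "system": "ERP", "roles": {"clerk"}, "removed": None},  # no HR record
]

# Constructed separation-of-duties policy: role pairs one person must not hold together.
SOD_CONFLICTS = [("create_vendor", "approve_payment")]


def orphaned_accounts(hr, access):
    """Active accounts whose owner is terminated in HR or has no HR record at all."""
    return sorted(
        (row["user"], row["system"])
        for row in access
        if row["removed"] is None
        and hr.get(row["user"], {"status": "missing"})["status"] != "active"
    )


def deprovisioning_exceptions(hr, access, sla_days):
    """Removed accounts where removal happened more than sla_days after termination."""
    findings = []
    for row in access:
        term = hr.get(row["user"], {}).get("termination_date")
        if term and row["removed"]:
            lag = (row["removed"] - term).days
            if lag > sla_days:
                findings.append((row["user"], row["system"], lag))
    return findings


def sod_violations(access, conflicts):
    """Active accounts whose role set contains a conflicting pair from the policy."""
    return sorted(
        (row["user"], row["system"], a, b)
        for row in access if row["removed"] is None
        for a, b in conflicts if a in row["roles"] and b in row["roles"]
    )
```

Running the three functions over the constructed data flags u101 and u999 as orphaned, u102 as removed 10 days after termination (over the assumed 7-day SLA), and u100 as a separation-of-duties violation.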