Manual Access Recertification: An Audit Nightmare

3 min readMay 11, 2020


The importance of access recertification was established with Sarbanes- Oxley Act of 2002 (SOX). Section 404 states: “Registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting”. Simply put, companies are required to maintain the integrity of reports by ensuring right resources have access to the the right systems that generate these reports. Manual access recertifications seemed like a great way to maintain compliance when the law was enacted. Unfortunately, with proliferation of IT assets and growing sophistication of hackers, manual access recertification is an anti-pattern for security and complaince:

1.Audit Nightmare: Without exception we keep hearing about organizations that have their internal audit teams do assessment of access over spreadsheets spanning hundreds of tabs and then undertaking back and forth emails among stakeholders to capture audit evidence. It is no surpise that many of these organizations have audit findings.

2. Productivity Drain: Manual process is tedious execution of repetitive tasks that are non value add to the company and employee morale. A typical quarterly acmes recertification for a 1000 plus employee company requires many paid hours to collect and transform information from applications , databases and files under review. The process generates endless volumes of data found in excel sheets or unstructured formats such as emails. The same process is repeated every so often. It is not uncommon to see some anti patterns such as reviewers taking to rubber stamping.

3. High Error Rate: Today companies have multiple systems, databases and applications (enterprise, custom and cloud). Authentication methods typically vary between connected and disconnected applications. Therefore, employee ,contractors and vendors have multiple account IDs across today’s IT eco-system. Without a unique identifier or identity source between these accounts it is nearly impossible to attribute these to corresponding employee, vendor or contractor identity information. Reviews just can’t make out with 100% accuracy the abbreviated IDs, roles and access rights coming out of the systems. We keep hearing about many manual recertifications yielding audit findings.

4. Challenging To Enforce Segregation Of Duty (SOD): An Excel based recertification of users and privileges can after a very tedious effort yield information on SOD conflicts. However, this manual process cannot be used to proactively enforce SOD with new-onboarding and employee changes. Every time a employee’s job duties change owing to promotion or moving to a different department, the data needs to be manually updated to check for any SOD conflicts.

5. Lack Of Centralized Visibility: Depending on the company’s risk appetite and internal IT controls, access recertifications may be needed on quarterly or semiannual basis. However, managers who need to review and approve user access often don’t take serious ownership owing to their day job. Sieving though the inbox for access review document is not ideal for anyone. This lack of centralized visibility and review communication that ensures all parties involved understand the significance of access recertifications and the importance of timely closure is missing with a manual process.

6. Non Integrated Deprovisioning: Completing the review process is just one aspect of the user recertification. The most critical being removing or deprovisioning access for users with access privileges or deleting orphaned accounts. Getting to that end game in a timely fashion is nearly impossible if upon completion of the reviews there is not tie up with the task to remove user access.

Manual Access recertifications is not only daunting, inefficient but also a big anti pattern to achieve continuous SOX, IS0 27001, HIPAA, GLBA etc compliance. In our survey of 13 CISO’s across Financial Services, Credit Unions, Healthcare and Manufacturing industries automation of access recertifications ranked among the top three priorities. SecurEnds is leading the market with its lightweight, highly configurable and industry first flex-connector product that keeps companies secure while meeting audit and compliance requirements. Our software allows you to load user data from multiple system of record, connect dynamically to applications, match identities with user credentials, manage heartbeat identities across connected and disconnected, schedule one-time or periodic access recertifications and create proof of compliance for external auditors. In only 30 minutes we can demo why our SAAS software is now a leading choice for identity governance