"Who authorized it?" is almost always the first question asked after a fraud event or an information leak.
Access to information is controlled through authorizations, but the method is not flawless and mistakes can (and do) happen: employees change positions within the organization yet keep their previous authorizations, and authorizations granted for a specific, time-bound task are forgotten and never removed.
Mistakes happen, and when they do things get complicated and an investigation follows. It is therefore vital to be able to trace the approver of every authorization, together with the reason and justification recorded for each case. A fraud investigation is not something to take lightly. My suggestion: be prepared.
Managing authorizations effectively involves two processes: Authorization Request and Authorization Review.
Authorization Request
This is where the confusion starts. In most organizations authorizations are requested and granted by email, with no further documentation describing or justifying the grant. A user emails the helpdesk, the helpdesk asks the authorization owner for approval, and once the approval arrives the user is granted the requested authorization. Bypassing this process is easy, because whoever administers the target system can grant the authorization directly, and IT teams often do exactly that. The best way to prevent this is an automated tool that manages the authorization request process from beginning to end, so that every grant in the system can be tied back to an approved request.
To obtain complete control over the authorization request process, the following capabilities are needed: (1) multi-system coverage, so users can request authorizations for any system in the enterprise from one place; (2) a fully web-based interface, for ease of use and simplicity; (3) well-documented steps, serving the organization and its auditors alike; (4) a streamlined process, for example recommending the best-suited authorizations based on the user's behaviour profile; (5) integration with the (costly) GRC/SoD (Segregation of Duties) systems; (6) alerting, so that an authorization granted outside the standard process (for example directly by an administrator, with no matching approved request) is reported immediately.
Authorization Review
From my experience, the most effective way to catch wrong or improper authorizations is a periodic Authorization Review (re-certification), which is obligatory for companies subject to SOX regulations. In this process every authorization is re-certified by the user's direct manager, followed by approval from senior management. This ensures that every authorization is revisited and that no one keeps authorizations they no longer need.
Reviewing authorizations manually is time consuming and a heavy burden on managers. To comply with regulations while keeping control of internal operations, an automated end-to-end tool is strongly recommended. To really simplify the authorization review process the following must be available: (1) different review selections with various filtering options, such as reviewing only risky authorizations, by role, by position, and more; (2) a fully transparent system with clear documentation and a complete history of decisions; (3) a web-based platform that eliminates spreadsheets, email chains and chasing after employees; (4) usage analysis, so that review decisions rest on whether each authorization has actually been used rather than on the manager's guess.
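The two controls above, alerting on grants that bypassed the request process (item 6 of the request section) and prioritising the review by actual usage (item 4 here), both reduce to reconciling three record sets: approved requests, grant events from the target system's change log, and usage events from its audit log. The following Python is an added example written for this post; it is not code from the original article nor from the ProfileTailor product. The record shapes, field names, the 30-day approval age and the 90-day idle threshold are all assumptions, and the sample records are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Approval:          # assumed shape of a record exported by the request tool
    user: str
    system: str
    authorization: str
    approver: str
    approved_on: date


@dataclass(frozen=True)
class Grant:             # assumed shape of a grant event from the target system's change log
    user: str
    system: str
    authorization: str
    granted_on: date
    granted_by: str      # account that performed the grant in the target system


@dataclass(frozen=True)
class Usage:             # assumed shape of a usage event from the target system's audit log
    user: str
    system: str
    authorization: str
    used_on: date


# Constructed sample records, not real data.
APPROVALS = [
    Approval("alice", "SAP", "FI_POST_INVOICE", "bob.manager", date(2024, 3, 1)),
    Approval("carol", "SAP", "MM_CREATE_PO", "dan.manager", date(2024, 2, 20)),
    Approval("erin", "AD", "Domain Admins", "frank.ciso", date(2023, 6, 1)),  # stale
]
GRANTS = [
    Grant("alice", "SAP", "FI_POST_INVOICE", date(2024, 3, 2), "helpdesk"),
    Grant("carol", "SAP", "MM_CREATE_PO", date(2024, 2, 21), "helpdesk"),
    Grant("carol", "SAP", "FI_POST_INVOICE", date(2024, 3, 5), "sap.basis"),  # no request
    Grant("erin", "AD", "Domain Admins", date(2024, 4, 1), "it.admin"),       # old approval
]
USAGE = [
    Usage("alice", "SAP", "FI_POST_INVOICE", date(2024, 5, 10)),
    Usage("carol", "SAP", "MM_CREATE_PO", date(2024, 2, 25)),
    Usage("carol", "SAP", "FI_POST_INVOICE", date(2024, 5, 20)),
]


def _key(r):
    return (r.user, r.system, r.authorization)


def who_authorized(approvals, user, system, authorization):
    """All approval records for one user/authorization pair, newest first."""
    matches = [a for a in approvals if _key(a) == (user, system, authorization)]
    return sorted(matches, key=lambda a: a.approved_on, reverse=True)


def find_bypassed_grants(grants, approvals, max_approval_age_days=30):
    """Grants that cannot be tied to an approval: none exists, or every approval is
    later than the grant or older than max_approval_age_days (a stale approval must
    not be reused to justify a new grant). These are the alert cases."""
    by_key = defaultdict(list)
    for a in approvals:
        by_key[_key(a)].append(a)
    return [
        g for g in grants
        if not any(0 <= (g.granted_on - a.approved_on).days <= max_approval_age_days
                   for a in by_key.get(_key(g), []))
    ]


def find_unused_grants(grants, usage, as_of, max_idle_days=90):
    """Grants never exercised, or not exercised within max_idle_days before as_of.
    These are the candidates a reviewer should look at first."""
    last_used = {}
    for u in usage:
        k = _key(u)
        if k not in last_used or u.used_on > last_used[k]:
            last_used[k] = u.used_on
    return [
        g for g in grants
        if _key(g) not in last_used or (as_of - last_used[_key(g)]).days > max_idle_days
    ]


if __name__ == "__main__":
    for g in find_bypassed_grants(GRANTS, APPROVALS):
        print(f"ALERT bypassed process: {g.user} {g.system}/{g.authorization} by {g.granted_by}")
    for g in find_unused_grants(GRANTS, USAGE, as_of=date(2024, 6, 1)):
        print(f"REVIEW unused: {g.user} {g.system}/{g.authorization}")
    for a in who_authorized(APPROVALS, "alice", "SAP", "FI_POST_INVOICE"):
        print(f"{a.approver} approved on {a.approved_on}")
```

The approval-age window is the important design choice: matching on user and authorization alone would let an approval from a year ago justify a fresh grant, which is exactly the "forgotten and never removed" failure the review is meant to catch. In a real deployment the three inputs would be pulled from the request tool and the target systems' logs rather than embedded as constants.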
Answering the Question
Integrated into the ProfileTailor™ Dynamics suite, the Authorization Request and Authorization Review modules answer the question "who authorized it". Managers select the users and authorizations they wish to inspect and see the list of previously granted approvals, with dates and approver names. Auditors, for their part, can examine the entire process at any time, leaving managers to get on with their work undisturbed.