
Don Goodenow
Director, Product Management, Reinsurance & Collections
StoneRiver
My last few posts covered areas that require attention in order to comply with SOX and Model Audit Rule requirements. Here’s one more thing to think about – How do you audit system administrator or super user activities?
Compliant systems include controls over what users can and cannot do, log user activity, and time- and date-stamp transactions. That is fine as far as it goes, but do those controls extend to the system administrator?
By definition, a system administrator has what amounts to unlimited control over the entire system. A SysAdmin can change anything that can be changed. The need for the position is obvious, but auditing System Administrator activities is no less important than auditing the activities of an entry-level clerk. It can be argued that auditing this position is even more important. Failure to provide such an audit will no doubt be noted by external auditors.
So, what to do? Here’s one possible approach, and I’d like to hear your other suggestions:
- Maintain a list of all system administrators and super users, and log everything they do. Each entry should record the date and time and specify the action taken.
- Make the log inaccessible to system administrators and super users: none of them should be able to read it. Because an administrator can change anything on the system they administer, this means the log must be stored where their privileges do not reach (a separate system or service they do not administer), not merely hidden behind an application permission.
- Establish a System Auditor. There should be a System Auditor role as part of system setup, which has only one function – to receive the log of system administrator activities. The System Auditor should have no system administration authority. This role should be constructed so that the system administrator cannot manage it, and such that it cannot be held by a person who acts as a system administrator.
- Automate the delivery of the log to the System Auditor. The system should allow a delivery schedule to be set, with a built-in, unchangeable base delivery schedule. If no schedule is set, the base schedule applies.
- Produce a notice to senior management and/or the board whenever a log is produced and delivered. The System Auditor could configure this, but the recipients must be individuals other than the auditor or the system administrator(s).
- Require acknowledgement that the log was received. This should be required of both the auditor and senior management. Acknowledgements should be captured as part of the log.
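Here is a small in-memory model of the six controls above, added as an illustration of my own; it is not code from the original post or from any StoneRiver product. The role names, the 7-day built-in base schedule, and a "governance" role that appoints the System Auditor at setup are assumptions; the sample users and the one logged administrator action are constructed for the demo.

```python
# Added example, not code from the original post. Role names, the 7-day built-in
# schedule and the 'governance' role that appoints the auditor are assumptions.
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from enum import Enum

Role = Enum("Role", "SYSADMIN SUPERUSER AUDITOR MANAGEMENT GOVERNANCE")
PRIVILEGED = {Role.SYSADMIN, Role.SUPERUSER}  # GOVERNANCE appoints the auditor; it has no admin power
BASE_INTERVAL = timedelta(days=7)  # built-in base schedule; nothing below can change it


def next_due(last: datetime, configured: timedelta | None = None) -> datetime:
    return last + (configured or BASE_INTERVAL)  # no schedule set -> base schedule applies


class AdminAuditLog:
    def __init__(self) -> None:
        self.roles: dict[str, set[Role]] = {}
        self._entries: list[tuple[datetime, str, str]] = []  # append-only: no update/delete exists
        self._deliveries: dict[int, dict] = {}

    def _has(self, user: str, role: Role) -> bool:
        return role in self.roles.get(user, set())

    def _privileged(self, user: str) -> bool:
        return bool(self.roles.get(user, set()) & PRIVILEGED)

    def assign_role(self, actor: str, user: str, role: Role, now: datetime) -> None:
        # Admins manage ordinary roles; only governance may touch the System Auditor role.
        if not (self._has(actor, Role.GOVERNANCE) or (role is not Role.AUDITOR and self._privileged(actor))):
            raise PermissionError(f"{actor} may not assign {role.name}")
        target = self.roles.setdefault(user, set())
        if (role is Role.AUDITOR and target & PRIVILEGED) or (role in PRIVILEGED and Role.AUDITOR in target):
            raise ValueError(f"{user} cannot be both auditor and administrator")  # mutual exclusion
        target.add(role)
        self._entries.append((now, actor, f"assigned {role.name} to {user}"))

    def record(self, actor: str, action: str, now: datetime) -> None:
        if self._privileged(actor):  # every admin/superuser action is time-stamped and kept
            self._entries.append((now, actor, action))

    def read_log(self, reader: str) -> list[tuple[datetime, str, str]]:
        if self._privileged(reader) or not self._has(reader, Role.AUDITOR):  # admins never see it
            raise PermissionError(f"{reader} may not read the administrator log")
        return list(self._entries)

    def deliver(self, now: datetime, notify: list[str]) -> int:
        """Send the log to every auditor and a notice to independent senior managers."""
        auditors = {u for u in self.roles if self._has(u, Role.AUDITOR)}
        for p in notify:  # the notice recipient is neither the auditor nor an admin
            if not self._has(p, Role.MANAGEMENT) or self._privileged(p) or self._has(p, Role.AUDITOR):
                raise ValueError(f"{p} is not an independent management recipient")
        did = len(self._deliveries) + 1
        self._deliveries[did] = {"auditors": auditors, "management": set(notify), "acked": set()}
        self._entries.append((now, "system", f"delivery {did} to {sorted(auditors)}; notice to {sorted(notify)}"))
        return did

    def acknowledge(self, did: int, who: str, now: datetime) -> None:
        d = self._deliveries[did]
        if who not in d["auditors"] | d["management"]:
            raise PermissionError(f"{who} did not receive delivery {did}")
        d["acked"].add(who)
        self._entries.append((now, who, f"acknowledged delivery {did}"))  # the ack is part of the log

    def fully_acknowledged(self, did: int) -> bool:
        d = self._deliveries[did]
        return bool(d["acked"] & d["auditors"]) and bool(d["acked"] & d["management"])


def denied(fn, exc: type) -> bool:
    try:
        fn()
    except exc:
        return True
    return False


def demo() -> dict:
    t = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = AdminAuditLog()
    log.roles["board"] = {Role.GOVERNANCE}  # bootstrapped at system setup
    log.assign_role("board", "alice", Role.SYSADMIN, t)
    log.assign_role("board", "bob", Role.AUDITOR, t)
    log.assign_role("board", "carol", Role.MANAGEMENT, t)
    log.record("alice", "changed reinsurance treaty limits", t + timedelta(hours=1))  # constructed
    did = log.deliver(next_due(t), notify=["carol"])
    log.acknowledge(did, "bob", next_due(t) + timedelta(hours=1))
    after_auditor = log.fully_acknowledged(did)
    log.acknowledge(did, "carol", next_due(t) + timedelta(hours=2))
    return {
        "admin_cannot_read": denied(lambda: log.read_log("alice"), PermissionError),
        "admin_cannot_appoint_auditor": denied(lambda: log.assign_role("alice", "alice", Role.AUDITOR, t), PermissionError),
        "auditor_cannot_become_admin": denied(lambda: log.assign_role("board", "bob", Role.SYSADMIN, t), ValueError),
        "days_to_first_delivery": (next_due(t) - t).days,
        "complete_after_auditor_only": after_auditor,
        "complete_after_both": log.fully_acknowledged(did),
        "entries": len(log.read_log("bob")),
    }
```

Running `demo()` shows the refused operations (an administrator reading the log or appointing themselves auditor, an auditor being given administrator rights), the base schedule taking effect when none is configured, and a delivery that counts as complete only after both the auditor and a manager have acknowledged it, with every assignment, delivery and acknowledgement landing in the log itself. The model enforces separation only inside the application: a real administrator with host access can bypass any in-application permission, so the store behind `_entries` has to live on a system the administrators do not control.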
I’m sure there are other approaches that can work. What do you think? Any suggestions?