Will my audit fail without Attestation? (Part 3 of 3)
Most legal or regulatory requirements simply state that both Access Controls and Attestation are required for an audit, but they don’t specify whether those controls are to be paper-based or part of an electronic workflow. Many organizations spend thousands of hours building a paper-based set of controls and an attestation process, only to be asked to “prove” that the controls work. Because the controls are only paper-based, verifying their effectiveness becomes time-consuming and difficult as paper requests and reviews are shuffled between people or departments. More and more auditors are discovering that a lack of controls, especially around unintended group usage, is cause to delay or fail an audit.
A caution about Attestation over group memberships: when a group is created and assigned access to a specific resource, that assignment is deliberate and intended. Unfortunately, over time the group can receive unintended access to other resources, either maliciously or accidentally, because the operating systems and directories have no ability to prevent it. As a result, the resource owner is never really able to know all of the resources the group can access. This directly impacts the third attestation statement, so make sure any electronic attestation solution you select has the ability not only to certify who has access, but also to show what those users have access to.
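To make the caution above concrete, here is an added example (not code from the original post or from any product it discusses) of the report an electronic attestation tool has to produce: for each group, the users it resolves to after nested memberships are expanded, every resource the group can actually reach through the ACLs, and the subset of those resources that the group owner never deliberately assigned. The group definitions, resource ACLs and "intended" assignments are constructed sample data, and the `group:<name>` naming convention for nested-group principals is an assumption of this example.

```python
"""Attestation report showing, per group, who is in it AND what it can reach.

Added example, not from the original post. GROUPS, RESOURCE_ACLS and INTENDED are
constructed sample data; the 'group:<name>' convention that distinguishes nested
groups from user names on an ACL is an assumption of this example.
"""
from collections import deque

GROUP_PREFIX = "group:"

# Constructed sample data: group -> direct members (users or nested groups).
GROUPS = {
    "finance-analysts": {"alice", "bob"},
    "finance-all": {"carol", "group:finance-analysts"},
    "it-admins": {"dave"},
}

# Constructed sample data: resource -> principals granted by its ACL.
RESOURCE_ACLS = {
    "share:finance-reports": {"group:finance-analysts"},
    "share:finance-payroll": {"group:finance-all"},
    "share:hr-reviews": {"group:finance-analysts"},   # drift: no owner intended this
    "share:it-scripts": {"group:it-admins", "dave"},
}

# Constructed sample data: what each group owner deliberately assigned.
INTENDED = {
    "finance-analysts": {"share:finance-reports"},
    "finance-all": {"share:finance-payroll"},
    "it-admins": {"share:it-scripts"},
}


def expand_members(groups, group):
    """Return the users reachable from `group`, following nested groups
    breadth-first and tolerating membership cycles."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for member in groups.get(queue.popleft(), ()):
            if member.startswith(GROUP_PREFIX):
                nested = member[len(GROUP_PREFIX):]
                if nested not in seen:
                    seen.add(nested)
                    queue.append(nested)
            else:
                users.add(member)
    return users


def parent_groups(groups, group):
    """Return every group that directly or transitively contains `group`.
    Access granted to a parent is inherited by the nested group's members."""
    parents, queue = set(), deque([group])
    while queue:
        child = queue.popleft()
        for candidate, members in groups.items():
            if GROUP_PREFIX + child in members and candidate not in parents:
                parents.add(candidate)
                queue.append(candidate)
    parents.discard(group)  # a membership cycle must not make a group its own parent
    return parents


def effective_access(groups, acls, group):
    """Map each resource the group can reach to how it got there: 'direct' when
    the group itself is on the ACL, 'via <parent>' when a containing group is."""
    principals = {group: "direct"}
    principals.update({p: f"via {p}" for p in parent_groups(groups, group)})
    reach = {}
    for resource, granted in acls.items():
        for name, how in principals.items():
            if GROUP_PREFIX + name in granted:
                reach.setdefault(resource, set()).add(how)
    return reach


def attestation_report(groups, acls, intended):
    """Build the per-group view an attestation review needs: members, every
    resource the group can actually reach, and those the owner never signed off."""
    report = {}
    for group in groups:
        reach = effective_access(groups, acls, group)
        report[group] = {
            "members": sorted(expand_members(groups, group)),
            "resources": {r: sorted(ways) for r, ways in sorted(reach.items())},
            "unintended": sorted(set(reach) - intended.get(group, set())),
        }
    return report


if __name__ == "__main__":
    for group, entry in attestation_report(GROUPS, RESOURCE_ACLS, INTENDED).items():
        print(f"{group}: members={entry['members']}")
        for resource, ways in entry["resources"].items():
            flag = "  <-- not in owner's intended list" if resource in entry["unintended"] else ""
            print(f"    {resource} ({', '.join(ways)}){flag}")
```

Run against the sample data, the report flags two resources for `finance-analysts`: the HR share that crept onto the ACL, and the payroll share inherited through the parent group `finance-all`. Neither shows up in a review that only certifies the group's member list, which is exactly the gap the caution above describes.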