Access certification reviews, also referred to as certification reviews, employee access reviews, or just audits, can be quite costly. Audits exist because they help ensure compliance. Depending on the type of audit, there are several expenses and costs to consider.
Types of Audits
A number of industries, such as financial services and trading, banking, healthcare, and transportation, just to name a few, can expect audits by external regulatory agencies on an annual, semi-annual, or quarterly basis. The scope of the audits varies by industry, but one thing is certain: an extensive internal audit process typically occurs before the external auditors arrive.
In less heavily regulated industries, audits may not be required by outside agencies, but many organizations are seeing the benefit of conducting internal audits. They recognize the need to protect their data to minimize risk. For example, a college or university might conduct regular cybersecurity audits to ensure the right people are accessing the data of its students, faculty, and staff, and that this data is kept safe from breaches. Higher education, by its very nature, has a constant turnover of people who need access to systems. Just as importantly, it has people who no longer need access to systems. It's the access left open to someone who should no longer be entitled to these systems that causes most security compromises. Whatever the industry, whether banking or education, in this age of remote working, protecting data is of utmost importance.
So, why are audits so costly? Well, mainly because they utilize employees’ time. In the banking industry, for example, audit preparation takes hundreds of hours and thousands of dollars to complete. According to a study by the Congressional Research Service in 2015 entitled “An Analysis of the Regulatory Burden on Small Banks,” annual compliance reporting for a community bank consumes 850 hours of employees’ time, on average, over the course of anywhere between 24 and 57 days, which disrupts operations. The report went on to explain that audit preparation costs account for an average of 5.6% of a bank’s operating expense. On average, banks are spending $300,000 per year on “wasted expenses.”
A big part of a bank's audit process involves presenting auditors with comprehensive reports indicating which employees had access to which systems and when, also known as user access provisioning. Here's an example of what this audit reporting process would look like when recorded manually. Let's say the bank has 350 users needing different levels of permissions across an average of about 200 critical systems. For each of those systems, there are five fields of data (including username and password). This equates to roughly 350,000 cells of data. As an added challenge, banks are known for having high turnover rates, which creates even more work for IT and Human Resources departments when someone new is hired. From a security standpoint, keeping track of these user access permissions in a spreadsheet, for example, opens the door to significant risk.
The financial impacts from the discovery of a breach are significant. It’s quite common for financial institutions to spend upwards of $1 million on cybersecurity remediation. Given that most cybersecurity breaches can be attributed to human error, companies are looking to automated processes to elevate cybersecurity and mitigate risk.
Cost Reduction & Risk Mitigation through Automation
Identity and access management (IAM) is the latest advancement in automated audit preparation. Not only does an IAM system serve as a single source of sign-on for IT departments, but it also reduces audit prep time and provides a single source of provisioning records for auditors. Additionally, IAM features hardened security that enforces user-specific, policy-driven permissions that remain current. In the end, companies using IAM realize an increase in ROI by reducing audit-related costs.