Tip Doctor, Insider Learning Network.
Whether you're charged with protecting employee data, securing financial information, or safeguarding customer data, taking steps to regularly review the users who have access to this data is key. The following tip is from "Lessons for conducting user access reviews of your SAP system," given by James Roeske of Savera Systems at the GRC 2011 conference in Las Vegas in March.
Best Practices for Scheduling a User Access Review (UAR)
Best Practice #1: Schedule the UAR according to your needs, but at least once per year (e.g., before year-end closing)
Best Practice #2: Schedule the UAR more often for critical systems
Best Practice #3: Schedule the UAR after a re-organization
Best Practice #4: Schedule the UAR depending on your staff turnover
Best Practice #5: Schedule the UAR for different systems at the same time. The reviewer will only have to make decisions about each user once.
Best Practice #6: Identify and implement a timeframe in which the UAR must be finished
Best Practice #7: Ensure that the approver (the reviewer or security staff) cannot review or approve his or her own access
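The scheduling and segregation rules above, as an added worked example that is not part of the original tip and not code from Savera Systems or SAP: a small Python model of a UAR campaign that groups each user's access across all systems into one review item (#5), sets a completion deadline (#6), refuses to let anyone review their own access (#7), and derives the next campaign date from the most frequently reviewed system (#1, #2). Every user, system, role, reviewer mapping and date in it is constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed sample extract of user-to-role assignments across several systems.
ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("alice", "SAP_ERP", "FI_AP_CLERK"),
    ("alice", "SAP_BW", "BW_REPORT_VIEWER"),
    ("bob", "SAP_ERP", "SAP_ALL"),
    ("bob", "SAP_GRC", "GRC_ADMIN"),
    ("carol", "SAP_ERP", "FI_GL_POSTING"),
]

# Constructed reviewer mapping (typically the line manager). Note that "bob" is
# recorded as his own reviewer, which Best Practice #7 forbids.
REVIEWER_OF: Dict[str, str] = {"alice": "bob", "bob": "bob", "carol": "alice"}

# Hypothetical escalation reviewer used whenever self-review would otherwise occur.
ESCALATION_REVIEWER = "dave"

# Constructed review intervals in days: the critical GRC system is reviewed
# quarterly, everything else at least yearly (Best Practices #1 and #2).
REVIEW_INTERVAL_DAYS: Dict[str, int] = {"SAP_ERP": 365, "SAP_BW": 365, "SAP_GRC": 90}


@dataclass
class ReviewItem:
    user: str
    reviewer: str
    entries: List[Tuple[str, str]]  # (system, role) pairs across all systems
    due: date
    completed: bool = False


def find_self_reviews(reviewer_of: Dict[str, str]) -> List[str]:
    """Detection check for #7: users whose assigned reviewer is themselves."""
    return sorted(user for user, reviewer in reviewer_of.items() if reviewer == user)


def build_review(assignments, reviewer_of, escalation, start: date, days_to_complete: int) -> List[ReviewItem]:
    """Build one review item per user covering every system at once (#5),
    with a deadline (#6) and a reviewer who is never the user (#7)."""
    by_user = defaultdict(list)
    for user, system, role in assignments:
        by_user[user].append((system, role))
    items = []
    for user, entries in sorted(by_user.items()):
        reviewer = reviewer_of.get(user, escalation)
        if reviewer == user:  # enforce #7 by escalating instead of allowing self-approval
            reviewer = escalation
        items.append(ReviewItem(user, reviewer, sorted(entries), start + timedelta(days=days_to_complete)))
    return items


def overdue_users(items: List[ReviewItem], today: date) -> List[str]:
    """Users whose review item is still open after the campaign deadline (#6)."""
    return sorted(item.user for item in items if not item.completed and today > item.due)


def next_campaign_date(last_review: date, intervals: Dict[str, int]) -> date:
    """All systems are reviewed in the same campaign (#5), so the campaign runs
    when the most frequently reviewed system is due (#1, #2)."""
    return last_review + timedelta(days=min(intervals.values()))


if __name__ == "__main__":
    start = date(2011, 11, 1)
    print("self-review violations in reviewer mapping:", find_self_reviews(REVIEWER_OF))
    for item in build_review(ASSIGNMENTS, REVIEWER_OF, ESCALATION_REVIEWER, start, 30):
        print(f"{item.user}: reviewer={item.reviewer} due={item.due} entries={item.entries}")
    print("next campaign:", next_campaign_date(start, REVIEW_INTERVAL_DAYS))
```

Reorganisations and staff turnover (#3, #4) are handled by calling build_review again outside the regular interval; the same self-review and deadline checks apply to that ad-hoc campaign.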