We had auditors in over the past few weeks and one of their observations was around the evidence of job processing controls in Eramba. The recommendation is below.
Contact vendor to determine how to produce audit evidence in respect to the scheduled jobs and monitoring of such failures
I can see the output from Crontab in the Settings but they were focussing on the LDAP pulls and the evidence on how/where and when these pulls happened and producing evidence of same.
Has anyone had anything like this before and if so I would appreciate a steer (I scanned the forum but can’t find the answer I am looking for.)
That seems pretty pedantic of the auditors if you don’t mind me saying! Would be interested to know what they were auditing for this finding - what was the requirement they were auditing against? Obviously there are full logs on the platform, however, if I were auditing I would want to see evidence that audits were going ahead rather than an automated system. In this scenario, a notification should the audit not be completed/review expired etc. would be evidence that the process has failed in some way rather than an audit of a specific tool’s functionality - apologies if I have completely misunderstood!
Is auditor not the Latin word for pedantic?!?
I agreed and pushed back on this but they weren’t for budging. They were focussing on UAR in Eramba and wanted evidence of job processing controls.
From an approach perspective - it sounds like you’re presenting eramba’s account review feature as your control for user access reviews, but the auditors seem to be jumping the shark related to how the system actually works.
Which type of UARs are being questioned? Is this the revalidation one or the ones that are comparing to current/term lists?
At a high level -
You configure the account review to use a feed and you set the frequency within the account review.
You can show access to modify the account reviews is restricted to (hopefully) authorized individuals.
If the account review schedule is changed, it is posted to the activity log for that item.
The daily cron job is the one that picks up and checks this - if the interval is exceeded, it’ll trigger the account pull to execute.
If the daily cron fails to run, you should get a system health warning when logging in, and if it skips a day, it’ll pick up prior things (e.g. daily cron fails for day 90, runs for day 91, all day 90 reviews will fire then)
The data from the pull is in the Pulls tab and pulls lists at a point in time based on the configuration (e.g. from a flat file or via an LDAP connector). LDAP connector should keep history of changes, but the LDAP query and such should be available.
Of course, I would argue that your access review control does not “rely” on the system for job scheduling, in the same way a meeting invite on your calendar doesn’t mean you attended the meeting. State your control as “we do this monthly” or whatever your frequency is and ask them to test the control as designed as opposed to as assumed. Sure, they’ll have questions about the data sources, but the above bullet points should help.
Now, if you’re saying you’re relying on the automated hire/term comparison to systems as a control, you’re probably cooked and will need to have some layer of positive assurance that the job schedule is running….
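A schedule-compliance check of the kind the thread asks for, as an added example that is not Eramba's own code: it takes pull records (constructed sample below, in an assumed "review,timestamp,status" format; the review names, 30-day intervals and as-of date are also assumptions) and flags failed pulls, over-long gaps between successful pulls (allowing the one-day catch-up run described above), and reviews whose last successful pull is stale, which is the positive assurance over the job schedule the last paragraph calls for.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample evidence, one pull per line: "<review>,<ISO timestamp>,<status>".
# Eramba's real export format is not shown in this thread; adapt parse_pulls() to it.
SAMPLE_PULLS = """\
HR LDAP,2024-01-01T02:00:00,ok
HR LDAP,2024-01-31T02:00:00,ok
HR LDAP,2024-03-03T02:00:00,ok
HR LDAP,2024-03-31T02:00:00,failed
HR LDAP,2024-04-01T02:00:00,ok
Finance AD,2024-01-15T02:00:00,ok
Finance AD,2024-02-14T02:00:00,ok
"""
# Review name -> interval in days, as configured in the account review (assumed values).
FREQUENCY_DAYS = {"HR LDAP": 30, "Finance AD": 30}
GRACE = timedelta(days=1)  # the catch-up run after a skipped daily cron is acceptable
AS_OF = datetime(2024, 4, 15)  # date the evidence is being produced (assumed)


def parse_pulls(text):
    """Group pull records by review and sort them chronologically."""
    pulls = defaultdict(list)
    for line in text.strip().splitlines():
        review, ts, status = (field.strip() for field in line.split(","))
        pulls[review].append((datetime.fromisoformat(ts), status))
    for records in pulls.values():
        records.sort()
    return pulls

def check_schedule(pulls, frequency_days, as_of):
    """Return (review, issue, detail) findings; an empty list means the schedule held."""
    findings = []
    for review, interval in frequency_days.items():
        allowed = timedelta(days=interval) + GRACE
        records = pulls.get(review, [])
        findings += [(review, "failed_pull", t.isoformat()) for t, s in records if s != "ok"]
        ok_times = [t for t, s in records if s == "ok"]
        if not ok_times:
            findings.append((review, "no_successful_pull", ""))
            continue
        for prev, cur in zip(ok_times, ok_times[1:]):  # gap between successive good pulls
            if cur - prev > allowed:
                findings.append((review, "gap_exceeded", f"{prev.date()} -> {cur.date()} ({(cur - prev).days}d)"))
        if as_of - ok_times[-1] > allowed:  # no good pull within the last interval
            findings.append((review, "stale", f"last ok pull {ok_times[-1].date()}"))
    return findings

def run_sample():
    return check_schedule(parse_pulls(SAMPLE_PULLS), FREQUENCY_DAYS, AS_OF)
```

Run `run_sample()` against a real export and keep the output alongside the Pulls tab screenshots as the dated evidence; an empty list is the "schedule held" result.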