Audit and compliance requirements

Case study overview

Being a large corporation, ACME is subject to yearly account auditing and certification. Most of ACME’s business is supported by IT resources and applications. The ERP application is considered critical because it contains all of the company’s accounting data. Auditors therefore focus strongly on this system: a large share of each audit’s time is devoted to checking that only duly entitled users can access the financial data.

As a result, auditors require assistance from the application owner and the CISO (Chief Information Security Officer) and ask them for account and entitlement reports.

Generally speaking, the number of controls carried out on the Information System is ever increasing, due to new regulations, the need for agility (outsourcing…) and security concerns. SoX, Basel II, HIPAA, Solvency II, ISO27001, PCI DSS: all of these regulations and standards require recurring controls.

Requests come from everywhere, including compliance officers and internal and external auditors, and all of them are both pressing and specific about the information requested.

Goals

  • Provide reliable, up-to-date and comprehensive data
  • Auditors are not technical experts: they must be provided with business-oriented, not technical, data
  • Anticipate the outcome of the audit: know what you’re up against and resolve the anomalies before they are discovered
  • Ensure that the security and application teams are not overworked by audit-related activities and requests

Copyright 2011