Dubious transactions have been recorded in ACME’s Information System. The time period and the business process involved in the fraud are easily determined, and IT is asked to identify suspects, i.e. users who were entitled to access the system and could have initiated such transactions.
As a result, a team of IT experts had to restore several database backups and search for user access rights and activity over the period in question. They then tried to establish whether accounts were shared among several users on the system, or whether orphan accounts might have been used by a third party. After several days, they were able to bring the list down to a dozen names.
It is easy to see why both access control and access history are important for fraud investigation. Yet, even with comprehensive access logs, it is very difficult to retrace the full user entitlement history: it is like searching for a needle in a haystack.
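The investigation described above becomes a single query once entitlement changes are kept with their grant and revoke dates instead of being rebuilt from backups. The following is an added example, not part of the original text: the account names, permission names, workstations and data layout are all constructed for illustration.

```python
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d")

# Constructed sample data, not taken from the page.
# Entitlement history: (account, permission, granted, revoked or None if still held)
GRANTS = [
    ("jdoe",    "PAYMENT_CREATE", ts("2023-01-10"), ts("2023-03-01")),
    ("asmith",  "PAYMENT_CREATE", ts("2023-04-15"), None),
    ("svc_pay", "PAYMENT_CREATE", ts("2022-06-01"), None),
    ("old_tmp", "PAYMENT_CREATE", ts("2022-11-01"), ts("2023-02-20")),
    ("bwhite",  "PAYMENT_VIEW",   ts("2023-01-01"), None),
]
# Account-to-person mapping; an empty list means nobody owns the account.
OWNERS = {"jdoe": ["John Doe"], "asmith": ["Anna Smith"],
          "svc_pay": ["Paul Roy", "Lea Kim"], "old_tmp": [], "bwhite": ["Bob White"]}
# Activity log: (account, timestamp, workstation)
ACTIVITY = [
    ("jdoe",    ts("2023-02-12"), "WS-014"),
    ("svc_pay", ts("2023-02-13"), "WS-020"),
    ("svc_pay", ts("2023-02-13"), "WS-031"),
    ("old_tmp", ts("2023-02-14"), "WS-099"),
    ("asmith",  ts("2023-05-02"), "WS-007"),
]

def suspects(permission, start, end):
    """Accounts that held `permission` at some point in [start, end], with flags."""
    result = {}
    for account, perm, granted, revoked in GRANTS:
        # Interval overlap: the grant began before the window closed and
        # had not been revoked before the window opened.
        if perm != permission or granted > end or (revoked and revoked < start):
            continue
        owners = OWNERS.get(account, [])
        hosts = {h for a, t, h in ACTIVITY if a == account and start <= t <= end}
        flags = set()
        if not owners:
            flags.add("orphan")   # no accountable person behind the account
        if len(owners) > 1 or len(hosts) > 1:
            flags.add("shared")   # several owners, or used from several workstations
        if hosts:
            flags.add("active")   # the account was actually used in the window
        result[account] = {"owners": owners, "flags": flags}
    return result

if __name__ == "__main__":
    window = (ts("2023-02-10"), ts("2023-02-15"))
    for acct, info in suspects("PAYMENT_CREATE", *window).items():
        print(acct, info["owners"], sorted(info["flags"]))
```

In this sample, `asmith` holds the permission today but did not during the window, while `old_tmp` no longer holds it but did at the time, which is why a snapshot of current access rights gives the wrong suspect list.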