Internal Audit Training How to Test Access Controls

How to test access controls
How to test access controls

Audit Training Series: Are you an auditor looking to up your game?

ERP Risk Advisors, in partnership with SafePaaS, would like to invite you to our “How to Effectively Test Access Controls with Access Control Software” training series that will ensure you’re at the top of your game. We will teach you how to Get Clean and Stay Clean!

This 6-part series will help you develop the know-how, relevant skills, and technical competencies to perform access control testing across 10 key controls in Oracle ERP Cloud.

This training series has been expertly designed by industry leaders to ensure you have the tools and knowledge to test access controls for in-scope ERP systems.

Why is this important?

There are two main reasons auditors should test access controls in all in-scope systems:

  • ITGCs and ITACs cause a need to test specific segregation of duties conflicts and sensitive access risks.
  • The control performer must maintain independence from the activities they are overseeing and the only way to confirm this is to test to ensure they do not have access to these activities.

Training overview:

The series of training sessions consists of 6 sessions each lasting approximately 45 minutes. The sessions focus on the following:

Session 1: July 6, 1 pm EST

Evaluating Role Design: First Sensitive access risks; then Segregation of Duties Conflicts

  • Scoping the rules: Mapping from RACM and Considering Mitigating Controls
  • How to test role design for Sensitive Access Risks and Segregation of Duties.
  • How to run individual Sensitive Access rules, all Sensitive Access rules, or groups of Sensitive Access Rules.
  • How to see if the role has access to and objects it should not have.
  • Learn how to use the SafePaaS Access Controls platform to understand the risks related to the rules.


Session 2: July 20, 1 pm EST

Evaluating Sensitive Access Risks and Segregation of Duties Conflicts During the Provisioning Process

Provisioning Process

  • How to run a what-if analysis in SafePaaS in production before access is granted / in non-production – Understand why this is a crucial step.

Cross-department Risk

  • Learn how to evaluate conflicts across departments using Access Control technology. For example, the segregation of duties conflict: Enter and Maintain Suppliers vs Enter and Maintain Purchase Orders.

Override of Controls Risks

  • Learn how to evaluate conflicts related to Transactions vs Configurations. Who can override your controls?


Session 3: August 3, 1 pm EST

Evaluating Access Controls as your System Changes; How to Stay Clean

Updates to software / Patch impact on roles assigned to users

  • Learn how software updates can introduce new security objects and changes to roles;
  • Learn how to run a detailed sensitive access analysis to see if there are any abilities that should not be assigned when the patch is applied.

Role Change Management

  • Learn how to re-test relevant sensitive access and segregation of duties conflicts whenever a role changes
  • Ensure users only have access appropriate for their job.
  • Learn how to confirm there are no segregation of duties conflicts within a role or across roles that do not have adequate mitigating controls.


Session 4: August 17, 1 pm EST

User Access Reviews: How to Re-Evaluate if you are Still Clean?

User Access Review

  • Understand the considerations related to user access review and the re-certification process.
  • Learn how to re-certify sensitive access and segregation of duties conflict risks.


Session 5: August 31, 1 pm EST

How to Use Access Control Software to Respond to a Cyber Incident

How to Evaluate the Impact of the Cyber Incident

  • Learn how to use access control software to identify the scope of a cyber incident and help evaluate its impact.
  • Learn how to run a full sensitive access analysis for the users and roles that require a lookback procedure.

Lookback procedures

  • Learn how to scope the activities that need to be performed in your Lookback Procedures


Session 6: September 14, 1 pm EST

How to Test the Independence of Control Performers and License Exposure

Testing the independence of control performers

License Exposure

  • Learn how access control software can be used to identify what is the current license usage.