An OEM manufacturer was operating on an old revision of a mainstream ERP that they were planning on replacing in the near future. Over the years, the company had tried different access methodologies for this ERP, always starting but never completing a full implementation. The company was now struggling with three different user access methodologies which they were unable to correct and which they did not have confidence with the appropriateness of access. To complicate the issue, new access was granted by copying the unknown access of one user to a new user. With the pending obsolescence of the current ER and the history of failed access projects, the company was unwilling to tackle fixing the access system. The company needed a cost effective solution that would address access concerns without bogging management down with tedious reviews.
The solution was to create a detective control that would allow management to quickly review the thousands of transactions, making sure that no abnormal transactions existed. A review of the database revealed transaction logs that were available and could be filtered through Excel pivot tables. The end result was an easy to use pivot table that allowed management to view the total transactions by user with the ability to drill down to specific transactions for investigation. With a quick look, a manager could determine if any user was making transactions that were inappropriate for the job function. While not as effective as a preventative control, this solution was sufficient to mitigate the risks associated with inappropriate user access.