A Company’s Journey Toward Stronger Access Governance
Through the story of a mid-sized financial firm, this article illustrates how implementing a user access review policy, conducting SOX user access reviews, and adopting IAM risk management practices transformed compliance challenges into security strengths. It highlights lessons learned and how solutions like Securends streamlined the entire journey.

The Starting Point: Compliance Pressure

Harborstone Financial, a growing mid-sized firm, was preparing for its annual SOX audit. Despite strong IT systems, the company struggled with fragmented governance.

  • Access reviews were done manually through spreadsheets.

  • Roles were unclear, and evidence was scattered.

  • IAM risks were identified too late, often during audits.

Management realized that without a structured user access review policy, they were heading toward audit fatigue and potential compliance failures.


Phase One: Writing the User Access Review Policy

The leadership team began by drafting a comprehensive user access review policy. This document:

  • Defined who was responsible for reviews.

  • Outlined which applications were in scope.

  • Established timelines for quarterly checks.

  • Clarified escalation procedures for non-compliance.

By putting these rules in writing, Harborstone created a foundation for consistency and accountability.


Phase Two: Tackling SOX User Access Review Requirements

Next came the challenge of SOX compliance. The firm had to ensure that access to financial reporting systems was properly reviewed.
The first round revealed:

  • Duplicate access rights for finance managers.

  • Privileged accounts with overlapping responsibilities.

  • Orphaned accounts belonging to ex-employees.

By performing a structured SOX user access review, the firm eliminated these risks, reduced audit findings, and gained confidence in its reporting controls.


Phase Three: Embedding IAM Risk Management

While compliance improved, Harborstone recognized a deeper issue—security risks extended beyond SOX systems. To address this, they adopted a proactive IAM risk management process.

The security team:

  • Identified high-risk accounts, such as administrators with excessive privileges.

  • Flagged role inflation, where employees accumulated access as they changed positions.

  • Reviewed inactive accounts left open for months.

This broader risk lens helped the firm move from reactive compliance to proactive security management.
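The findings described in Phases Two and Three (orphaned accounts, duplicate rights, inactive accounts, role inflation) can be produced mechanically from an HR roster, a per-role entitlement baseline and an IAM account export. The routine below is an added example, not code from the article or from the Securends platform; the roster, baseline and account records are constructed sample data.

```python
from datetime import date

# Constructed sample data (hypothetical, not from the article).
# HR roster: who still works here and in what role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance_manager"},
    "bob":   {"status": "active", "role": "analyst"},
    "carol": {"status": "terminated", "role": "finance_manager"},
}
# Entitlements each role should hold; anything beyond this is role inflation.
ROLE_BASELINE = {
    "finance_manager": {"gl_post", "gl_approve"},
    "analyst": {"gl_read"},
}
# IAM export of accounts on a financial reporting system.
ACCOUNTS = [
    {"user": "alice", "entitlements": ["gl_post", "gl_approve", "gl_post"], "last_login": date(2024, 5, 1)},
    {"user": "bob",   "entitlements": ["gl_read", "gl_post"],              "last_login": date(2023, 11, 1)},
    {"user": "carol", "entitlements": ["gl_post"],                         "last_login": date(2024, 1, 1)},
    {"user": "dave",  "entitlements": ["admin"],                           "last_login": date(2024, 4, 1)},
]

def review_accounts(accounts, roster, baseline, today, inactive_days=90):
    """Return {user: [(finding_type, detail), ...]} for accounts that need reviewer attention."""
    findings = {}
    for acct in accounts:
        user, ents = acct["user"], acct["entitlements"]
        issues = []
        person = roster.get(user)
        # Orphaned: no HR record at all, or the person has left but the account survives.
        if person is None or person["status"] != "active":
            issues.append(("orphaned", "no active HR record"))
        # Inactive: nobody has used the account within the review window.
        idle = (today - acct["last_login"]).days
        if idle > inactive_days:
            issues.append(("inactive", f"last login {idle} days ago"))
        # Duplicate rights: the same entitlement granted more than once (e.g. via two groups).
        dupes = sorted({e for e in ents if ents.count(e) > 1})
        if dupes:
            issues.append(("duplicate", dupes))
        # Role inflation: entitlements beyond the baseline for the person's current role.
        if person is not None and person["status"] == "active":
            excess = sorted(set(ents) - baseline.get(person["role"], set()))
            if excess:
                issues.append(("role_inflation", excess))
        if issues:
            findings[user] = issues
    return findings
```

Each finding type maps to one reviewer action: orphaned and inactive accounts are candidates for disablement, duplicates for consolidation, and role inflation for revocation back to the baseline.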


Phase Four: Turning to Automation

Manual efforts were still consuming hundreds of hours. Business managers complained about unclear spreadsheets, and auditors demanded cleaner evidence. That’s when Harborstone invested in an automation platform—Securends.

With automation, they:

  • Routed reviews directly to business managers with clear role descriptions.

  • Automated risk scoring to highlight the riskiest accounts.

  • Generated audit-ready reports in minutes, not weeks.

The platform allowed IT and business teams to collaborate seamlessly, turning governance into an efficient, repeatable process.


Results After One Year

Twelve months later, Harborstone Financial saw measurable results:

  • SOX audits closed faster with fewer findings.

  • Review cycles dropped from eight weeks to two.

  • IAM risk management became a continuous process instead of a once-a-year exercise.

  • Managers felt empowered to make access decisions without heavy IT involvement.

The transformation was not just technical—it shifted the organization’s culture toward shared accountability for security and compliance.


Lessons Learned

Harborstone’s journey offers valuable insights for other organizations:

  1. Start with policy. A written user access review policy provides structure and accountability.

  2. Prioritize compliance. A SOX user access review ensures regulatory requirements are met.

  3. Think beyond audits. IAM risk management addresses broader security risks.

  4. Automate early. Platforms like Securends save time, reduce errors, and simplify evidence collection.


Conclusion

The Harborstone story shows that governance is not just about passing audits—it’s about building resilience. By combining a strong user access review policy, structured SOX user access reviews, and proactive IAM risk management, organizations can transform compliance challenges into long-term security strengths.


With automation as an enabler, governance becomes a competitive advantage rather than a burden.

