Access rights for current employees are essential for the completion of a successful audit. Your company should have a hiring and firing policy that is followed to the letter of the law. When an employee is hired or fired they should have an authorization process to add or delete from company systems or applications. It is essential that you educate your current employees, contractors, an third party users on this process on a continual basis.
Your company should company not only operating systems or applications, but physical access to company assets. Shared passwords or usernames should be immediately deactivated once an employee or third party leaves. When developing a policy for hiring or terminating consider:
1. whether the termination or change of employment will be initiated by your or a third party
2. the current responsibilities of the employee
3. the value of the company assets or data that the employee has access too.
Without a good termination policy or checklist, you will have exceptions within your SAS 70 audit. SAS70ExPERT@gmail.com