Hello, I am auditing a client and would like to understand if there is any risk with the following scenario. We are auditing the periodic review of system privileges for the payroll/HR system.
The review is only done by one individual. This individual is the system owner and the system administrator. I am trying to understand if there is any potential SoD risk here with this review.
The potential risk that I can think of is that this user could create fictitious accounts and use that account to process fraudulent payroll activity. Since this user has access to set up new accounts or make unauthorized access changes, should the review also be performed by another user who is not a system administrator? I would appreciate any insights on this. Thank you.